Hi Folks,
I was wondering if somebody could help me with an issue. I’m a newbie here, just installing the Kamailio SIP server. I’ve enabled TLS, and am trying to create a SIP trunk to an external SIP service which is TLS enabled on port 5061.
I’ve configured the following in tls.cfg:
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certs/sbc-private.pem
certificate = /etc/kamailio/certs/godaddy.pem
ca_list = /etc/kamailio/certs/calist.pem
In the section above, ca_list = calist.pem contains all the CAs and subordinates of the destination server. private_key and certificate are my own server’s (public, GoDaddy signed).
[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certs/sbc-private.pem
certificate = /etc/kamailio/certs/godaddy.pem
ca_list = /etc/kamailio/certs/godaddyca.pem
In the section above the ca_list is GoDaddy’s CA and subordinate.
In Wireshark I can see that I’m sending out a SIP OPTIONS ping (I’m using the dispatcher module). Then the server replies with a TLS Server Hello which includes its certificate, but for some reason we are rejecting it: Alert (level: fatal, Description: Unknown CA)
How should I set this up to make sure the remote server CAs are verified?
Thank you,
Hello,
On 20.11.20 11:13, George Goglidze wrote:
How should I set this up to make sure the remote server CAs are verified?
I am not sure I understand what you want to do -- to verify the list of CAs trusted by the remote server? This is not possible; what is trusted by the server is its own business. An entity can only verify whether the certificate presented by a peer is signed by a trusted CA from its own list of trusted CAs.
Cheers, Daniel
Hi Daniel,
No – you misunderstood me.
It’s not the remote server that is not trusting us but we are not trusting the remote server. My SBC (Kamailio) is sending out TLS error unknown CA.
Thanks,
From: Daniel-Constantin Mierla <miconda@gmail.com> Date: Friday, 20 November 2020 at 14:48 To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>, George Goglidze <george@ipcorp.co.uk> Subject: Re: [SR-Users] Issue with ca-list
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
Hello,
does the client section ca_list file have the CA of the remote server?
Cheers, Daniel
On 20.11.20 15:56, George Goglidze wrote:
It’s not the remote server that is not trusting us but we are not trusting the remote server.
It does. It has a combination of all of them. Over 50 CA pem files combined.
From: Daniel-Constantin Mierla <miconda@gmail.com> Date: Friday, 20 November 2020 at 15:48 To: George Goglidze <george@ipcorp.co.uk>, Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org> Subject: Re: [SR-Users] Issue with ca-list
does the client section ca_list file have the CA of the remote server?
To be exact this is what my ca_list file contains:
My own certificate’s root CA
My own certificate’s subordinate CA
Remote SIP Provider’s root CAs (there are many, over 10)
Remote SIP Provider’s subordinate CAs (over 50)
I’m trying Direct Routing integration with Microsoft, and there’s a big list of root CAs and subordinates that Microsoft recommends you to trust for this purpose. Here’s the link to all certificates: https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption-office-...
Regards,
I have that working using the OS-provided SSL CA list. That said, Kamailio takes >20s to start up because it has to load the entire list, and I had to increase memory limits.
If you manage to narrow the list down please share it.
On Fri, Nov 20, 2020 at 07:59 George Goglidze george@ipcorp.co.uk wrote:
I’m trying Direct Routing integration with Microsoft, and there’s a big list of root CAs and subordinates that Microsoft recommends you to trust for this purpose.
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
I can narrow it down, as the Teams part only uses Baltimore certificates.
That actually means one root and 4 subordinates for Direct Routing currently.
I can point out the exact certs you need if you cannot identify them.
But can you please share your configuration to make this work? As I was not able to.
What’s your kamailio.cfg / tls.cfg like?
From: sr-users <sr-users-bounces@lists.kamailio.org> on behalf of Joel Serrano <joel@textplus.com> Sent: Friday, November 20, 2020 6:30:17 PM To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org> Subject: Re: [SR-Users] Issue with ca-list
Hey George,
I’m not on my computer right now, but give it a try with your settings, changing:
ca_list=/etc/ssl/certs/ca-certificates.crt
(That is for Debian; other OSes have different locations.)
Using that on Debian 10 it works, but be prepared to wait a while for the startup and potentially to increase memory limits.
On Fri, Nov 20, 2020 at 10:43 George Goglidze george@ipcorp.co.uk wrote:
I can narrow it down, as the Teams part only uses Baltimore certificates.
That’s how I have it. Although I’ve put the certs into the Kamailio folder.
From: sr-users <sr-users-bounces@lists.kamailio.org> on behalf of Joel Serrano <joel@textplus.com> Sent: Friday, November 20, 2020 6:51:04 PM To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org> Subject: Re: [SR-Users] Issue with ca-list
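As an added example that is not part of this thread (neither George's configuration nor Kamailio project code), the script below reproduces offline what the client-side ca_list check in the original post, Daniel's remark that a verifier can only check the peer certificate against its own trust list, and the later exchange between Joel and George about narrowing the OS bundle down to the one root the trunk needs all come down to. It generates a throwaway three-tier PKI with made-up names (Provider Root CA, Provider Issuing CA, sip.provider.example, plus an unrelated root standing in for the CA behind our own GoDaddy certificate) and then runs openssl verify, which applies the same chain-building rules the OpenSSL-based Kamailio tls module applies to a peer certificate, against several candidate ca_list files. The failing cases are the ones that show up on the wire as the fatal "unknown CA" alert the Wireshark capture reported. The narrow function is a hypothetical helper written for this example, not a Kamailio or OpenSSL feature.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway PKI and check which
# ca_list contents let the "remote SIP server" certificate verify.
# All CA and host names are made up; nothing here touches the network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_cert <name> <subject> <ext-file> [<issuer-name>]
# Self-signed when no issuer is given (that is how the roots are made).
new_cert() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$subj" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  serial="0x$(openssl rand -hex 8)"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 30 -sha256 \
      -set_serial "$serial" -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -days 30 -sha256 -set_serial "$serial" -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:sip.provider.example\n' > "$WORK/leaf.ext"
  new_cert root  "/CN=Provider Root CA"     "$WORK/ca.ext"          # the provider's root
  new_cert inter "/CN=Provider Issuing CA"  "$WORK/ca.ext"   root   # its subordinate CA
  new_cert leaf  "/CN=sip.provider.example" "$WORK/leaf.ext" inter  # the trunk endpoint
  new_cert other "/CN=Unrelated Root CA"    "$WORK/ca.ext"          # the CA behind our own cert
  # What the server sends in its TLS Certificate message: leaf first, then its issuer
  cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/server_chain.pem"
  cp "$WORK/leaf.pem" "$WORK/leaf_only_chain.pem"                    # a server that omits the subordinate
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/root_and_sub.pem"  # root + subordinate, as in the thread
  cat "$WORK/other.pem" "$WORK/root.pem" > "$WORK/bundle.pem"       # big OS-style bundle with the root inside
}

# verifies <ca_list.pem> <server_chain.pem>
# OpenSSL's rules, the same ones a TLS client applies: the chain must end at a
# self-signed root present in ca_list; intermediates may come from the peer or from ca_list.
verifies() {
  awk '/BEGIN CERT/{n++} n==1' "$2" > "$WORK/peer_leaf.pem"
  openssl verify -CAfile "$1" -untrusted "$2" "$WORK/peer_leaf.pem" >/dev/null 2>&1
}

# narrow <bundle.pem> <server_chain.pem> <out.pem>  (hypothetical helper)
# Keep only the bundle certificates whose subject is the issuer of the last
# certificate the server sent, i.e. the one root this trunk actually needs.
narrow() {
  bundle=$1; chain=$2; out=$3
  awk '/BEGIN CERT/{n++} {buf[n]=buf[n] $0 "\n"} END{printf "%s", buf[n]}' "$chain" > "$WORK/top.pem"
  want=$(openssl x509 -noout -issuer -in "$WORK/top.pem" | sed 's/^issuer=//')
  rm -f "$WORK"/split.*
  awk -v d="$WORK/split" '/BEGIN CERT/{i++; f=d "." i} i>0{print > f}' "$bundle"
  : > "$out"
  for f in "$WORK"/split.*; do
    subj=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject=//')
    if [ "$subj" = "$want" ]; then cat "$f" >> "$out"; fi
  done
}

build_pki
report() {
  if verifies "$1" "$2"; then echo "OK    $3"; else echo "FAIL  $3"; fi
}
C=$WORK/server_chain.pem
report "$WORK/other.pem"  "$C" "ca_list has only our own CA              -> peer root unknown"
report "$WORK/inter.pem"  "$C" "ca_list has only the subordinate CA      -> no self-signed anchor"
report "$WORK/root.pem"   "$C" "ca_list has the provider root            -> verifies"
report "$WORK/root.pem"   "$WORK/leaf_only_chain.pem" "server omits subordinate, root only -> issuer missing"
report "$WORK/root_and_sub.pem" "$WORK/leaf_only_chain.pem" "server omits subordinate, root+sub  -> verifies"
narrow "$WORK/bundle.pem" "$C" "$WORK/minimal.pem"
report "$WORK/minimal.pem" "$C" "ca_list narrowed from the big bundle     -> verifies"
```

To apply the narrowing to a real trunk, capture what the provider sends with `openssl s_client -connect <host>:5061 -showcerts </dev/null`, save the PEM blocks in the order presented as the chain file, and point narrow at the OS bundle (for example /etc/ssl/certs/ca-certificates.crt on Debian); `openssl s_client -connect <host>:5061 -CAfile /etc/kamailio/certs/calist.pem` then reports the same verify result end to end before Kamailio is restarted. Two caveats follow from the cases above: a root must be present as a self-signed anchor in ca_list (a subordinate alone is not enough), and any intermediate the provider does not send in its Certificate message has to be in ca_list as well, which is why keeping the subordinates next to the root, as George does, is harmless and sometimes necessary.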