I'm wondering if anyone can point me in the right direction for the following two issues with Kamailio and tls.cfg
1. When attempting to configure TLS settings for connecting to a specific IPv4 client, it seems that the ca_list indicated in [client:default] overrides the one in the client-specific config. If I don't include the client's CA in the [client:default] section, I get the following, regardless of what is in [client:204.74.213.5:5061].
ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/crt.pem
verify_depth = 2
# In order for the client below to work, the ca_list here needs to support
# contain the CA for the specific client. Not sure why, maybe a bug?
#ca_list = /etc/pki/CA/myownCA.pem # Can't use this one
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CA's

[client:204.74.213.5:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
verify_depth = 2
ca_list = /etc/kamailio/204.74.213.5.crt.pem
2. When attempting to configure TLS settings for connecting to a specific IPv6 client, I cannot figure out the syntax needed to specify the IPv6 client. What is the proper syntax?
With [client:[2607:5300:60:1f93::0]:5061], I get: ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address
Any guidance is appreciated. Thanks. -A
Hello,
On 23/02/15 02:16, Anthony Messina wrote:
I'm wondering if anyone can point me in the right direction for the following two issues with Kamailio and tls.cfg
- When attempting to configure TLS settings for connecting to a specific IPv4 client, it seems that the ca_list indicated in [client:default] overrides the one in the client-specific config. If I don't include the client's CA in the [client:default] section, I get the following, regardless of what is in [client:204.74.213.5:5061].
ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/crt.pem
verify_depth = 2
# In order for the client below to work, the ca_list here needs to support
# contain the CA for the specific client. Not sure why, maybe a bug?
#ca_list = /etc/pki/CA/myownCA.pem # Can't use this one
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CA's

[client:204.74.213.5:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
verify_depth = 2
ca_list = /etc/kamailio/204.74.213.5.crt.pem
I noticed that this one is hard to match because it specifies the local socket, but the kernel returns a random local port when doing a connect. The matching should be changed to be done on an xavp or the forced socket. I made a note on the commit:
- https://github.com/kamailio/kamailio/commit/9a36fb7aae0adc39efb17a967a88db2e...
It is on my list to solve it, but no time so far.
- When attempting to configure TLS settings for connecting to a specific IPv6 client, I cannot figure out the syntax needed to specify the IPv6 client. What is the proper syntax?
With [client:[2607:5300:60:1f93::0]:5061], I get: ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address
Perhaps it is an issue in the parser of the config, I will look at it.
Cheers, Daniel
Any guidance is appreciated. Thanks. -A
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hello,
can you try with latest master? After just quick view of sources, I spotted some issue identifying ipv6 address and pushed a small patch for it, but no time to test it for now.
Cheers, Daniel
On 23/02/15 10:01, Daniel-Constantin Mierla wrote:
-- Daniel-Constantin Mierla http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda Kamailio World Conference, May 27-29, 2015 Berlin, Germany - http://www.kamailioworld.com
I just pushed a patch to look up the client TLS profile using the bind address (if available), instead of the local source address for the connection, trying to avoid matching on a port randomly allocated by the OS.
Let me know if it works fine.
Cheers, Daniel
On 23/02/15 11:26, Daniel-Constantin Mierla wrote:
On Monday, February 23, 2015 11:31:27 PM Daniel-Constantin Mierla wrote:
I just pushed a patch to look up the client TLS profile using the bind address (if available), instead of the local source address for the connection, trying to avoid matching on a port randomly allocated by the OS.
Let me know if it works fine.
Do you have the commit of the patch for reference? The last github commit I can pull on master is https://github.com/kamailio/kamailio/commit/b9e5b9181c0f9c315e0f27ad96f69d5c... which doesn't seem related.
Thanks, Daniel. I'll be rebuilding with the recent changes this evening. A few clarification requests inline below...
On Monday, February 23, 2015 11:26:27 AM Daniel-Constantin Mierla wrote:
I noticed that this one is hard to match because it specifies the local socket, but the kernel returns a random local port when doing a connect. The matching should be changed to be done on an xavp or the forced socket. I made a note on the commit:
https://github.com/kamailio/kamailio/commit/9a36fb7aae0adc39efb17a967a88db2eebfd8c36
It is on my list to solve it, but no time so far.
I'm not sure I follow you here. Kamailio is sending an outbound connection to [client:204.74.213.5:5061] -- I'm not specifying the local socket, but the remote endpoint, as far as I can tell, based on the iptel.org example in the tls.cfg file below. I have not yet begun to use the new SNI features. How did this work prior to the SNI implementation? I ask because Kamailio (acting as the client in this case) is connecting to a TLS server set via LCR with the destination 204.74.213.5:5061.
# Special settings for the iptel.org public SIP
# server. We do not verify the certificate of the
# server because it can be expired. The server
# implements authentication using SSL client
# certificates so configure the client certificate
# that was given to use by iptel.org staff here.
#
#[client:195.37.77.101:5061]
#verify_certificate = no
#certificate = /etc/kamailio/iptel_client.pem
#private_key = /etc/kamailio/iptel_key.pem
#ca_list = /etc/kamailio/iptel_ca.pem
#crl = /etc/kamailio/iptel_crl.pem
- When attempting to configure TLS settings for connecting to a specific IPv6 client, I cannot figure out the syntax needed to specify the IPv6 client. What is the proper syntax?
With [client:[2607:5300:60:1f93::0]:5061], I get: ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address
Perhaps it is an issue in the parser of the config, I will look at it.
So after https://github.com/kamailio/kamailio/commit/4b682e15fcd14fc3eb153865c2071162... is the following IPv6 syntax correct? Is the port necessary? I was unsure of the nested brackets.
[client:[2607:5300:60:1f93::0]:5061]
On Monday, February 23, 2015 11:26:27 AM Daniel-Constantin Mierla wrote:
Hello,
can you try with latest master? After just quick view of sources, I spotted some issue identifying ipv6 address and pushed a small patch for it, but no time to test it for now.
Cheers, Daniel
<snip>
- When attempting to configure TLS settings for connecting to a specific IPv6 client, I cannot figure out the syntax needed to specify the IPv6 client. What is the proper syntax?
With [client:[2607:5300:60:1f93::0]:5061], I get: ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address
Unfortunately, with master@b9e5b91 and [client:[2607:5300:60:1f93::0]:5061] in tls.cfg:
kamailio[32495]: ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address
kamailio[32495]: ERROR: <core> [sr_module.c:945]: init_mod(): Error while initializing module tls (/usr/lib64/kamailio/modules/tls.so)
kamailio[32495]: : tls [tls_locking.c:103]: locking_f(): BUG: tls: locking_f (callback): invalid lock number: 12 (range 0 - 0), called from ssl_lib.c:345
Hello,
can you try again with the latest master -- it should have fixed the part with ipv6.
The other issue with matching the client profile was changed to ignore the port if it is 0 in the tls.cfg definition -- can you try to see if it works?
Cheers, Daniel
On 24/02/15 04:09, Anthony Messina wrote:
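As an added illustration (not Kamailio's code and not part of this thread), a small Python model of the two behaviours Daniel describes above: bracket-aware parsing of [client:[IPv6]:port] section headers, and looking up the client profile by remote peer where a configured port of 0 acts as a wildcard, falling back to [client:default]. The tls.cfg fragment is constructed for the example and the file paths are placeholders; inheritance of unset keys from the default section is not modelled.

```python
import ipaddress
import re

# Constructed tls.cfg fragment in the style used in the thread (placeholder paths).
SAMPLE_TLS_CFG = """
[client:default]
verify_certificate = yes
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem   # all trusted CAs

[client:204.74.213.5:0]
verify_certificate = yes
require_certificate = yes
ca_list = /etc/kamailio/204.74.213.5.crt.pem       # pinned to this peer only

[client:[2607:5300:60:1f93::0]:5061]
verify_certificate = yes
ca_list = /etc/kamailio/ipv6-peer.crt.pem
"""

# [role:ip:port]: an IPv6 literal must sit in its own brackets, because the
# address itself contains colons and a plain split on ':' is ambiguous.
HEADER_RE = re.compile(
    r"^\[(server|client):(?:\[([0-9a-fA-F:.]+)\]|([0-9.]+)|(default))(?::(\d+))?\]$"
)


def parse_tls_cfg(text):
    """Return a list of (role, ip_or_None, port, settings); port 0 means 'any'."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            m = HEADER_RE.match(line)
            if not m:  # e.g. an unbracketed IPv6 literal
                raise ValueError("invalid section header: %s" % line)
            role, v6, v4, dflt, port = m.groups()
            ip = None if dflt else ipaddress.ip_address(v6 or v4)
            current = (role, ip, int(port) if port else 0, {})
            profiles.append(current)
            continue
        key, _, value = line.partition("=")
        current[3][key.strip()] = value.strip()
    return profiles


def lookup_client_profile(profiles, peer_ip, peer_port):
    """Pick the client profile for an outbound TLS connection to peer_ip:peer_port.

    Matching is on the remote peer, not on the local socket (whose port the
    OS picks at random); a configured port of 0 matches any peer port.
    """
    peer = ipaddress.ip_address(peer_ip)  # normalises e.g. '::0' vs '::'
    default = None
    for role, ip, port, settings in profiles:
        if role != "client":
            continue
        if ip is None:
            default = settings
        elif ip == peer and port in (0, peer_port):
            return settings
    return default
```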
On Tuesday, February 24, 2015 12:32:38 Daniel-Constantin Mierla wrote:
Hello,
can you try again with the latest master -- it should have fixed the part with ipv6.
The other issue with matching the client profile was changed to ignore the port if it is 0 in the tls.cfg definition -- can you try to see if it works?
Cheers, Daniel
Yes Daniel, I'll try it again this evening when I get home from work. Thanks again! -A
On Tuesday, February 24, 2015 12:32:38 PM Daniel-Constantin Mierla wrote:
Hello,
can you try again with the latest master -- it should have fixed the part with ipv6.
Using [client:[2607:5300:60:1f93::0]:0] in tls.cfg, it looks like the IPv6 part works. Thank you.
The other issue with matching the client profile was changed to ignore the port if it is 0 in the tls.cfg definition -- can you try to see if it works?
This part doesn't seem to work. I still need to have the ca_list in [client:default] contain the remote server's certificate or else I get:
Using either [client:204.74.213.5:0] or [client:[2607:5300:60:1f93::0]:0] in tls.cfg:
ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ERROR: <core> [tcp_read.c:1296]: tcp_read_req(): ERROR: tcp_read_req: error reading
Cheers, Daniel