23 Feb
2015
23 Feb
'15
2:16 a.m.
I'm wondering if anyone can point me in the right direction for the following
two issues with Kamailio and tls.cfg
1. When attempting to configure TLS settings for connecting to a specific IPv4
client, it seems that the ca_list indicated in [client:default] overrides the
one in the client-specific config. If I don't include the client's CA in the
[client:default] section, I get the following, regardless of what is in
[client:204.74.213.5:5061].
ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/crt.pem
verify_depth = 2
# In order for the client below to work, the ca_list here needs to support #
contain the CA for the specific client. Not sure why, maybe a bug?
#ca_list = /etc/pki/CA/myownCA.pem # Can't use this one
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CA's
[client:204.74.213.5:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
verify_depth = 2
ca_list = /etc/kamailio/204.74.213.5.crt.pem
2. When attempting to configure TLS settings for connecting to a specific IPv6
client, I cannot figure out the syntax needed to specify the IPv6 client.
What is the proper syntax?
With [client:[2607:5300:60:1f93::0]:5061], I get:
ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address
Any guidance is appreciated. Thanks. -A
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
23 Feb
23 Feb
10:01 a.m.
New subject: 2 TLS issues/questions: per-client config & IPv6 client
Hello,
On 23/02/15 02:16, Anthony Messina wrote:
I'm wondering if anyone can point me in the right
direction for the following
two issues with Kamailio and tls.cfg
1. When attempting to configure TLS settings for connecting to a specific IPv4
client, it seems that the ca_list indicated in [client:default] overrides the
one in the client-specific config. If I don't include the client's CA in the
[client:default] section, I get the following, regardless of what is in
[client:204.74.213.5:5061].
ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/crt.pem
verify_depth = 2
# In order for the client below to work, the ca_list here needs to support #
contain the CA for the specific client. Not sure why, maybe a bug?
#ca_list = /etc/pki/CA/myownCA.pem # Can't use this one
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CA's
[client:204.74.213.5:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
verify_depth = 2
ca_list = /etc/kamailio/204.74.213.5.crt.pem
I noticed that this one is hard to match because it specifies the local
socket, but the kernel returns a random local port when doing a connect.
The matching should be changed to be done on an xavp or the forced
socket. I made a note on the commit:
-
https://github.com/kamailio/kamailio/commit/9a36fb7aae0adc39efb17a967a88db2…
It is on my list to solve it, but no time so far.
2. When attempting to configure TLS settings for connecting to a specific IPv6
client, I cannot figure out the syntax needed to specify the IPv6 client.
What is the proper syntax?
With [client:[2607:5300:60:1f93::0]:5061], I get:
ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address
Perhaps it is an issue in the parser of the config, I will look at it.
Cheers,
Daniel
Any guidance is appreciated. Thanks. -A
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com
11:26 a.m.
New subject: 2 TLS issues/questions: per-client config & IPv6 client
Hello,
can you try with latest master? After just quick view of sources, I
spotted some issue identifying ipv6 address and pushed a small patch for
it, but no time to test it for now.
Cheers,
Daniel
On 23/02/15 10:01, Daniel-Constantin Mierla wrote:
Hello,
On 23/02/15 02:16, Anthony Messina wrote:
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com
I'm wondering if anyone can point me in the
right direction for the following
two issues with Kamailio and tls.cfg
1. When attempting to configure TLS settings for connecting to a specific IPv4
client, it seems that the ca_list indicated in [client:default] overrides the
one in the client-specific config. If I don't include the client's CA in the
[client:default] section, I get the following, regardless of what is in
[client:204.74.213.5:5061].
ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/crt.pem
verify_depth = 2
# In order for the client below to work, the ca_list here needs to support #
contain the CA for the specific client. Not sure why, maybe a bug?
#ca_list = /etc/pki/CA/myownCA.pem # Can't use this one
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CA's
[client:204.74.213.5:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
verify_depth = 2
ca_list = /etc/kamailio/204.74.213.5.crt.pem
I noticed that this one is hard to match because it specifies the
local socket, but the kernel returns a random local port when doing a
connect. The matching should be changed to be done on an xavp or the
forced socket. I made a note on the commit:
-
https://github.com/kamailio/kamailio/commit/9a36fb7aae0adc39efb17a967a88db2…
It is on my list to solve it, but no time so far.
2. When attempting to configure TLS settings for connecting to a specific IPv6
client, I cannot figure out the syntax needed to specify the IPv6 client.
What is the proper syntax?
With [client:[2607:5300:60:1f93::0]:5061], I get:
ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address
Perhaps it is an issue in the parser of the config, I will look at it.
Cheers,
Daniel
Any guidance is appreciated. Thanks. -A
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com
11:31 p.m.
New subject: 2 TLS issues/questions: per-client config & IPv6 client
I just pushed a patch to lookup client tls profile using bind address
(if available), instead of local source address for the connection,
trying to avoid matching on a randomly allocated port by os.
Let me know if works fine.
Cheers,
Daniel
On 23/02/15 11:26, Daniel-Constantin Mierla wrote:
Hello,
can you try with latest master? After just quick view of sources, I
spotted some issue identifying ipv6 address and pushed a small patch
for it, but no time to test it for now.
Cheers,
Daniel
On 23/02/15 10:01, Daniel-Constantin Mierla wrote:
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com
Hello,
On 23/02/15 02:16, Anthony Messina wrote:
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com I'm wondering if anyone can point me in the
right direction for the following
two issues with Kamailio and tls.cfg
1. When attempting to configure TLS settings for connecting to a specific IPv4
client, it seems that the ca_list indicated in [client:default] overrides the
one in the client-specific config. If I don't include the client's CA in the
[client:default] section, I get the following, regardless of what is in
[client:204.74.213.5:5061].
ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/crt.pem
verify_depth = 2
# In order for the client below to work, the ca_list here needs to support #
contain the CA for the specific client. Not sure why, maybe a bug?
#ca_list = /etc/pki/CA/myownCA.pem # Can't use this one
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CA's
[client:204.74.213.5:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
verify_depth = 2
ca_list = /etc/kamailio/204.74.213.5.crt.pem
I noticed that this one is hard to match because it specifies the
local socket, but the kernel returns a random local port when doing a
connect. The matching should be changed to be done on an xavp or the
forced socket. I made a note on the commit:
-
https://github.com/kamailio/kamailio/commit/9a36fb7aae0adc39efb17a967a88db2…
It is on my list to solve it, but no time so far.
2. When attempting to configure TLS settings for
connecting to a specific IPv6
client, I cannot figure out the syntax needed to specify the IPv6 client.
What is the proper syntax?
With [client:[2607:5300:60:1f93::0]:5061], I get:
ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address
Perhaps it is an issue in the parser of the config, I will look at it.
Cheers,
Daniel
Any guidance is appreciated. Thanks. -A
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com
24 Feb
24 Feb
12:08 a.m.
New subject: 2 TLS issues/questions: per-client config & IPv6 client
On Monday, February 23, 2015 11:31:27 PM Daniel-Constantin Mierla wrote:
I just pushed a patch to lookup client tls profile
using bind address (if
available), instead of local source address for the connection, trying to
avoid matching on a randomly allocated port by os.
Let me know if works fine.
Do have the commit of the patch for reference? The last github commit I can
pull on master is
https://github.com/kamailio/kamailio/commit/b9e5b9181c0f9c315e0f27ad96f69d5…
which doesn't seem related.
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
23 Feb
23 Feb
11:58 p.m.
New subject: 2 TLS issues/questions: per-client config & IPv6 client
Thanks, Daniel. I'll be rebuilding with the recent changes this evening. A
few clarification requests inline below...
On Monday, February 23, 2015 11:26:27 AM Daniel-Constantin Mierla wrote:
Hello,
can you try with latest master? After just quick view of sources, I spotted
some issue identifying ipv6 address and pushed a small patch for it, but no
time to test it for now.
Cheers,
Daniel
On 23/02/15 10:01, Daniel-Constantin Mierla wrote:
Hello,
On 23/02/15 02:16, Anthony Messina wrote:
I'm wondering if anyone can point me in the right direction for the
following two issues with Kamailio and tls.cfg
1. When attempting to configure TLS settings for connecting to a specific
IPv4 client, it seems that the ca_list indicated in [client:default]
overrides the one in the client-specific config. If I don't include the
client's CA in the [client:default] section, I get the following,
regardless of what is in [client:204.74.213.5:5061].
ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/crt.pem
verify_depth = 2
# In order for the client below to work, the ca_list here needs to support #
contain the CA for the specific client. Not sure why, maybe a bug? #ca_list
= /etc/pki/CA/myownCA.pem # Can't use this one
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CA's
[client:204.74.213.5:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
verify_depth = 2
ca_list = /etc/kamailio/204.74.213.5.crt.pem
I noticed that this one is hard to match because it specifies the local
socket, but the kernel returns a random local port when doing a connect.
The matching should be changed to be done on an xavp or the forced socket.
I made a note on the commit:
-
https://github.com/kamailio/kamailio/commit/9a36fb7aae0adc39efb17a967a88db2
eebfd8c36
It is on my list to solve it, but no time so far.
I'm not sure I follow you here. Kamailio is sending an outbound connection to
[client:204.74.213.5:5061] -- I'm not specifying the local socket, but the
remote endpoint, as far as I can tell, based on the iptel.org example in the
tls.cfg file below. I have not yet begun to use the new SNI features. How
did this work prior to the SNI implementation? I ask because Kamailio (acting
as the client in this case) is connecting to a TLS server set via LCR with the
destination 204.74.213.5:5061.
# Special settings for the iptel.org public SIP
# server. We do not verify the certificate of the
# server because it can be expired. The server
# implements authentication using SSL client
# certificates so configure the client certificate
# that was given to use by iptel.org staff here.
#
#[client:195.37.77.101:5061]
#verify_certificate = no
#certificate = /etc/kamailio/iptel_client.pem
#private_key = /etc/kamailio/iptel_key.pem
#ca_list = /etc/kamailio/iptel_ca.pem
#crl = /etc/kamailio/iptel_crl.pem
2. When attempting to configure TLS settings for
connecting to a specific
IPv6 client, I cannot figure out the syntax needed to specify the IPv6
client. What is the proper syntax?
With [client:[2607:5300:60:1f93::0]:5061], I get:
ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6
address
Perhaps it is an issue in the parser of the config, I will look at it.
So after
https://github.com/kamailio/kamailio/commit/4b682e15fcd14fc3eb153865c207116…
are the following IPv6 syntax is correct? Is the port necessary? I was unsure
of the nested brackets.
[client:[2607:5300:60:1f93::0]:5061]
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
24 Feb
24 Feb
4:09 a.m.
New subject: 2 TLS issues/questions: per-client config & IPv6 client
On Monday, February 23, 2015 11:26:27 AM Daniel-Constantin Mierla wrote:
Hello,
can you try with latest master? After just quick view of sources, I spotted
some issue identifying ipv6 address and pushed a small patch for it, but no
time to test it for now.
Cheers,
Daniel
<snip>
2. When attempting to configure TLS settings for connecting to a specific
IPv6 client, I cannot figure out the syntax needed to specify the IPv6
client. What is the proper syntax?
With [client:[2607:5300:60:1f93::0]:5061], I get:
ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6
address
Unfortunately, with master@b9e5b91 and [client:[2607:5300:60:1f93::0]:5061] in
tls.cfg:
kamailio[32495]: ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9:
Invalid IPv6 address
kamailio[32495]: ERROR: <core> [sr_module.c:945]: init_mod(): Error while
initializing module tls (/usr/lib64/kamailio/modules/tls.so)
kamailio[32495]: : tls [tls_locking.c:103]: locking_f(): BUG: tls: locking_f
(callback): invalid lock number: 12 (range 0 - 0), called from ssl_lib.c:345
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
12:32 p.m.
New subject: 2 TLS issues/questions: per-client config & IPv6 client
Hello,
can you try again with the latest master -- it should have fixed the
part with ipv6.
The other issue with matching client profile was changed to ignore port
if it is 0 in the tls.cfg definition -- can you try to see if works?
Cheers,
Daniel
On 24/02/15 04:09, Anthony Messina wrote:
On Monday, February 23, 2015 11:26:27 AM
Daniel-Constantin Mierla wrote:
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com
Hello,
can you try with latest master? After just quick view of sources, I spotted
some issue identifying ipv6 address and pushed a small patch for it, but no
time to test it for now.
Cheers,
Daniel
<snip>
2. When attempting to configure TLS settings for
connecting to a specific
IPv6 client, I cannot figure out the syntax needed to specify the IPv6
client. What is the proper syntax?
With [client:[2607:5300:60:1f93::0]:5061], I get:
ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6
address
Unfortunately, with master@b9e5b91 and
[client:[2607:5300:60:1f93::0]:5061] in
tls.cfg:
kamailio[32495]: ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9:
Invalid IPv6 address
kamailio[32495]: ERROR: <core> [sr_module.c:945]: init_mod(): Error while
initializing module tls (/usr/lib64/kamailio/modules/tls.so)
kamailio[32495]: : tls [tls_locking.c:103]: locking_f(): BUG: tls: locking_f
(callback): invalid lock number: 12 (range 0 - 0), called from ssl_lib.c:345
1:02 p.m.
New subject: 2 TLS issues/questions: per-client config & IPv6 client
On Tuesday, February 24, 2015 12:32:38 Daniel-Constantin Mierla wrote:
Hello,
can you try again with the latest master -- it should have fixed the
part with ipv6.
The other issue with matching client profile was changed to ignore port
if it is 0 in the tls.cfg definition -- can you try to see if works?
Cheers,
Daniel
Yes Daniel, I'll try it again this evening when I get home from work. Thanks
again! -A
On 24/02/15 04:09, Anthony Messina wrote:
> On Monday, February 23, 2015 11:26:27 AM Daniel-Constantin Mierla wrote:
>> Hello,
>>
>> can you try with latest master? After just quick view of sources, I
>> spotted
>> some issue identifying ipv6 address and pushed a small patch for it, but
>> no
>> time to test it for now.
>>
>> Cheers,
>> Daniel
>
> <snip>
>
>> 2. When attempting to configure TLS settings for connecting to a specific
>> IPv6 client, I cannot figure out the syntax needed to specify the IPv6
>> client. What is the proper syntax?
>>
>> With [client:[2607:5300:60:1f93::0]:5061], I get:
>> ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6
>> address
>
> Unfortunately, with master@b9e5b91 and
> [client:[2607:5300:60:1f93::0]:5061] in tls.cfg:
>
> kamailio[32495]: ERROR: tls [tls_config.c:71]: parse_ipv6():
> tls.cfg:57:9:
> Invalid IPv6 address
> kamailio[32495]: ERROR: <core> [sr_module.c:945]: init_mod(): Error while
> initializing module tls (/usr/lib64/kamailio/modules/tls.so)
> kamailio[32495]: : tls [tls_locking.c:103]: locking_f(): BUG: tls:
> locking_f (callback): invalid lock number: 12 (range 0 - 0), called
> from ssl_lib.c:345
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
25 Feb
25 Feb
2:30 a.m.
New subject: 2 TLS issues/questions: per-client config & IPv6 client
On Tuesday, February 24, 2015 12:32:38 PM Daniel-Constantin Mierla wrote:
Hello,
can you try again with the latest master -- it should have fixed the
part with ipv6.
Using [client:[2607:5300:60:1f93::0]:0] in tls.cfg, it looks like the IPv6
part works. Thank you.
The other issue with matching client profile was changed to ignore port
if it is 0 in the tls.cfg definition -- can you try to see if works?
This part doesn't seem to work. I still need need to have the ca_list in
[client:default] contain the remote server's certificate or else I get:
Using either [client:204.74.213.5:0] or [client:[2607:5300:60:1f93::0]:0] in
tls.cfg:
ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ERROR: <core> [tcp_read.c:1296]: tcp_read_req(): ERROR: tcp_read_req: error
reading
Cheers,
Daniel
On 24/02/15 04:09, Anthony Messina wrote:
> On Monday, February 23, 2015 11:26:27 AM Daniel-Constantin Mierla wrote:
>> Hello,
>>
>> can you try with latest master? After just quick view of sources, I
>> spotted
>> some issue identifying ipv6 address and pushed a small patch for it, but
>> no
>> time to test it for now.
>>
>> Cheers,
>> Daniel
>
> <snip>
>
>> 2. When attempting to configure TLS settings for connecting to a specific
>> IPv6 client, I cannot figure out the syntax needed to specify the IPv6
>> client. What is the proper syntax?
>>
>> With [client:[2607:5300:60:1f93::0]:5061], I get:
>> ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6
>> address
>
> Unfortunately, with master@b9e5b91 and
> [client:[2607:5300:60:1f93::0]:5061] in tls.cfg:
>
> kamailio[32495]: ERROR: tls [tls_config.c:71]: parse_ipv6():
> tls.cfg:57:9:
> Invalid IPv6 address
> kamailio[32495]: ERROR: <core> [sr_module.c:945]: init_mod(): Error while
> initializing module tls (/usr/lib64/kamailio/modules/tls.so)
> kamailio[32495]: : tls [tls_locking.c:103]: locking_f(): BUG: tls:
> locking_f (callback): invalid lock number: 12 (range 0 - 0), called
> from ssl_lib.c:345
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
3370
days inactive
3372
days old
9 comments
2 participants
participants (2)
-
Anthony Messina -
Daniel-Constantin Mierla