I found that my TLS client was not happy because my server cert is signed by an intermediate root.
A quick search in Google found other people mentioning the same problem, but no solution or documentation.
I've had a quick look in the Kamailio source and I notice it is using the call:
SSL_CTX_use_certificate_chain_file
to load the certificate specified in tls.cfg with
certificate=myserver.pem
In practice, this means the intermediate certificates can be appended to myserver.pem and Kamailio will present them to the TLS client:
Example:
Trust hierarchy:
trusted root - inter 1 - inter 2 - server.example.com.pem
Construct the PEM file in this exact order:
cat server.example.com.pem > chain-server.example.com.pem
cat inter2.pem >> chain-server.example.com.pem
cat inter1.pem >> chain-server.example.com.pem
and then, in tls.cfg:
certificate=chain-server.example.com.pem
On 29 Jan 2012, at 13:11, Daniel Pocock wrote:
> In practice, this means the intermediate certificates can be appended to myserver.pem and Kamailio will present them to the TLS client:
> [...]
> Construct the PEM file in this exact order:
> cat server.example.com.pem > chain-server.example.com.pem
> cat inter2.pem >> chain-server.example.com.pem
> cat inter1.pem >> chain-server.example.com.pem
> and then, in tls.cfg:
> certificate=chain-server.example.com.pem
This applies to almost all OpenSSL based implementations. But it should be documented somewhere.
/O
> This applies to almost all OpenSSL based implementations. But it should be documented somewhere.
This post will probably end up in Google, so people will find it that way (including me, when I've forgotten this little detail at some point in the future).
It's a little bit different in Apache, where the user specifies a file containing the intermediate certs. Many of the CAs give instructions for adding that file in Apache, but they make no mention of OpenSSL/Kamailio/concatenating everything, so I imagine people will get stuck on things like this.
2012/1/29 Daniel Pocock daniel@pocock.com.au:
> It's a little bit different in Apache, where the user specifies a file containing intermediate certs - many of the CAs give instructions for adding that file in Apache, but they make no mention of OpenSSL/Kamailio/concatenating everything, so I imagine people will get stuck on things like this
If your certificate is not signed by a root CA then you will be also provided with an intermediary certificate which is signed by a root CA, and that intermediary certificate validates yours.
So to use it, you must take your public certificate and the intermediate certificate in PEM format and concatenate both, having your public certificate at the top of the resulting file.
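A worked version of the procedure Daniel and Iñaki describe above, added here as an example and not code from this thread or from Kamailio: it builds a throw-away root -> inter1 -> inter2 -> server.example.com hierarchy with openssl, concatenates the server certificate and the two intermediates in leaf-to-root order (the trusted root is left out, since the client must already hold it), and then checks that order before the file goes into tls.cfg. The check is the property SSL_CTX_use_certificate_chain_file relies on: the first certificate in the file is the server's own, and each following certificate is the issuer of the one before it. The subject names, the 30-day validity, the demo.cnf extension sections and the scratch directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from this thread or from Kamailio. Builds a throw-away
# root -> inter1 -> inter2 -> server.example.com hierarchy with openssl, assembles
# the chain file in the order SSL_CTX_use_certificate_chain_file expects (server
# certificate first, then intermediates leaf-to-root, trusted root left out) and
# checks that order before the file goes into tls.cfg. Subject names, validity
# period, extension sections and the scratch directory are assumptions for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
cd "$WORK"
echo "working in $WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.com
EOF

# issue NAME CN ISSUER EXT_SECTION: self-signed when ISSUER is "self",
# otherwise a CSR for NAME is signed with ISSUER's key.
issue() {
    name=$1 cn=$2 issuer=$3 ext=$4
    if [ "$issuer" = self ]; then
        openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$name.key" \
            -out "$name.pem" -subj "/CN=$cn" -days 30 \
            -config demo.cnf -extensions "$ext" 2>/dev/null
    else
        openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
            -out "$name.csr" -subj "/CN=$cn" -config demo.cnf 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -out "$name.pem" -days 30 \
            -extfile demo.cnf -extensions "$ext" 2>/dev/null
    fi
}

issue root   "Test Root"        self   ca_ext
issue inter1 "Test Inter 1"     root   ca_ext
issue inter2 "Test Inter 2"     inter1 ca_ext
issue server server.example.com inter2 server_ext

# The step from the thread: server cert first, then the intermediates in
# leaf-to-root order. The root is not included; the client must already trust it.
cat server.pem inter2.pem inter1.pem > chain-server.pem

# nth_cert FILE N: print the Nth PEM certificate block of FILE.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ }
                   i == n { print }
                   /-----END CERTIFICATE-----/ { if (i == n) exit }' "$1"
}

# cert_dn FILE subject|issuer: the DN of the first certificate in FILE, without
# the "subject=" / "issuer=" prefix so the two can be compared directly.
cert_dn() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[^=]*=//'; }

# cert_fp FILE: SHA-256 fingerprint of the first certificate in FILE.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# check_chain_order BUNDLE LEAF: succeed only if BUNDLE starts with LEAF and
# every following certificate is the issuer of the one before it.
check_chain_order() {
    bundle=$1 leaf=$2
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$n" -ge 1 ] || return 1
    nth_cert "$bundle" 1 > first.tmp
    [ "$(cert_fp first.tmp)" = "$(cert_fp "$leaf")" ] || return 1
    i=1
    while [ "$i" -lt "$n" ]; do
        nth_cert "$bundle" "$i" > a.tmp
        nth_cert "$bundle" $((i + 1)) > b.tmp
        [ "$(cert_dn a.tmp issuer)" = "$(cert_dn b.tmp subject)" ] || return 1
        i=$((i + 1))
    done
}

if check_chain_order chain-server.pem server.pem; then
    echo "chain-server.pem: order OK (leaf first, issuers follow)"
else
    echo "chain-server.pem: WRONG ORDER" >&2
    exit 1
fi
# Independently of the order, confirm the bundle really links the server
# certificate to the root a client would hold.
openssl verify -CAfile root.pem -untrusted chain-server.pem server.pem
```

Run it as-is to see the check pass; feed check_chain_order a bundle with the intermediates swapped, or with an intermediate in front of the server certificate, and it returns non-zero, which is the mistake the "exact order" instruction above guards against. Once the real chain file is in tls.cfg and Kamailio has been restarted, openssl s_client -connect server.example.com:5061 -showcerts (assuming the default SIP-over-TLS port) prints exactly the certificates the server now presents, in the order it sends them.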
On 29/01/12 21:47, Iñaki Baz Castillo wrote:
> If your certificate is not signed by a root CA then you will be also provided with an intermediary certificate which is signed by a root CA, and that intermediary certificate validates yours.
> So to use it, you must take your public certificate and the intermediate certificate in PEM format and concatenate both, having your public certificate at the top of the resulting file.
Yes, that is exactly what I described in my original post - it is working fine too
I notice that Asterisk needs to be patched to do it the way Kamailio does:
On 29 Jan 2012, at 22:27, Daniel Pocock wrote:
> Yes, that is exactly what I described in my original post - it is working fine too
> I notice that Asterisk needs to be patched to do it the way Kamailio does:
The Asterisk TCP/TLS implementation is marked experimental for a reason. And it's been that way for many years.
/O
> The Asterisk TCP/TLS implementation is marked experimental for a reason. And it's been that way for many years.
All the more reason for people to use a product like Kamailio as the 'hub' of their SIP network, and keep Asterisk as a service hanging off the side.
Hello,
On 1/29/12 2:53 PM, Daniel Pocock wrote:
> Construct the PEM file in this exact order:
> cat server.example.com.pem > chain-server.example.com.pem
> cat inter2.pem >> chain-server.example.com.pem
> cat inter1.pem >> chain-server.example.com.pem
> and then, in tls.cfg:
> certificate=chain-server.example.com.pem
> [...]
> This post will probably end up in Google - so people will find it that way (including me, when I've forgotten this little detail at some point in the future)
We can include your notes in the readme; they may help people looking for the same subject in the future.
If you create a patch against a docbook xml file in modules/tls/doc/*.xml, adding a new section or extending Important Notes, then we will commit it.
As a general policy, we are always happy to get improvements to documentation; for large enhancements we can allow git commit as well.
Cheers, Daniel