Hi All
I want to encrypt the communication between the softphone and OpenSER. I have compiled 1.3 with TLS support and I am using the default certs that come with the source code and are located in
/usr/local/etc/openser/tls/user
My TLS config looks as follows
disable_tls = no
listen = tls:xx.xx.xx.xx:443
tls_verify_server = 1
tls_verify_client = 1
tls_require_client_certificate = 0
tls_method = TLSv1
tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"
tls_ca_list = "/usr/local/etc/openser/tls/user/user-calist.pem"
I am getting the following error on my softphone
ERROR:core:tls_accept: some error in SSL:
ERROR:core:tls_print_errstack: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Any suggestions?
Thx
Ali Jawad wrote:
> ERROR:core:tls_print_errstack: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
The server presents a certificate and the client will verify the certificate. Verification is done by the client by inspecting whether the CA which signed the server's certificate is one of the local trusted (well-known) CAs (certificate authorities).
Thus, you have to import the CA certificate into your SIP client.
regards klaus
(read some SSL tutorials to understand how it works)
Dear Klaus
Thank you for your prompt reply. I can't find a place to import certs in X-Lite. I will need to investigate this more. Is there any possible way to encrypt communication between the server and the client without any action on the client side?
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: Friday, February 22, 2008 4:55 PM
To: Ali Jawad
Cc: users@lists.openser.org
Subject: Re: [OpenSER-Users] Probs With TLS Certificate
Ali Jawad wrote:
> ERROR:core:tls_print_errstack: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
The server presents a certificate and the client will verify the certificate. Verification is done by the client by inspecting whether the CA which signed the server's certificate is one of the local trusted (well-known) CAs (certificate authorities).
Thus, you have to import the CA certificate into your SIP client.
regards klaus
(read some SSL tutorials to understand how it works)
Ali Jawad wrote:
> Dear Klaus
> Thank you for your prompt reply. I can't find a place to import certs in X-Lite. I will need to investigate this more. Is there any possible way
X-Lite uses the certificate store of Windows (e.g. System Settings -> Internet -> ... -> Certificates).
> to encrypt communication between the server and the client without any action on the client side.
If you want to avoid that the clients have to import your CA certificate, you can buy a certificate from one of the "trusted" CAs which are already installed in the CA store (e.g. Verisign, Thawte, ...).
regards klaus
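
The check Klaus describes (does the client trust the CA that signed the server's certificate?) can be reproduced offline with openssl. The following is an added example, not part of the thread or of OpenSER; the CA, host name and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, not the certificates shipped with OpenSER.
# "Demo SIP CA", "Unrelated CA" and sip.example.test are made-up names.

# make_demo_pki DIR: create a CA, a server cert signed by it, and an unrelated CA.
make_demo_pki() {
    dir=$1
    # Self-signed CA, playing the role of the CA behind the server certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo SIP CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null || return 1
    # Server key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
        -keyout "$dir/srv-key.pem" -out "$dir/srv.csr" 2>/dev/null || return 1
    # Server certificate issued by the demo CA.
    openssl x509 -req -in "$dir/srv.csr" -days 1 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/srv-cert.pem" 2>/dev/null || return 1
    # Unrelated CA, standing in for a client trust store that lacks the demo CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$dir/other-key.pem" -out "$dir/other-cert.pem" 2>/dev/null || return 1
}

# chain_ok CAFILE CERT: succeed only if CERT chains to a CA listed in CAFILE.
# This is the decision the TLS client makes before it accepts the server.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demo run.
d=$(mktemp -d)
make_demo_pki "$d" || { echo "openssl setup failed" >&2; exit 1; }
if chain_ok "$d/ca-cert.pem" "$d/srv-cert.pem"; then
    echo "client trusts the signing CA: server certificate verifies"
fi
if ! chain_ok "$d/other-cert.pem" "$d/srv-cert.pem"; then
    echo "client lacks the signing CA: verification fails (unknown ca)"
fi
rm -rf "$d"
```

To run the same check on the files from the configuration above, call chain_ok with /usr/local/etc/openser/tls/user/user-calist.pem and /usr/local/etc/openser/tls/user/user-cert.pem. The softphone needs the corresponding CA certificate in its own trust store for the handshake to succeed.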