now that 3.1 has async tls support, i decided (first time ever) to try to test tls. things went quite smoothly when i followed "Create Certificates to be used with Kamailio" document
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_cert...
during the process, i fixed a typo in the doc, added two comments to cfg part:
    enable_tls=1
    tcp_async=no            # do not include in 3.1
    listen=udp:0.0.0.0:5060
    listen=tcp:0.0.0.0:5060
    listen=tls:0.0.0.0:5061 # not needed in 3.1
and fixed wrong file references in client configurations:
eyebeam: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the Windows PC and add it to the Windows certificate store (Start→Control Panel→Internet)
QjSimple: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the client PC and configure QjSimple to use this CA (“TLS CA file” and “verify TLS server certificate”)
earlier the paths pointed to certs/sip.mydomain.com files, which i think were wrong. at least i was not able to get them working.
perhaps someone who is more familiar with tls stuff could verify the above changes.
-- juha
I added a note about configuring Snom phones to connect over TLS and created a section from that part: http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_tls_and_...
Also, in my configs I set:
tcp_connection_lifetime=3610
Which is slightly higher than the max allowed registration time. Some clients do not reconnect if the tcp/tls connection is closed by the server. Maybe we should add this one to the wiki as well.
Cheers, Daniel
On 9/30/10 5:27 PM, Juha Heinanen wrote:
now that 3.1 has async tls support, i decided (first time ever) to try to test tls. things went quite smoothly when i followed "Create Certificates to be used with Kamailio" document
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_cert...
during the process, i fixed a typo in the doc, added two comments to cfg part:
    enable_tls=1
    tcp_async=no            # do not include in 3.1
    listen=udp:0.0.0.0:5060
    listen=tcp:0.0.0.0:5060
    listen=tls:0.0.0.0:5061 # not needed in 3.1
and fixed wrong file references in client configurations:
eyebeam: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the Windows PC and add it to the Windows certificate store (Start→Control Panel→Internet)
QjSimple: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the client PC and configure QjSimple to use this CA (“TLS CA file” and “verify TLS server certificate”)
earlier the paths pointed to certs/sip.mydomain.com files, which i think were wrong. at least i was not able to get them working.
perhaps someone who is more familiar with tls stuff could verify the above changes.
-- juha
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
one question about the certificate tutorial: is something else needed in the config or certificate business, when sr talks over tls with another sip proxy, e.g. another sr? namely in that case sr may be in client role when tls session is established.
-- juha
On Sep 30, 2010 at 18:44, Juha Heinanen jh@tutpro.com wrote:
one question about the certificate tutorial: is something else needed in the config or certificate business, when sr talks over tls with another sip proxy, e.g. another sr? namely in that case sr may be in client role when tls session is established.
Nothing special is needed. However if you want to have different certificates in function of the role, or who you are talking with, you need to use a separate tls config file (http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#...)
Andrei
Andrei Pelinescu-Onciul writes:
However if you want to have different certificates in function of the role (server or client), or who you are talking with, you need to use a separate tls config file (http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#...)
ok thanks. i added a note about that to the tuto.
one more thing i would like to add to the tuto if someone knows the answer: how to capture/see sip over ssl packets in the proxy host using wireshark, ngrep, or something?
-- juha
On Sep 30, 2010 at 19:56, Juha Heinanen jh@tutpro.com wrote:
Andrei Pelinescu-Onciul writes:
However if you want to have different certificates in function of the role (server or client), or who you are talking with, you need to use a separate tls config file (http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#...)
ok thanks. i added a note about that to the tuto.
one more thing i would like to add to the tuto if someone knows the answer: how to capture/see sip over ssl packets in the proxy host using wireshark, ngrep, or something?
ssldump -k modules/tls/sip-router-selfsigned.key tcp and port 5061
Andrei
Andrei Pelinescu-Onciul writes:
one more thing i would like to add to the tuto if someone knows the answer: how to capture/see sip over ssl packets in the proxy host using wireshark, ngrep, or something?
ssldump -k modules/tls/sip-router-selfsigned.key tcp and port 5061
i tried with command
ssldump -i any -k /etc/sip-proxy/certs/sip-proxy/key.pem tcp and port 5061
where /etc/sip-proxy/certs/sip-proxy/key.pem is the same file as specified as tls module private key:
modparam("tls", "private_key", "/etc/sip-proxy/certs/sip-proxy/key.pem")
nothing comes to the console. i must have misunderstood the command. i also tried with -i eth0, but it didn't help.
-- juha
Juha Heinanen writes:
i tried with command
ssldump -i any -k /etc/sip-proxy/certs/sip-proxy/key.pem tcp and port 5061
where /etc/sip-proxy/certs/sip-proxy/key.pem is the same file as specified as tls module private key:
modparam("tls", "private_key", "/etc/sip-proxy/certs/sip-proxy/key.pem")
nothing comes to the console. i must have misunderstood the command. i also tried with -i eth0, but it didn't help.
i was able to figure out how to do it using wireshark. one needs to go to Preferences/Protocols/SSL and there add to the RSA keys list:
<ip-of-sip-proxy>,5061,sip,/etc/certs/sip.mydomain.com/key.pem
then in Options specify 'port 5061'. after that, new ssl connections will be shown in clear.
i don't know why ssldump didn't work with the same key.pem file.
-- juha
Am 30.09.2010 21:20, schrieb Juha Heinanen:
Juha Heinanen writes:
i tried with command
ssldump -i any -k /etc/sip-proxy/certs/sip-proxy/key.pem tcp and port 5061
where /etc/sip-proxy/certs/sip-proxy/key.pem is the same file as specified as tls module private key:
modparam("tls", "private_key", "/etc/sip-proxy/certs/sip-proxy/key.pem")
nothing comes to the console. i must have misunderstood the command. i also tried with -i eth0, but it didn't help.
i was able to figure out how to do it using wireshark. one needs to go to Preferences/Protocols/SSL and there add to the RSA keys list:
<ip-of-sip-proxy>,5061,sip,/etc/certs/sip.mydomain.com/key.pem
then in Options specify 'port 5061'. after that, new ssl connections will be shown in clear.
i don't know why ssldump didn't work with the same key.pem file.
Just a note: this only works when non-DH ciphers are used. I added a wiki page: http://www.kamailio.org/dokuwiki/doku.php/tls:tls-decoding
regards Klaus
On Sep 30, 2010 at 21:12, Juha Heinanen jh@tutpro.com wrote:
Andrei Pelinescu-Onciul writes:
one more thing i would like to add to the tuto if someone knows the answer: how to capture/see sip over ssl packets in the proxy host using wireshark, ngrep, or something?
ssldump -k modules/tls/sip-router-selfsigned.key tcp and port 5061
i tried with command
ssldump -i any -k /etc/sip-proxy/certs/sip-proxy/key.pem tcp and port 5061
where /etc/sip-proxy/certs/sip-proxy/key.pem is the same file as specified as tls module private key:
modparam("tls", "private_key", "/etc/sip-proxy/certs/sip-proxy/key.pem")
nothing comes to the console. i must have misunderstood the command. i also tried with -i eth0, but it didn't help.
For me it doesn't work with -i any, but works with -i eth0.
To quickly create a test tls connection I use: openssl s_client -connect host:5061 -tls1
Andrei
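An added example (not code from the thread or from sip-router) that ties Klaus's remark about non-DH ciphers to Andrei's `openssl s_client -tls1` test connection: it reads the SSL-Session block that s_client prints, reports whether the certificate verified, and tells you whether Wireshark's RSA keys list (the entry format Juha found) or `ssldump -k` can decode the session with the server's key.pem at all. The s_client excerpts are constructed, and the list of (EC)DH cipher-name prefixes is my own assumption about OpenSSL naming.

```python
import re

# Constructed excerpts of `openssl s_client -connect host:5061 -tls1` output;
# the real command prints much more, only the SSL-Session block matters here.
S_CLIENT_RSA_KEX = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
"""
S_CLIENT_DHE_KEX = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# Assumed OpenSSL cipher-name prefixes whose key exchange is (EC)DH: the
# session secret is never encrypted to the server's RSA key, so Klaus's
# note applies and the private key alone cannot decode the capture.
DH_PREFIXES = ('DHE-', 'EDH-', 'DH-', 'ECDHE-', 'EECDH-', 'ECDH-', 'ADH-', 'AECDH-')

def session_info(output):
    """Extract (cipher, verify_code) from s_client output."""
    cipher = re.search(r'^\s*Cipher\s*:\s*(\S+)', output, re.M)
    verify = re.search(r'Verify return code:\s*(\d+)', output)
    if not cipher or not verify:
        raise ValueError('no SSL-Session block found in output')
    return cipher.group(1), int(verify.group(1))

def rsa_key_decodable(cipher):
    """True when the cipher uses plain RSA key exchange, i.e. Wireshark's
    RSA keys list or ssldump -k can recover the session with key.pem."""
    return cipher != '(NONE)' and not cipher.startswith(DH_PREFIXES)

def wireshark_rsa_entry(proxy_ip, key_path, port=5061, protocol='sip'):
    """One line for Preferences/Protocols/SSL -> RSA keys list."""
    return f'{proxy_ip},{port},{protocol},{key_path}'

def diagnose(output):
    """Return (cipher, notes) explaining why verification or decoding fails."""
    cipher, code = session_info(output)
    notes = []
    if code != 0:
        notes.append(f'verify code {code}: client lacks the CA cert (use -CAfile)')
    if not rsa_key_decodable(cipher):
        notes.append(f'{cipher} negotiates a DH key; RSA key decoding will not work')
    return cipher, notes
```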
You are right. Thanks for fixing my bugs :-)
Klaus
Am 30.09.2010 17:27, schrieb Juha Heinanen:
now that 3.1 has async tls support, i decided (first time ever) to try to test tls. things went quite smoothly when i followed "Create Certificates to be used with Kamailio" document
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_cert...
during the process, i fixed a typo in the doc, added two comments to cfg part:
    enable_tls=1
    tcp_async=no            # do not include in 3.1
    listen=udp:0.0.0.0:5060
    listen=tcp:0.0.0.0:5060
    listen=tls:0.0.0.0:5061 # not needed in 3.1
and fixed wrong file references in client configurations:
eyebeam: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the Windows PC and add it to the Windows certificate store (Start→Control Panel→Internet)
QjSimple: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the client PC and configure QjSimple to use this CA (“TLS CA file” and “verify TLS server certificate”)
earlier the paths pointed to certs/sip.mydomain.com files, which i think were wrong. at least i was not able to get them working.
perhaps someone who is more familiar with tls stuff could verify the above changes.
-- juha
On Sep 30, 2010 at 18:27, Juha Heinanen jh@tutpro.com wrote:
now that 3.1 has async tls support, i decided (first time ever) to try to test tls. things went quite smoothly when i followed "Create Certificates to be used with Kamailio" document
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_cert...
during the process, i fixed a typo in the doc, added two comments to cfg part:
    enable_tls=1
    tcp_async=no            # do not include in 3.1
    listen=udp:0.0.0.0:5060
    listen=tcp:0.0.0.0:5060
    ^^^^^^^^ it should not be 0.0.0.0 but an actual IP. If you use 0.0.0.0 you _must_ set advertised_address or you will have some strange Vias && RRs.
    listen=tls:0.0.0.0:5061 # not needed in 3.1
    ^^^^^^^^^^^^^^^^ - it's optional only if you have another listen which does not specify the protocol (e.g. listen=10.0.0.2:5060 or listen=10.0.0.2). In this case ser will listen on all protocols on the default port. This is true also for 3.0 and at least for all ser versions.
In general I use http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#... as a quick setup reminder.
Andrei
Andrei Pelinescu-Onciul writes:
    enable_tls=1
    tcp_async=no            # do not include in 3.1
    listen=udp:0.0.0.0:5060
    listen=tcp:0.0.0.0:5060
    ^^^^^^^^ it should not be 0.0.0.0 but an actual IP. If you use 0.0.0.0 you _must_ set advertised_address or you will have some strange Vias && RRs.
    listen=tls:0.0.0.0:5061 # not needed in 3.1
    ^^^^^^^^^^^^^^^^ - it's optional only if you have another listen which does not specify the protocol (e.g. listen=10.0.0.2:5060 or listen=10.0.0.2). In this case ser will listen on all protocols on the default port. This is true also for 3.0 and at least for all ser versions.
ok, fixed.
In general I use http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#... as a quick setup reminder.
i read that too, but it was not as easy to follow as the tuto.
-- juha
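An added example (my own code, not from the thread or from sip-router/Kamailio) that checks a cfg fragment for the three pitfalls raised above: Andrei's two points (a 0.0.0.0 listen needs advertised_address; the tls listen may only be omitted when another listen carries no protocol) and Daniel's tcp_connection_lifetime rule. It assumes a simplified `listen=[proto:]addr[:port]` syntax without IPv6, and a registrar max_expires of 3600 seconds, which is not stated on the page.

```python
import re

# Constructed sample: the wiki cfg fragment this thread discusses.
SAMPLE_CFG = """\
enable_tls=1
tcp_async=no            # do not include in 3.1
listen=udp:0.0.0.0:5060
listen=tcp:0.0.0.0:5060
listen=tls:0.0.0.0:5061 # not needed in 3.1
tcp_connection_lifetime=3610
"""

# listen=[proto:]addr[:port]; addr is an IPv4 address or interface name here.
LISTEN_RE = re.compile(r'^listen=(?:(udp|tcp|tls|sctp):)?([^:\s]+)(?::(\d+))?$')

def parse_cfg(text):
    """Return ({key: value}, [(proto_or_None, addr, port_or_None)])."""
    settings, listens = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop trailing comments
        if '=' not in line:
            continue
        match = LISTEN_RE.match(line)
        if match:
            listens.append(match.groups())
        else:
            key, value = line.split('=', 1)
            settings[key.strip()] = value.strip()
    return settings, listens

def lint(text, max_expires=3600):
    """Warnings for the three pitfalls raised in the thread.
    max_expires is an assumed registrar maximum (seconds), not from the page."""
    settings, listens = parse_cfg(text)
    warnings = []
    # Andrei: a 0.0.0.0 listen needs advertised_address or Via/RR look odd.
    if any(addr == '0.0.0.0' for _, addr, _ in listens) \
            and 'advertised_address' not in settings:
        warnings.append('listen=0.0.0.0 without advertised_address')
    # Andrei: the tls listen may only be omitted when some listen has no proto.
    if settings.get('enable_tls') == '1':
        if not any(proto in (None, 'tls') for proto, _, _ in listens):
            warnings.append('enable_tls=1 but no tls listen and no protocol-less listen')
    # Daniel: keep TCP/TLS connections open longer than the longest registration.
    lifetime = settings.get('tcp_connection_lifetime')
    if lifetime is None or int(lifetime) <= max_expires:
        warnings.append(f'tcp_connection_lifetime={lifetime} is not above max_expires={max_expires}')
    return warnings
```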
Am 30.09.2010 17:27, schrieb Juha Heinanen:
now that 3.1 has async tls support, i decided (first time ever) to try to test tls. things went quite smoothly when i followed "Create Certificates to be used with Kamailio" document
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_cert...
during the process, i fixed a typo in the doc, added two comments to cfg part:
    enable_tls=1
    tcp_async=no            # do not include in 3.1
    listen=udp:0.0.0.0:5060
    listen=tcp:0.0.0.0:5060
    listen=tls:0.0.0.0:5061 # not needed in 3.1
I wonder which IP address is used as the TLS socket if you do not specify it in the config file?
I always specify it explicitly as I do not want any kind of automatism.
regards Klaus