10 Apr
2014
10 Apr
'14
7:45 p.m.
while doing some tls tests, i noticed that if tls.cfg has a section like
this
[server:default]
verify_certificate = no
require_certificate = no
tls_method = SSLv23
private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
ca_list = /etc/ssl/certs/cacert.org.pem
then client does not give its certificate to kamailio server during tls
connection setup even if it had one.
if i specify:
require_certificate = no
then client sends its certificate to kamailio server, but if another
client does not have a client certificate, then it cannot connect at
all.
one way to solve this would be making kamailio listen on two tls ports,
one for clients that are required to present a a certificate and another
port for clients that do not have a certificate.
unfortunately, it is not possible to add a mask to ip address in tls.cfg
section like this:
[server:0.0.0.0/0:5062]
does anyone have a solution to this problem (other that running two
kamailio instances)?
-- juha
11 Apr
11 Apr
10:12 a.m.
i read tls code and docs more carefully and found that if tls server is
configured like this:
[server:default]
verify_certificate = yes
require_certificate = no
tls_method = SSLv23
private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
ca_list = /etc/ssl/certs/cacert.org.pem
then server asks certificate from client. if client provides one,
server verifies it, but it is ok for the client not to provide a
certificate.
regarding tls module pseudo vars, one can use $tls_peer_verified to test
if client provided verified certificate and, if it did, one can use
$tls_peer_subject_cn to gets its common name.
i added $tls_* pseudo vars to wiki under TLS Module Pseudo Variables,
but didn't give any explanation to any of them.
-- juha
1:18 p.m.
On 11/04/14 09:12, Juha Heinanen wrote:
i read tls code and docs more carefully and found that
if tls server is
configured like this:
[server:default]
verify_certificate = yes
require_certificate = no
tls_method = SSLv23
private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
ca_list = /etc/ssl/certs/cacert.org.pem
then server asks certificate from client. if client provides one,
server verifies it, but it is ok for the client not to provide a
certificate.
regarding tls module pseudo vars, one can use $tls_peer_verified to test
if client provided verified certificate and, if it did, one can use
$tls_peer_subject_cn to gets its common name.
i added $tls_* pseudo vars to wiki under TLS Module Pseudo Variables,
but didn't give any explanation to any of them.
Thanks, maybe someone will have
time to add description as well -- the
info can be taken from:
- http://kamailio.org/docs/modules/1.5.x/tlsops.html#id2454119
Cheers,
Daniel
--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
3908
days inactive
3909
days old
2 comments
2 participants
participants (2)
-
Daniel-Constantin Mierla -
Juha Heinanen