I am using SER ottendorf with TLS protocol and have the following issues. Does anybody experience similar problems?
SER cannot run with the following setup in the configuration file: (I follow this link to set up key and certificate: http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/tls/README?...)
modparam("tls", "private_key", "cakey.pem")
modparam("tls", "certificate", "cacert.pem")
modparam("tls", "ca_list", "calist.pem")
modparam("tls", "cipher_list", "HIGH");
With the last line commented out:
#modparam("tls", "cipher_list", "HIGH");
SER can start, but the tls connection cannot be established. Network trace shows SER does not respond to ClientHello sent by client.
Thanks, Joy
Katty Xiong wrote:
> I am using SER ottendorf with TLS protocol and have the following issues. Does anybody experience similar problems?
> SER cannot run with the following setup in the configuration file: (I follow this link to set up key and certificate: http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/tls/README?...)
> modparam("tls", "private_key", "cakey.pem")
> modparam("tls", "certificate", "cacert.pem")
> modparam("tls", "ca_list", "calist.pem")
> modparam("tls", "cipher_list", "HIGH");
You don't need that option unless you want to restrict the list of ciphers that are available. openssl uses all available ciphers by default.
> With the last line commented out:
> #modparam("tls", "cipher_list", "HIGH");
> SER can start, but the tls connection cannot be established. Network trace shows SER does not respond to ClientHello sent by client.
A couple of quick questions:
- Have you configured SER to listen on tls using listen parameter?
- Are you connecting to the right port (i.e. 5061 and not 5060)?
Jan.
Yes. I configured SER to listen on tls using listen parameter.
listen=tls:199.199.2.50:5061
Actually from the system I can see TCP connection for this tls is established. But somehow the tls process does not respond to the ClientHello message.
thanks, Joy
Is there anything in syslog?
Jan.
Hi,
Just out of curiosity or how you write it..
How did you compile ser? And how did you make your certificates?
did you do : make install TLS=1 ?
- Atle
Serusers mailing list Serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
I compile SER using: gmake TLS_HOOKS=1. I can see tls.so is generated in the tls directory. I follow the link to generate certificate: http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/tls/README?...
thanks, Joy
No, I didn't see anything related with SER in syslog. But after I start SER, there is something strange on the screen:
TLS<default>:cipher_list='
It shows only a single quote. This line seems to me that the cipher list is not set up.
I am using the SER2.0.0+cvs20070315.
Joy
After I dig a bit, it seems the problem is related with certificate.
When I comment out the line in the configuration file,
#modparam("tls", "cipher_list", "HIGH");
fill_missing (in tls_domain.c) returns -1 since the following condition becomes true.
193 if (!d->cipher_list &&
194     shm_asciiz_dup(&d->cipher_list, parent->cipher_list) < 0) return -1;
195 LOG(L_INFO, "%s: cipher_list='%s'\n", tls_domain_str(d), d->cipher_list);
So though SER starts, certificate and private key are not loaded.
To avoid this issue, I set up the cipher_list to HIGH. But somehow, SER complains that:
tls_domain.c:229: Unable to load certificate file
tls_domain.c:230 load_cert:error...
So I guess there is something wrong with the certificate. What I did is as follows. Could you check if I made mistakes in generating CA?
1. Create CA private key
#openssl genrsa -out ./private/cakey.pem 2048
2. Create self-signed certificate
#openssl req -out ./cacert.pem -x509 -new -key ./private/cakey.pem
3. Create a certificate request
#openssl req -out ser1_cert_req.pem -new -nodes
4. Sign it with the CA certificate
#openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
5. Copy ser1_cert.pem and privkey.pem to ser configuration directory
thanks, Joy
I replace the function SSL_CTX_use_certificate_chain_file() with SSL_CTX_use_certificate_file() in tls_domain.c, and it's working now.
227 //if (!SSL_CTX_use_certificate_chain_file(d->ctx[i], d->cert_file)) {
228 if (!SSL_CTX_use_certificate_file(d->ctx[i], d->cert_file, SSL_FILETYPE_PEM)) {
For SSL_CTX_use_certificate_chain_file(), I tried different CA, it didn't work.
thanks, Joy
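An added example, not part of the thread or of the SER sources, covering the certificate steps listed earlier and the loader change described in this message: a shell pre-flight that checks that the private key matches the first certificate in the file (OpenSSL documents that SSL_CTX_use_certificate_chain_file() expects the server's own certificate first, followed by any CA certificates) and that the certificate verifies against the CA list. The function names, test subjects and the throwaway CA are constructed for the example, and signing uses openssl x509 -req in place of openssl ca.

```sh
#!/bin/sh
# Added example; file names follow the thread, subjects and function names are constructed.

# 0 if the FIRST certificate in $1 carries the public key of private key $2.
# openssl x509 reads only the first PEM certificate in a file, which is the
# position a chain file reserves for the server's own certificate.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if certificate $1 verifies against the CA list file $2.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print how many PEM certificates file $1 contains.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Build a throwaway CA and one server certificate in directory $1.
# Signing uses "openssl x509 -req" rather than the thread's "openssl ca",
# which needs a CA database directory prepared first.
make_test_pki() {
    openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$1/cakey.pem" -subj "/CN=Constructed Test CA" \
        -days 1 -out "$1/cacert.pem" 2>/dev/null &&
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1/privkey.pem" \
        -subj "/CN=ser1.example.test" -out "$1/ser1_cert_req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/ser1_cert_req.pem" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -days 1 \
        -out "$1/ser1_cert.pem" 2>/dev/null
}

# Check the three files as SER would receive them:
# $1 = certificate, $2 = private_key, $3 = ca_list. Returns 0 only if all pass.
preflight() {
    status=0
    echo "certificates in $1: $(count_certs "$1" || true)"
    if cert_matches_key "$1" "$2"; then
        echo "OK   private key matches the first certificate"
    else
        echo "FAIL private key does not match the first certificate"; status=1
    fi
    if cert_chains_to_ca "$1" "$3"; then
        echo "OK   certificate verifies against $3"
    else
        echo "FAIL certificate does not verify against $3"; status=1
    fi
    return $status
}

if [ $# -eq 3 ]; then
    preflight "$1" "$2" "$3"
else
    # Self-demo on constructed files: the matching pair, then the CA key by mistake.
    demo=$(mktemp -d) && make_test_pki "$demo" && {
        preflight "$demo/ser1_cert.pem" "$demo/privkey.pem" "$demo/cacert.pem" || true
        preflight "$demo/ser1_cert.pem" "$demo/cakey.pem" "$demo/cacert.pem" || true
        rm -rf "$demo"
    }
fi
```

Run with three arguments (certificate, private key, CA list) to check real files; with no arguments it runs the self-demo on generated files.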
Thanks a lot! I have to retest the code again. Could you do me a favor and send me (privately) your configuration file?
Jan.