Hi all, I have configured TLS support in Kamailio, but I cannot register a SIP phone.
My configuration:
I create the cert and private key as:
"kamctl tls userCERT user"
The log shows:
Creating directory /usr/local/etc/kamailio//tls/user
Creating user certificate request
Generating a 512 bit RSA private key
..++++++++++++
...................++++++++++++
writing new private key to '/usr/local/etc/kamailio//tls/user/user-privkey.pem'
-----
Signing certificate request
Using configuration from /usr/local/etc/kamailio//tls/request.conf
Enter pass phrase for ./rootCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'somename.somewhere.com'
stateOrProvinceName   :PRINTABLE:'Some State'
countryName           :PRINTABLE:'XY'
emailAddress          :IA5STRING:'root@somename.somewhere.com'
organizationName      :PRINTABLE:'My Large Organization Name'
organizationalUnitName:PRINTABLE:'My Subunit of Large Organization'
Certificate is to be certified until Sep 4 09:13:58 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generating CA list
DONE
INFO: Private key is locate at /usr/local/etc/kamailio//tls/user/user-privkey.pem
INFO: Certificate is locate at /usr/local/etc/kamailio//tls/user/user-cert.pem
INFO: CA-List is locate at /usr/local/etc/kamailio//tls/user/user-calist.pem
I add to kamailio.cfg
enable_tls=1
tcp_async=no

modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate", "/usr/local/etc/kamailio//tls/user/user-cert.pem")
modparam("tls", "private_key", "/usr/local/etc/kamailio//tls/user/user-privkey.pem")
modparam("tls", "ca_list", "/usr/local/etc/kamailio//tls/user/user-calist.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
I restart Kamailio:
"kamctl restart"
Log in tail -f /var/log/message:
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:175]: TLSc<default>: tls_method=9
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:185]: TLSc<default>: certificate='/usr/local/etc/kamailio//tls/user/user-cert.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:190]: TLSc<default>: ca_list='/usr/local/etc/kamailio//tls/user/user-calist.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:193]: TLSc<default>: require_certificate=1
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:198]: TLSc<default>: cipher_list='(null)'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:203]: TLSc<default>: private_key='/usr/local/etc/kamailio//tls/user/user-privkey.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:206]: TLSc<default>: verify_certificate=1
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:209]: TLSc<default>: verify_depth=9
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:331]: TLSc<default>: Server MUST present valid certificate
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: WARNING: tls [tls_domain.c:395]: tls: set_ssl_options: openssl SSL_OP_TLS_BLOCK_PADDING bug workaround enabled (openssl version 90802f)
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3116]: INFO: ctl [io_listener.c:224]: io_listen_loop: using epoll_lt io watch method (config)
I see that Kamailio starts OK, but the SIP phone cannot register.
Log in tail -f /var/log/message:
Sep 4 05:18:50 appliance /usr/local/sbin/kamailio[3117]: ERROR: tls [tls_server.c:392]: SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
In PortGo: certificate validation failure.
Please suggest how to fix it, thanks. Peter Green
Log in tail -f /var/log/message:
Sep 4 05:18:50 appliance /usr/local/sbin/kamailio[3117]: ERROR: tls [tls_server.c:392]: SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
In PortGo: certificate validation failure.
It is rather clear - your SIP client does not accept the proxy's certificate and thus terminates the TLS handshake with an "unknown ca" error.
You have to configure your SIP client to accept the CA which has signed the proxy's certificate.
regards klaus
Date: Mon, 6 Sep 2010 10:26:38 +0200
From: klaus.mailinglists@pernau.at
To: betergreen@live.com
CC: sr-users@lists.sip-router.org
Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls support.
Dear Klaus,
I have the same problem when adding user-privkey.pem to the SIP client; I use the 3CX softphone.
When I run the command: kamctl tls userCERT user
openssl creates three files.
INFO: Private key is locate at /usr/local/etc/kamailio//tls/user/user-privkey.pem
INFO: Certificate is locate at /usr/local/etc/kamailio//tls/user/user-cert.pem
INFO: CA-List is locate at /usr/local/etc/kamailio//tls/user/user-calist.pem
I copy user-privkey.pem to the PC which has the SIP client. After that I rename it to root_cert_3CXphone.pem and add it to the 3CX softphone, but the problem is the same.
Sep 6 08:59:33 appliance /usr/local/sbin/kamailio[4442]: ERROR: tls [tls_server.c:392]: SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sep 6 08:59:34 appliance /usr/local/sbin/kamailio[4437]: ERROR: tls [tls_server.c:392]: SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sep 6 08:59:34 appliance /usr/local/sbin/kamailio[4438]: ERROR: tls [tls_server.c:392]: SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sep 6 08:59:34 appliance /usr/local/sbin/kamailio[4440]: ERROR: tls [tls_server.c:392]: SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sep 6 08:59:34 appliance /usr/local/sbin/kamailio[4442]: ERROR: tls [tls_server.c:392]: SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Please tell me if you know. Thanks so much. Peter Green
On 06.09.2010 11:19, peter_green lion wrote:
I have the same problem when adding user-privkey.pem to the SIP client; I use the 3CX softphone.
You have to import the self-signed certificate of the root CA which signed the server certificate. Maybe "cakey.pem" ?
Probably you have to read some certificate and openssl howtos to get proper background - SIP over TLS is just like HTTPS.
regards Klaus
Date: Mon, 6 Sep 2010 14:34:35 +0200
From: klaus.mailinglists@pernau.at
To: betergreen@live.com
CC: sr-users@lists.sip-router.org
Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls support.
Dear Klaus,
I try to test with all the .pem files in the CA directory, but I get the same error.
I try to verify the cert files and get:
openssl verify calist.pem
calist.pem: /C=vn/ST=hcm/L=htk/O=inc/OU=4/CN=kamailio
error 18 at 0 depth lookup:self signed certificate
OK
openssl verify privkey.pem
unable to load certificate
2904:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
openssl verify ser1_cert.pem
error 20 at 0 depth lookup:unable to get local issuer certificate
So is this my problem? Thanks for your help. Peter Green
I couldn't follow what exactly you did, but you should:
1. create a self-signed CA certificate
2. create private and public key for server. Make certificate signing request (CSR) from the public key. Sign this CSR with the CA certificate - this will give you the server certificate.
3. configure in Kamailio the server's public key (certificate), the server's private key and the CA certificate as CA list.
4. Import the CA certificate into the TLS client (e.g. the SIP client)
You can test whether the Kamailio configuration works by using a browser, e.g.:
- surf with Internet Explorer to https://domain.name.ofyour.sipproxy:5061/ This should give you a certificate warning (do NOT accept the certificate)
- close Internet Explorer
- import CA certificate into Windows certificate store
- surf with Internet Explorer again to https://domain.name.ofyour.sipproxy:5061/ This time there should not be any certificate warning.
You can also try other SIP clients, e.g. eyebeam (uses the Windows certificate store), twinkle (Linux) or QjSimple (lets you specify the CA file manually; do not configure a client certificate and private key)
regards klaus
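Klaus's four steps, carried out end to end as an added example. This is the editor's script, not code from the thread or from the Kamailio project; it assumes a POSIX shell and OpenSSL 1.1.1 or newer on the PATH, and the host name sip.example.test, the organisation "Example Lab" and the working directory are made up. Three details differ from the commands quoted in the thread, each of them something a practitioner would want here: keys are 2048-bit RSA rather than the 512-bit key kamctl generated above; the server certificate carries a subjectAltName equal to the name the phones connect to, since a client that already trusts the CA still rejects a certificate issued to a different name (the Windows warning later in the thread that the certificate is not actually from 192.168.1.81 is that check failing); and the chain is checked with -CAfile, because openssl verify cert.pem without a trust anchor produces the "error 20 ... unable to get local issuer certificate" shown above. The emitted modparam lines leave require_certificate at its default: with it set to 1, as in the thread's config, Kamailio also demands a certificate from the phone, which Klaus's advice not to configure a client certificate does not provide for.

```shell
#!/bin/sh
# Added example (editor's script, not from the thread or the Kamailio project):
# private CA -> server certificate -> CA list for Kamailio, then the two checks
# a TLS client performs (chain to a trusted CA, name matches the address used).
# Hypothetical values: sip.example.test, "Example Lab", and the work directory.
set -eu

HOST="${1:-sip.example.test}"   # the name the phones dial as their TLS proxy
WORKDIR="${2:-$(mktemp -d)}"    # must already exist when given explicitly

make_ca() {
    # Step 1: self-signed CA. cakey.pem stays on the CA machine; clients get
    # only cacert.pem. CA extensions are spelled out so the script does not
    # depend on whatever the system openssl.cnf contains.
    cat > "$WORKDIR/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
O = Example Lab
CN = Example Lab Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORKDIR/ca.cnf" \
        -keyout "$WORKDIR/cakey.pem" -out "$WORKDIR/cacert.pem" 2>/dev/null
    chmod 600 "$WORKDIR/cakey.pem"
}

make_server_cert() {
    # Step 2: server key and CSR, signed by the CA. CN and subjectAltName must
    # equal the name clients connect to; a client that trusts the CA still
    # rejects a certificate issued to some other name.
    cat > "$WORKDIR/server.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
O = Example Lab
CN = $HOST
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/server.cnf" \
        -keyout "$WORKDIR/privkey.pem" -out "$WORKDIR/server.csr" 2>/dev/null
    chmod 600 "$WORKDIR/privkey.pem"
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/cacert.pem" -CAkey "$WORKDIR/cakey.pem" -CAcreateserial \
        -extfile "$WORKDIR/server.cnf" -extensions v3_server \
        -out "$WORKDIR/server-cert.pem" 2>/dev/null
    # Step 3: the CA list Kamailio loads is the CA *certificate*, never the key.
    cp "$WORKDIR/cacert.pem" "$WORKDIR/calist.pem"
}

verify_chain() {
    # Client check 1. Without -CAfile there is no trust anchor and openssl
    # reports "error 20 ... unable to get local issuer certificate".
    openssl verify -CAfile "$WORKDIR/calist.pem" "$WORKDIR/server-cert.pem" >/dev/null 2>&1
}

verify_hostname() {
    # Client check 2: does the certificate name match the address dialled?
    # -checkhost prints "does match" or "does NOT match"; the verdict is in
    # that text, so it is grepped rather than inferred from the exit code.
    openssl x509 -in "$WORKDIR/server-cert.pem" -noout -checkhost "$1" 2>/dev/null \
        | grep -q 'does match'
}

kamailio_tls_params() {
    # Step 3 as kamailio.cfg lines. require_certificate is left at its default
    # because it would make Kamailio demand a certificate from the phone too.
    cat <<EOF
modparam("tls", "certificate", "$WORKDIR/server-cert.pem")
modparam("tls", "private_key", "$WORKDIR/privkey.pem")
modparam("tls", "ca_list", "$WORKDIR/calist.pem")
EOF
}

main() {
    make_ca
    make_server_cert
    verify_chain || { echo "server-cert.pem does not chain to calist.pem"; exit 1; }
    verify_hostname "$HOST" || { echo "server-cert.pem is not issued to $HOST"; exit 1; }
    echo "server-cert.pem verifies against calist.pem and matches $HOST"
    echo "Step 4: import $WORKDIR/calist.pem into the phone or browser trust store."
    echo "Add to kamailio.cfg:"
    kamailio_tls_params
}

main
```

Run it as sh make-sip-tls.sh sip.example.test /some/existing/dir, put the printed modparam lines into kamailio.cfg, and import calist.pem (only that file, never cakey.pem or privkey.pem) into the phone or the Windows certificate store. Phones must then be pointed at the host name in the certificate, not at the IP address, or the second check fails exactly as the browser test in this thread does.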
Date: Tue, 7 Sep 2010 09:47:18 +0200
From: klaus.mailinglists@pernau.at
To: betergreen@live.com
CC: sr-users@lists.sip-router.org
Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls support.
Hi Klaus, I have configured as you advised:
- create a self-signed CA certificate

Creating CA certificate
-----------------------
1. create CA dir
   mkdir ca
   cd ca
2. create ca dir structure and files (see ca(1))
   mkdir demoCA          # default CA name, edit /etc/ss/openssl.cnf
   mkdir demoCA/private
   mkdir demoCA/newcerts
   touch demoCA/index.txt
   echo 01 >demoCA/serial
2. create CA private key
   openssl genrsa -out demoCA/private/cakey.pem 2048
   chmod 600 demoCA/private/cakey.pem
3. create CA self-signed certificate
   openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem

- create private and public key for server. Make certificate signing request (CSR) from the public key. Sign this CSR with the CA certificate - this will give you the server certificate.

Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
   openssl req -out ser1_cert_req.pem -new -nodes
   WARNING: the organization name should be the same as in the ca certificate.
2. sign it with the ca certificate
   openssl ca -in ser1_cert_req.pem -out ser1_cert.pem

So "ser1_cert.pem" is the server certificate.

- configure in Kamailio the server's public key (certificate), the server's private key and the CA certificate as CA list.

My configuration is:
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate", "/usr/local/etc/kamailio/ser1_cert.pem")   # server cert
modparam("tls", "private_key", "/usr/local/etc/kamailio/privkey.pem")     # privkey
modparam("tls", "ca_list", "/usr/local/etc/kamailio/calist.pem")          # ca cert
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)

- Import the CA certificate into the TLS client (e.g. the SIP client)

I copied calist.pem to my PC and added it to the IE certificate store; test:
The result is:
--> starting Kamailio is OK.
--> open IE: as you described, I added calist.pem to the Windows certificate store, but it fails.
The message is: Windows cannot validate that the certificate is actually from 192.168.1.81. You should confirm its origin by contacting 192.168.1.81...
Please help me fix it. Thank you so much. Peter Green.
Hi all, does no one know this error? Or can no one help me? Please suggest if anyone knows this problem!

From: betergreen@live.com
To: sr-users@lists.sip-router.org
Date: Sat, 4 Sep 2010 12:21:23 +0700
Subject: [SR-Users] please help to register sip phone to kamailio server via tls support.
_______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users