4 Sep
2010
4 Sep
'10
7:21 a.m.
hi all,
I have configured tls support in kamailio, but i cannot register sip phone.
my configure :
I create cert and private key as:
"kamctl tls userCERT user"
log show :
Creating directory /usr/local/etc/kamailio//tls/user
Creating user certificate request
Generating a 512 bit RSA private key
..++++++++++++
...................++++++++++++
writing new private key to '/usr/local/etc/kamailio//tls/user/user-privkey.pem'
-----
Signing certificate request
Using configuration from /usr/local/etc/kamailio//tls/request.conf
Enter pass phrase for ./rootCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'somename.somewhere.com'
stateOrProvinceName :PRINTABLE:'Some State'
countryName :PRINTABLE:'XY'
emailAddress :IA5STRING:'root@somename.somewhere.com'
organizationName :PRINTABLE:'My Large Organization Name'
organizationalUnitName:PRINTABLE:'My Subunit of Large Organization'
Certificate is to be certified until Sep 4 09:13:58 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generating CA list
DONE
INFO: Private key is locate at /usr/local/etc/kamailio//tls/user/user-privkey.pem
INFO: Certificate is locate at /usr/local/etc/kamailio//tls/user/user-cert.pem
INFO: CA-List is locate at /usr/local/etc/kamailio//tls/user/user-calist.pem
I add to kamailio.cfg
enable_tls=1
tcp_async=no
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate",
"/usr/local/etc/kamailio//tls/user/user-cert.pem")
modparam("tls", "private_key",
"/usr/local/etc/kamailio//tls/user/user-privkey.pem")
modparam("tls", "ca_list",
"/usr/local/etc/kamailio//tls/user/user-calist.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
i restart kamailio:
"kamctl restart"
log in tail -f /var/log/message
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:175]:
TLSc<default>: tls_method=9
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:185]:
TLSc<default>:
certificate='/usr/local/etc/kamailio//tls/user/user-cert.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:190]:
TLSc<default>: ca_list='/usr/local/etc/kamailio//tls/user/user-calist.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:193]:
TLSc<default>: require_certificate=1
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:198]:
TLSc<default>: cipher_list='(null)'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:203]:
TLSc<default>:
private_key='/usr/local/etc/kamailio//tls/user/user-privkey.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:206]:
TLSc<default>: verify_certificate=1
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:209]:
TLSc<default>: verify_depth=9
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:331]:
TLSc<default>: Server MUST present valid certificate
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: WARNING: tls [tls_domain.c:395]:
tls: set_ssl_options: openssl SSL_OP_TLS_BLOCK_PADDING bug workaround enabled (openssl
version 90802f)
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3116]: INFO: ctl [io_listener.c:224]:
io_listen_loop: using epoll_lt io watch method (config)
i see that kamailio start okie, but sip phone cannot register.
log in :tail -f /var/log/message:
Sep 4 05:18:50 appliance /usr/local/sbin/kamailio[3117]: ERROR: tls [tls_server.c:392]:
SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
in portgo : certificate validation failure.
please suggest to fix it,
thanks.
Peter green
6 Sep
6 Sep
10:26 a.m.
log in :tail -f /var/log/message:
Sep 4 05:18:50 appliance /usr/local/sbin/kamailio[3117]: ERROR: tls
[tls_server.c:392]: SSL error:error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
in portgo : certificate validation failure.
It is rather clear - your SIP client does not accept the proxy's
certificate and thus terminates the TLS handshake with an "unknown ca"
error.
You have to configure your SIP client to accept the CA which has signed
the proxy's certificate.
regards
klaus
11:19 a.m.
Date: Mon, 6 Sep 2010 10:26:38 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls
support.
Dear Klaus,
i have the same problem when add user-privkey.pem in SIP client, I use 3CX soft phone.
when i run command : kamctl tls userCERT user
openssl creates three file.
INFO: Private key is locate at /usr/local/etc/kamailio//tls/user/user-privkey.pem
INFO: Certificate is locate at /usr/local/etc/kamailio//tls/user/user-cert.pem
INFO: CA-List is locate at /usr/local/etc/kamailio//tls/user/user-calist.pem
i copy user-privkey.pem to PC which have SIP client. after that i change the name to
root_cert_3CXphone.pem to add to 3CX soft phone.
but problem is the same.
Sep 6 08:59:33 appliance /usr/local/sbin/kamailio[4442]: ERROR: tls [tls_server.c:392]:
SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sep 6 08:59:34 appliance /usr/local/sbin/kamailio[4437]: ERROR: tls [tls_server.c:392]:
SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sep 6 08:59:34 appliance /usr/local/sbin/kamailio[4438]: ERROR: tls [tls_server.c:392]:
SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sep 6 08:59:34 appliance /usr/local/sbin/kamailio[4440]: ERROR: tls [tls_server.c:392]:
SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sep 6 08:59:34 appliance /usr/local/sbin/kamailio[4442]: ERROR: tls [tls_server.c:392]:
SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
please tell me, if you know
thanks so much.
Peter Green
log in :tail -f /var/log/message:
Sep 4 05:18:50 appliance /usr/local/sbin/kamailio[3117]: ERROR: tls
[tls_server.c:392]: SSL error:error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
in portgo : certificate validation failure.
It is rather clear - your SIP client does not accept the proxy's
certificate and thus terminates the TLS handshake with an "unknown ca"
error.
You have to configure your SIP client to accept the CA which has signed
the proxy's certificate.
regards
klaus
2:34 p.m.
Am 06.09.2010 11:19, schrieb peter_green lion:
i have the same problem when add user-privkey.pem in
SIP client, I use
3CX soft phone.
You have to import the self-signed certificate of the root CA which
signed the server certificate. Maybe "cakey.pem" ?
Probably you have to read some certificate and openssl howtos to get
proper backround - SIP over TLS is just like HTTPS.
regards
Klaus
8:07 p.m.
Date: Mon, 6 Sep 2010 14:34:35 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls
support.
Am 06.09.2010 11:19, schrieb peter_green lion:
dear Klaus,
I try to test with all file.pem in ca directory. but i get the same error.
i try to verify cert file and get :
openssl verify calist.pem
calist.pem: /C=vn/ST=hcm/L=htk/O=inc/OU=4/CN=kamailio
error 18 at 0 depth lookup:self signed certificate
OK
openssl verify privkey.pem
unable to load certificate
2904:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting:
TRUSTED CERTIFICATE
openssl verify ser1_cert.pem
error 20 at 0 depth lookup:unable to get local issuer certificate
so is this my problem ?
thanks for help .
Peter Green
i have the same problem when add user-privkey.pem
in SIP client, I use
3CX soft phone.
You have to import the self-signed certificate of the root CA which
signed the server certificate. Maybe "cakey.pem" ?
Probably you have to read some certificate and openssl howtos to get
proper backround - SIP over TLS is just like HTTPS.
regards
Klaus
8:15 p.m.
Date: Mon, 6 Sep 2010 14:34:35 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls
support.
Am 06.09.2010 11:19, schrieb peter_green lion:
dear Klaus,
I try to test with all file.pem in ca directory. but i get the same error.
i try to verify cert file and get :
openssl verify calist.pem
calist.pem: /C=vn/ST=hcm/L=htk/O=inc/OU=4/CN=kamailio
error 18 at 0 depth lookup:self signed certificate
OK
openssl verify privkey.pem
unable to load certificate
2904:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting:
TRUSTED CERTIFICATE
openssl verify ser1_cert.pem
error 20 at 0 depth lookup:unable to get local issuer certificate
so is this my problem ?
thanks for help .
Peter Green
i have the same problem when add user-privkey.pem
in SIP client, I use
3CX soft phone.
You have to import the self-signed certificate of the root CA which
signed the server certificate. Maybe "cakey.pem" ?
Probably you have to read some certificate and openssl howtos to get
proper backround - SIP over TLS is just like HTTPS.
regards
Klaus
7 Sep
7 Sep
9:47 a.m.
I couldn't follow what you exactly did, but you should
1. create a self-signed CA certificate
2. create private and public key for server. Make certificate signing
request (CSR) from the public key. Sign this CSR with the CA certificate
- this will give you the server certificate.
3. configure in Kamailio the server's public key (certificate), the
server's private key and the CA certificate as CA list.
4. Import the CA certificate into the TLS client (e.g. the SIP client)
You can test if the Kamailio configuration works by using a browser e.g:
- surf with Internet Explorer to
https://domain.name.ofyour.sipproxy:5061/
This should give you a certificate warning (do NOT accept the
certificate)
- close Internet Explorer
- import CA certificate into Windows certificate store
- surf with Internet Explorer again to
https://domain.name.ofyour.sipproxy:5061/
This time there should not be any certificate warning.
You can also try other SIP clients, e.g. eyebeam (uses Windows
certificate store), twinkle (Linux) or QjSimple (let you specify the CA
file manually, do not configure client certificate and private key)
regards
klaus
Am 06.09.2010 20:15, schrieb peter_green lion:
Date: Mon, 6
Sep 2010 14:34:35 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] please help to register sip phone to kamailio
server via
tls support.
Am 06.09.2010 11:19, schrieb peter_green lion:
dear Klaus,
I try to test with all file.pem in ca directory. but i get the same error.
i try to verify cert file and get :
openssl verify calist.pem
calist.pem: /C=vn/ST=hcm/L=htk/O=inc/OU=4/CN=kamailio
error 18 at 0 depth lookup:self signed certificate
OK
openssl verify privkey.pem
unable to load certificate
2904:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
openssl verify ser1_cert.pem
error 20 at 0 depth lookup:unable to get local issuer certificate
so is this my problem ?
thanks for help .
Peter Green
i have the same problem when add user-privkey.pem
in SIP client, I use
3CX soft phone.
You have to import the self-signed certificate of the root CA which
signed the server certificate. Maybe "cakey.pem" ?
Probably you have to read some certificate and openssl howtos to get
proper backround - SIP over TLS is just like HTTPS.
regards
Klaus
10:57 a.m.
Date: Tue, 7 Sep 2010 09:47:18 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls
support.
I couldn't follow what you exactly did, but you should
1. create a self-signed CA certificate
2. create private and public key for server. Make certificate signing
request (CSR) from the public key. Sign this CSR with the CA certificate
- this will give you the server certificate.
3. configure in Kamailio the server's public key (certificate), the
server's private key and the CA certificate as CA list.
4. Import the CA certificate into the TLS client (e.g. the SIP client)
You can test if the Kamailio configuration works by using a browser e.g:
- surf with Internet Explorer to
https://domain.name.ofyour.sipproxy:5061/
This should give you a certificate warning (do NOT accept the
certificate)
- close Internet Explorer
- import CA certificate into Windows certificate store
- surf with Internet Explorer again to
https://domain.name.ofyour.sipproxy:5061/
This time there should not be any certificate warning.
You can also try other SIP clients, e.g. eyebeam (uses Windows
certificate store), twinkle (Linux) or QjSimple (let you specify the CA
file manually, do not configure client certificate and private key)
regards
klaus
Hi Klaus,
i have configure as your advise :
1. create a self-signed CA certificate
Creating
CA certificate
-----------------------
1. create CA dir
mkdir ca
cd ca
2. create ca dir structure and files (see ca(1))
mkdir demoCA #default CA name, edit /etc/ss/openssl.cnf
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
echo 01 >demoCA/serial
2. create CA private key
openssl genrsa -out demoCA/private/cakey.pem 2048
chmod 600 demoCA/private/cakey.pem
3. create CA self-signed certificate
openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem
2. create private and public key for server. Make
certificate signing
request (CSR) from the public key. Sign this CSR with the CA certificate
- this will give you the server certificate.
Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
openssl req -out ser1_cert_req.pem -new -nodes
WARNING: the organization name should be the same as in the ca certificate.
2. sign it with the ca certificate
openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
so "ser1_cert.pem" is server certificate.
3. configure in Kamailio the server's public key
(certificate), the
server's private key and the CA certificate as CA list.
my configure is :
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate",
"/usr/local/etc/kamailio/ser1_cert.pem") #server cert
modparam("tls", "private_key",
"/usr/local/etc/kamailio/privkey.pem") #privkey
modparam("tls", "ca_list",
"/usr/local/etc/kamailio/calist.pem") #ca cert
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
4. Import the CA certificate into the TLS client (e.g.
the SIP client)
i copy calist.pem to my pc, and add to ie certificate, test:
the result is :
--> start kamailio is ok.
--> open ie :as you describe, add calist.pem to Windows certificate store ,but it
fail.
message is : Windows cannot validate that the certificate is actually from
192.168.1.81.you should confirm its orgin by contacting 192.168.1.81.................
please help me to fix it .
thank you so much.
Peter Green.
6 Sep
6 Sep
11:01 a.m.
hi all,
no one know this error ?
or no one can help me ?
please suggest if any one know this problem !
From: betergreen(a)live.com
To: sr-users(a)lists.sip-router.org
Date: Sat, 4 Sep 2010 12:21:23 +0700
Subject: [SR-Users] please help to register sip phone to kamailio server via tls support.
hi all,
I have configured tls support in kamailio, but i cannot register sip phone.
my configure :
I create cert and private key as:
"kamctl tls userCERT user"
log show :
Creating directory /usr/local/etc/kamailio//tls/user
Creating user certificate request
Generating a 512 bit RSA private key
..++++++++++++
...................++++++++++++
writing new private key to '/usr/local/etc/kamailio//tls/user/user-privkey.pem'
-----
Signing certificate request
Using configuration from /usr/local/etc/kamailio//tls/request.conf
Enter pass phrase for ./rootCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'somename.somewhere.com'
stateOrProvinceName :PRINTABLE:'Some State'
countryName :PRINTABLE:'XY'
emailAddress :IA5STRING:'root@somename.somewhere.com'
organizationName :PRINTABLE:'My Large Organization Name'
organizationalUnitName:PRINTABLE:'My Subunit of Large Organization'
Certificate is to be certified until Sep 4 09:13:58 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generating CA list
DONE
INFO: Private key is locate at /usr/local/etc/kamailio//tls/user/user-privkey.pem
INFO: Certificate is locate at /usr/local/etc/kamailio//tls/user/user-cert.pem
INFO: CA-List is locate at /usr/local/etc/kamailio//tls/user/user-calist.pem
I add to kamailio.cfg
enable_tls=1
tcp_async=no
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate",
"/usr/local/etc/kamailio//tls/user/user-cert.pem")
modparam("tls", "private_key",
"/usr/local/etc/kamailio//tls/user/user-privkey.pem")
modparam("tls", "ca_list",
"/usr/local/etc/kamailio//tls/user/user-calist.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
i restart kamailio:
"kamctl restart"
log in tail -f /var/log/message
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:175]:
TLSc<default>: tls_method=9
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:185]:
TLSc<default>:
certificate='/usr/local/etc/kamailio//tls/user/user-cert.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:190]:
TLSc<default>: ca_list='/usr/local/etc/kamailio//tls/user/user-calist.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:193]:
TLSc<default>: require_certificate=1
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:198]:
TLSc<default>: cipher_list='(null)'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:203]:
TLSc<default>:
private_key='/usr/local/etc/kamailio//tls/user/user-privkey.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:206]:
TLSc<default>: verify_certificate=1
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:209]:
TLSc<default>: verify_depth=9
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:331]:
TLSc<default>: Server MUST present valid certificate
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: WARNING: tls [tls_domain.c:395]:
tls: set_ssl_options: openssl SSL_OP_TLS_BLOCK_PADDING bug workaround enabled (openssl
version 90802f)
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3116]: INFO: ctl [io_listener.c:224]:
io_listen_loop: using epoll_lt io watch method (config)
i see that kamailio start okie, but sip phone cannot register.
log in :tail -f /var/log/message:
Sep 4 05:18:50 appliance /usr/local/sbin/kamailio[3117]: ERROR: tls [tls_server.c:392]:
SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
in portgo : certificate validation failure.
please suggest to fix it,
thanks.
Peter green
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
4986
days inactive
4989
days old
8 comments
2 participants
participants (2)
-
Klaus Darilion -
peter_green lion