hello --
some time ago i extended ser to support tls, basically i implemented functions needed by the existing tls api. i polished the code a bit and i am giving it away freely. there are still some things to fix, but it mostly works.
to use the code, copy tls directory into your ser tree and optionally patch cfg.lex and cfg.y, then recompile ser with TLS=on.
if you also patch cfg.lex and cfg.y then you can use extended cfg syntax and specify different keys and certificates for different listen sockets. this is similar to apache virtual servers with ssl. without the patches you can only use the default configuration directives.
to iptel: would be great to have it in cvs, what do you think?
-- peter
----------- example ser.cfg:

listen=tls:127.0.0.1:5061
listen=tls:127.0.0.1:5062

# defaults for outgoing tls connections
tls_certificate="default.crt"
tls_private_key = "default.key"

# domain1.com
tls_domain[127.0.0.1:5061] {
    tls_certificate="domain1.crt"
    tls_private_key = "domain1.key"
    tls_method = sslv2
}

# domain2.com
tls_domain[127.0.0.1:5062] {
    tls_certificate="domain2.crt"
    tls_private_key="domain2.key"
}
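Peter's extended cfg syntax maps each TLS listen socket to its own certificate and key and falls back to the default directives otherwise. The reader below for that syntax is an added example, not SER's own cfg.lex/cfg.y parser; tls_cfg, tls_parse, tls_lookup, tls_method_weak and sample_lookup are hypothetical names, and the embedded cfg text is a constructed copy of the example above, with the sslv2 method flagged as obsolete as a defender's check.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not SER code: reads the tls_domain cfg syntax into a per-socket table with defaults. */
#define MAX_DOM 8
struct tls_dom { char sock[32], crt[64], key[64], method[16]; };
struct tls_cfg { struct tls_dom def, dom[MAX_DOM]; int n; };
/* constructed sample, laid out like the ser.cfg in the post */
static const char SAMPLE_CFG[] =
    "listen=tls:127.0.0.1:5061\nlisten=tls:127.0.0.1:5062\n"
    "tls_certificate=\"default.crt\"\ntls_private_key = \"default.key\"\n"
    "tls_domain[127.0.0.1:5061] {\n tls_certificate=\"domain1.crt\"\n"
    " tls_private_key = \"domain1.key\"\n tls_method = sslv2\n}\n"
    "tls_domain[127.0.0.1:5062] {\n tls_certificate=\"domain2.crt\"\n tls_private_key=\"domain2.key\"\n}\n";

/* parse cfg text into c; settings outside a tls_domain{} block are the defaults.
 * returns the number of domains, or -1 on an over-long line or too many domains */
int tls_parse(const char *text, struct tls_cfg *c) {
    char line[128]; struct tls_dom *cur = &c->def;
    memset(c, 0, sizeof *c);
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n >= sizeof line) return -1;
        memcpy(line, text, n); line[n] = 0;
        text += n + (text[n] == '\n');
        const char *s = line + strspn(line, " \t");
        if (!strncmp(s, "tls_domain[", 11)) {               /* opens a per-socket block */
            if (c->n == MAX_DOM || sscanf(s, "tls_domain[%31[^]]]", c->dom[c->n].sock) != 1) return -1;
            cur = &c->dom[c->n++];
        } else if (*s == '}') cur = &c->def;                /* block closed: back to defaults */
        else if (sscanf(s, "tls_certificate = \"%63[^\"]", cur->crt) != 1 &&
                 sscanf(s, "tls_private_key = \"%63[^\"]", cur->key) != 1)
            sscanf(s, "tls_method = %15s", cur->method);    /* listen= and # lines match nothing */
    }
    return c->n;
}

/* domain for a listen socket; the defaults apply when no block matches */
const struct tls_dom *tls_lookup(const struct tls_cfg *c, const char *sock) {
    for (int i = 0; i < c->n; i++) if (!strcmp(c->dom[i].sock, sock)) return &c->dom[i];
    return &c->def;
}

/* defender's check: sslv2 (as in the sample) and sslv3 are obsolete and must not be offered */
int tls_method_weak(const struct tls_dom *d) { return !strcmp(d->method, "sslv2") || !strcmp(d->method, "sslv3"); }

/* parse the constructed sample once, then look a socket up in it (NULL if parsing failed) */
const struct tls_dom *sample_lookup(const char *sock) {
    static struct tls_cfg c; static int n = -2;
    if (n == -2) n = tls_parse(SAMPLE_CFG, &c);
    return n < 0 ? NULL : tls_lookup(&c, sock);
}
```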
Hi Peter!
gr8 that you are willing to share your TLS part with us!
:-)
I tried to compile it in on 0.9.0 but had some problems with this. Could you give me a "hint" on what I've done wrong, or if there's something "silly" that I forgot :S
I built it with:
make TLS=on
tls/tls_init.c: In function `passwd_cb':
tls/tls_init.c:51: `UI' undeclared (first use in this function)
tls/tls_init.c:51: (Each undeclared identifier is reported only once
tls/tls_init.c:51: for each function it appears in.)
tls/tls_init.c:51: `ui' undeclared (first use in this function)
tls/tls_init.c:55: warning: implicit declaration of function `UI_new'
tls/tls_init.c:59: warning: implicit declaration of function `UI_construct_prompt'
tls/tls_init.c:59: warning: assignment makes pointer from integer without a cast
tls/tls_init.c:60: warning: implicit declaration of function `UI_add_input_string'
tls/tls_init.c:61: warning: implicit declaration of function `UI_process'
tls/tls_init.c:62: warning: implicit declaration of function `UI_free'
gmake: *** [tls/tls_init.o] Error 1
- Atle
* Peter Griffiths peter_grf@yahoo.com [050307 19:23]:
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Hi Peter!
Thanks for sharing your code. For which version of ser are these extensions? 0.8.12? 0.8.14? 0.9.0?
As I'm new to TLS, can you give some hints on how to test TLS? Which SIP user agents can be used to test TLS?
regards, klaus
I saw somebody asking for a place to download the TLS implementation before it is introduced into CVS. I have the original post from Peter Griffiths. Is that the latest code (I have seen a thread on a patch)? I can post it to http://onsip.org/. As you may be aware, we have already made available the backports of the LCR, xlog, and UAC modules. g-)
Hi Greger!
That was me requesting a download site. Would be great to have the package at onsip. Would be greater to have it in CVS ;)
I didn't hear of a patch lately but someone posted a probable bug fix with TLS session caching. The post is added below.
Alex Mack
[quote] Hi,
First, how is free-TLS going? i mean ... is it ever going to make it into CVS? I have been testing for some time, it may have some bugs, but just as any piece of code. So far, i think it is good.
I found what i think it is a bug. I was testing with minisip, which supports TLS completely on the client side (even client certs, incoming connections, etc). It would create the initial connection ok to SER. After 2 minutes, SER shuts down the socket. So far so good. When minisip tries to register, it tries to create a new SSL connection, and as it supports session resuming, it would try to resume the previous session. But SER does not support it ... and here is the bug.
To fix it ... as simple as calling SSL_CTX_set_session_cache_mode( ssl_ctx, SSL_SESS_CACHE_OFF );
This turns the cache off ... and when ssl receives a session resume request, it sends back a message indicating it is not possible, the client then starts the handshake from scratch. Another solution is to implement session caching ... but this may be too resource consuming in big servers or in embedded systems ... so maybe better just to not support it by default ... maybe implement an option to turn it on at will.
Another thing ... the verification of the certificates ... it is turned off. It should be turned on i think.

/* Set verification procedure
 * The verification can be made null with SSL_VERIFY_NONE, or
 * at least easier with SSL_VERIFY_CLIENT_ONCE instead of SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
 * For extra control, instead of 0, we can specify a callback function:
 * int (*verify_callback)(int, X509_STORE_CTX *)
 * Also, depth 2 may be not enough in some scenarios ... though no need
 * to increase it much further */
SSL_CTX_set_verify( _ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
SSL_CTX_set_verify_depth( _ctx, 2);
This is it for now ...
Regards,
Cesc
[/quote]
Greger V. Teigre wrote:
Serdev mailing list serdev@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serdev