Quick look at the logs
"tlsv1 alert unknown ca"
This means your CA list does not include Let's Encrypt; download it from
Not sure how you generate your ca_list.pem; Let's Encrypt became trusted by
default at one point on Debian, not sure about the exact details.
Regards
Julien
On Tue, Feb 5, 2019 at 2:33 AM Gertjan Wolzak <g.wolzak(a)kazlow.nl> wrote:
Hello Kamailions,
I've been trying to configure a TLS connection between Kamailio servers,
but it looks like I'm missing some knowledge.
The situation:
phone1 <> internet <> kamailio1 <> internet <> kamailio2 <> internet <> phone2
The phones are Yealink phones; they are connected using TLS v1.2, phone1
registers at kamailio1 and phone2 registers at kamailio2.
Both Kamailio servers have a Let's Encrypt certificate.
When the connection between the two Kamailio servers is set as SIP, on a call
from phone1 to phone2 the signaling is forwarded and RTP flows.
When I set the connection between the two Kamailio servers to TLS, things
go wrong... or, better said, I go wrong.
The Kamailio log on the receiving Kamailio (kamailio2) shows that things go
wrong and where, but I just can't figure out how to solve it.
The log shows that the TLS connection will be handled by the TLS default
configuration; the CA certificate is missing, well, unknown.
15(7209) DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new
tcp connection: 116.203.53.212
15(7209) DEBUG: <core> [core/tcp_main.c:999]: tcpconn_new(): on port
44153, type 3
15(7209) DEBUG: <core> [core/tcp_main.c:1309]: tcpconn_add(): hashes:
1805:3331:3809, 3
15(7209) DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG:
io_watch_add(0xa77de0, 32, 2, 0x7ff9596d4b10), fd_no=23
15(7209) DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG:
io_watch_del (0xa77de0, 32, -1, 0x0) fd_no=24 called
15(7209) DEBUG: <core> [core/tcp_main.c:4196]: handle_tcpconn_ev():
sending to child, events 1
15(7209) DEBUG: <core> [core/tcp_main.c:3878]: send2child(): selected tcp
worker 1 8(7202) for activity on [tls:kamailio2:5061], 0x7ff9596d4b10
8(7202) DEBUG: <core> [core/tcp_read.c:1759]: handle_io(): received n=8
con=0x7ff9596d4b10, fd=9
8(7202) DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing
tls connection initialization
8(7202) DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial
TLS domain TLSs<default> (dom 0x7ff959498600 ctx 0x7ff9594b6430 sn [])
8(7202) DEBUG: tls [tls_domain.c:724]: sr_ssl_ctx_info_callback(): SSL
handshake started
8(7202) DEBUG: <core> [core/tcp_main.c:2460]: tcpconn_do_send():
sending...
8(7202) DEBUG: <core> [core/tcp_main.c:2494]: tcpconn_do_send(): after
real write: c= 0x7ff9596d4b10 n=2637 fd=9
8(7202) DEBUG: <core> [core/tcp_main.c:2495]: tcpconn_do_send(): buf=
8(7202) DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG:
io_watch_add(0xac78a0, 9, 2, 0x7ff9596d4b10), fd_no=1
8(7202) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
accept:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
8(7202) ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR:
tcp_read_req: error reading - c: 0x7ff9596d4b10 r: 0x7ff9596d4b90 (-1)
8(7202) DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG:
io_watch_del (0xac78a0, 9, -1, 0x10) fd_no=2 called
8(7202) DEBUG: <core> [core/tcp_read.c:1683]: release_tcpconn():
releasing con 0x7ff9596d4b10, state -2, fd=9, id=3 (kamailio1]:44153 ->
[kamailio1]:5061)
8(7202) DEBUG: <core> [core/tcp_read.c:1684]: release_tcpconn():
extra_data 0x7ff9596d2ab0
15(7209) DEBUG: <core> [core/tcp_main.c:3308]: handle_tcp_child(): reader
response= 7ff9596d4b10, -2 from 1
15(7209) DEBUG: tls [tls_server.c:667]: tls_h_close(): Closing SSL
connection 0x7ff9596d2ab0
I assume I have configured tls.cfg partially correctly, as the phones
register and can make TLS calls.
What I find strange is this line: 8(7202) DEBUG: <core>
[core/tcp_read.c:1683]: release_tcpconn(): releasing con 0x7ff9596d4b10,
state -2, fd=9, id=3 (kamailio1]:44153 -> [kamailio1]:5061)
Would the "[kamailio1]:5061" be the client configuration?
So, what do I need to configure within the tls.cfg file so that when a TLS
connection is initiated from the other server it will work?
I have tried adding the other server as a server within the tls.cfg, which
does not work as Kamailio is not listening on the IP address configured.
When I add the server as a client in the tls.cfg as follows, the
connection is handled by the default TLS configuration.
[server:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/kamailio.kazlow.nl/privkey.pem
certificate = /etc/letsencrypt/live/kamailio.kazlow.nl/fullchain.pem
#ca_list = /etc/kamailio/tls/cacert.pem
#crl = /etc/kamailio/tls/crl.pem
[client:kamailio1:5061]
method = TLSv1.2
verify_certificate = no
require_certificate = yes
certificate = /etc/kamailio/tls/fullchain.pem
ca_list = /etc/kamailio/tls/cacert.pem
# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
ca_list = /etc/kamailio/tls/cacert.pem
I have tried forcing the socket on the sending Kamailio, but that does not
work.
Any feedback on what I am doing wrong, or on where I can find information to
extend my knowledge, would be appreciated.
Rgds,
Gertjan Wolzak
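A way to check the ca_list side of this offline, as an added example that is not code from the thread or from Kamailio: it builds a throwaway PKI shaped like a Let's Encrypt chain (fullchain.pem = leaf + intermediate, root expected in ca_list) and runs the same trust decision that verify_certificate=yes makes on the peer's certificate. The names "Demo Root CA", "Unrelated Root CA" and kamailio1.example are constructed, and the script assumes the openssl command-line tool (1.1.1 or newer) is installed.

```shell
#!/bin/sh
# Added example, not code from the thread: throwaway root -> intermediate -> leaf
# PKI laid out like Let's Encrypt's, then a check whether a ca_list.pem validates
# that chain. A failed check on the peer's side is what surfaces as the
# "tlsv1 alert unknown ca" in the log. Needs the openssl CLI.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
newcsr() {  # newcsr NAME CN: fresh key and CSR as $WORK/NAME.key / NAME.csr
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
selfsigned() {  # selfsigned NAME CN: self-signed CA certificate $WORK/NAME.pem
  newcsr "$1" "$2"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
}
issue() {  # issue NAME CN CA EXT: certificate for NAME signed with CA's key
  newcsr "$1" "$2"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$4" -out "$WORK/$1.pem" 2>/dev/null
}
make_demo_pki() {  # constructed demo PKI; all names are made up
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\n' > "$WORK/leaf.ext"
  selfsigned root  "Demo Root CA"        # stands in for the Let's Encrypt root
  selfsigned other "Unrelated Root CA"   # a CA that never issued the peer's chain
  issue int  "Demo Intermediate" root ca.ext
  issue leaf "kamailio1.example" int  leaf.ext
  cat "$WORK/leaf.pem" "$WORK/int.pem"  > "$WORK/fullchain.pem"     # what the peer presents
  cp  "$WORK/other.pem"                   "$WORK/ca_list_bad.pem"   # issuing root missing
  cat "$WORK/other.pem" "$WORK/root.pem" > "$WORK/ca_list_good.pem" # issuing root added
}
chain_trusted() {  # chain_trusted CA_LIST FULLCHAIN: exit 0 if the leaf chains to CA_LIST
  # verify reads only the first certificate (the leaf) of its positional argument;
  # -untrusted supplies the rest of the bundle as candidate intermediates
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}
report() {  # report LABEL CA_LIST FULLCHAIN: one-line outcome
  if chain_trusted "$2" "$3"; then
    echo "$1: chain validates, peer certificate would be accepted"
  else
    echo "$1: chain does NOT validate, handshake would end with 'unknown ca'"
  fi
}
make_demo_pki
report "ca_list without issuing root" "$WORK/ca_list_bad.pem"  "$WORK/fullchain.pem"
report "ca_list with issuing root"    "$WORK/ca_list_good.pem" "$WORK/fullchain.pem"
```

Running chain_trusted with the real ca_list.pem and the other server's fullchain.pem tells you, before enabling verify_certificate, whether the peer would pass; on Debian the system bundle at /etc/ssl/certs/ca-certificates.crt is the usual place to take a ca_list from.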
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users