4 May
2005
4 May
'05
12:28 p.m.
Hi Cesc!
I tried your previuos suggestions on changing cleint certificate check.
I'm now running SSL_VERIFY_NONE. MS Messenger works again. But the snom
still fails.
Ethereal tells me the server doesn't ask for a client certificate any
more. Ethereal also shows that "Cipher Suite: TLS_RSA_WITH_RC4_128_SHA"
was selected. So far so good, but the snom still rejects the Server
Hello with an Alert.
What else have you changed? The original version worked with the snoms.
BTW patch throws some warnings:
# patch -i patch.core.cfg.files.diff
patching file cfg.y
Hunk #1 FAILED at 1.
1 out of 6 hunks FAILED -- saving rejects to file cfg.y.rej
patching file cfg.lex
Hunk #1 FAILED at 1.
1 out of 5 hunks FAILED -- saving rejects to file cfg.lex.rej
cfg.y.rej reads:
***************
*** 1,5 ****
/*
- * $Id: cfg.y,v 1.2 2005/01/06 14:35:10 sam Exp $
*
* cfg grammar
*
--- 1,5 ----
/*
+ * $Id: cfg.y,v 1.4 2005/05/03 08:16:35 cesc Exp $
*
* cfg grammar
*
cfg.lex.rej reads:
***************
*** 1,5 ****
/*
- * $Id: cfg.lex,v 1.2 2005/01/06 14:35:10 sam Exp $
*
* scanner for cfg files
*
--- 1,5 ----
/*
+ * $Id: cfg.lex,v 1.3 2005/04/11 08:18:31 cesc Exp $
*
* scanner for cfg files
*
Seems to be a minor mismatch, it compiles well anyway.
Alex Mack
Cesc Santasusana schrieb:
Hi,
Yeah ... I send it with my default config which is using client and server
authentication.
I use this settings with minisip client (supports client side certs) and for tls between
ser proxies. It works perfect.
To turn client authentication off, check:
tls/tls_init.c file
init_ssl_ctx_behavior function
the line
SSL_CTX_set_verify( _ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
means that the server will request a certificate from the client and if it doesn't get
one, it will fail.
Try changing it with:
SSL_CTX_set_verify( _ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, 0);
this way the server will request a cert, the client will not provide, but on the following
renegotiation, the server (ser) will not ask for a cert.
And if you want to turn verification off ... completely ...
SSL_CTX_set_verify( _ctx, SSL_VERIFY_NONE, 0);
this will also work for you if only using tls for ser2phone ... it will not work if you
want tls between proxies ... as the ser client will accept ANY certificate from the ser
server.
And then, from the prompt:
make TLS=1 all && make TLS=1 install
;)
This whole verification thing needs to be improved and probably the parameters should be
changeable directly from the config file. This and many other parameters should be
exchangeable without the need to recompile.
Any volunteer for a ser-tls.README? :D
Can you provide me with some extra info from the snom phones and the messenger? Do it
offline, so you can send me some ethereal captures and ser logs ...
Regards,
Cesc
>>Alex Mack <amack(a)fhm.edu> 05/04/05
02:01PM >>>
>>
>>
Hi Cesc!
I compiled in your patch.
Now I'm facing a new problem: SER wants a client certificate from the
UA. Snom phones immediately reply with an ALERT and break up connection
upon the certificate requests. MS Messenger on the other hand sends at
least a reply - without certificate - and SER rejects the Client Hello
because of the missing client certificate:
tls_accept: Error in SSL:
tls_error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
did not return a certificate
Could you please provide some more documentation about the new TLS
options you added? It seems you've implemented support for client
certificates for a two-way certificate authorization - which would be a
good thing if supported by the UAs, which don't right now. So how can I
turn it off again and get back to server side certification?
Alex Mack
Cesc Santasusana schrieb:
Hi everybody,
The last i sent is a replacement as a whole for the original code sent by P. Griffiths.
Sorry i forgot to mention that.
The patches for cfg.y and cfg.lex are both in the same file (patch.core.cfg..files.diff)
within the zip. I was lazy :)
I resent it as a whole, and not as a diff, because i indented all the code with tabs,
instead of spaces (so a diff would be bigger than just sending all the files).
As for the CVS thing ... i agree with Juha. Either gets into the "official" cvs
or we do something about it. The code i think is rather stable as it is (i only tested on
my debian linux box, soon i will try on an ARM linux and i will report back on that too).
For me, as long as it gets into a CVS, i don't care if it is mantained against HEAD or
0.9.0 (i use 0.9.0 .... so all my patches are against it).
On a more philosophical level, i understand the "quietness" on iptel's side
... they have their own version, and make money on it. But the thing is that this free
version is here to stay ... it is the "problem" of opensource.
Another option would be for them to release their proprietary implementation if they feel
that it is a better, more tested one.
In any case, i think that this whole thing needs to be decided fast.
Regards!
Cesc
Unclassified
>>Alex Mack <amack(a)fhm.edu> 05/03/05
01:26PM >>>
>>
>>
>>
Hi Cesc!
Nice to have those fixes in a package.
Is your cfg.y-patch to be applied *after* cfg.y.patch was applied or
*instead* of cfg.y.patch?
Or is your version a patched one which replaces the original
implementation as a whole? In that case where's cfg.lex.patch?
Alex Mack
Cesc Santasusana schrieb:
>Hi,
>
>I really hate to be so pushy, but i dont understand how such an important piece of
code as TLS is not moving on into CVS ... or anywhere else by this matter. I will keep
sending patches till i get tired (soon).
>
>Anyway ... i thought someone may be interested in a compilation fix for cfg.y
introduced with the tls_domains (it would not compile if the cfg.y file had been patched
but the tls-core files were not there); a bug fix for the session caching (fixed by
turning session caching and resumption off); and an extension (the ability to choose the
list of allowed ciphers from the config file). Oh, and all the files have been tabbed,
instead of spaced (for indentation).
>
>Enjoy!
>
>Cesc
>
>
>
>
------------------------------------------------------------------------
_______________________________________________
Serdev mailing list
serdev(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serdev
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
5 May
5 May
8:08 a.m.
New subject: [Serusers] Re: [Serdev] Patched free-TLS implementation
Try checking the expiration date of the certificate and the time & date of
the phone.
I once had a phone where the time was not set and he rejected the server
certificate due to date expiration.
-----Original Message-----
From: serdev-bounces(a)iptel.org [mailto:serdev-bounces@lists.iptel.org] On Behalf
Of Alex Mack
Sent: Wednesday, May 04, 2005 7:29 PM
To: Cesc Santasusana
Cc: serdev(a)lists.iptel.org; serusers(a)lists.iptel.org
Subject: Re: [Serusers] Re: [Serdev] Patched free-TLS implementation
Hi Cesc!
I tried your previuos suggestions on changing cleint certificate check.
I'm now running SSL_VERIFY_NONE. MS Messenger works again. But the snom
still fails.
Ethereal tells me the server doesn't ask for a client certificate any more.
Ethereal also shows that "Cipher Suite: TLS_RSA_WITH_RC4_128_SHA"
was selected. So far so good, but the snom still rejects the Server Hello
with an Alert.
What else have you changed? The original version worked with the snoms.
BTW patch throws some warnings:
# patch -i patch.core.cfg.files.diff
patching file cfg.y
Hunk #1 FAILED at 1.
1 out of 6 hunks FAILED -- saving rejects to file cfg.y.rej patching file
cfg.lex Hunk #1 FAILED at 1.
1 out of 5 hunks FAILED -- saving rejects to file cfg.lex.rej
cfg.y.rej reads:
***************
*** 1,5 ****
/*
- * $Id: cfg.y,v 1.2 2005/01/06 14:35:10 sam Exp $
*
* cfg grammar
*
--- 1,5 ----
/*
+ * $Id: cfg.y,v 1.4 2005/05/03 08:16:35 cesc Exp $
*
* cfg grammar
*
cfg.lex.rej reads:
***************
*** 1,5 ****
/*
- * $Id: cfg.lex,v 1.2 2005/01/06 14:35:10 sam Exp $
*
* scanner for cfg files
*
--- 1,5 ----
/*
+ * $Id: cfg.lex,v 1.3 2005/04/11 08:18:31 cesc Exp $
*
* scanner for cfg files
*
Seems to be a minor mismatch, it compiles well anyway.
Alex Mack
Cesc Santasusana schrieb:
_______________________________________________
Serdev mailing list
serdev(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serdev
Hi,
Yeah ... I send it with my default config which is using client and server
authentication.
I use this settings with minisip client (supports
client side certs) and
for tls between ser proxies. It works perfect.
To turn client authentication off, check:
tls/tls_init.c file
init_ssl_ctx_behavior function
the line
SSL_CTX_set_verify( _ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
means that the server will request a certificate from the client and if it
doesn't get one, it will fail.
Try changing it with:
SSL_CTX_set_verify( _ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, 0);
this way the server will request a cert, the client will not provide, but
on the
following renegotiation, the server (ser) will not ask for a cert.
And if you want to turn verification off ... completely ...
SSL_CTX_set_verify( _ctx, SSL_VERIFY_NONE, 0); this will also work for
you if only using tls for ser2phone ... it will not work if you want tls
between
proxies ... as the ser client will accept ANY certificate from the
ser server.
And then, from the prompt:
parameters
should be changeable directly from the config file. This and many
other parameters should be exchangeable without the need to recompile.
make TLS=1 all && make TLS=1 install
;)
This whole verification thing needs to be improved and probably the
Any volunteer for a ser-tls.README? :D
Can you provide me with some extra info from the snom phones and the
messenger? Do
it offline, so you can send me some ethereal captures and ser
logs ...
Regards,
Cesc
P.
Griffiths. Sorry i forgot to mention that.
>>Alex Mack <amack(a)fhm.edu> 05/04/05
02:01PM >>>
>>
>>
Hi Cesc!
I compiled in your patch.
Now I'm facing a new problem: SER wants a client certificate from the
UA. Snom phones immediately reply with an ALERT and break up connection
upon the certificate requests. MS Messenger on the other hand sends at
least a reply - without certificate - and SER rejects the Client Hello
because of the missing client certificate:
tls_accept: Error in SSL:
tls_error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
did not return a certificate
Could you please provide some more documentation about the new TLS
options you added? It seems you've implemented support for client
certificates for a two-way certificate authorization - which would be a
good thing if supported by the UAs, which don't right now. So how can I
turn it off again and get back to server side certification?
Alex Mack
Cesc Santasusana schrieb:
>Hi everybody,
>
>The last i sent is a replacement as a whole for the original code sent by >
>The patches for cfg.y and cfg.lex are both in the same file
>(patch.core.cfg..files.diff) within the zip. I was lazy :) I resent it as
a
whole, and not as a diff, because i indented all the code with tabs,
instead of spaces (so a diff would be bigger than just sending all the
files).
>
>As for the CVS thing ... i agree with Juha. Either gets into the
"official" cvs or we do something about it. The code i think is rather
stable as it is (i only tested on my debian linux box, soon i will try on an
ARM linux and i will report back on that too). For me, as long as it gets
into a CVS, i don't care if it is mantained against HEAD or 0.9.0 (i use
0.9.0 .... so all my patches are against it).
>
>On a more philosophical level, i understand the "quietness" on iptel's
side ... they have their own version, and make money on it. But the thing is
that this free version is here to stay ... it is the "problem" of
opensource.
>Another option would be for them to release their
proprietary
implementation if they feel that it is a better, more tested one.
>In any case, i think that this whole thing needs to
be decided fast.
>
>Regards!
>
>Cesc
>
>
>
>
>
>
>>>>Alex Mack <amack(a)fhm.edu> 05/03/05 01:26PM >>>
>>>>
>>>>
>>>>
>Hi Cesc!
>
>Nice to have those fixes in a package.
>
>Is your cfg.y-patch to be applied *after* cfg.y.patch was applied or
>*instead* of cfg.y.patch?
>
>Or is your version a patched one which replaces the original
>implementation as a whole? In that case where's cfg.lex.patch?
>
>Alex Mack
>
>Cesc Santasusana schrieb:
>
>
>
>
>>Hi,
>>
>>I really hate to be so pushy, but i dont understand how such an important
piece of code as TLS is not moving on into CVS ... or anywhere else by this
matter. I will keep sending patches till i get tired (soon).
>>
>>Anyway ... i thought someone may be interested in a compilation fix for
cfg.y introduced with the tls_domains (it would not compile if the cfg.y
file had been patched but the tls-core files were not there); a bug fix for
the session caching (fixed by turning session caching and resumption off);
and an extension (the ability to choose the list of allowed ciphers from the
config file). Oh, and all the files have been tabbed, instead of spaced (for
indentation).
>
>Enjoy!
>
>Cesc
>
>
>
>
Unclassified
---------------------------------------------------------------------
---
_______________________________________________
Serdev mailing list
serdev(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serdev
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
7195
days inactive
7196
days old
1 comments
2 participants
participants (2)
-
Alex Mack -
Benny Ben-Ami