[sr-dev] [Fwd: Re: AW: AW: AW: AW: [SR-Users] TLS problems]

Klaus Darilion klaus.mailinglists at pernau.at
Fri Jan 22 16:03:02 CET 2010


(forgot to cc the list)

Andreas Rehbein wrote:
> Hi Klaus,
> 
> until now (OpenSER 1.3.x without client verification) it was not necessary
> to import certs into snom. 
> To force the snom to send Messages via tls, you need to insert something
> like "192.168.0.89:5061;transport=tls" in the outbound proxy field (but I'm
> sure you already knew)

Looks like SNOM's TLS implementation is a piece of crap.

If the server uses a TLS certificate with depth 1 (CA->server-cert),
then the SNOM phone accepts the certificate and handshake succeeds. If
the certificate has depth 2 (CA->subCA->server-cert), then the SNOM
phone raises an error during handshake.

And strangely, the "trusted certificates" are not used at all for
validation. Thus, SNOM uses the TLS connection solely for encryption,
not for server authentication.

regards
klaus

> 
> regards
> Andreas
> 
> 
> -----Original Message-----
> From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at] 
> Sent: Friday, 22 January 2010 13:17
> To: Andreas Rehbein
> Cc: sr-users at lists.sip-router.org
> Subject: Re: AW: AW: AW: [SR-Users] TLS problems
> 
> 
> 
> Andreas Rehbein wrote:
>> Hello Klaus,
>>
>> Linux: Red Hat Enterprise Linux 5; Kernel: 2.6.18-92.1.10.el5
>> OpenSSL: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> 
> Hi Andreas!
> 
> I fail to configure SNOM to accept the certificate. I imported the CA 
> cert as trusted certificates, but TLS handshake is not successful. Is 
> there something else I need to take care of?
> 
> I'm quite sure my certificates are OK as it works with eyebeam and QjSimple.
> 
> regards
> Klaus
> 
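
A bench check for the two behaviours reported in the message above, added here as an example and not part of the original thread: it builds a throwaway CA->subCA->server-cert chain with the openssl CLI and shows the decision a validating client should reach in each case. All names, subjects and file names are constructed for the example.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI (all names hypothetical): root CA -> sub CA -> server cert.

# issue NAME SUBJECT EXTFILE [ISSUER]   (self-signed when ISSUER is omitted)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1 || return 1
  if [ -n "$4" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 2 -sha256 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 2 -sha256 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  fi
}

# build_pki DIR: depth-2 chain plus an unrelated root that signed nothing
build_pki() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  issue root  "/CN=Constructed Root CA" ca.ext &&
  issue sub   "/CN=Constructed Sub CA"  ca.ext root &&
  issue leaf  "/CN=sip.example.test"    leaf.ext sub &&
  issue other "/CN=Unrelated Root CA"   ca.ext
)

# chain_ok DIR ANCHOR [INTERMEDIATE]: does leaf.pem validate against the trust
# anchor, optionally with the intermediate the server would send in the handshake?
chain_ok() (
  cd "$1" || exit 1
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2.pem" -untrusted "$3.pem" leaf.pem 2>/dev/null
  else
    openssl verify -CAfile "$2.pem" leaf.pem 2>/dev/null
  fi | grep -q 'OK$'
)

d=$(mktemp -d) && build_pki "$d" || exit 1
# Depth 2 is valid when the subCA is available: a client must accept this.
chain_ok "$d" root sub  && echo "root trusted, subCA sent: accepted"
# Without the subCA the path cannot be built: check the server sends the full chain.
chain_ok "$d" root      || echo "root trusted, subCA missing: rejected"
# A client that still completes the handshake here is not authenticating the server.
chain_ok "$d" other sub || echo "only unrelated root trusted: rejected"
rm -rf "$d"
```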



