[sr-dev] TLS trouble

M S shaheryarkh at gmail.com
Tue Oct 26 09:42:56 CEST 2021


Did you add a listener for the TLS port?

Also do not add 1 when defining WITH_TLS.

Make sure the TLS version in the cfg and the certs are correct, otherwise the
handshake will fail.

On Tue, Oct 26, 2021, 09:31 Lorenzo Campo <lorenzo at airspot.tech> wrote:

> Hi guys,
>
> We are quite new to Kamailio and we are trying to use it as a load
> balancer. While installing certificates we started having problems.
>
> We use Kamailio (vers. 5.5) deployed on a VM (Ubuntu, 20.04 LTS).
>
> We cannot connect to the Kamailio VM via TLS from clients or other TCP VMs.
>
> Our Kamailio currently exposes only port 5060 in UDP and TCP.
>
> Even doing a port scan on localhost, port 5061, used for the TLS protocol,
> is instead closed.
>
> There are 3 things worth noting:
>
> - All ports for all protocols are open on the firewall;
> - Before we set the disable_tcp option to "no", the 5060 was only
> reachable in UDP;
> - Even if you put in a non-existent certificate, the system does not return
> an error, so we cannot tell whether the quality of the certificates
> affects the opening of the port. Furthermore, we did not find any different
> behavior when switching from crt format (key for the private key) to PEM.
>
> If someone can help us, it would be very much appreciated.
>
> Thank you very much
>
> Here is our tls configuration:
>
> kamailio.cfg
>
> #!define WITH_TLS 1
>
> ...
>
> disable_tcp=no
>
> auto_aliases=no
>
> ….
>
> loadmodule "sl.so"
>
> loadmodule "tls.so"
>
> ...
>
> modparam("tls", "private_key", "/etc/kamailio/key.pem")
>
> modparam("tls", "certificate", "/etc/kamailio/crt.pem")
>
> modparam("tls", "ca_list", "/etc/kamailio/ca.pem")
>
> enable_tls=yes
>
>
> tls.config
>
> [server:default]
>
> method = TLSv1.2+
>
> verify_certificate = no
>
> require_certificate = no
>
> private_key = /etc/kamailio/kamailio-selfsigned.key
>
> certificate = /etc/kamailio/kamailio-selfsigned.pem
>
> #ca_list = /etc/kamailio/tls/cacert.pem
>
> #crl = /etc/kamailio/tls/crl.pem
>
> [client:default]
>
> #method = TLSv1.2+
>
> verify_certificate = no
>
> require_certificate = no
>
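The checks suggested in the reply above (a TLS listener, a bare `WITH_TLS` define, consistent certificate settings), written as a small Python preflight over the configuration text. This is an added example, not part of the original thread or of Kamailio itself; the function names are hypothetical and the embedded configuration is constructed from a subset of the settings quoted in the thread.

```python
import re

# Constructed from the settings quoted in this thread (elided parts omitted).
POSTED_CFG = '''
#!define WITH_TLS 1
disable_tcp=no
auto_aliases=no
loadmodule "sl.so"
loadmodule "tls.so"
modparam("tls", "private_key", "/etc/kamailio/key.pem")
modparam("tls", "certificate", "/etc/kamailio/crt.pem")
enable_tls=yes
'''
POSTED_TLS_CFG = '''
[server:default]
method = TLSv1.2+
private_key = /etc/kamailio/kamailio-selfsigned.key
certificate = /etc/kamailio/kamailio-selfsigned.pem
'''

def active_lines(text):
    """Yield non-empty lines, skipping '#' comments but keeping '#!' directives."""
    for line in text.splitlines():
        line = line.strip()
        if line and (line.startswith("#!") or not line.startswith("#")):
            yield line

def tls_preflight(cfg, tls_cfg=""):
    """Return a list of findings for the points raised in the reply."""
    lines = list(active_lines(cfg))
    findings = []
    if not any(re.match(r"listen\s*=\s*tls:", l, re.I) for l in lines):
        findings.append("no listen=tls:ADDR:PORT line found")
    if any(re.match(r"#!define\s+WITH_TLS\s+\S", l) for l in lines):
        findings.append("WITH_TLS is defined with a value; the reply advises a bare define")
    if not any(re.match(r"enable_tls\s*=\s*(yes|1)\b", l, re.I) for l in lines):
        findings.append("enable_tls is not set to yes")
    if not any(re.match(r'loadmodule\s+"(.*/)?tls(\.so)?"', l) for l in lines):
        findings.append("tls module is not loaded")
    # Compare key/cert paths given as modparams with those in the TLS profile file.
    joined = "\n".join(lines)
    mod = dict(re.findall(r'modparam\("tls",\s*"(private_key|certificate)",\s*"([^"]+)"\)', joined))
    prof = dict(re.findall(r"^\s*(private_key|certificate)\s*=\s*(\S+)", tls_cfg, re.M))
    for name in sorted(mod.keys() & prof.keys()):
        if mod[name] != prof[name]:
            findings.append(f"{name} differs: {mod[name]} vs {prof[name]}")
    return findings
```

Calling `tls_preflight(POSTED_CFG, POSTED_TLS_CFG)` reports the missing TLS listener, the valued define, and the two key/certificate path mismatches between the files.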

