[Serusers] TLS...first steps

samuel samu60 at gmail.com
Fri Apr 7 13:02:56 CEST 2006


Hi folks!!

Finally I had time to test the new TLS module and faced lots of
problems, probably due to my lack of security knowledge. If somebody
can point me to a few links where I can gain some knowledge, I'll
appreciate it.

The problem:

I created the cert, key and ca-list using the scripts present in
openser's TLS module. I am using the latest CVS version and SER does
not start, giving the following error:

ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load
certificate file '/usr/local/etc/ser/certs/user-cert.pem'
ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM
routines:PEM_read_bio:no start line

Probably I did something wrong in the key creation or configured
something wrong in ser.cfg. The config is taken from a thread on
serdev about the status of the SER TLS module and it's really simple,
so I don't think it's wrong, but anyway, here it is:

loadmodule "/usr/local/lib/ser/modules/tls.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"

listen=tls:a.b.c.d:5061
listen=tcp:a.b.c.d:5060
listen=udp:a.b.c.d:5060

alias=mydomain.com

#modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 0)
modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem")
modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem")
modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem")
#modparam("tls", "config", "tls.cfg")

route {
    if (proto == TLS && (method == "POST" || method == "GET")) {
        create_via(); # XMLRPC requests do not contain via, create it

        if (!@tls.peer.verified) {
            # Client did not provide certificate or it is not valid
            xmlrpc_reply("400", "Unauthorized");
            break;
        }

        if (@xmlrpc.method == "core.kill") {
            # Make sure the client has the permission to execute the command
            if (@tls.peer != "SER-Killer") {
                xmlrpc_reply("400", "Access to core.kill denied");
                break;
            }
        }

        dispatch_rpc();
        break;
    }
}


Any comments are highly appreciated, thanks!

Samuel.
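The "PEM_read_bio:no start line" error above means OpenSSL never found a "-----BEGIN ...-----" header in the file it was handed; the usual causes are a file written in binary DER instead of PEM, an empty file, or a file containing only the human-readable "-text" dump. The following sanity check is an added example (not from the original post or the SER/OpenSER scripts) that reproduces those conditions on in-memory samples; the sample bytes and the check_pem function are constructed for illustration.

```python
import base64
import re

# Constructed example (not from the original post): a minimal PEM sanity check
# that mirrors the conditions behind OpenSSL's "PEM_read_bio:no start line".
# OpenSSL scans for a "-----BEGIN <LABEL>-----" line; binary DER files, empty
# files and text-only dumps never contain one and so trigger that error.

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

def check_pem(data: bytes) -> dict:
    """Return {'ok': bool, 'labels': [...], 'reason': str} for a PEM file's bytes."""
    if not data.strip():
        return {"ok": False, "labels": [], "reason": "empty file"}
    # DER starts with an ASN.1 SEQUENCE tag (0x30): a cert or key exported
    # without "-outform PEM" looks like this and has no start line at all.
    if data[0] == 0x30:
        return {"ok": False, "labels": [],
                "reason": "binary DER, not PEM (no start line)"}
    labels = []
    for m in PEM_BLOCK.finditer(data):
        label, body = m.group(1).decode(), m.group(2)
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            return {"ok": False, "labels": labels,
                    "reason": f"corrupt base64 in {label} block"}
        if not der or der[0] != 0x30:
            return {"ok": False, "labels": labels,
                    "reason": f"{label} block does not decode to ASN.1 SEQUENCE"}
        labels.append(label)
    if not labels:
        return {"ok": False, "labels": [], "reason": "no '-----BEGIN' header found"}
    return {"ok": True, "labels": labels, "reason": ""}

# Constructed samples: "MAA=" is base64 for the bytes 30 00, an empty SEQUENCE.
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n"
DER_FILE = bytes([0x30, 0x00])
TEXT_ONLY = b"Certificate:\n    Data:\n        Version: 3\n"  # -text dump, no PEM

if __name__ == "__main__":
    for name, blob in [("good", GOOD_PEM), ("der", DER_FILE), ("text", TEXT_ONLY)]:
        print(name, check_pem(blob))
```

Running check_pem over the bytes of each file named in ser.cfg (certificate, private_key, ca_list) shows which one lacks a PEM header before SER is restarted.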