[Serusers] TLS...first steps

Klaus Darilion klaus.mailinglists at pernau.at
Fri Apr 7 13:51:36 CEST 2006


Does ser have permissions to read the cert files?

klaus

samuel wrote:
> Hi folks!!
> 
> Finally I had time to test the new TLS module and faced lots of
> problems... probably due to my lack of security knowledge. If somebody
> can point me to a few links where I can gain some knowledge I'll appreciate
> it.
> 
> The problem:
> 
> I created the cert, key and ca-list using the scripts present in
> openser's TLS module. I am using the latest CVS version and SER does
> not start, giving the next error:
> 
> ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/user-cert.pem'
> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
> 
> Probably I did something wrong in the key creation or configured
> something wrong in ser.cfg. The config is taken from a thread
> present in serdev about the status of the SER TLS module and it's
> really simple so I don't think it's wrong, but anyway, here it is:
> 
> 
> 
> loadmodule "/usr/local/lib/ser/modules/tls.so"
> loadmodule "/usr/local/lib/ser/modules/sl.so"
> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
> 
> listen=tls:a.b.c.d:5061
> listen=tcp:a.b.c.d:5060
> listen=udp:a.b.c.d:5060
> 
> alias=mydomain.com
> 
> #modparam("tls", "tls_method", "TLSv1")
> modparam("tls", "tls_method", "SSLv23")
> modparam("tls", "verify_certificate", 1)
> modparam("tls", "require_certificate", 0)
> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem")
> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem")
> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem")
> #modparam("tls", "config", "tls.cfg")
> 
> route {
>    if (proto == TLS && (method == "POST" || method == "GET")) {
>        create_via(); # XMLRPC requests do not contain via, create it
> 
>        if (!@tls.peer.verified) {
>            # Client did not provide certificate or it is not valid
>            xmlrpc_reply("400", "Unauthorized");
>            break;
>        }
> 
>        if (@xmlrpc.method == "core.kill") {
>            # Make sure the client has the permission to execute the command
>            if (@tls.peer != "SER-Killer") {
>                xmlrpc_reply("400", "Access to core.kill denied");
>                break;
>            }
>        }
> 
>        dispatch_rpc();
>        break;
>    }
> }
> 
> 
> Any comments are highly appreciated, thanks!
> 
> Samuel.
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
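A pre-flight check for the three files named in the tls modparams, added here as an example and not part of the original thread. It covers both the permission question above and what the quoted error actually means: OpenSSL reports "PEM_read_bio:no start line" when it finds no "-----BEGIN" line in the file (DER-encoded, empty or wrong file). The sample files and paths are constructed; run it as the account SER runs under, otherwise the readability check answers for the wrong user.

```shell
#!/bin/sh
# Usage as the SER account, e.g.: su -s /bin/sh ser -c 'sh tlscheck.sh'

# check_pem_file FILE [LABEL]
# Prints one word: missing, unreadable, empty, no-start-line, wrong-type or ok.
# LABEL (CERTIFICATE, "PRIVATE KEY") must appear in the first BEGIN line.
check_pem_file() {
    f=$1; want=$2
    [ -e "$f" ] || { echo missing; return 1; }
    [ -r "$f" ] || { echo unreadable; return 1; }
    [ -s "$f" ] || { echo empty; return 1; }
    # PEM_read_bio scans for a "-----BEGIN ..." line; none found = "no start line"
    begin=$(grep '^-----BEGIN ' "$f" | head -n 1)
    [ -n "$begin" ] || { echo no-start-line; return 1; }
    if [ -n "$want" ]; then
        case $begin in
            *"$want"*) ;;
            *) echo wrong-type; return 1 ;;
        esac
    fi
    echo ok
}

# check_ser_tls_files CERT KEY CALIST: the three paths from ser.cfg.
# Prints one line per file, returns 0 only if all three pass.
check_ser_tls_files() {
    rc=0
    for spec in "$1:CERTIFICATE" "$2:PRIVATE KEY" "$3:CERTIFICATE"; do
        path=${spec%%:*}; label=${spec#*:}
        res=$(check_pem_file "$path" "$label") || rc=1
        printf '%-40s %s\n' "$path" "$res"
    done
    return $rc
}

# Constructed sample files (not real credentials): two well-formed PEM wrappers
# and a ca-list holding bare base64 with no BEGIN line, reproducing the error.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBszCCAVygAwIBAgIBAQ==' \
    '-----END CERTIFICATE-----' > "$SAMPLE_DIR/user-cert.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIICXAIBAAKBgQ==' \
    '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/user-privkey.pem"
printf '%s\n' 'MIIBszCCAVygAwIBAgIBAQ==' > "$SAMPLE_DIR/user-calist.pem"

check_ser_tls_files "$SAMPLE_DIR/user-cert.pem" "$SAMPLE_DIR/user-privkey.pem" \
    "$SAMPLE_DIR/user-calist.pem" || echo "SER would refuse to start with these files"
```

A file that passes this check but still fails to load is most likely owned or moded so that only root can read it; compare the owner with the account SER drops privileges to.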
