[Serusers] TLS...first steps

samuel samu60 at gmail.com
Fri Apr 7 13:59:53 CEST 2006


Yes....I even increased permissions up to the next level:

-rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 cert.pem
-rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 key.pem
-rwxrwxrwx  1 root ser   1.4K 2006-04-07 12:26 user-calist.pem
-rwxrwxrwx  1 root ser   3.0K 2006-04-07 12:26 user-cert.pem
-rwxrwxrwx  1 root ser    530 2006-04-07 12:26 user-cert_req.pem
-rwxrwxrwx  1 root ser    493 2006-04-07 12:26 user-privkey.


2006/4/7, Klaus Darilion <klaus.mailinglists at pernau.at>:
> Does have ser permissions to read the cert files?
>
> klaus
>
> samuel wrote:
> > Hi folks!!
> >
> > Finally I had time to test the new TLS module and faced lots of
> > problems...probably due to my lack of security knowledge. If somebody
> > can point me few links where I can gain some knowledge I'll appreciate
> > it..
> >
> > The problem:
> >
> > I create the cert,key and ca-list using the scripts present in
> > openser's TLS module. I am using the latest CVS version and SER does
> > not start giving the next error:
> >
> >  ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load
> > certificate file '/usr/local/etc/ser/certs/user-cert.pem'
> > ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM
> > routines:PEM_read_bio:no start line
> >
> > Probably I did something wrong in the key creation or configure
> > something wrong in ser.cfg....The config is taken from a thread
> > present in serdev about the status of the SER TLS module and it's
> > really simple so I don't think it's wrong but anyway, here it is:
> >
> >
> >
> > loadmodule "/usr/local/lib/ser/modules/tls.so"
> > loadmodule "/usr/local/lib/ser/modules/sl.so"
> > loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
> >
> > listen=tls:a.b.c.d:5061
> > listen=tcp:a.b.c.d:5060
> > listen=udp:a.b.c.d:5060
> >
> > alias=mydomain.com
> >
> > #modparam("tls", "tls_method", "TLSv1")
> > modparam("tls", "tls_method", "SSLv23")
> > modparam("tls", "verify_certificate", 1)
> > modparam("tls", "require_certificate", 0)
> > modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem")
> > modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem")
> > modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem")
> > #modparam("tls", "config", "tls.cfg")
> >
> > route {
> >    if (proto == TLS && (method == "POST" || method == "GET")) {
> >        create_via(); # XMLRPC requests do not contain via, create it
> >
> >        if (!@tls.peer.verified) {
> >            # Client did not provide certificate or it is not valid
> >            xmlrpc_reply("400", "Unauthorized");
> >            break;
> >        }
> >
> >        if (@xmlrpc.method == "core.kill") {
> >             # Make sure the client has the permission to execute the command
> >             if (@tls.peer != "SER-Killer") {
> >                 xmlrpc_reply("400", "Access to core.kill denied");
> >                 break;
> >            }
> >        }
> >
> >        dispatch_rpc();
> >        break;
> >    }
> > }
> >
> >
> > Any comments are highly appreciated, thanks!
> >
> > Samuel.
> >
> > _______________________________________________
> > Serusers mailing list
> > serusers at lists.iptel.org
> > http://lists.iptel.org/mailman/listinfo/serusers
>
>
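An added diagnostic for the error quoted in the thread (example code, not from the thread or the SER project): it checks each tls modparam file for a PEM BEGIN/END block, the label that parameter should carry, and the mode bits, since "no start line" means PEM_read_bio found no BEGIN line at all, and the rwxrwxrwx mode from the listing is a separate issue that the check also flags. The EXPECTED_LABELS mapping and the function names are assumptions made for this example.

```python
import os
import re
import stat

# PEM label each tls modparam in the quoted ser.cfg should point at
# (an assumption for this example, not taken from the tls module source).
EXPECTED_LABELS = {
    "certificate": {"CERTIFICATE"},
    "private_key": {"RSA PRIVATE KEY", "PRIVATE KEY"},
    "ca_list": {"CERTIFICATE"},
}

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_labels(data):
    """Labels of all PEM blocks in the text, in order. An empty result is
    exactly what makes OpenSSL's PEM_read_bio fail with 'no start line'."""
    return [m.group(1) for m in PEM_BLOCK.finditer(data)]

def diagnose_pem(param, data, mode):
    """Check contents and permission bits for one tls modparam.
    Returns a list of problem strings; empty means the file looks usable."""
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("%s: world-writable (mode %o)" % (param, mode))
    if param == "private_key" and mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("%s: key readable by group/others (mode %o)" % (param, mode))
    labels = pem_labels(data)
    if not labels:
        problems.append("%s: no '-----BEGIN ...-----' block, OpenSSL reports "
                        "'PEM_read_bio:no start line'" % param)
    elif not set(labels) & EXPECTED_LABELS[param]:
        problems.append("%s: found %s, expected one of %s"
                        % (param, labels, sorted(EXPECTED_LABELS[param])))
    return problems

def check_pem_file(param, path):
    """Stat and read the file as the current uid (run it as the ser user so
    os.access matches what the daemon sees), then run diagnose_pem."""
    try:
        st = os.stat(path)
        if not os.access(path, os.R_OK):
            return ["%s: %s not readable by uid %d" % (param, path, os.getuid())]
        with open(path, "rb") as f:
            data = f.read().decode("ascii", "replace")
    except OSError as e:
        return ["%s: %s: %s" % (param, path, e.strerror)]
    return diagnose_pem(param, data, stat.S_IMODE(st.st_mode))
```

Running check_pem_file over the three paths from the modparam lines, as the ser user, separates a readability problem from a file that simply is not PEM.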