[Serusers] TLS...first steps

samuel samu60 at gmail.com
Mon Apr 10 18:41:07 CEST 2006 

Last call for help....I'll detail steps to see if some guru finds what
I am not doing right:

I have created the cert/key in the PEM format with the next commands:
Create self CA:
#openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365
-out CA98cert.pem -outform PEM
Create the request for our domain:
#openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out
ser98req.pem -outform PEM
Sing&issue cert
#openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req
-CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem

The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after
several "lost" hours...)

I can check with openssl tools the cert and key and both are OK and
can create connections using the s_server and s_client tools included
in the openssl package. They have the appropriate format, certificate
file:

-----BEGIN CERTIFICATE-----
askjdfl
-----END CERTIFICATE-----

and the key:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF

-----END RSA PRIVATE KEY-----

I have checked for "strange" characters but everything seems ok except
that when I start SER, it gives me:


Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200:
TLSc<default>: Unable to load certificate file
'/usr/local/etc/ser/certs/ser98cert.pem'
Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201:
load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing
module tls


Any feedback is highly appreciated...I never thought it would so
difficult to use TLS.....

Samuel.

2006/4/10, samuel <samu60 at gmail.com>:
> I have been able to create a TLS connection with openssl tools
> (s_server and s_client) using the certificates that SER is unable to
> open.
> Can anyone tell me how can I debug this problem and find where the problem is?
>
> Thanks again,
> samuell.
>
>
> 2006/4/7, samuel <samu60 at gmail.com>:
> > It starts with Certificate and the corresponding fields. After this
> > information, the cert itself begins with the BEGIN statement.
> >
> > As I said, I am just starting with TLS and probably I did not create
> > the cert properly. I'll try to read more information meanwhile.
> >
> > Thanks,
> > Samuel.
> >
> >
> > 2006/4/7, Vaclav Kubart <vaclav.kubart at iptel.org>:
> > > Is the certificate really in PEM format? Try to look on it with openssl
> > > or try look into the file if starts with something like
> > > "-----BEGIN CERTIFICATE-----".
> > >
> > > If it is not in PEM format you can use openssl to convert it...
> > >
> > >         Vaclav
> > >
> > > On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
> > > > Yes....I even increased permissions up to the next level:
> > > >
> > > > -rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 cert.pem
> > > > -rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 key.pem
> > > > -rwxrwxrwx  1 root ser   1.4K 2006-04-07 12:26 user-calist.pem
> > > > -rwxrwxrwx  1 root ser   3.0K 2006-04-07 12:26 user-cert.pem
> > > > -rwxrwxrwx  1 root ser    530 2006-04-07 12:26 user-cert_req.pem
> > > > -rwxrwxrwx  1 root ser    493 2006-04-07 12:26 user-privkey.
> > > >
> > > >
> > > > 2006/4/7, Klaus Darilion <klaus.mailinglists at pernau.at>:
> > > > > Does have ser permissions to read the cert files?
> > > > >
> > > > > klaus
> > > > >
> > > > > samuel wrote:
> > > > > > Hi folks!!
> > > > > >
> > > > > > Finally I had time to test the new TLS module and faced lots of
> > > > > > problems...probably due to my lack of security knowledge. If somebody
> > > > > > can point me few links where I can gain some knowledge I'll appreciate
> > > > > > it..
> > > > > >
> > > > > > The problem:
> > > > > >
> > > > > > I create the cert,key and ca-list using the scripts present in
> > > > > > openser's TLS module. I am using the latest CVS version and SER does
> > > > > > not start giving the next error:
> > > > > >
> > > > > >  ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load
> > > > > > certificate file '/usr/local/etc/ser/certs/user-cert.pem'
> > > > > > ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM
> > > > > > routines:PEM_read_bio:no start line
> > > > > >
> > > > > > Probably I did something wrong in the key creation or configure
> > > > > > something wrong in ser.cfg....The config is taken from a thread
> > > > > > present in serdev about the status of the SER TLS module and it's
> > > > > > really simple so I don't think it's wrong but anyway, here it is:
> > > > > >
> > > > > >
> > > > > >
> > > > > > loadmodule "/usr/local/lib/ser/modules/tls.so"
> > > > > > loadmodule "/usr/local/lib/ser/modules/sl.so"
> > > > > > loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
> > > > > >
> > > > > > listen=tls:a.b.c.d:5061
> > > > > > listen=tcp:a.b.c.d:5060
> > > > > > listen=udp:a.b.c.d:5060
> > > > > >
> > > > > > alias=mydomain.com
> > > > > >
> > > > > > #modparam("tls", "tls_method", "TLSv1")
> > > > > > modparam("tls", "tls_method", "SSLv23")
> > > > > > modparam("tls", "verify_certificate", 1)
> > > > > > modparam("tls", "require_certificate", 0)
> > > > > > modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem")
> > > > > > modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem")
> > > > > > modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem")
> > > > > > #modparam("tls", "config", "tls.cfg")
> > > > > >
> > > > > > route {
> > > > > >    if (proto == TLS && (method == "POST" || method == "GET")) {
> > > > > >        create_via(); # XMLRPC requests do not contain via, create it
> > > > > >
> > > > > >        if (!@tls.peer.verified) {
> > > > > >            # Client did not provide certificate or it is not valid
> > > > > >            xmlrpc_reply("400", "Unauthorized");
> > > > > >            break;
> > > > > >        }
> > > > > >
> > > > > >        if (@xmlrpc.method == "core.kill") {
> > > > > >             # Make sure the client has the permission to execute the command
> > > > > >             if (@tls.peer != "SER-Killer") {
> > > > > >                 xmlrpc_reply("400", "Access to core.kill denied");
> > > > > >                 break;
> > > > > >            }
> > > > > >        }
> > > > > >
> > > > > >        dispatch_rpc();
> > > > > >        break;
> > > > > >    }
> > > > > > }
> > > > > >
> > > > > >
> > > > > > Any comments are highly appreciated, thanks!
> > > > > >
> > > > > > Samuel.
> > > > > >
> > > > > > _______________________________________________
> > > > > > Serusers mailing list
> > > > > > serusers at lists.iptel.org
> > > > > > http://lists.iptel.org/mailman/listinfo/serusers
> > > > >
> > > > >
> > > >
> > > > _______________________________________________
> > > > Serusers mailing list
> > > > serusers at lists.iptel.org
> > > > http://lists.iptel.org/mailman/listinfo/serusers
> > >
> >
>

More information about the sr-users mailing list