[Serusers] TLS...first steps

Klaus Darilion klaus.mailinglists at pernau.at
Tue Apr 11 11:16:30 CEST 2006


Are you using the simple configuration (in ser.cfg) or the advanced 
version (in a separate configuration file)?

Maybe there are bugs in the configuration part of TLS.

I once tried the external configuration file and it worked as long as I 
only used the default domains. Specifying a dedicated TLS domain failed 
due to parser bugs.

regards
klaus

samuel wrote:
> Last check I made was to verify my own generated CA and server
> certs/keys with latest openser-1.0.1.-tls and it properly reads the
> files. I deduced therefore that there must be something wrong in the
> cert reading process in the SER's tls module.
> I can not debug further due to lack of time but I hope to read some
> mail providing some feedback... it might also have been some
> misconfiguration in my config but I took it from the latest mails Jan
> sent to the mailing list regarding TLS configuration (see the first
> mail on this thread for the config file).
> 
> 
> Thanks,
> Samuel.
> 
> 
> 2006/4/10, samuel <samu60 at gmail.com>:
>> Last call for help....I'll detail the steps to see if some guru finds what
>> I am not doing right:
>>
>> I have created the cert/key in the PEM format with the following commands:
>> Create self CA:
>> #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 -out CA98cert.pem -outform PEM
>> Create the request for our domain:
>> #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out ser98req.pem -outform PEM
>> Sign & issue cert:
>> #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
>>
>> The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after
>> several "lost" hours...)
>>
>> I can check with openssl tools the cert and key and both are OK and
>> can create connections using the s_server and s_client tools included
>> in the openssl package. They have the appropriate format, certificate
>> file:
>>
>> -----BEGIN CERTIFICATE-----
>> askjdfl
>> -----END CERTIFICATE-----
>>
>> and the key:
>> -----BEGIN RSA PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
>>
>> -----END RSA PRIVATE KEY-----
>>
>> I have checked for "strange" characters but everything seems ok except
>> that when I start SER, it gives me:
>>
>>
>> Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200:
>> TLSc<default>: Unable to load certificate file
>> '/usr/local/etc/ser/certs/ser98cert.pem'
>> Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201:
>> load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
>> Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing
>> module tls
>>
>>
>> Any feedback is highly appreciated...I never thought it would be so
>> difficult to use TLS.....
>>
>> Samuel.
>>
>> 2006/4/10, samuel <samu60 at gmail.com>:
>>> I have been able to create a TLS connection with openssl tools
>>> (s_server and s_client) using the certificates that SER is unable to
>>> open.
>>> Can anyone tell me how can I debug this problem and find where the problem is?
>>>
>>> Thanks again,
>>> samuell.
>>>
>>>
>>> 2006/4/7, samuel <samu60 at gmail.com>:
>>>> It starts with Certificate and the corresponding fields. After this
>>>> information, the cert itself begins with the BEGIN statement.
>>>>
>>>> As I said, I am just starting with TLS and probably I did not create
>>>> the cert properly. I'll try to read more information meanwhile.
>>>>
>>>> Thanks,
>>>> Samuel.
>>>>
>>>>
>>>> 2006/4/7, Vaclav Kubart <vaclav.kubart at iptel.org>:
>>>>> Is the certificate really in PEM format? Try to look at it with openssl
>>>>> or look into the file to see if it starts with something like
>>>>> "-----BEGIN CERTIFICATE-----".
>>>>>
>>>>> If it is not in PEM format you can use openssl to convert it...
>>>>>
>>>>>         Vaclav
>>>>>
>>>>> On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
>>>>>> Yes....I even increased permissions up to the next level:
>>>>>>
>>>>>> -rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 cert.pem
>>>>>> -rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 key.pem
>>>>>> -rwxrwxrwx  1 root ser   1.4K 2006-04-07 12:26 user-calist.pem
>>>>>> -rwxrwxrwx  1 root ser   3.0K 2006-04-07 12:26 user-cert.pem
>>>>>> -rwxrwxrwx  1 root ser    530 2006-04-07 12:26 user-cert_req.pem
>>>>>> -rwxrwxrwx  1 root ser    493 2006-04-07 12:26 user-privkey.
>>>>>>
>>>>>>
>>>>>> 2006/4/7, Klaus Darilion <klaus.mailinglists at pernau.at>:
>>>>>>> Does ser have permissions to read the cert files?
>>>>>>>
>>>>>>> klaus
>>>>>>>
>>>>>>> samuel wrote:
>>>>>>>> Hi folks!!
>>>>>>>>
>>>>>>>> Finally I had time to test the new TLS module and faced lots of
>>>>>>>> problems...probably due to my lack of security knowledge. If somebody
>>>>>>>> can point me to a few links where I can gain some knowledge I'll appreciate
>>>>>>>> it..
>>>>>>>>
>>>>>>>> The problem:
>>>>>>>>
>>>>>>>> I create the cert, key and ca-list using the scripts present in
>>>>>>>> openser's TLS module. I am using the latest CVS version and SER does
>>>>>>>> not start, giving the following error:
>>>>>>>>
>>>>>>>> ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load
>>>>>>>> certificate file '/usr/local/etc/ser/certs/user-cert.pem'
>>>>>>>> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM
>>>>>>>> routines:PEM_read_bio:no start line
>>>>>>>>
>>>>>>>> Probably I did something wrong in the key creation or configured
>>>>>>>> something wrong in ser.cfg....The config is taken from a thread
>>>>>>>> present in serdev about the status of the SER TLS module and it's
>>>>>>>> really simple so I don't think it's wrong but anyway, here it is:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> loadmodule "/usr/local/lib/ser/modules/tls.so"
>>>>>>>> loadmodule "/usr/local/lib/ser/modules/sl.so"
>>>>>>>> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
>>>>>>>>
>>>>>>>> listen=tls:a.b.c.d:5061
>>>>>>>> listen=tcp:a.b.c.d:5060
>>>>>>>> listen=udp:a.b.c.d:5060
>>>>>>>>
>>>>>>>> alias=mydomain.com
>>>>>>>>
>>>>>>>> #modparam("tls", "tls_method", "TLSv1")
>>>>>>>> modparam("tls", "tls_method", "SSLv23")
>>>>>>>> modparam("tls", "verify_certificate", 1)
>>>>>>>> modparam("tls", "require_certificate", 0)
>>>>>>>> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem")
>>>>>>>> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem")
>>>>>>>> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem")
>>>>>>>> #modparam("tls", "config", "tls.cfg")
>>>>>>>>
>>>>>>>> route {
>>>>>>>>    if (proto == TLS && (method == "POST" || method == "GET")) {
>>>>>>>>        create_via(); # XMLRPC requests do not contain via, create it
>>>>>>>>
>>>>>>>>        if (!@tls.peer.verified) {
>>>>>>>>            # Client did not provide certificate or it is not valid
>>>>>>>>            xmlrpc_reply("400", "Unauthorized");
>>>>>>>>            break;
>>>>>>>>        }
>>>>>>>>
>>>>>>>>        if (@xmlrpc.method == "core.kill") {
>>>>>>>>             # Make sure the client has the permission to execute the command
>>>>>>>>             if (@tls.peer != "SER-Killer") {
>>>>>>>>                 xmlrpc_reply("400", "Access to core.kill denied");
>>>>>>>>                 break;
>>>>>>>>            }
>>>>>>>>        }
>>>>>>>>
>>>>>>>>        dispatch_rpc();
>>>>>>>>        break;
>>>>>>>>    }
>>>>>>>> }
>>>>>>>>
>>>>>>>>
>>>>>>>> Any comments are highly appreciated, thanks!
>>>>>>>>
>>>>>>>> Samuel.
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Serusers mailing list
>>>>>>>> serusers at lists.iptel.org
>>>>>>>> http://lists.iptel.org/mailman/listinfo/serusers
>>>>>>>
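As an added example, not part of this thread and not SER or OpenSSL code: a small Python checker that inspects a certificate or key file for the conditions that produce the "PEM routines:PEM_read_bio:no start line" error quoted above (no BEGIN line at all, or a DER file where PEM was expected), and for other things that stop a daemon loading the file even when the framing is right (a passphrase-encrypted key like the `Proc-Type: 4,ENCRYPTED` sample, a body with stray characters, a certificate where a key was expected). All sample inputs below are constructed and contain no real key material.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label (OpenSSL insists on this too).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def inspect_pem(data: bytes, expect: str) -> dict:
    """Inspect a cert/key file as OpenSSL's PEM_read_bio will; `expect` is "cert" or "key"."""
    result = {"labels": [], "encrypted": False, "problems": []}
    if data[:2] in (b"\x30\x81", b"\x30\x82", b"\x30\x83"):
        # ASN.1 SEQUENCE with a long-form length: a DER file, which has no start line
        result["problems"].append("DER encoding, not PEM (no start line)")
        return result
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # Exactly the condition behind "PEM routines:PEM_read_bio:no start line"
        result["problems"].append("no '-----BEGIN ...-----' line found")
        return result
    for raw_label, body in blocks:
        label = raw_label.decode()
        result["labels"].append(label)
        lines = body.splitlines()
        if lines and lines[0].startswith(b"Proc-Type: 4,ENCRYPTED"):
            # Passphrase-protected key: a daemon started at boot cannot type the password
            result["encrypted"] = True
            result["problems"].append(f"{label} is passphrase-encrypted")
        # Drop "Name: value" headers and blank lines; the rest must be clean base64
        b64 = b"".join(l.strip() for l in lines if l.strip() and b":" not in l)
        if not b64:
            result["problems"].append(f"{label} block has an empty body")
            continue
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:
            result["problems"].append(f"{label} body is not valid base64 (stray characters?)")
    wanted = {"CERTIFICATE"} if expect == "cert" else KEY_LABELS
    if not wanted & set(result["labels"]):
        result["problems"].append(f"no {expect} block; found {result['labels']}")
    return result

# Constructed samples (not real key material): a well-formed certificate, an encrypted
# key framed like the one quoted in the thread, and a text-only dump with no BEGIN line.
GOOD_CERT = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"not a real certificate")
             + b"\n-----END CERTIFICATE-----\n")
ENC_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           b"DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF\n\n"
           + base64.b64encode(b"ciphertext") + b"\n-----END RSA PRIVATE KEY-----\n")
NO_START = b"Certificate:\n    Data:\n        Version: 3 (0x2)\n"
```

Run it with `open(path, "rb").read()` on the files named in the `certificate` and `private_key` modparams before restarting SER; an empty `problems` list for both means the loader's framing checks will pass, although it does not prove the key matches the certificate.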