[Serusers] TLS...first steps

samuel samu60 at gmail.com
Tue Apr 11 11:26:43 CEST 2006 

I first tried the external configuration file and indeed i had
problems. I afterwards used the modparam operation and tried to set
different keys and certs created in different ways (openser script,
openssl 0.9.7e, openssl 0.9.8a, w/o cyphering the keys....) and no
success...

If I write a wrong path in the SER config file, the error that appears
is "file not found" so I guess the location of certs/keys is properly
set. Even in the log the path is right....

I would say is a parsing problem because if I modify the cert itself
the error that appear in the SER log is different (I have really tried
lots of "strange" things...). If I modify the data, base64 error, if I
add a blank line between CERTIFICATE BEGIN and the cert itself it
complains about "no end line found"....that is why I deducted there is
a problem in the parsing but I ran out of time to continue with
debuging  :(

Can you please send me a working testing cert/key to try in my setup?

Than you,

Samuel.


2006/4/11, Klaus Darilion <klaus.mailinglists at pernau.at>:
> Are you using the simple configuration (in ser.cfg) or the advanced
> version (in a separate configuration file)?
>
> Maybe there are bugs in the configuration part of TLS.
>
> I tried once the external configuration file and it worked as long as I
> only used the default domains. Specifying dedicated TLS domain failed
> due to parser bugs.
>
> regards
> klaus
>
> samuel wrote:
> > Last check I made was to verify my own generated CA and server
> > certs/keys with latest openser-1.0.1.-tls and it properly reads the
> > files. I deducted therefore that there must be something wrong in the
> > cert reading process in the SER's tls module.
> > I can not debug further due to lack of time but I hope to read some
> > mail providing some feedback... it might also been some
> > misconfiguration in my config but I took it from the latest mails Jan
> > sent to the mailing list regarding TLS configuration (see the first
> > mail on this thread for the config file).
> >
> >
> > Thanks,
> > Samuel.
> >
> >
> > 2006/4/10, samuel <samu60 at gmail.com>:
> >> Last call for help....I'll detail steps to see if some guru finds what
> >> I am not doing right:
> >>
> >> I have created the cert/key in the PEM format with the next commands:
> >> Create self CA:
> >> #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365
> >> -out CA98cert.pem -outform PEM
> >> Create the request for our domain:
> >> #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out
> >> ser98req.pem -outform PEM
> >> Sing&issue cert
> >> #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req
> >> -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
> >>
> >> The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after
> >> several "lost" hours...)
> >>
> >> I can check with openssl tools the cert and key and both are OK and
> >> can create connections using the s_server and s_client tools included
> >> in the openssl package. They have the appropriate format, certificate
> >> file:
> >>
> >> -----BEGIN CERTIFICATE-----
> >> askjdfl
> >> -----END CERTIFICATE-----
> >>
> >> and the key:
> >> -----BEGIN RSA PRIVATE KEY-----
> >> Proc-Type: 4,ENCRYPTED
> >> DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
> >>
> >> -----END RSA PRIVATE KEY-----
> >>
> >> I have checked for "strange" characters but everything seems ok except
> >> that when I start SER, it gives me:
> >>
> >>
> >> Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200:
> >> TLSc<default>: Unable to load certificate file
> >> '/usr/local/etc/ser/certs/ser98cert.pem'
> >> Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201:
> >> load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
> >> Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing
> >> module tls
> >>
> >>
> >> Any feedback is highly appreciated...I never thought it would so
> >> difficult to use TLS.....
> >>
> >> Samuel.
> >>
> >> 2006/4/10, samuel <samu60 at gmail.com>:
> >>> I have been able to create a TLS connection with openssl tools
> >>> (s_server and s_client) using the certificates that SER is unable to
> >>> open.
> >>> Can anyone tell me how can I debug this problem and find where the problem is?
> >>>
> >>> Thanks again,
> >>> samuell.
> >>>
> >>>
> >>> 2006/4/7, samuel <samu60 at gmail.com>:
> >>>> It starts with Certificate and the corresponding fields. After this
> >>>> information, the cert itself begins with the BEGIN statement.
> >>>>
> >>>> As I said, I am just starting with TLS and probably I did not create
> >>>> the cert properly. I'll try to read more information meanwhile.
> >>>>
> >>>> Thanks,
> >>>> Samuel.
> >>>>
> >>>>
> >>>> 2006/4/7, Vaclav Kubart <vaclav.kubart at iptel.org>:
> >>>>> Is the certificate really in PEM format? Try to look on it with openssl
> >>>>> or try look into the file if starts with something like
> >>>>> "-----BEGIN CERTIFICATE-----".
> >>>>>
> >>>>> If it is not in PEM format you can use openssl to convert it...
> >>>>>
> >>>>>         Vaclav
> >>>>>
> >>>>> On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
> >>>>>> Yes....I even increased permissions up to the next level:
> >>>>>>
> >>>>>> -rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 cert.pem
> >>>>>> -rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 key.pem
> >>>>>> -rwxrwxrwx  1 root ser   1.4K 2006-04-07 12:26 user-calist.pem
> >>>>>> -rwxrwxrwx  1 root ser   3.0K 2006-04-07 12:26 user-cert.pem
> >>>>>> -rwxrwxrwx  1 root ser    530 2006-04-07 12:26 user-cert_req.pem
> >>>>>> -rwxrwxrwx  1 root ser    493 2006-04-07 12:26 user-privkey.
> >>>>>>
> >>>>>>
> >>>>>> 2006/4/7, Klaus Darilion <klaus.mailinglists at pernau.at>:
> >>>>>>> Does have ser permissions to read the cert files?
> >>>>>>>
> >>>>>>> klaus
> >>>>>>>
> >>>>>>> samuel wrote:
> >>>>>>>> Hi folks!!
> >>>>>>>>
> >>>>>>>> Finally I had time to test the new TLS module and faced lots of
> >>>>>>>> problems...probably due to my lack of security knowledge. If somebody
> >>>>>>>> can point me few links where I can gain some knowledge I'll appreciate
> >>>>>>>> it..
> >>>>>>>>
> >>>>>>>> The problem:
> >>>>>>>>
> >>>>>>>> I create the cert,key and ca-list using the scripts present in
> >>>>>>>> openser's TLS module. I am using the latest CVS version and SER does
> >>>>>>>> not start giving the next error:
> >>>>>>>>
> >>>>>>>>  ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load
> >>>>>>>> certificate file '/usr/local/etc/ser/certs/user-cert.pem'
> >>>>>>>> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM
> >>>>>>>> routines:PEM_read_bio:no start line
> >>>>>>>>
> >>>>>>>> Probably I did something wrong in the key creation or configure
> >>>>>>>> something wrong in ser.cfg....The config is taken from a thread
> >>>>>>>> present in serdev about the status of the SER TLS module and it's
> >>>>>>>> really simple so I don't think it's wrong but anyway, here it is:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> loadmodule "/usr/local/lib/ser/modules/tls.so"
> >>>>>>>> loadmodule "/usr/local/lib/ser/modules/sl.so"
> >>>>>>>> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
> >>>>>>>>
> >>>>>>>> listen=tls:a.b.c.d:5061
> >>>>>>>> listen=tcp:a.b.c.d:5060
> >>>>>>>> listen=udp:a.b.c.d:5060
> >>>>>>>>
> >>>>>>>> alias=mydomain.com
> >>>>>>>>
> >>>>>>>> #modparam("tls", "tls_method", "TLSv1")
> >>>>>>>> modparam("tls", "tls_method", "SSLv23")
> >>>>>>>> modparam("tls", "verify_certificate", 1)
> >>>>>>>> modparam("tls", "require_certificate", 0)
> >>>>>>>> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem")
> >>>>>>>> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem")
> >>>>>>>> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem")
> >>>>>>>> #modparam("tls", "config", "tls.cfg")
> >>>>>>>>
> >>>>>>>> route {
> >>>>>>>>    if (proto == TLS && (method == "POST" || method == "GET")) {
> >>>>>>>>        create_via(); # XMLRPC requests do not contain via, create it
> >>>>>>>>
> >>>>>>>>        if (!@tls.peer.verified) {
> >>>>>>>>            # Client did not provide certificate or it is not valid
> >>>>>>>>            xmlrpc_reply("400", "Unauthorized");
> >>>>>>>>            break;
> >>>>>>>>        }
> >>>>>>>>
> >>>>>>>>        if (@xmlrpc.method == "core.kill") {
> >>>>>>>>             # Make sure the client has the permission to execute the command
> >>>>>>>>             if (@tls.peer != "SER-Killer") {
> >>>>>>>>                 xmlrpc_reply("400", "Access to core.kill denied");
> >>>>>>>>                 break;
> >>>>>>>>            }
> >>>>>>>>        }
> >>>>>>>>
> >>>>>>>>        dispatch_rpc();
> >>>>>>>>        break;
> >>>>>>>>    }
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Any comments are highly appreciated, thanks!
> >>>>>>>>
> >>>>>>>> Samuel.
> >>>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> Serusers mailing list
> >>>>>>>> serusers at lists.iptel.org
> >>>>>>>> http://lists.iptel.org/mailman/listinfo/serusers
> >>>>>>>
> >>>>>> _______________________________________________
> >>>>>> Serusers mailing list
> >>>>>> serusers at lists.iptel.org
> >>>>>> http://lists.iptel.org/mailman/listinfo/serusers
>
>

More information about the sr-users mailing list