[Serusers] TLS...first steps

Klaus Darilion klaus.mailinglists at pernau.at
Tue Apr 11 12:46:15 CEST 2006


samuel wrote:
> I first tried the external configuration file and indeed I had
> problems. I afterwards used the modparam operation and tried to set
> different keys and certs created in different ways (openser script,
> openssl 0.9.7e, openssl 0.9.8a, w/o cyphering the keys....) and no
> success...
> 
> If I write a wrong path in the SER config file, the error that appears
> is "file not found" so I guess the location of certs/keys is properly
> set. Even in the log the path is right....
> 
> I would say is a parsing problem because if I modify the cert itself
> the error that appear in the SER log is different (I have really tried
> lots of "strange" things...). If I modify the data, base64 error, if I
> add a blank line between CERTIFICATE BEGIN and the cert itself it
> complains about "no end line found"....that is why I deducted there is
> a problem in the parsing but I ran out of time to continue with
> debugging :(
> 
> Can you please send me a working testing cert/key to try in my setup?

If your certs work with openser I think they should be fine.

Try to rename the certs and put them into the default location. (To find 
out the default location and name for the certs just start TLS without 
cert configuration and watch the logs.)

regards
klaus


> 
> Thank you,
> 
> Samuel.
> 
> 
> 2006/4/11, Klaus Darilion <klaus.mailinglists at pernau.at>:
>> Are you using the simple configuration (in ser.cfg) or the advanced
>> version (in a separate configuration file)?
>>
>> Maybe there are bugs in the configuration part of TLS.
>>
>> I tried once the external configuration file and it worked as long as I
>> only used the default domains. Specifying dedicated TLS domain failed
>> due to parser bugs.
>>
>> regards
>> klaus
>>
>> samuel wrote:
>>> Last check I made was to verify my own generated CA and server
>>> certs/keys with latest openser-1.0.1.-tls and it properly reads the
>>> files. I deducted therefore that there must be something wrong in the
>>> cert reading process in the SER's tls module.
>>> I can not debug further due to lack of time but I hope to read some
>>> mail providing some feedback... it might also have been some
>>> misconfiguration in my config but I took it from the latest mails Jan
>>> sent to the mailing list regarding TLS configuration (see the first
>>> mail on this thread for the config file).
>>>
>>>
>>> Thanks,
>>> Samuel.
>>>
>>>
>>> 2006/4/10, samuel <samu60 at gmail.com>:
>>>> Last call for help....I'll detail steps to see if some guru finds what
>>>> I am not doing right:
>>>>
>>>> I have created the cert/key in the PEM format with the next commands:
>>>> Create self CA:
>>>> #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365
>>>> -out CA98cert.pem -outform PEM
>>>> Create the request for our domain:
>>>> #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out
>>>> ser98req.pem -outform PEM
>>>> Sign & issue cert
>>>> #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req
>>>> -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
>>>>
>>>> The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after
>>>> several "lost" hours...)
>>>>
>>>> I can check with openssl tools the cert and key and both are OK and
>>>> can create connections using the s_server and s_client tools included
>>>> in the openssl package. They have the appropriate format, certificate
>>>> file:
>>>>
>>>> -----BEGIN CERTIFICATE-----
>>>> askjdfl
>>>> -----END CERTIFICATE-----
>>>>
>>>> and the key:
>>>> -----BEGIN RSA PRIVATE KEY-----
>>>> Proc-Type: 4,ENCRYPTED
>>>> DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
>>>>
>>>> -----END RSA PRIVATE KEY-----
>>>>
>>>> I have checked for "strange" characters but everything seems ok except
>>>> that when I start SER, it gives me:
>>>>
>>>>
>>>> Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200:
>>>> TLSc<default>: Unable to load certificate file
>>>> '/usr/local/etc/ser/certs/ser98cert.pem'
>>>> Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201:
>>>> load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
>>>> Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing
>>>> module tls
>>>>
>>>>
>>>> Any feedback is highly appreciated...I never thought it would be so
>>>> difficult to use TLS.....
>>>>
>>>> Samuel.
>>>>
>>>> 2006/4/10, samuel <samu60 at gmail.com>:
>>>>> I have been able to create a TLS connection with openssl tools
>>>>> (s_server and s_client) using the certificates that SER is unable to
>>>>> open.
>>>>> Can anyone tell me how can I debug this problem and find where the problem is?
>>>>>
>>>>> Thanks again,
>>>>> samuell.
>>>>>
>>>>>
>>>>> 2006/4/7, samuel <samu60 at gmail.com>:
>>>>>> It starts with Certificate and the corresponding fields. After this
>>>>>> information, the cert itself begins with the BEGIN statement.
>>>>>>
>>>>>> As I said, I am just starting with TLS and probably I did not create
>>>>>> the cert properly. I'll try to read more information meanwhile.
>>>>>>
>>>>>> Thanks,
>>>>>> Samuel.
>>>>>>
>>>>>>
>>>>>> 2006/4/7, Vaclav Kubart <vaclav.kubart at iptel.org>:
>>>>>>> Is the certificate really in PEM format? Try to look on it with openssl
>>>>>>> or try to look into the file and see if it starts with something like
>>>>>>> "-----BEGIN CERTIFICATE-----".
>>>>>>>
>>>>>>> If it is not in PEM format you can use openssl to convert it...
>>>>>>>
>>>>>>>         Vaclav
>>>>>>>
>>>>>>> On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
>>>>>>>> Yes....I even increased permissions up to the next level:
>>>>>>>>
>>>>>>>> -rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 cert.pem
>>>>>>>> -rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 key.pem
>>>>>>>> -rwxrwxrwx  1 root ser   1.4K 2006-04-07 12:26 user-calist.pem
>>>>>>>> -rwxrwxrwx  1 root ser   3.0K 2006-04-07 12:26 user-cert.pem
>>>>>>>> -rwxrwxrwx  1 root ser    530 2006-04-07 12:26 user-cert_req.pem
>>>>>>>> -rwxrwxrwx  1 root ser    493 2006-04-07 12:26 user-privkey.
>>>>>>>>
>>>>>>>>
>>>>>>>> 2006/4/7, Klaus Darilion <klaus.mailinglists at pernau.at>:
>>>>>>>>> Does ser have permissions to read the cert files?
>>>>>>>>>
>>>>>>>>> klaus
>>>>>>>>>
>>>>>>>>> samuel wrote:
>>>>>>>>>> Hi folks!!
>>>>>>>>>>
>>>>>>>>>> Finally I had time to test the new TLS module and faced lots of
>>>>>>>>>> problems...probably due to my lack of security knowledge. If somebody
>>>>>>>>>> can point me to a few links where I can gain some knowledge I'll appreciate
>>>>>>>>>> it..
>>>>>>>>>>
>>>>>>>>>> The problem:
>>>>>>>>>>
>>>>>>>>>> I create the cert, key and ca-list using the scripts present in
>>>>>>>>>> openser's TLS module. I am using the latest CVS version and SER does
>>>>>>>>>> not start giving the next error:
>>>>>>>>>>
>>>>>>>>>>  ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load
>>>>>>>>>> certificate file '/usr/local/etc/ser/certs/user-cert.pem'
>>>>>>>>>> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM
>>>>>>>>>> routines:PEM_read_bio:no start line
>>>>>>>>>>
>>>>>>>>>> Probably I did something wrong in the key creation or configure
>>>>>>>>>> something wrong in ser.cfg....The config is taken from a thread
>>>>>>>>>> present in serdev about the status of the SER TLS module and it's
>>>>>>>>>> really simple so I don't think it's wrong but anyway, here it is:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> loadmodule "/usr/local/lib/ser/modules/tls.so"
>>>>>>>>>> loadmodule "/usr/local/lib/ser/modules/sl.so"
>>>>>>>>>> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
>>>>>>>>>>
>>>>>>>>>> listen=tls:a.b.c.d:5061
>>>>>>>>>> listen=tcp:a.b.c.d:5060
>>>>>>>>>> listen=udp:a.b.c.d:5060
>>>>>>>>>>
>>>>>>>>>> alias=mydomain.com
>>>>>>>>>>
>>>>>>>>>> #modparam("tls", "tls_method", "TLSv1")
>>>>>>>>>> modparam("tls", "tls_method", "SSLv23")
>>>>>>>>>> modparam("tls", "verify_certificate", 1)
>>>>>>>>>> modparam("tls", "require_certificate", 0)
>>>>>>>>>> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem")
>>>>>>>>>> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem")
>>>>>>>>>> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem")
>>>>>>>>>> #modparam("tls", "config", "tls.cfg")
>>>>>>>>>>
>>>>>>>>>> route {
>>>>>>>>>>    if (proto == TLS && (method == "POST" || method == "GET")) {
>>>>>>>>>>        create_via(); # XMLRPC requests do not contain via, create it
>>>>>>>>>>
>>>>>>>>>>        if (!@tls.peer.verified) {
>>>>>>>>>>            # Client did not provide certificate or it is not valid
>>>>>>>>>>            xmlrpc_reply("400", "Unauthorized");
>>>>>>>>>>            break;
>>>>>>>>>>        }
>>>>>>>>>>
>>>>>>>>>>        if (@xmlrpc.method == "core.kill") {
>>>>>>>>>>            # Make sure the client has the permission to execute the command
>>>>>>>>>>            if (@tls.peer != "SER-Killer") {
>>>>>>>>>>                xmlrpc_reply("400", "Access to core.kill denied");
>>>>>>>>>>                break;
>>>>>>>>>>            }
>>>>>>>>>>        }
>>>>>>>>>>
>>>>>>>>>>        dispatch_rpc();
>>>>>>>>>>        break;
>>>>>>>>>>    }
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Any comments are highly appreciated, thanks!
>>>>>>>>>>
>>>>>>>>>> Samuel.
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Serusers mailing list
>>>>>>>>>> serusers at lists.iptel.org
>>>>>>>>>> http://lists.iptel.org/mailman/listinfo/serusers
>>
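The "no start line" error quoted in the thread comes from OpenSSL's PEM reader, and Samuel's experiments (modified base64, a blank line after BEGIN, an encrypted key, a wrong BEGIN label) are exactly the defects such a reader trips over. As an added example, not code from SER or from anyone in the thread, here is a small Python checker that reports those defects before the daemon is started. It assumes the file is read as bytes and that, like OpenSSL, text outside the BEGIN/END armour can be ignored; the certificate and key samples are constructed, not real key material.

```python
import base64
import binascii
import re

# Added example, not SER code. Assumption: like OpenSSL's PEM reader, text outside the
# BEGIN/END armour is ignored, so only the block with the expected label is examined.
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def check_pem(data: bytes, expected: str = "CERTIFICATE") -> list:
    """Return the problems found; an empty list means the block should load."""
    problems = ["CRLF line endings; convert the file to LF"] if b"\r\n" in data else []
    lines = data.decode("ascii", "replace").replace("\r\n", "\n").split("\n")
    start = next((i for i, l in enumerate(lines) if l == "-----BEGIN %s-----" % expected), None)
    if start is None:  # the condition OpenSSL reports as "no start line"
        return problems + ["no start line: '-----BEGIN %s-----' not found" % expected]
    headers, body, end, blank_seen = [], [], None, False
    for line in lines[start + 1:]:
        if END_RE.match(line):
            end = END_RE.match(line).group(1)
            break
        if line == "":
            blank_seen = True
            if body or not headers:
                problems.append("unexpected blank line " + ("inside the base64 body" if body
                                                            else "directly after BEGIN"))
        elif ":" in line and not body:  # RFC 1421 header line such as Proc-Type / DEK-Info
            headers.append(line)
        else:
            body.append(line)
    if end != expected:
        problems.append("no '-----END %s-----' line" % expected if end is None
                        else "END label %r does not match BEGIN" % end)
    if headers and not blank_seen:
        problems.append("headers not followed by the required blank line")
    if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
        problems.append("passphrase-encrypted key (Proc-Type: 4,ENCRYPTED); needs the passphrase to load")
    try:
        if not base64.b64decode("".join(body), validate=True):
            problems.append("empty base64 body")
    except (binascii.Error, ValueError):
        problems.append("base64 body does not decode")
    return problems

# Constructed samples (no real key material): 48 bytes encode to one 64-character line.
GOOD_CERT = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"A" * 48)
             + b"\n-----END CERTIFICATE-----\n")
ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                 + base64.b64encode(b"B" * 48) + b"\n-----END RSA PRIVATE KEY-----\n")
```

Run `check_pem(open(path, "rb").read())` on the certificate file and `check_pem(..., "RSA PRIVATE KEY")` on the key; an encrypted key is reported because a daemon started from an init script has nobody to type the passphrase.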



