[Serusers] TLS...first steps

samuel samu60 at gmail.com
Tue Apr 18 13:21:17 CEST 2006


Hi folks!

I am trying to set the ca_list using my own generated CA cert but I
could not set it.
As soon as I try to set the ca_list parameter in the ser config file,
SER does not start and gives "no start line" error when reading the
certificate.

If I use the external configuration file, I cannot set any parameter
containing a path; it looks for ^T, which gives a "no such file" error.

I am using the latest CVS code.


Thanks!
Samuel.





2006/4/11, samuel <samu60 at gmail.com>:
> The problem was in the ca_list. If I left it unset the cert/key is
> properly set and if I set it, SER gives a start line error....probably I
> did not create/configure ca_list properly...
>
> Thanks  again!
> samuel.
>
> 2006/4/11, samuel <samu60 at gmail.com>:
> > Really weird stuff going on in my host....I copied the cert to the
> > default value ($PREFIX/etc/ser/cert.pem) and it worked. The best thing
> > is that after this successful load, SER can read the cert in another
> > path...and I did not change anything!!!!!!
> >
> > Thanks a lot to everyone (and specially Klaus)!!!
> >
> > Samuel.
> >
> >
> > 2006/4/11, Klaus Darilion <klaus.mailinglists at pernau.at>:
> > > samuel wrote:
> > > > I first tried the external configuration file and indeed I had
> > > > problems. I afterwards used the modparam operation and tried to set
> > > > different keys and certs created in different ways (openser script,
> > > > openssl 0.9.7e, openssl 0.9.8a, w/o ciphering the keys....) and no
> > > > success...
> > > >
> > > > If I write a wrong path in the SER config file, the error that appears
> > > > is "file not found" so I guess the location of certs/keys is properly
> > > > set. Even in the log the path is right....
> > > >
> > > > I would say it is a parsing problem because if I modify the cert itself
> > > > the error that appears in the SER log is different (I have really tried
> > > > lots of "strange" things...). If I modify the data, base64 error, if I
> > > > add a blank line between CERTIFICATE BEGIN and the cert itself it
> > > > complains about "no end line found"....that is why I deduced there is
> > > > a problem in the parsing but I ran out of time to continue with
> > > > debugging  :(
> > > >
> > > > Can you please send me a working testing cert/key to try in my setup?
> > >
> > > If your certs work with openser I think they should be fine.
> > >
> > > Try to rename the certs and put them into the default location. (To find
> > > out the default location and name for the certs just start TLS without
> > > cert configuration and watch the logs.)
> > >
> > > regards
> > > klaus
> > >
> > >
> > > >
> > > > Thank you,
> > > >
> > > > Samuel.
> > > >
> > > >
> > > > 2006/4/11, Klaus Darilion <klaus.mailinglists at pernau.at>:
> > > >> Are you using the simple configuration (in ser.cfg) or the advanced
> > > >> version (in a separate configuration file)?
> > > >>
> > > >> Maybe there are bugs in the configuration part of TLS.
> > > >>
> > > >> I tried once the external configuration file and it worked as long as I
> > > >> only used the default domains. Specifying dedicated TLS domain failed
> > > >> due to parser bugs.
> > > >>
> > > >> regards
> > > >> klaus
> > > >>
> > > >> samuel wrote:
> > > >>> Last check I made was to verify my own generated CA and server
> > > >>> certs/keys with latest openser-1.0.1.-tls and it properly reads the
> > > >>> files. I deduced therefore that there must be something wrong in the
> > > >>> cert reading process in the SER's tls module.
> > > >>> I can not debug further due to lack of time but I hope to read some
> > > >>> mail providing some feedback... it might also be some
> > > >>> misconfiguration in my config but I took it from the latest mails Jan
> > > >>> sent to the mailing list regarding TLS configuration (see the first
> > > >>> mail on this thread for the config file).
> > > >>>
> > > >>>
> > > >>> Thanks,
> > > >>> Samuel.
> > > >>>
> > > >>>
> > > >>> 2006/4/10, samuel <samu60 at gmail.com>:
> > > >>>> Last call for help....I'll detail steps to see if some guru finds what
> > > >>>> I am not doing right:
> > > >>>>
> > > >>>> I have created the cert/key in the PEM format with the following commands:
> > > >>>> Create self CA:
> > > >>>> # openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 \
> > > >>>>     -out CA98cert.pem -outform PEM
> > > >>>> Create the request for our domain:
> > > >>>> # openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 \
> > > >>>>     -out ser98req.pem -outform PEM
> > > >>>> Sign & issue cert:
> > > >>>> # openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req \
> > > >>>>     -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
> > > >>>>
> > > >>>> The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after
> > > >>>> several "lost" hours...)
> > > >>>>
> > > >>>> I can check with openssl tools the cert and key and both are OK and
> > > >>>> can create connections using the s_server and s_client tools included
> > > >>>> in the openssl package. They have the appropriate format, certificate
> > > >>>> file:
> > > >>>>
> > > >>>> -----BEGIN CERTIFICATE-----
> > > >>>> askjdfl
> > > >>>> -----END CERTIFICATE-----
> > > >>>>
> > > >>>> and the key:
> > > >>>> -----BEGIN RSA PRIVATE KEY-----
> > > >>>> Proc-Type: 4,ENCRYPTED
> > > >>>> DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
> > > >>>>
> > > >>>> -----END RSA PRIVATE KEY-----
> > > >>>>
> > > >>>> I have checked for "strange" characters but everything seems ok except
> > > >>>> that when I start SER, it gives me:
> > > >>>>
> > > >>>>
> > > >>>> Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200:
> > > >>>> TLSc<default>: Unable to load certificate file
> > > >>>> '/usr/local/etc/ser/certs/ser98cert.pem'
> > > >>>> Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201:
> > > >>>> load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
> > > >>>> Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing
> > > >>>> module tls
> > > >>>>
> > > >>>>
> > > >>>> Any feedback is highly appreciated...I never thought it would be so
> > > >>>> difficult to use TLS.....
> > > >>>>
> > > >>>> Samuel.
> > > >>>>
> > > >>>> 2006/4/10, samuel <samu60 at gmail.com>:
> > > >>>>> I have been able to create a TLS connection with openssl tools
> > > >>>>> (s_server and s_client) using the certificates that SER is unable to
> > > >>>>> open.
> > > >>>>> Can anyone tell me how can I debug this problem and find where the problem is?
> > > >>>>>
> > > >>>>> Thanks again,
> > > >>>>> samuell.
> > > >>>>>
> > > >>>>>
> > > >>>>> 2006/4/7, samuel <samu60 at gmail.com>:
> > > >>>>>> It starts with Certificate and the corresponding fields. After this
> > > >>>>>> information, the cert itself begins with the BEGIN statement.
> > > >>>>>>
> > > >>>>>> As I said, I am just starting with TLS and probably I did not create
> > > >>>>>> the cert properly. I'll try to read more information meanwhile.
> > > >>>>>>
> > > >>>>>> Thanks,
> > > >>>>>> Samuel.
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> 2006/4/7, Vaclav Kubart <vaclav.kubart at iptel.org>:
> > > >>>>>>> Is the certificate really in PEM format? Try to look at it with openssl
> > > >>>>>>> or look into the file to see if it starts with something like
> > > >>>>>>> "-----BEGIN CERTIFICATE-----".
> > > >>>>>>>
> > > >>>>>>> If it is not in PEM format you can use openssl to convert it...
> > > >>>>>>>
> > > >>>>>>>         Vaclav
> > > >>>>>>>
> > > >>>>>>> On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
> > > >>>>>>>> Yes....I even increased permissions up to the next level:
> > > >>>>>>>>
> > > >>>>>>>> -rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 cert.pem
> > > >>>>>>>> -rwxrwxrwx  1 root ser   1.7K 2006-04-07 12:51 key.pem
> > > >>>>>>>> -rwxrwxrwx  1 root ser   1.4K 2006-04-07 12:26 user-calist.pem
> > > >>>>>>>> -rwxrwxrwx  1 root ser   3.0K 2006-04-07 12:26 user-cert.pem
> > > >>>>>>>> -rwxrwxrwx  1 root ser    530 2006-04-07 12:26 user-cert_req.pem
> > > >>>>>>>> -rwxrwxrwx  1 root ser    493 2006-04-07 12:26 user-privkey.
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> 2006/4/7, Klaus Darilion <klaus.mailinglists at pernau.at>:
> > > >>>>>>>>> Does ser have permissions to read the cert files?
> > > >>>>>>>>>
> > > >>>>>>>>> klaus
> > > >>>>>>>>>
> > > >>>>>>>>> samuel wrote:
> > > >>>>>>>>>> Hi folks!!
> > > >>>>>>>>>>
> > > >>>>>>>>>> Finally I had time to test the new TLS module and faced lots of
> > > >>>>>>>>>> problems...probably due to my lack of security knowledge. If somebody
> > > >>>>>>>>>> can point me few links where I can gain some knowledge I'll appreciate
> > > >>>>>>>>>> it..
> > > >>>>>>>>>>
> > > >>>>>>>>>> The problem:
> > > >>>>>>>>>>
> > > >>>>>>>>>> I created the cert, key and ca-list using the scripts present in
> > > >>>>>>>>>> openser's TLS module. I am using the latest CVS version and SER does
> > > >>>>>>>>>> not start, giving the following error:
> > > >>>>>>>>>>
> > > >>>>>>>>>>  ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load
> > > >>>>>>>>>> certificate file '/usr/local/etc/ser/certs/user-cert.pem'
> > > >>>>>>>>>> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM
> > > >>>>>>>>>> routines:PEM_read_bio:no start line
> > > >>>>>>>>>>
> > > >>>>>>>>>> Probably I did something wrong in the key creation or configure
> > > >>>>>>>>>> something wrong in ser.cfg....The config is taken from a thread
> > > >>>>>>>>>> present in serdev about the status of the SER TLS module and it's
> > > >>>>>>>>>> really simple so I don't think it's wrong but anyway, here it is:
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > >>>>>>>>>> loadmodule "/usr/local/lib/ser/modules/tls.so"
> > > >>>>>>>>>> loadmodule "/usr/local/lib/ser/modules/sl.so"
> > > >>>>>>>>>> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
> > > >>>>>>>>>>
> > > >>>>>>>>>> listen=tls:a.b.c.d:5061
> > > >>>>>>>>>> listen=tcp:a.b.c.d:5060
> > > >>>>>>>>>> listen=udp:a.b.c.d:5060
> > > >>>>>>>>>>
> > > >>>>>>>>>> alias=mydomain.com
> > > >>>>>>>>>>
> > > >>>>>>>>>> #modparam("tls", "tls_method", "TLSv1")
> > > >>>>>>>>>> modparam("tls", "tls_method", "SSLv23")
> > > >>>>>>>>>> modparam("tls", "verify_certificate", 1)
> > > >>>>>>>>>> modparam("tls", "require_certificate", 0)
> > > >>>>>>>>>> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem")
> > > >>>>>>>>>> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem")
> > > >>>>>>>>>> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem")
> > > >>>>>>>>>> #modparam("tls", "config", "tls.cfg")
> > > >>>>>>>>>>
> > > >>>>>>>>>> route {
> > > >>>>>>>>>>    if (proto == TLS && (method == "POST" || method == "GET")) {
> > > >>>>>>>>>>        create_via(); # XMLRPC requests do not contain via, create it
> > > >>>>>>>>>>
> > > >>>>>>>>>>        if (!@tls.peer.verified) {
> > > >>>>>>>>>>            # Client did not provide certificate or it is not valid
> > > >>>>>>>>>>            xmlrpc_reply("400", "Unauthorized");
> > > >>>>>>>>>>            break;
> > > >>>>>>>>>>        }
> > > >>>>>>>>>>
> > > >>>>>>>>>>        if (@xmlrpc.method == "core.kill") {
> > > >>>>>>>>>>            # Make sure the client has the permission to execute the command
> > > >>>>>>>>>>            if (@tls.peer != "SER-Killer") {
> > > >>>>>>>>>>                xmlrpc_reply("400", "Access to core.kill denied");
> > > >>>>>>>>>>                break;
> > > >>>>>>>>>>            }
> > > >>>>>>>>>>        }
> > > >>>>>>>>>>
> > > >>>>>>>>>>        dispatch_rpc();
> > > >>>>>>>>>>        break;
> > > >>>>>>>>>>    }
> > > >>>>>>>>>> }
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > >>>>>>>>>> Any comments are highly appreciated, thanks!
> > > >>>>>>>>>>
> > > >>>>>>>>>> Samuel.
> > > >>>>>>>>>>
> > > >>>>>>>>>> _______________________________________________
> > > >>>>>>>>>> Serusers mailing list
> > > >>>>>>>>>> serusers at lists.iptel.org
> > > >>>>>>>>>> http://lists.iptel.org/mailman/listinfo/serusers
> > > >>
> > >
> > >
> >
>
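The "no start line", "no end line" and base64 errors traded back and forth in this thread are all OpenSSL's PEM_read_bio rejecting the framing of the file before any X.509 parsing happens. Below is an added pre-flight checker written for this thread (it is not SER's or OpenSSL's code) that applies the same framing rules in Python: skip to a BEGIN line, read optional "Key: value" headers up to a blank line, collect the base64 body, require a matching END line, decode. It reports which of those steps a file would trip, flags an encrypted key (the Proc-Type/DEK-Info headers shown above), and adds a mode-bit check for the chmod 777 listing. It goes a little beyond the thread by accepting text before the BEGIN line, as an "openssl x509 -text" dump has. All sample files, payloads and modes are constructed for the example; the DEK-Info value is copied from the key header quoted in the thread, and the 0600-for-keys expectation behind check_mode is my assumption, not SER documentation.

```python
"""PEM pre-flight checker, added example (not SER or OpenSSL code). Mirrors the
framing rules of OpenSSL's PEM_read_bio and reports the thread's failure classes.
Every sample below is constructed; the payloads are not real certificates."""
import base64
import binascii
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class PemBlock:
    label: str                                              # "CERTIFICATE", "RSA PRIVATE KEY", ...
    headers: Dict[str, str] = field(default_factory=dict)   # Proc-Type / DEK-Info on encrypted keys
    der: bytes = b""                                        # decoded body

    @property
    def encrypted(self) -> bool:
        return "ENCRYPTED" in self.headers.get("Proc-Type", "")

def read_pem_block(lines: List[str], start: int) -> Tuple[Optional[PemBlock], int, Optional[str]]:
    """Parse one block scanning from `start`; returns (block, next_index, error)."""
    n, i = len(lines), start
    # 1. text before a well-formed BEGIN line is ignored (an "openssl x509 -text" dump is fine)
    while i < n and not (lines[i].startswith("-----BEGIN ") and lines[i].endswith("-----")
                         and len(lines[i]) > 16):
        i += 1
    if i >= n:
        return None, n, "no start line"
    label, i = lines[i][11:-5], i + 1
    # 2. header lines run to a blank line; hitting END first means the block had no headers
    header_lines: List[str] = []
    while i < n and lines[i] != "" and not lines[i].startswith("-----END "):
        header_lines.append(lines[i])
        i += 1
    if i < n and lines[i].startswith("-----END "):          # no headers: those lines were the body
        data_lines, header_lines = header_lines, []
    else:
        i += 1                                              # skip the blank line
        data_lines = []
        while i < n and lines[i] != "" and not lines[i].startswith("-----END "):
            data_lines.append(lines[i])
            i += 1
    # 3. the END line must exist and carry the BEGIN label
    if i >= n or lines[i] != f"-----END {label}-----":
        return None, i, f"bad end line (expected '-----END {label}-----')"
    # 4. the body must be valid base64
    try:
        der = base64.b64decode("".join(data_lines), validate=True)
    except binascii.Error:
        return None, i + 1, f"bad base64 decode in {label} block"
    headers = {k.strip(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    return PemBlock(label, headers, der), i + 1, None

def check_pem(text: str) -> Dict[str, list]:
    """Parse every block in `text`; returns {"blocks", "errors", "warnings"}."""
    lines = [ln.rstrip() for ln in text.splitlines()]       # PEM_read_bio trims trailing CR/space too
    blocks, errors, warnings, i = [], [], [], 0
    while True:
        blk, i, err = read_pem_block(lines, i)
        if err == "no start line":
            if not blocks and not errors:                   # nothing parsable at all: the thread's error
                errors.append(err)
            break
        if err:
            errors.append(err)
            continue                                        # keep scanning after the bad block
        blocks.append(blk)
        if blk.encrypted:
            warnings.append(f"{blk.label} is encrypted; whatever loads it must supply the passphrase")
    return {"blocks": blocks, "errors": errors, "warnings": warnings}

def check_mode(mode: int, private_key: bool) -> List[str]:
    """Permission findings from st_mode bits (assumes 0600 for keys); chmod 777 trips both."""
    findings = []
    if mode & 0o022:
        findings.append("writable by group/others")
    if private_key and mode & 0o044:
        findings.append("private key readable by group/others")
    return findings

def make_block(label: str, payload: bytes, headers: Optional[Dict[str, str]] = None) -> str:
    """Wrap constructed bytes in PEM framing: optional headers + blank line, 64-column body."""
    b64 = base64.b64encode(payload).decode()
    head = "".join(f"{k}: {v}\n" for k, v in (headers or {}).items()) + ("\n" if headers else "")
    body = "\n".join(b64[k:k + 64] for k in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"

PAYLOAD = b"constructed payload, not a real certificate"
SAMPLES = {                                                  # every file here is constructed
    "cert_with_text_dump": "Certificate:\n    Data:\n" + make_block("CERTIFICATE", PAYLOAD),
    "der_not_pem": "0\x82\x01\x0e0\x81\xf6",                 # DER bytes saved as .pem: no BEGIN line
    "encrypted_key": make_block("RSA PRIVATE KEY", b"ciphertext-not-der",
                                {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "DES-EDE3-CBC,8B980883B8F1BADF"}),
    "edited_base64": make_block("CERTIFICATE", PAYLOAD).replace("Y2", "Y!", 1),
    "missing_end": make_block("CERTIFICATE", PAYLOAD).split("-----END")[0],
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_pem(text))
    print("key.pem chmod 777:", check_mode(0o777, private_key=True))
```

Run it against cert.pem, key.pem and the ca_list file before restarting the daemon: a DER file renamed to .pem gives exactly the "no start line" from the log, a hand-edited body gives the base64 error, and the encrypted-key warning explains why a key produced without -nodes cannot be loaded by a process that has no terminal to type the passphrase into.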



