[Serusers] TLS configuration problem (was TLS comments)

Klaus Darilion klaus.mailinglists at pernau.at
Wed Feb 1 14:41:37 CET 2006


Hi!

I guess the problem is caused by wrong configuration. I want ser to use 
just the same certificate in all cases. I've configured ser:

modparam("tls", "tls_log", 3)
modparam("tls", "method", "TLSv1")
modparam("tls", "verify_certificate",  "0")
modparam("tls", "require_certificate", "0")
modparam("tls", "certificate", "/etc/proxyCert2/cert.pem")
modparam("tls", "private_key", "/etc/proxyCert2/privkey.pem")
modparam("tls", "ca_list",     "/etc/demoCA/cacert.pem")
modparam("tls", "send_timeout",        15)
modparam("tls", "handshake_timeout",   15)
modparam("tls", "connection_timeout", 120)

But this does not work:
INFO: tls_domain.c:228: TLSs<default>: Cipher list not configured, using 
default value (null)
INFO: tls_domain.c:210: TLSc<default>: No certificate configured, using 
default '(null)'
INFO: tls_domain.c:216: TLSc<default>: No CA list configured, using 
default '(null)'
INFO: tls_domain.c:228: TLSc<default>: Cipher list not configured, using 
default value (null)
INFO: tls_domain.c:234: TLSc<default>: No private key configured, using 
default '(null)'

Viewing the code I found:
         if (*s.s == '@') {
                 *type |= TLS_DOMAIN_CLI;

Thus I tried adding '@' in front of the value, but this does not work either:
modparam("tls", "private_key", "@/etc/proxyCert2/privkey.pem")

ERROR: tls_init.c:253: TLSc<default>: Unable to load certificate file 
'@/etc/proxyCert1/cert.pem'

Maybe I'm too stupid, but I can't figure out how to set the default TLS 
domains. How is it done correctly?

regards
klaus




Cesc wrote:
> On 2/1/06, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
> 
>>Hi!
>>
>>I've tried the new TLS module:
>>
>>1. It breaks compatibility with old TLS stack: Even when configured to
>>use TLSv1, it sends an SSLv2 compatible HELLO:
>>
>>server2:~# ssldump
>>New TCP connection #1: 10.10.0.41(33107) <-> 10.10.0.42(5063)
>>1 1  0.0088 (0.0088)  C>S SSLv2 compatible client hello
>>   Version 3.1
>>
>>
>>I do not know if this is a problem with the new or the old stack.
>>Further I do not know what other TLS enabled SIP products use. Do they
>>accept SSL compatible HELLOs?
>>
> 
> Klaus, I don't think this is a bug ... I think that the hello is
> always v2 and then (with the server hello message) the handshake is
> upgraded to v3 or TLSv1. This way, you can have an SSLv2-only client
> try connecting to any server, but the server will send back SSLv3 or
> TLSv1 server hello, thus disconnecting the client.
> I have not checked this ... but I think it is the way it is supposed to work.
> 
> Cesc
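Added example, not code from this thread or from ser: a small Python parser that distinguishes the SSLv2-compatible ClientHello that ssldump reports above (2-byte length header with the high bit set, version 3.1 inside) from a plain SSLv3/TLS-record ClientHello, and extracts the version and cipher suites each one advertises. Both sample hellos are constructed here, not captured from ser.

```python
import struct

# Constructed SSLv2-compatible CLIENT-HELLO advertising version 3.1 (TLS 1.0):
# the shape ssldump prints as "SSLv2 compatible client hello / Version 3.1".
SSLV2_COMPAT_HELLO = bytes([
    0x80, 0x1c,              # 2-byte header, high bit set, record length 28
    0x01,                    # message type CLIENT-HELLO
    0x03, 0x01,              # advertised version 3.1
    0x00, 0x03,              # cipher spec length (one 3-byte spec)
    0x00, 0x00,              # session id length
    0x00, 0x10,              # challenge length (16)
    0x00, 0x00, 0x2f,        # TLS_RSA_WITH_AES_128_CBC_SHA in v2 encoding
]) + bytes(16)               # constructed 16-byte challenge

# Constructed SSLv3/TLS record-layer ClientHello for the same version and suite.
TLS_RECORD_HELLO = bytes([
    0x16, 0x03, 0x01,        # handshake record, record-layer version 3.1
    0x00, 0x2d,              # record length 45
    0x01, 0x00, 0x00, 0x29,  # handshake type ClientHello, body length 41
    0x03, 0x01,              # client_version 3.1
]) + bytes(32) + bytes([     # constructed 32-byte random
    0x00,                    # session id length
    0x00, 0x02, 0x00, 0x2f,  # cipher suites: one suite, 0x002f
    0x01, 0x00,              # compression methods: null
])


def parse_client_hello(data: bytes) -> dict:
    """Classify a ClientHello by wire format and return version + cipher suites."""
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # Record layer (5 bytes) + handshake header (4 bytes), then client_version.
        version = (data[9], data[10])
        pos = 44 + data[43]                      # skip 32-byte random and session id
        cs_len = struct.unpack("!H", data[pos:pos + 2])[0]
        cs = data[pos + 2:pos + 2 + cs_len]
        suites = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
        return {"format": "tls-record", "version": version, "cipher_suites": suites}
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 15-bit length, then CLIENT-HELLO with three length fields.
        rec_len = struct.unpack("!H", data[:2])[0] & 0x7FFF
        version = (data[3], data[4])
        cs_len, sid_len, ch_len = struct.unpack("!HHH", data[5:11])
        if 9 + cs_len + sid_len + ch_len != rec_len:
            raise ValueError("SSLv2 length fields do not match record length")
        cs = data[11:11 + cs_len]
        # A TLS suite inside a v2 hello is a 3-byte spec 0x00,hi,lo; v2-only specs are dropped.
        suites = [(cs[i + 1] << 8) | cs[i + 2] for i in range(0, cs_len, 3) if cs[i] == 0x00]
        return {"format": "sslv2-compatible", "version": version, "cipher_suites": suites}
    raise ValueError("not a recognisable ClientHello")
```

The v2-framed hello is only understood by peers that still accept the legacy SSLv2 wrapper, so a strict TLS-only peer may close the connection before the advertised version 3.1 is ever seen; checking which framing a stack emits is a quick way to explain an interop failure like the one reported above.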