It's working Re: [Serusers] SER with TLS

Katty Xiong cyyxiong at yahoo.com
Wed Apr 4 02:21:19 CEST 2007


I replaced the function SSL_CTX_use_certificate_chain_file() with
SSL_CTX_use_certificate_file() in tls_domain.c, and it's working now.

   227                  //if (!SSL_CTX_use_certificate_chain_file(d->ctx[i], d->cert_file)) {
   228                  if (!SSL_CTX_use_certificate_file(d->ctx[i], d->cert_file, SSL_FILETYPE_PEM)) {

For SSL_CTX_use_certificate_chain_file(), I tried
different CAs; it didn't work.

thanks,
Joy


--- Katty Xiong <cyyxiong at yahoo.com> wrote:

> 
> After I dug a bit, it seems the problem is related
> to the certificate.
> 
> When I comment out the line in the configuration
> file,
> #modparam("tls", "cipher_list", "HIGH");
> fill_missing (in tls_domain.c) returns -1 since the
> following condition becomes true.
> 193     if (!d->cipher_list &&
> 194       shm_asciiz_dup(&d->cipher_list, parent->cipher_list) < 0) return -1;
> 195     LOG(L_INFO, "%s: cipher_list='%s'\n", tls_domain_str(d), d->cipher_list);
> 
> So though SER starts, the certificate and private key are
> not loaded.
> 
> To avoid this issue, I set up the cipher_list to
> HIGH.
> But somehow, SER complains that:
> tls_domain.c:229: Unable to load certificate file
> tls_domain.c:230 load_cert:error...
> 
> So I guess there is something wrong with the
> certificate. What I did is as follows. Could you check
> if I made mistakes in generating CA?
> 
> 1. Create CA private key
> #openssl genrsa -out ./private/cakey.pem 2048
> 2. Create self-signed certificate
> #openssl req -out ./cacert.pem -x509 -new -key ./private/cakey.pem
> 3. Create a certificate request
> #openssl req -out ser1_cert_req.pem -new -nodes
> 4. Sign it with the CA certificate
> #openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
> 5. Copy ser1_cert.pem and privkey.pem to ser
> configuration directory
> 
> thanks,
> Joy
> 
> 
> --- Jan Janak <jan at iptel.org> wrote:
> 
> > Is there anything in syslog?
> > 
> >   Jan.
> > 
> > Katty Xiong wrote:
> > > 
> > > Yes. I configured SER to listen on tls using
> > > listen parameter.
> > >
> > > listen=tls:199.199.2.50:5061
> > >
> > > Actually from the system I can see TCP connection for
> > > this tls is established. But somehow the tls process
> > > does not respond to the ClientHello message.
> > > 
> > > thanks,
> > > Joy
> > > 
> > > 
> > > --- Jan Janak <jan at iptel.org> wrote:
> > > 
> > >> Katty Xiong wrote:
> > >>> I am using SER ottendorf with TLS protocol and have
> > >>> the following issues. Does anybody experience similar
> > >>> problems?
> > >>>
> > >>> SER cannot run with the following setup in the
> > >>> configuration file: (I follow this link to setup key
> > >>> and certificate:
> > >>> http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/tls/README?rev=1.1&content-type=text/plain)
> > >>> modparam("tls", "private_key", "cakey.pem")
> > >>> modparam("tls", "certificate", "cacert.pem")
> > >>> modparam("tls", "ca_list", "calist.pem")
> > >>> modparam("tls", "cipher_list", "HIGH");
> > >>   You don't need that option unless you want to restrict the
> > >>   list of ciphers that are available. openssl uses all available
> > >>   ciphers by default.
> > >>
> > >>> With the last line commented out:
> > >>> #modparam("tls", "cipher_list", "HIGH");
> > >>> SER can start, but the tls connection cannot be
> > >>> established. Network trace shows SER does not respond
> > >>> to ClientHello sent by client.
> > >>   A couple of quick questions:
> > >>
> > >>   - Have you configured SER to listen on tls using listen parameter?
> > >>   - Are you connecting to the right port (i.e. 5061 and not 5060) ?
> > >>
> > >>     Jan.
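The script below is an added example, not part of the original thread or of SER's code. SSL_CTX_use_certificate_file() loads only the first certificate in a PEM file, while SSL_CTX_use_certificate_chain_file() takes the first certificate as the server's own and any that follow as its chain, so the file must start with the server certificate and that certificate must match the private key. The helper names, subject names and lifetimes are assumptions, and `openssl x509 -req` stands in for the `openssl ca` step quoted above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM files a TLS server will load.
# File names follow the thread; subjects and lifetimes are constructed.

# make_demo_pki DIR: throwaway CA plus one server certificate (hypothetical helper).
make_demo_pki() {
    pki_dir=$1
    openssl genrsa -out "$pki_dir/cakey.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$pki_dir/cakey.pem" -subj "/CN=Demo CA" \
        -days 30 -out "$pki_dir/cacert.pem" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -keyout "$pki_dir/privkey.pem" \
        -subj "/CN=ser1.example.test" -out "$pki_dir/ser1_cert_req.pem" 2>/dev/null
    # "x509 -req" stands in for the thread's "openssl ca", which needs a CA database.
    openssl x509 -req -in "$pki_dir/ser1_cert_req.pem" -CA "$pki_dir/cacert.pem" \
        -CAkey "$pki_dir/cakey.pem" -CAcreateserial -days 30 \
        -out "$pki_dir/ser1_cert.pem" 2>/dev/null
}

# check_tls_pair CERT KEY CA (hypothetical helper)
# Prints "ok certs_in_file=N" and returns 0, or returns 1, 2 or 3 for the
# first check that fails.
check_tls_pair() {
    cert=$1; key=$2; ca=$3
    # 1. The first PEM block must parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "first PEM block is not a certificate"; return 1; }
    # 2. The private key must belong to that first certificate.
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match first certificate"; return 2; }
    # 3. The first certificate must verify against the CA file.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not verify against CA"; return 3; }
    # Certificates after the first are used only by the chain loader.
    n=$(grep -c 'BEGIN CERTIFICATE' "$cert" || true)
    echo "ok certs_in_file=$n"
}
```

A return value of 2 on a multi-certificate file usually means the CA certificate was placed ahead of the server certificate.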