[Kamailio-Users] Error in Registration with TLS on

Klaus Darilion klaus.mailinglists at pernau.at
Mon Feb 22 16:42:36 CET 2010


Hi!

Talking about "certificate" is too unspecific to understand your 
configuration. Please say exactly "server certificate" or "client 
certificate".

Usually, when using SIP over TLS, only the server uses a certificate. 
This means, the SIP proxy authenticates to the SIP client using its TLS 
certificate (server certificate), and the SIP client authenticates to 
the SIP proxy with digest authentication. This is basically the same as 
when logging in to your e-banking website (web-server: certificate, browser: 
username+password).

To configure this, you have to:
- configure the SIP proxy with a "server certificate", the private key of this 
server certificate and the CA certificate.
- configure the SIP client with the CA certificate (to validate the 
server certificate)
- configure the SIP proxy (server domain) with:
   - require client certificate: no
   - verify_certificate: no


regards
klaus


Am 22.02.2010 05:32, schrieb Hemanshu Patel:
>
> Dear friends,
>
> For the last few days I have been working on Kamailio with TLS support. I
> followed each and every step in the installation docs...created certificates
> as well.
>
> Then I started testing the server with TLS on using SIPP. At first I didn't
> add any certificate to SIPP, and registration wasn't happening...
> When I added a certificate and key to SIPP....it started working fine....I
> was able to test registrations successfully.
>
> Then I started working with an open source soft phone supporting TLS
> named Mumble. It supports it. Now I hadn't added any certificate to Mumble.
>
> In my Kamailio settings I have set clietn_verify = 0  and
> require_client_certificate = 0. So even without a certificate I should be
> able to authenticate myself successfully.
> Instead it gives the following error in the Kamailio log:
>
>
>
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]: DBG:core:print_ip:
> tcpconn_new: new tcp connection to: 172.16.16.218
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]: DBG:core:tcpconn_new: on
> port 58125, type 3
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_tcpconn_init: entered: Creating a whole new ssl connection
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_tcpconn_init: looking up socket based TLS server domain
> [172.16.16.218:5091]
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_find_server_domain: socket based TLS server domain found
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_tcpconn_init: found socket based TLS server domain
> [172.16.16.218:5091]
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_tcpconn_init: Setting in ACCEPT mode (server)
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]: DBG:core:tcpconn_add:
> hashes: 929, 1
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]:
> DBG:core:handle_new_connect: new connection: 0x7fd6f4a58208 23 flags: 0002
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]: DBG:core:send2child: to
> tcp child 0 0(3296), 0x7fd6f4a58208
> Feb 22 09:50:51 localhost ./sbin/kamailio[3296]: DBG:core:handle_io:
> received n=8 con=0x7fd6f4a58208, fd=18
> Feb 22 09:50:51 localhost ./sbin/kamailio[3296]: DBG:core:io_watch_add:
> io_watch_add(0x73a0a0, 18, 2, 0x7fd6f4a58208), fd_no=1
> Feb 22 09:50:51 localhost ./sbin/kamailio[3296]: DBG:core:tls_update_fd:
> New fd is 18
> Feb 22 09:50:51 localhost ./sbin/kamailio[3296]: ERROR:core:tls_accept:
> SSL_accept failed: SSL_ERROR_SSL
> Feb 22 09:50:51 localhost ./sbin/kamailio[3296]: DBG:core:io_watch_del:
> io_watch_del (0x73a0a0, 18, -1, 0x10) fd_no=2 called
> Feb 22 09:50:51 localhost ./sbin/kamailio[3296]: DBG:core:release_tcpconn:
>   releasing con 0x7fd6f4a58208, state -2, fd=18, id=1
> Feb 22 09:50:51 localhost ./sbin/kamailio[3296]: DBG:core:release_tcpconn:
>   extra_data 0x7fd6f4a683a0
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]:
> DBG:core:handle_tcp_child: reader response= 7fd6f4a58208, -2 from 0
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]: DBG:core:tcpconn_destroy:
> destroying connection 0x7fd6f4a58208, flags 0002
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]: DBG:core:tls_close:
> closing SSL connection
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]: DBG:core:tls_update_fd:
> New fd is 23
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]: DBG:core:tls_shutdown:
> shutdown successful
> Feb 22 09:50:51 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_tcpconn_clean: Cleanup function entered
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]: DBG:core:print_ip:
> tcpconn_new: new tcp connection to: 172.16.16.218
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]: DBG:core:tcpconn_new: on
> port 58126, type 3
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_tcpconn_init: entered: Creating a whole new ssl connection
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_tcpconn_init: looking up socket based TLS server domain
> [172.16.16.218:5091]
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_find_server_domain: socket based TLS server domain found
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_tcpconn_init: found socket based TLS server domain
> [172.16.16.218:5091]
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_tcpconn_init: Setting in ACCEPT mode (server)
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]: DBG:core:tcpconn_add:
> hashes: 930, 2
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]:
> DBG:core:handle_new_connect: new connection: 0x7fd6f4a58208 23 flags: 0002
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]: DBG:core:send2child: to
> tcp child 0 0(3296), 0x7fd6f4a58208
> Feb 22 09:51:01 localhost ./sbin/kamailio[3296]: DBG:core:handle_io:
> received n=8 con=0x7fd6f4a58208, fd=18
> Feb 22 09:51:01 localhost ./sbin/kamailio[3296]: DBG:core:io_watch_add:
> io_watch_add(0x73a0a0, 18, 2, 0x7fd6f4a58208), fd_no=1
> Feb 22 09:51:01 localhost ./sbin/kamailio[3296]: DBG:core:tls_update_fd:
> New fd is 18
> Feb 22 09:51:01 localhost ./sbin/kamailio[3296]: ERROR:core:tls_accept:
> SSL_accept failed: SSL_ERROR_SSL
> Feb 22 09:51:01 localhost ./sbin/kamailio[3296]: DBG:core:io_watch_del:
> io_watch_del (0x73a0a0, 18, -1, 0x10) fd_no=2 called
> Feb 22 09:51:01 localhost ./sbin/kamailio[3296]: DBG:core:release_tcpconn:
>   releasing con 0x7fd6f4a58208, state -2, fd=18, id=2
> Feb 22 09:51:01 localhost ./sbin/kamailio[3296]: DBG:core:release_tcpconn:
>   extra_data 0x7fd6f4a683a0
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]:
> DBG:core:handle_tcp_child: reader response= 7fd6f4a58208, -2 from 0
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]: DBG:core:tcpconn_destroy:
> destroying connection 0x7fd6f4a58208, flags 0002
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]: DBG:core:tls_close:
> closing SSL connection
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]: DBG:core:tls_update_fd:
> New fd is 23
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]: DBG:core:tls_shutdown:
> shutdown successful
> Feb 22 09:51:01 localhost ./sbin/kamailio[3300]:
> DBG:core:tls_tcpconn_clean: Cleanup function entered
>
>
> And in the Mumble soft phone log it gives me the following error:
>
> [9:50 AM] Welcome to Mumble.
> [9:50 AM] Server connection failed: Error during SSL handshake:
> error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
> [9:51 AM] Reconnecting.
> [9:51 AM] Server connection failed: Error during SSL handshake:
> error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
> [9:51 AM] Reconnecting.
> [9:51 AM] Server connection failed: Error during SSL handshake:
> error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
> [9:51 AM] Reconnecting.
> [9:51 AM] Server connection failed: Error during SSL handshake:
> error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
>
>
> Can anyone suggest what could be the problem?
> My server works great with SIPP with TLS....so I don't think there's any
> config related error and I have set client_require_certificate = 0 that's
> for sure....
>
> In a real-life scenario, hard or soft phones won't have certificates...so
> they should be able to connect to the server and authenticate/authorize
> themselves if the server has a valid certificate. But it's not happening. So I
> need help from experienced guys....
>
>
>
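
The server-side checklist from the reply above, turned into a pre-deployment check (an added example, not part of the original thread or of Kamailio). It assumes the `[server:...]` section format and key names of the Kamailio tls module's tls.cfg; the poster's version may use different parameter names, and `check_server_domains`, the file paths and the second listener are hypothetical.

```python
import configparser

# Constructed sample in the tls.cfg section format of Kamailio's tls module.
# The first listener address is the one in the quoted log; paths and :5092 are made up.
SAMPLE_TLS_CFG = """
[server:172.16.16.218:5091]
certificate = /etc/kamailio/tls/server-cert.pem
private_key = /etc/kamailio/tls/server-key.pem
ca_list = /etc/kamailio/tls/ca-list.pem
verify_certificate = no
require_certificate = no

[server:172.16.16.218:5092]
certificate = /etc/kamailio/tls/server-cert.pem
verify_certificate = yes
require_certificate = yes
"""

REQUIRED_FILES = ("certificate", "private_key", "ca_list")
CLIENT_CERT_SWITCHES = ("verify_certificate", "require_certificate")
ENABLED = {"yes", "true", "on", "1"}

def check_server_domains(cfg_text):
    """Return {section: [problems]} for every [server:...] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("server:"):
            continue  # client domains are outside this check
        opts = parser[section]
        problems = []
        for key in REQUIRED_FILES:
            if not opts.get(key, fallback="").strip():
                problems.append("missing " + key)
        for key in CLIENT_CERT_SWITCHES:
            # An absent switch is treated as off (assumption of this example).
            if opts.get(key, fallback="no").strip().lower() in ENABLED:
                problems.append(key + " enabled (expected no for digest-authenticated clients)")
        report[section] = problems
    return report

if __name__ == "__main__":
    for section, problems in check_server_domains(SAMPLE_TLS_CFG).items():
        print(section, "OK" if not problems else "; ".join(problems))
```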



