[SR-Users] please help to register sip phone to kamailio server via tls support.

peter_green lion betergreen at live.com
Sat Sep 4 07:21:23 CEST 2010


Hi all,
I have configured TLS support in kamailio, but I cannot register a SIP phone.

My configuration:

I created the cert and private key with:

"kamctl tls userCERT user"

The log shows:

Creating directory /usr/local/etc/kamailio//tls/user
Creating user certificate request
Generating a 512 bit RSA private key
..++++++++++++
...................++++++++++++
writing new private key to '/usr/local/etc/kamailio//tls/user/user-privkey.pem'
-----
Signing certificate request
Using configuration from /usr/local/etc/kamailio//tls/request.conf
Enter pass phrase for ./rootCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'somename.somewhere.com'
stateOrProvinceName   :PRINTABLE:'Some State'
countryName           :PRINTABLE:'XY'
emailAddress          :IA5STRING:'root at somename.somewhere.com'
organizationName      :PRINTABLE:'My Large Organization Name'
organizationalUnitName:PRINTABLE:'My Subunit of Large Organization'
Certificate is to be certified until Sep  4 09:13:58 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generating CA list
DONE
INFO: Private key is locate at /usr/local/etc/kamailio//tls/user/user-privkey.pem
INFO: Certificate is locate at /usr/local/etc/kamailio//tls/user/user-cert.pem
INFO: CA-List is locate at /usr/local/etc/kamailio//tls/user/user-calist.pem


I added to kamailio.cfg:

enable_tls=1
tcp_async=no

modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate", "/usr/local/etc/kamailio//tls/user/user-cert.pem")
modparam("tls", "private_key", "/usr/local/etc/kamailio//tls/user/user-privkey.pem")
modparam("tls", "ca_list", "/usr/local/etc/kamailio//tls/user/user-calist.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)

I restarted kamailio:

"kamctl restart"

Log from tail -f /var/log/message:

Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:175]: TLSc<default>: tls_method=9
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:185]: TLSc<default>: certificate='/usr/local/etc/kamailio//tls/user/user-cert.pem'
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:190]: TLSc<default>: ca_list='/usr/local/etc/kamailio//tls/user/user-calist.pem'
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:193]: TLSc<default>: require_certificate=1
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:198]: TLSc<default>: cipher_list='(null)'
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:203]: TLSc<default>: private_key='/usr/local/etc/kamailio//tls/user/user-privkey.pem'
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:206]: TLSc<default>: verify_certificate=1
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:209]: TLSc<default>: verify_depth=9
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:331]: TLSc<default>: Server MUST present valid certificate
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: WARNING: tls [tls_domain.c:395]: tls: set_ssl_options: openssl SSL_OP_TLS_BLOCK_PADDING bug workaround enabled (openssl version 90802f)
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3116]: INFO: ctl [io_listener.c:224]: io_listen_loop:  using epoll_lt io watch method (config)


I see that kamailio starts okay, but the SIP phone cannot register.

Log from tail -f /var/log/message:

Sep  4 05:18:50 appliance /usr/local/sbin/kamailio[3117]: ERROR: tls [tls_server.c:392]: SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

In portgo: certificate validation failure.

Please suggest how to fix it.
Thanks.
Peter green
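
The `SSL3_READ_BYTES ... tlsv1 alert unknown ca` error is an alert read from the peer, meaning the phone did not find the issuer of the server certificate among its trusted CAs. As an added example (not part of the original post), the script below reproduces that condition offline with a throwaway CA and shows the checks to run against the real `user-cert.pem`; all subject names and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example. Every subject name and path here is constructed for the demo.

# Build a throwaway CA, a server certificate it signs, and an unrelated CA
# that stands in for a client trust store lacking the server's issuer.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
        -keyout "$d/other-key.pem" -out "$d/other-cert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
        -keyout "$d/user-privkey.pem" -out "$d/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca-cert.pem" \
        -CAkey "$d/ca-key.pem" -CAcreateserial -days 2 \
        -out "$d/user-cert.pem" 2>/dev/null
}

# chain_ok CERT CAFILE: true only if CERT verifies against the CAs in CAFILE.
# CAFILE plays the role of whatever the TLS peer has been told to trust.
chain_ok() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# issuer_of CERT: the CA that the peer must have in its trust store.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# key_bits CERT: public key size; the kamctl log above reports a 512 bit key,
# which current TLS stacks commonly reject as too weak.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Demo run: same certificate, two different trust stores.
demo=$(mktemp -d) && make_demo_pki "$demo" && {
    echo "server cert: $(issuer_of "$demo/user-cert.pem"), $(key_bits "$demo/user-cert.pem") bit"
    chain_ok "$demo/user-cert.pem" "$demo/ca-cert.pem" &&
        echo "peer trusts the issuer: verification passes"
    chain_ok "$demo/user-cert.pem" "$demo/other-cert.pem" ||
        echo "peer lacks the issuer: it would answer with an unknown ca alert"
    rm -rf "$demo"
}
```

Run `chain_ok` with the real certificate and the CA file exported from the phone's trust store; `issuer_of` names the CA certificate that has to be imported there.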



 		 	   		  