[SR-Users] help with tls error :sslv3 alert bad certificate

peter_green lion betergreen at live.com
Thu Sep 9 20:06:32 CEST 2010




> Date: Thu, 9 Sep 2010 16:17:18 +0200
> From: klaus.mailinglists at pernau.at
> To: betergreen at live.com
> CC: sr-users at lists.sip-router.org
> Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
> 
> 
> 
> Am 09.09.2010 12:00, schrieb peter_green lion:
> >
> >  > Date: Thu, 9 Sep 2010 11:13:19 +0200
> >  > From: klaus.mailinglists at pernau.at
> >  > To: betergreen at live.com
> >  > CC: sr-users at lists.sip-router.org
> >  > Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
> >  >
> >  >
> >  >
> >  > Am 09.09.2010 10:17, schrieb peter_green lion:
> >  > > Hi all,
> >  > > I have configured TLS support as described at this link:
> >  > > http://www.kamailio.org/docs/tls-devel.html#id2451496
> >  > > and I added the certificate "cacert.pem" to the 3CX SIP phone, but when I
> >  > > register the SIP phone, the log file on the Kamailio server shows:
> >  > >
> >  > > Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls
> >  > > [tls_server.c:392]: SSL error:error:14094412:SSL
> >  > > routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> >  >
> >  > I think this means that the SIP phone sends the ALERT because it does
> >  > not accept the certificate of the server. So you have to debug why the
> >  > SIP phone does not accept the certificate.
> >  >
> >  > You really should test with another SIP client first.
> >  >
> >  > regards
> >  > Klaus
> >  >
> >  > >
> >  > > My configuration in kamailio.cfg is:
> >  > >
> >  > > modparam("tls", "tls_method", "TLSv1")
> >  > > modparam("tls", "tls_method", "SSLv23")
> >  > > modparam("tls", "certificate",
> >  > > "/usr/local/etc/kamailio//tls/user/user-cert.pem")
> >  > > modparam("tls", "private_key",
> >  > > "/usr/local/etc/kamailio//tls/user/user-privkey.pem")
> >  > > modparam("tls", "ca_list",
> >  > > "/usr/local/etc/kamailio//tls/user/user-calist.pem")
> >  > > modparam("tls", "verify_certificate",0 )
> >  > > modparam("tls", "require_certificate",0 )
> >  > >
> >  > >
> >  > > Please suggest how to fix this error.
> >  > > Thanks and regards.
> >  > > Peter Green.
> >  > >
> >  > >
> >  > >
> >  > > _______________________________________________
> >  > > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> >  > > sr-users at lists.sip-router.org
> >  > > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
> >
> >
> > Hi Klaus,
> > I added the certificate to Internet Explorer, but it fails:
> > when I view this certificate I see this error:
> >
> > "this certificate has expired or is not yet valid"
> >
> > Does this mean this certificate is wrong?
> 
> Yes. It is either expired or not yet valid!
> >
> > So how do I make it correct?
> 
> Hope this ends this endless conversation
> 
> http://www.kamailio.org/dokuwiki/doku.php/tls:create-certificates
> 
> regards
> klaus
> 

Hi Klaus,
I hoped I could close this question, but I cannot make it work.
I did as described in the document you sent me,
and when I test the certificate with these commands:

[root@appliance kamailio]# openssl s_client -connect localhost:5061 -tls1 -CAfile /etc/certs/demoCA/cert.pem
CONNECTED(00000003)
depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
verify return:1
depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com
verify return:1
2962:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
2962:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:


[root@appliance kamailio]# openssl s_client -connect localhost:5061 -ssl2 -CAfile /etc/certs/demoCA/cert.pem
CONNECTED(00000003)
depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
verify return:1
depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com
verify return:1
2963:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:


[root@appliance kamailio]# openssl s_client -connect localhost:5061 -ssl3 -CAfile /etc/certs/demoCA/cert.pem
CONNECTED(00000003)
depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
verify return:1
depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com
verify return:1
2964:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
2964:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

And I have the same error as in the last email.

Please help me handle this error.
Thanks for helping me.
regards,
Peter Green.
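
An added example, not part of the original thread and not Kamailio or OpenSSL code: decoding the OpenSSL error codes in the log lines quoted above shows which side raised each error. It assumes the pre-3.0 OpenSSL error-code layout (8-bit library, 12-bit function, 12-bit reason) and that SSL-library reason codes of 1000 and above are TLS alerts received from the peer; `decode`, `ALERTS` and `SAMPLES` are names chosen here.

```python
import re

# Assumption: OpenSSL < 3.0 packs an error as lib(8 bits) | func(12) | reason(12).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for alerts sent by the peer

# TLS alert descriptions (RFC 5246, section 7.2) tied to handshake/certificate problems.
ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# error:<8 hex digits>:<library>:<function>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:\n]*)")

def decode(line):
    """Return a dict describing the first OpenSSL error in line, or None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "function": m.group(3), "text": m.group(4).strip(),
            "alert": None, "sent_by": "local"}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        info["alert"] = ALERTS.get(alert, "alert %d" % alert)
        info["sent_by"] = "peer"  # the remote end rejected the handshake
    return info

# Error lines copied from this thread (wrapped log lines joined).
SAMPLES = [
    "ERROR: tls [tls_server.c:392]: SSL error:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate",
    "2962:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40",
    "2962:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:",
]

if __name__ == "__main__":
    for s in SAMPLES:
        d = decode(s)
        print("%-16s reason=%4d sent_by=%-5s alert=%s"
              % (d["function"], d["reason"], d["sent_by"], d["alert"]))
```

In the Kamailio log the peer is the SIP phone; in the `openssl s_client` runs the peer is the Kamailio server on port 5061.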
 		 	   		  