[SR-Users] help with tls error :sslv3 alert bad certificate

peter_green lion betergreen at live.com
Mon Sep 13 12:03:28 CEST 2010




> Date: Mon, 13 Sep 2010 11:40:33 +0200
> From: klaus.mailinglists at pernau.at
> To: betergreen at live.com
> CC: sr-users at lists.sip-router.org
> Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
> 
> 
> 
> On 13.09.2010 11:10, peter_green lion wrote:
> > enable_tls=1
> > tcp_async=no
> >
> > listen=tls:192.168.1.81:5060
> 
> The default port for TLS is 5061.
> 
> >
> > modparam("tls", "tls_method", "TLSv1")
> > modparam("tls", "tls_method", "SSLv23")
> 
> You cannot use TLS and SSL - only one or the other. SIP is
> standardized with TLSv1. Thus you should remove SSLv23 unless you
> explicitly know that the client cannot handle TLSv1 (then the client
> would be buggy).
> 
> > modparam("tls", "certificate", "ser1_cert.pem")
> > modparam("tls", "private_key", "privkey.pem")
> > modparam("tls", "ca_list", "cacert.pem")
> > modparam("tls", "verify_certificate", 1)
> 
> 
> > modparam("tls", "require_certificate", 1)
> 
> Here is the problem: You have configured Kamailio to require a client
> certificate. Usually the SIP client does not have a TLS client
> certificate, thus Kamailio will terminate the TLS connection with a
> handshake error. Set
>     modparam("tls", "require_certificate", 0)
> and at least it should work with the "openssl s_client" tool.
> 
> 
> regards
> Klaus
> 
> 

Hi Klaus and all,

I have changed everything as you advised,
but it still does not work.
When I run the command to check:

[root at appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1
CONNECTED(00000003)
depth=1 /C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a at 192.168.1.40
verify error:num=19:self signed certificate in certificate chain
verify return:0

....................
subject=/C=vn/ST=hcm/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a at 192.168.1.40
issuer=/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a at 192.168.1.40
---
Acceptable client certificate CA names
/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a at 192.168.1.40
---
SSL handshake has read 2256 bytes and written 299 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 08F56E61E88ADF353D6EB77126706E4364F31FB31437153ABAB1A20090F8D77CE0BEA0E0B218DB6E7653FBD873E91735
    Key-Arg   : None
    Krb5 Principal: None
   Compression: 1 (zlib compression)
    Start Time: 1284411539
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
and:

[root at appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1 -CAfile cacert.pem
CONNECTED(00000003)
2223:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

So what is the problem?

thanks and regards,
Peter Green.
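As an added example (not part of the thread), the failure modes discussed above reproduced in-process, with Go's crypto/tls standing in for Kamailio's tls module and for openssl s_client: a server that requires a client certificate rejects a certificate-less client with the alert "bad certificate", a client whose CA list does not contain the server's self-signed certificate fails with "certificate signed by unknown authority" (the strict-client counterpart of s_client's verify error 19, which s_client only reports while completing the handshake, as the first output above shows), and require_certificate=1 does work once the client actually holds a certificate the server trusts. Assumptions: loopback TCP is available, TLS 1.2 is used because Go no longer offers TLSv1, and the self-signed certificate, addresses and function names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// selfSigned builds a constructed self-signed cert for 127.0.0.1 standing in for ser1_cert.pem and cacert.pem.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{ // issuer == subject, exactly as in the s_client output above
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "127.0.0.1"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the "ca_list": trusts exactly this one certificate
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}
// handshake runs one TLS 1.2 handshake over loopback and returns the client's and the server's error (nil = success); requireClient mirrors require_certificate=1, clientTrustsCA mirrors "-CAfile cacert.pem".
func handshake(requireClient, clientSendsCert, clientTrustsCA bool) (clientErr, serverErr error) {
	cert, pool := selfSigned()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12}
	if requireClient { srvCfg.ClientAuth, srvCfg.ClientCAs = tls.RequireAndVerifyClientCert, pool } // no client cert -> alert "bad certificate"
	cliCfg := &tls.Config{ServerName: "127.0.0.1", RootCAs: x509.NewCertPool(), MinVersion: tls.VersionTLS12}
	if clientTrustsCA { cliCfg.RootCAs = pool } // an empty pool fails with "certificate signed by unknown authority"
	if clientSendsCert { cliCfg.Certificates = []tls.Certificate{cert} }
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err, err }
	defer ln.Close()
	done, srvConn := make(chan error, 1), net.Conn(nil)
	go func() { // server side; its socket stays open until the client has read any alert it sent
		c, err := ln.Accept()
		if err == nil { srvConn, err = c, tls.Server(c, srvCfg).Handshake() }
		done <- err
	}()
	conn, clientErr := tls.Dial("tcp", ln.Addr().String(), cliCfg) // Dial runs the client handshake
	serverErr = <-done
	if conn != nil { conn.Close() }
	if srvConn != nil { srvConn.Close() }
	return clientErr, serverErr
}
```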



 		 	   		  