[SR-Users] Enable session_id in ServerHello for TLS

Kristijan Vrban vrban.lkml at googlemail.com
Wed Mar 14 19:02:16 CET 2012


> Does it support client certificate?
Don't know. Never tested.

2012/3/13 Daniel-Constantin Mierla <miconda at gmail.com>:
> On 3/12/12 4:31 PM, Kristijan Vrban wrote:
>>
>> the snom softphone:
>> http://www.chip.de/downloads/360-Softphone_14364878.html
>>
>> It's completely outdated, and therefore good for such
>> backwards-compatible tests.
>
> Interesting! Does it support a client certificate? Or is it like with snom
> hardphones: it can use the server certificate for encryption, but you cannot
> set a client-side certificate for using it to do user authentication.
>
> Cheers,
> Daniel
>
>
>>
>> Kristijan
>>
>> 2012/3/12 Daniel-Constantin Mierla<miconda at gmail.com>:
>>>
>>> Hello,
>>>
>>> thanks for reporting back it's working -- please keep the mailing list
>>> cc-ed, so people looking for same issue will be able to find it when
>>> searching the web archive.
>>>
>>> I am using snom3xx with tls and kamailio 3.x a lot, never had issues,
>>> but I have no clue about the softphone.exe
>>>
>>> Cheers,
>>> Daniel
>>>
>>>
>>> On 3/11/12 8:09 PM, Kristijan Vrban wrote:
>>>>
>>>> Hello Daniel,
>>>>
>>>> many thanks for the fast reply. And yes, the session_cache option
>>>> solved my problem. Well... the device I used was the immemorial
>>>> snom360 softphone.exe running with wine :) The softphone I have used
>>>> for years for TLS testing.
>>>>
>>>> Kristijan
>>>>
>>>> 2012/3/11 Daniel-Constantin Mierla<miconda at gmail.com>:
>>>>>
>>>>> Hello,
>>>>>
>>>>>
>>>>> On 3/11/12 1:28 AM, Kristijan Vrban wrote:
>>>>>>
>>>>>> Hello, how to tell that Kamailio should use a session_id for tls?
>>>>>> See ssldump output below. I reckon that this is the reason the
>>>>>> client I use ends with "handshake_failure". Because when I use
>>>>>> opensips, there is the session_id, and it's working.
>>>>>>
>>>>>> Kristijan
>>>>>>
>>>>>> 2 1  0.0228 (0.0228)  C>S  Handshake
>>>>>>       ClientHello
>>>>>>         Version 3.1
>>>>>>         cipher suites
>>>>>>         TLS_RSA_WITH_RC4_128_MD5
>>>>>>         TLS_RSA_WITH_RC4_128_SHA
>>>>>>         TLS_RSA_WITH_NULL_MD5
>>>>>>         TLS_RSA_WITH_NULL_SHA
>>>>>>         TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
>>>>>>         TLS_DH_anon_WITH_RC4_128_MD5
>>>>>>         TLS_RSA_WITH_DES_CBC_SHA
>>>>>>         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>>>>>>         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>>>>>>         TLS_DH_anon_WITH_DES_CBC_SHA
>>>>>>         compression methods
>>>>>>                   NULL
>>>>>> 1    0.0519 (0.0519)  C>S  TCP FIN
>>>>>> 2 2  0.0432 (0.0204)  S>C  Handshake
>>>>>>       ServerHello
>>>>>>         Version 3.1
>>>>>>         session_id[0]=
>>>>>>
>>>>>>         cipherSuite         TLS_RSA_WITH_RC4_128_MD5
>>>>>>         compressionMethod                   NULL
>>>>>> 2 3  0.0432 (0.0000)  S>C  Handshake
>>>>>>       Certificate
>>>>>> 2 4  0.0432 (0.0000)  S>C  Handshake
>>>>>>       ServerHelloDone
>>>>>> 2 5  0.0452 (0.0020)  C>S  Alert
>>>>>>     level           fatal
>>>>>>     value           handshake_failure
>>>>>> 1    0.0744 (0.0225)  S>C  TCP FIN
>>>>>> 2    0.0681 (0.0228)  S>C  TCP FIN
>>>>>
>>>>> the tls module now has the option to turn on/off session caching,
>>>>> which was on by default in openser 1.x. Now it is off as it does not
>>>>> make much benefits with our multi-process architecture. Try to add to
>>>>> your config:
>>>>>
>>>>> modparam("tls", "session_cache", 1)
>>>>>
>>>>> Let me know if works -- the module parameter is missing from the
>>>>> readme, perhaps the author forgot to add it at the time of
>>>>> development -- I will try to sync the sources and the readme for tls
>>>>> module asap.
>>>>>
>>>>> Cheers,
>>>>> Daniel
>>>>>
>>>>> --
>>>>> Daniel-Constantin Mierla
>>>>> Kamailio Advanced Training, April 23-26, 2012, Berlin, Germany
>>>>> http://www.asipto.com/index.php/kamailio-advanced-training/
>>>>>
>
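
To check from a capture whether the server actually sends a session ID once session_cache is set, the ServerHello can be parsed directly. This is an added example, not part of the original thread or of Kamailio's code; parse_server_hello and build_server_hello are hypothetical helper names, and the record bytes are constructed rather than taken from the trace above.

```python
import struct

# Names for suites that appear in the ssldump trace above (IANA code points).
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA"}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello and return its fields."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # version(2) + random(32) + session_id length(1) is the fixed prefix
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]
    end = 35 + sid_len
    if sid_len > 32 or len(hello) < end + 3:
        raise ValueError("bad session_id length")
    suite = int.from_bytes(hello[end:end + 2], "big")
    return {
        "version": f"{hello[0]}.{hello[1]}",
        "session_id": hello[35:end],
        "cipher_suite": SUITES.get(suite, f"0x{suite:04x}"),
        "compression": hello[end + 2],
    }


def build_server_hello(session_id: bytes, suite: int = 0x0004) -> bytes:
    """Build a constructed TLS 1.0 ServerHello record for the demo (not captured)."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += suite.to_bytes(2, "big") + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    for sid in (b"", bytes(range(32))):
        info = parse_server_hello(build_server_hello(sid))
        state = "offered" if info["session_id"] else "empty (no resumption offered)"
        print(info["version"], info["cipher_suite"], "session_id", state)
```

An empty session_id corresponds to the `session_id[0]=` line in the ssldump output; a server with session caching enabled returns a non-empty value of up to 32 bytes.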


