[SR-Users] TLS Certificate Verification Issue
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Oct 25 16:13:59 CEST 2012
Hi Kamal!
Are you familiar with SSL/TLS and certificates? With TLS the trust
between TLS server and TLS client is usually established via a trusted
certification authority (CA). For example, if the intermediate proxy uses a
certificate which is issued by CA FOOBAR-XYZ, then you have to configure
Kamailio to accept certificates signed by FOOBAR-XYZ. This is done by
copying the public root certificate of FOOBAR-XYZ to the Kamailio server
and configuring Kamailio to use the FOOBAR-XYZ certificate as trusted CA.
Of course then you automatically also trust all other certificates
issued by FOOBAR-XYZ.
To configure the trusted CAs use:
http://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list
You could also disable the certificate validation with:
http://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate
But of course this reduces TLS benefits to encryption-only.
regards
Klaus
On 22.10.2012 13:53, Kamal Palei wrote:
> Dear All
> I have modified kamailio.cfg and compiled all the modules with TLS
> enabled, and am able to bring up the kamailio proxy properly.
>
> Kamailio proxy will receive the REGISTER message from endpoints in UDP,
> and want to send this REGISTER message to another intermediate proxy in
> TLS. For this purpose, I have added few lines in kamailio.cfg file as below.
>
> I have created the certificates, private keys as explained by README
> file in kamailio-3.1.5/modules/tls/ path.
>
> if(is_method("REGISTER"))
> {
>     t_relay_to("tls:115.114.48.75:443");
>     exit();
> }
>
> Looks like this is taking effect. When Kamailio receives REGISTER
> message it is trying to do handshake with intermediate proxy.
> I used wireshark to see the handshake messages.
>
> 1. From Kamailio proxy, a TCP SYNC message is going to intermediate proxy.
> 2. intermediate proxy sends SYNC + ACK
> 3. Kamailio sends CLIENT HELLO
> 4. intermediate proxy sends SERVER HELLO, CERTIFICATE and SERVER HELLO DONE
> 5. The Kamailio sends ALERT (Level: Fatal, Description: Unknown CA)
> ---> IS something going wrong here..............
> 6. Then Kamailio sends FIN + ACK
>
> Can somebody please let me know why the certificate verification fails
> (I get this log in console).
> How can I put a work around to avoid certification verification failure.
>
> Best Regards
> kamal
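The two options from the reply above, written out as a TLS module profile file. This is an added example, not part of the original thread or of the Kamailio distribution; it assumes the profile file is loaded with `modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")`, and the file paths and the FOOBAR-XYZ file name are placeholders.

```cfg
# /usr/local/etc/kamailio/tls.cfg  (path is a placeholder)

# Profile used when Kamailio is the TLS *client*, i.e. for the outbound
# t_relay_to("tls:...") leg towards the intermediate proxy.
[client:default]

# Corrected setting: validate the peer certificate chain. Without a
# matching ca_list this is what produces the fatal "Unknown CA" alert
# right after the server's CERTIFICATE message.
verify_certificate = yes
require_certificate = yes

# PEM file holding the public root certificate of the CA that issued the
# intermediate proxy's certificate (FOOBAR-XYZ in the reply above).
# Every certificate issued by a CA listed here will be accepted, so keep
# the file limited to the CAs you actually intend to trust.
ca_list = /usr/local/etc/kamailio/foobar-xyz-ca.pem

# Weak alternative (the workaround asked for in the question): the
# handshake completes, but the peer is not authenticated, so the link is
# encrypted towards whoever answers on that address.
#
# verify_certificate = no
# require_certificate = no

# Check outside Kamailio before restarting (host and port are placeholders):
#   openssl s_client -connect <proxy-host>:<port> \
#       -CAfile /usr/local/etc/kamailio/foobar-xyz-ca.pem
# A correct CA file ends with "Verify return code: 0 (ok)".
```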