[SR-Users] TLS Certificate Verification Issue

Kamal Palei palei.kamal at gmail.com
Thu Oct 25 16:23:54 CEST 2012


Dear Klaus,
I have disabled the certificate verification.

I am facing a new problem.
When there is a connection reset, Kamailio crashes.
During the crash, I get the logs below. Any idea why it is crashing and how I can
avoid it?

oot at B2BUA:/usr/local/src/scripts#  9(9557) : <core> [mem/q_malloc.c:431]:
BUG: qm_free: bad pointer (nil) (out of memory block!) - aborting
 0(9548) ALERT: <core> [main.c:742]: child process 9557 exited by a signal 6
 0(9548) ALERT: <core> [main.c:745]: core was generated
 0(9548) INFO: <core> [main.c:757]: INFO: terminating due to SIGCHLD
 6(9554) INFO: <core> [main.c:808]: INFO: signal 15 received
 8(9556) INFO: <core> [main.c:808]: INFO: signal 15 received
 4(9552) INFO: <core> [main.c:808]: INFO: signal 15 received
 5(9553) INFO: <core> [main.c:808]: INFO: signal 15 received
 3(9551) INFO: <core> [main.c:808]: INFO: signal 15 received
 7(9555) INFO: <core> [main.c:808]: INFO: signal 15 received
 1(9549) INFO: <core> [main.c:808]: INFO: signal 15 received
 2(9550) INFO: <core> [main.c:808]: INFO: signal 15 received
 0(9548) : <core> [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil)
(out of memory block!) - aborting


THANKS
kamal

On Thu, Oct 25, 2012 at 7:43 PM, Klaus Darilion <
klaus.mailinglists at pernau.at> wrote:

> Hi Kamal!
>
> Are you familiar with SSL/TLS and certificates? With TLS the trust between
> TLS server and TLS client is usually via a trusted certification authority
> (CA). For example, if the intermediate proxy uses a certificate which is
> issued by CA FOOBAR-XYZ, then you have to configure Kamailio to accept
> certificates signed by FOOBAR-XYZ. This is done by copying the public root
> certificate of FOOBAR-XYZ to the Kamailio server and configuring Kamailio to
> use the FOOBAR-XYZ certificate as trusted CA. Of course then you
> automatically also trust all other certificates issued by FOOBAR-XYZ.
>
> To configure the trusted CAs use:
> http://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list
>
> You could also disable the certificate validation with:
> http://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate
>
> But of course this reduces TLS benefits to encryption-only.
>
> regards
> Klaus
>
>
> On 22.10.2012 13:53, Kamal Palei wrote:
>
>> Dear All
>> I have modified kamailio.cfg and compiled all the modules with TLS
>> enabled, and am able to bring up the kamailio proxy properly.
>>
>> Kamailio proxy will receive the REGISTER message from endpoints in UDP,
>> and I want to send this REGISTER message to another intermediate proxy in
>> TLS. For this purpose, I have added a few lines in kamailio.cfg file as
>> below.
>>
>> I have created the certificates, private keys as explained by README
>> file in kamailio-3.1.5/modules/tls/ path.
>>
>>          if(is_method("REGISTER"))
>>          {
>>                  t_relay_to("tls:115.114.48.75:443");
>>
>>                  exit();
>>          }
>>
>> Looks like this is taking effect. When Kamailio receives REGISTER
>> message it is trying to do handshake with intermediate proxy.
>> I used wireshark to see the handshake messages.
>>
>> 1. From Kamailio proxy, a TCP SYNC message is going to intermediate proxy.
>> 2. intermediate proxy sends SYNC + ACK
>> 3. Kamailio sends CLIENT HELLO
>> 4. intermediate proxy sends SERVER HELLO, CERTIFICATE and SERVER HELLO
>> DONE
>> 5. The Kamailio sends ALERT (Level: Fatal, Description: Unknown CA)
>> --->  IS something going wrong here..............
>> 6. Then Kamailio sends FIN + ACK
>>
>> Can somebody please let me know why the certificate verification fails
>> (I get this log in console)?
>> How can I put a workaround to avoid certification verification failure?
>>
>> Best Regards
>> kamal
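
The trust relationship described in the quoted reply, and the "Unknown CA" alert from step 5 of the handshake, can be reproduced offline with the openssl command line. This is an added example, not part of the original thread: the CAs, keys and certificates are throwaway test data (the name FOOBAR-XYZ is borrowed from the reply), and the chain is checked with `openssl verify` instead of through Kamailio.

```shell
#!/bin/sh
# Added example; every CA, key and certificate here is throwaway test data.

# make_ca DIR NAME: create a self-signed test CA (NAME.key, NAME.pem) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue_cert DIR CA NAME: create NAME.pem in DIR, signed by test CA named CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# chain_ok CA_BUNDLE CERT: succeed only if CERT chains to a CA in CA_BUNDLE.
# This is the decision a TLS client makes from its trusted-CA list.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: succeeds when the proxy certificate is rejected against an unrelated
# CA (the "Unknown CA" case) and accepted once its issuer is in the bundle.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" FOOBAR-XYZ && make_ca "$d" OTHER-CA &&
        issue_cert "$d" FOOBAR-XYZ proxy || { rm -rf "$d"; return 1; }
    rc=0
    chain_ok "$d/OTHER-CA.pem" "$d/proxy.pem" && rc=1    # must be rejected
    chain_ok "$d/FOOBAR-XYZ.pem" "$d/proxy.pem" || rc=1  # must be accepted
    rm -rf "$d"
    return "$rc"
}

if demo; then
    echo "unrelated CA: rejected; issuer in bundle: accepted"
else
    echo "unexpected verification result" >&2
fi
```

Running the same `chain_ok` check against the file intended for `ca_list` and the certificate the remote proxy actually presents shows whether the handshake can pass with verification left enabled.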