[SR-Users] Kamailio TLS configuration

Alexandru Covalschi 568691 at gmail.com
Fri Aug 28 23:11:37 CEST 2015


Forgot to add
cat /etc/issue
Debian GNU/Linux 8 \n \l


kamailio -V
version: kamailio 4.3.1 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS,
DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC,
F_MALLOC, DBG_F_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE,
USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 4.9.2

openssl version
OpenSSL 1.0.1k 8 Jan 2015


2015-08-28 20:01 GMT+03:00 Alexandru Covalschi <568691 at gmail.com>:

> Hello!
>
> I'm having problems with Kamailio configuration with TLS. Or, maybe,
> that's my misunderstanding about how it should work.
> So, the issue - inbound TLS works just great, I can call everyone in my
> domain. I have PositiveSSL certificate, so I have such files:
> calist.crt  AddTrustExternalCARoot.crt + COMODORSAAddTrustCA.crt +
> COMODORSADomainValidationSecureServerCA.crt divided by \n
> server.key  - key
> server.crt - cert
> The configuration of tls.cfg
>
> [server:default]
> method = SSLv23
> verify_certificate = no
> require_certificate = no
> private_key = /etc/ssl/sectel.io.ssl/sip/server.key
> certificate = /etc/ssl/sectel.io.ssl/sip/server.crt
> ca_list = /etc/ssl/sectel.io.ssl/sip/calist.crt
> #crl = /etc/kamailio/crl.pem
> (however with or without ca_list nothing changes)
>
> [client:default]
> verify_certificate = yes
> require_certificate = yes
>
>
> And with that configuration when I'm trying to call to ostel.co (public
> SIP service supporting TLS) from my server I get such error:
> ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
>
> Putting that in tls.cfg:
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> Makes everything work.
> Cross-domain calling is essential and I'm just trying to figure out -
> what's the problem? Is that my certificate, is that ostel.co certificate
> or it is just the way it should be?
>
> Thanks!
>
> --
> Alexandru Covalschi
> ABRISS-Solutions
> VoIP engineer and system administrator
> phone: +37367398493
> web: http://abs-telecom.com/
>



-- 
Alexandru Covalschi
ABRISS-Solutions
VoIP engineer and system administrator
phone: +37367398493
web: http://abs-telecom.com/
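
A check for the two [client:default] states described in the message, as an added example that is not part of the original post or of Kamailio: it parses tls.cfg text and reports, per client profile, whether the peer certificate is verified and whether a ca_list is present to verify against. It assumes a profile trusts only the CAs named in its own ca_list and that an absent key behaves like "no"; the CA bundle path is a placeholder.

```python
import configparser

# Constructed sample: the two [client:default] variants from the post, plus
# a third that keeps verification on and names a CA bundle (hypothetical path).
AS_POSTED = """
[server:default]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/ssl/sectel.io.ssl/sip/server.key
certificate = /etc/ssl/sectel.io.ssl/sip/server.crt
ca_list = /etc/ssl/sectel.io.ssl/sip/calist.crt

[client:default]
verify_certificate = yes
require_certificate = yes
"""
WORKAROUND = AS_POSTED.replace("= yes", "= no")
WITH_CA = AS_POSTED + "ca_list = /path/to/public-ca-bundle.pem\n"


def audit_client_profiles(text):
    """Return {profile: finding} for every [client:...] profile in tls.cfg text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for name in cp.sections():
        if not name.startswith("client:"):
            continue
        sec = cp[name]
        # Assumption: a key that is absent behaves like "no".
        verify = sec.getboolean("verify_certificate", fallback=False)
        if not verify:
            findings[name] = "peer certificate is not verified"
        elif not sec.get("ca_list", "").strip():
            findings[name] = "verification on but no ca_list (no trust anchors)"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for label, cfg in [("as posted", AS_POSTED), ("workaround", WORKAROUND),
                       ("with ca_list", WITH_CA)]:
        print(label, audit_client_profiles(cfg))
```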