[SR-Users] Kamailio TLS configuration

Alexandru Covalschi 568691 at gmail.com
Fri Aug 28 23:13:11 CEST 2015


And the server is under Amazon EC2, but that shouldn't really make any sense

2015-08-29 0:11 GMT+03:00 Alexandru Covalschi <568691 at gmail.com>:

> Forgot to add
> cat /etc/issue
> Debian GNU/Linux 8 \n \l
>
>
> kamailio -V
> version: kamailio 4.3.1 (x86_64/linux)
> flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS,
> DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC,
> F_MALLOC, DBG_F_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE,
> USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
> ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
> MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
> poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
> id: unknown
> compiled with gcc 4.9.2
>
> openssl version
> OpenSSL 1.0.1k 8 Jan 2015
>
>
> 2015-08-28 20:01 GMT+03:00 Alexandru Covalschi <568691 at gmail.com>:
>
>> Hello!
>>
>> I'm having problems with Kamailio configuration with TLS. Or, maybe,
>> that's my misunderstanding about how it should work.
>> So, the issue - inbound TLS works just great, I can call everyone in my
>> domain. I have PositiveSSL certificate, so I have such files:
>> calist.crt  AddTrustExternalCARoot.crt + COMODORSAAddTrustCA.crt +
>> COMODORSADomainValidationSecureServerCA.crt divided by \n
>> server.key  - key
>> server.crt - cert
>> The configuration of tls.cfg
>>
>> [server:default]
>> method = SSLv23
>> verify_certificate = no
>> require_certificate = no
>> private_key = /etc/ssl/sectel.io.ssl/sip/server.key
>> certificate = /etc/ssl/sectel.io.ssl/sip/server.crt
>> ca_list = /etc/ssl/sectel.io.ssl/sip/calist.crt
>> #crl = /etc/kamailio/crl.pem
>> (however with or without ca_list nothing changes)
>>
>> [client:default]
>> verify_certificate = yes
>> require_certificate = yes
>>
>>
>> And with that configuration when I'm trying to call to ostel.co (public
>> SIP service supporting TLS) from my server I get such error:
>> ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>>
>> Putting that in tls.cfg:
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>
>> makes everything work.
>> Cross-domain calling is essential and I'm just trying to figure out -
>> what's the problem? Is that my certificate, is that ostel.co certificate
>> or it is just the way it should be?
>>
>> Thanks!
>>
>> --
>> Alexandru Covalschi
>> ABRISS-Solutions
>> VoIP engineer and system administrator
>> phone: +37367398493
>> web: http://abs-telecom.com/
>>
>
>
>
> --
> Alexandru Covalschi
> ABRISS-Solutions
> VoIP engineer and system administrator
> phone: +37367398493
> web: http://abs-telecom.com/
>



-- 
Alexandru Covalschi
ABRISS-Solutions
VoIP engineer and system administrator
phone: +37367398493
web: http://abs-telecom.com/
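
An added example, not part of the original post and not Kamailio project code: a small audit of a tls.cfg that flags the two client-profile states described in the message. It assumes that a client profile only has trust anchors when `ca_list` is set in that profile, that `verify_certificate` defaults to off when absent, and that `/etc/ssl/certs/ca-certificates.crt` (the Debian system bundle) is the CA file used for outbound verification.

```python
import configparser

TRUE = {"yes", "true", "on", "1"}  # assumed set of truthy spellings

def audit_tls_cfg(text):
    """Return [(section, finding)] for every client profile in a tls.cfg."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.lower().startswith("client:"):
            continue
        prof = cp[section]
        verify = prof.get("verify_certificate", "no").strip().lower() in TRUE
        ca_list = prof.get("ca_list", "").strip()
        if not verify:
            # Peer certificate is never checked: any server is accepted.
            findings.append((section, "no-verify"))
        elif not ca_list:
            # Verification is on but nothing to verify against, which is
            # consistent with "certificate verify failed" on outbound TLS.
            findings.append((section, "verify-without-ca_list"))
    return findings

# Server profile as quoted in the message.
SERVER = """[server:default]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/ssl/sectel.io.ssl/sip/server.key
certificate = /etc/ssl/sectel.io.ssl/sip/server.crt
ca_list = /etc/ssl/sectel.io.ssl/sip/calist.crt
#crl = /etc/kamailio/crl.pem
"""
# Client profile as first posted, then the posted workaround.
AS_POSTED = SERVER + ("[client:default]\nverify_certificate = yes\n"
                      "require_certificate = yes\n")
WORKAROUND = SERVER + ("[client:default]\nverify_certificate = no\n"
                       "require_certificate = no\n")
# Constructed variant: verification kept on, CA bundle path is an assumption.
WITH_CA = AS_POSTED + "ca_list = /etc/ssl/certs/ca-certificates.crt\n"

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("workaround", WORKAROUND),
                      ("with ca_list", WITH_CA)):
        print(name, audit_tls_cfg(cfg))
```

The server profile's `ca_list` is not counted for the client profile, since each profile section carries its own settings.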