[SR-Users] Kamailio TLS configuration

Ding Ma mading087 at gmail.com
Sat Aug 29 19:54:12 CEST 2015


When your server contacts the public server, your server acts as a TLS client. So you may need to copy the server section settings (at least the calist) into the client section of tls.cfg.


> On Aug 28, 2015, at 12:01 PM, Alexandru Covalschi <568691 at gmail.com> wrote:
> 
> Hello!
> 
> I'm having problems with Kamailio configuration with TLS. Or maybe it's my misunderstanding of how it should work.
> So, the issue: inbound TLS works just great, I can call everyone in my domain. I have a PositiveSSL certificate, so I have these files:
> calist.crt  AddTrustExternalCARoot.crt + COMODORSAAddTrustCA.crt + COMODORSADomainValidationSecureServerCA.crt divided by \n
> server.key  - key
> server.crt - cert
> The configuration of tls.cfg
> 
> [server:default]
> method = SSLv23
> verify_certificate = no
> require_certificate = no
> private_key = /etc/ssl/sectel.io.ssl/sip/server.key
> certificate = /etc/ssl/sectel.io.ssl/sip/server.crt
> ca_list = /etc/ssl/sectel.io.ssl/sip/calist.crt
> #crl = /etc/kamailio/crl.pem
> (however with or without ca_list nothing changes)
> 
> [client:default]
> verify_certificate = yes
> require_certificate = yes
> 
> 
> And with that configuration, when I try to call ostel.co (a public SIP service supporting TLS) from my server, I get this error:
> ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 
> 
> Putting that in tls.cfg:
> [client:default]
> verify_certificate = no
> require_certificate = no
> 
> makes everything work.
> Cross-domain calling is essential and I'm just trying to figure out what the problem is. Is it my certificate, is it the ostel.co certificate, or is it just the way it should be?
> 
> Thanks!
> 
> -- 
> Alexandru Covalschi
> ABRISS-Solutions
> VoIP engineer and system administrator
> phone: +37367398493
> web: http://abs-telecom.com/
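Added example (not part of the original thread and not the poster's actual file): the [client:default] profile from the question beside a version that keeps verification on and gives the client profile a CA file. The bundle path is an assumption (the Debian/Ubuntu system CA bundle); the file has to contain the root CA that issued the remote server's certificate, which may differ from the chain behind your own certificate.

```ini
# tls.cfg: client profiles apply when Kamailio opens the TLS connection
# itself, e.g. an outbound call to another domain.

# As posted in the question: verification is required, but the profile
# names no CA file. This matches the "certificate verify failed" error.
#[client:default]
#verify_certificate = yes
#require_certificate = yes

# Workaround from the question: calls go through, but the peer's
# certificate is no longer checked at all.
#[client:default]
#verify_certificate = no
#require_certificate = no

# Corrected: keep verification on and give the client profile a trust store.
[client:default]
verify_certificate = yes
require_certificate = yes
# Assumed path: system CA bundle on Debian/Ubuntu. Replace it with any PEM
# file that holds the root CAs of the servers you call.
ca_list = /etc/ssl/certs/ca-certificates.crt

# To test the bundle against a peer outside Kamailio (host and port are
# placeholders):
#   openssl s_client -connect <peer-host>:<tls-port> -CAfile /etc/ssl/certs/ca-certificates.crt
```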