[SR-Users] 2 TLS issues/questions: per-client config & IPv6 client

Anthony Messina amessina at messinet.com
Mon Feb 23 02:16:12 CET 2015


I'm wondering if anyone can point me in the right direction for the following 
two issues with Kamailio and tls.cfg

1. When attempting to configure TLS settings for connecting to a specific IPv4 
client, it seems that the ca_list indicated in [client:default] overrides the 
one in the client-specific config.  If I don't include the client's CA in the 
[client:default] section, I get the following, regardless of what is in 
[client:204.74.213.5:5061].

ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/crt.pem
verify_depth = 2
# In order for the client below to work, the ca_list here needs to support
# contain the CA for the specific client. Not sure why, maybe a bug?
#ca_list = /etc/pki/CA/myownCA.pem # Can't use this one
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CA's

[client:204.74.213.5:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
verify_depth = 2
ca_list = /etc/kamailio/204.74.213.5.crt.pem


2. When attempting to configure TLS settings for connecting to a specific IPv6 
client, I cannot figure out the syntax needed to specify the IPv6 client.  
What is the proper syntax?

With [client:[2607:5300:60:1f93::0]:5061], I get:
ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address


Any guidance is appreciated.  Thanks.  -A

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
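
Added example, not part of the original post and not Kamailio code: an offline check of which ca_list candidate validates a peer certificate, reproducing the "certificate verify failed" outcome from issue 1 with constructed throwaway CAs. The function and file names are assumptions; to test real files, call ca_list_accepts with the actual ca_list path and the certificate the peer presents.

```shell
#!/bin/sh
# Added example (not from the original post). All CAs and certificates here
# are constructed throwaway test material; the file names are hypothetical
# stand-ins for the ca_list files named in the tls.cfg above.

# make_ca DIR NAME: create a self-signed CA (NAME.pem / NAME.key) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue_cert DIR CA NAME: issue NAME.pem in DIR, signed by CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/$3.pem" >/dev/null 2>&1
}

# ca_list_accepts CA_LIST CERT: exit 0 if CERT chains to a CA in CA_LIST.
ca_list_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report LABEL CA_LIST CERT: print one result line for a ca_list candidate.
report() {
    if ca_list_accepts "$2" "$3"; then r="verify OK"; else r="verify FAILED"; fi
    printf '%-20s %s\n' "$1" "$r"
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" own_ca           # stands in for myownCA.pem
    make_ca "$d" peer_ca          # CA that issued the remote peer's cert
    issue_cert "$d" peer_ca peer  # certificate the remote peer presents
    cat "$d/own_ca.pem" "$d/peer_ca.pem" > "$d/all_cas.pem"  # combined list
    report "own CA only"      "$d/own_ca.pem"  "$d/peer.pem"
    report "peer CA only"     "$d/peer_ca.pem" "$d/peer.pem"
    report "combined CA list" "$d/all_cas.pem" "$d/peer.pem"
    rm -rf "$d"
}

demo
```

If a per-client ca_list file passes this check against the peer's certificate but the connection still fails, the CA file itself is not the cause and the question becomes which profile the TLS module selected.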