[SR-Users] 2 TLS issues/questions: per-client config & IPv6 client

Daniel-Constantin Mierla miconda at gmail.com
Mon Feb 23 10:01:06 CET 2015


Hello,

On 23/02/15 02:16, Anthony Messina wrote:
> I'm wondering if anyone can point me in the right direction for the following 
> two issues with Kamailio and tls.cfg
>
> 1. When attempting to configure TLS settings for connecting to a specific IPv4 
> client, it seems that the ca_list indicated in [client:default] overrides the 
> one in the client-specific config.  If I don't include the client's CA in the 
> [client:default] section, I get the following, regardless of what is in 
> [client:204.74.213.5:5061].
>
> ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> [client:default]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = no
> private_key = /etc/kamailio/key.pem
> certificate = /etc/kamailio/crt.pem
> verify_depth = 2
> # In order for the client below to work, the ca_list here needs to support # 
> contain the CA for the specific client. Not sure why, maybe a bug?
> #ca_list = /etc/pki/CA/myownCA.pem # Can't use this one
> ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CA's
>
> [client:204.74.213.5:5061]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> verify_depth = 2
> ca_list = /etc/kamailio/204.74.213.5.crt.pem

I noticed that this one is hard to match because it specifies the local
socket, but the kernel returns a random local port when doing a connect.
The matching should be changed to be done on an xavp or the forced
socket. I made a note on the commit:

-
https://github.com/kamailio/kamailio/commit/9a36fb7aae0adc39efb17a967a88db2eebfd8c36

It is on my list to solve it, but no time so far.

>
>
> 2. When attempting to configure TLS settings for connecting to a specific IPv6 
> client, I cannot figure out the syntax needed to specify the IPv6 client.  
> What is the proper syntax?
>
> With [client:[2607:5300:60:1f93::0]:5061], I get:
> ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address

Perhaps it is an issue in the parser of the config, I will look at it.

Cheers,
Daniel

>
>
> Any guidance is appreciated.  Thanks.  -A
>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20150223/7a6d5f3f/attachment.html>


More information about the sr-users mailing list