[SR-Users] 2 TLS issues/questions: per-client config & IPv6 client

Daniel-Constantin Mierla miconda at gmail.com
Mon Feb 23 23:31:27 CET 2015


I just pushed a patch to look up the client TLS profile using the bind address
(if available) instead of the local source address for the connection,
trying to avoid matching on a port randomly allocated by the OS.

Let me know if it works fine.

Cheers,
Daniel

On 23/02/15 11:26, Daniel-Constantin Mierla wrote:
> Hello,
>
> can you try with the latest master? After just a quick view of the sources, I
> spotted an issue identifying the IPv6 address and pushed a small patch
> for it, but have had no time to test it so far.
>
> Cheers,
> Daniel
>
> On 23/02/15 10:01, Daniel-Constantin Mierla wrote:
>> Hello,
>>
>> On 23/02/15 02:16, Anthony Messina wrote:
>>> I'm wondering if anyone can point me in the right direction for the following
>>> two issues with Kamailio and tls.cfg.
>>>
>>> 1. When attempting to configure TLS settings for connecting to a specific IPv4 
>>> client, it seems that the ca_list indicated in [client:default] overrides the 
>>> one in the client-specific config.  If I don't include the client's CA in the 
>>> [client:default] section, I get the following, regardless of what is in 
>>> [client:204.74.213.5:5061].
>>>
>>> ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL 
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>
>>> [client:default]
>>> method = TLSv1+
>>> verify_certificate = yes
>>> require_certificate = no
>>> private_key = /etc/kamailio/key.pem
>>> certificate = /etc/kamailio/crt.pem
>>> verify_depth = 2
>>> # In order for the client below to work, the ca_list here needs to
>>> # contain the CA for the specific client. Not sure why, maybe a bug?
>>> #ca_list = /etc/pki/CA/myownCA.pem # Can't use this one
>>> ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CA's
>>>
>>> [client:204.74.213.5:5061]
>>> method = TLSv1+
>>> verify_certificate = yes
>>> require_certificate = yes
>>> verify_depth = 2
>>> ca_list = /etc/kamailio/204.74.213.5.crt.pem
>>
>> I noticed that this one is hard to match because it specifies the
>> local socket, but the kernel returns a random local port when doing a
>> connect. The matching should be changed to be done on an xavp or the
>> forced socket. I made a note on the commit:
>>
>> - https://github.com/kamailio/kamailio/commit/9a36fb7aae0adc39efb17a967a88db2eebfd8c36
>>
>> It is on my list to solve it, but no time so far.
>>
>>> 2. When attempting to configure TLS settings for connecting to a specific IPv6 
>>> client, I cannot figure out the syntax needed to specify the IPv6 client.  
>>> What is the proper syntax?
>>>
>>> With [client:[2607:5300:60:1f93::0]:5061], I get:
>>> ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address
>>
>> Perhaps it is an issue in the parser of the config; I will look at it.
>>
>> Cheers,
>> Daniel
>>
>>> Any guidance is appreciated.  Thanks.  -A
>>>
>>>
>>>
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>> sr-users at lists.sip-router.org
>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>> -- 
>> Daniel-Constantin Mierla
>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>> Kamailio World Conference, May 27-29, 2015
>> Berlin, Germany - http://www.kamailioworld.com

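To make the two problems in the thread concrete, here is an added illustration (not Kamailio's own tls.cfg parser, and not code from anyone in the thread): a small parser for the `[client:default]`, `[client:IPv4:port]` and `[client:[IPv6]:port]` section headers, plus a profile lookup keyed on the local socket. The sample config is constructed from the headers quoted above, with the IPv6 peer's ca_list path made up; the lookup shows why matching on the OS-assigned ephemeral source port falls through to `[client:default]` while matching on the bind address selects the specific profile.

```python
import ipaddress
import re

# Constructed sample in the style of the tls.cfg sections quoted in the thread;
# bodies are cut down to ca_list, and the IPv6 peer's ca_list path is made up.
SAMPLE_TLS_CFG = """\
[client:default]
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem
[client:204.74.213.5:5061]
ca_list = /etc/kamailio/204.74.213.5.crt.pem
[client:[2607:5300:60:1f93::0]:5061]
ca_list = /etc/kamailio/ipv6-peer.crt.pem
"""

DEFAULT_RE = re.compile(r"^\[(server|client):default\]$")
# An IPv6 literal is bracketed so its colons are not read as the port separator.
SOCK_RE = re.compile(r"^\[(server|client):(?:\[([0-9A-Fa-f:.]+)\]|([0-9.]+)):(\d+)\]$")

def parse_profiles(text):
    """Map each section header to its options, keyed (role, (ip, port) or None)."""
    profiles, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            m = DEFAULT_RE.match(line)
            if m:
                current = (m.group(1), None)
            else:
                m = SOCK_RE.match(line)
                if m is None:
                    raise ValueError(f"tls.cfg:{lineno}: invalid section header {line!r}")
                role, v6, v4, port = m.groups()
                # ipaddress validates either family and normalises ::0 to ::
                current = (role, (ipaddress.ip_address(v6 or v4).compressed, int(port)))
            profiles[current] = {}
        elif current is None:
            raise ValueError(f"tls.cfg:{lineno}: option outside any section")
        else:
            key, _, value = line.partition("=")
            profiles[current][key.strip()] = value.strip()
    return profiles

def lookup_client_profile(profiles, ip, port):
    """Select the client profile for a local socket, else fall back to default."""
    key = ("client", (ipaddress.ip_address(ip).compressed, port))
    return profiles.get(key, profiles.get(("client", None)))
```

Calling `lookup_client_profile` with the bind socket (204.74.213.5, 5061) returns the client-specific profile, whereas an ephemeral local port such as 53412 returns `[client:default]`, which is the mismatch the patch above works around.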
