[SR-Users] 2 TLS issues/questions: per-client config & IPv6 client

Anthony Messina amessina at messinet.com
Mon Feb 23 23:58:35 CET 2015


Thanks, Daniel.  I'll be rebuilding with the recent changes this evening.  A 
few clarification requests inline below...

On Monday, February 23, 2015 11:26:27 AM Daniel-Constantin Mierla wrote:
> Hello,
> 
> can you try with latest master? After just quick view of sources, I spotted
> some issue identifying ipv6 address and pushed a small patch for it, but no
> time to test it for now.
> 
> Cheers,
> Daniel
> 
> On 23/02/15 10:01, Daniel-Constantin Mierla wrote:
> > Hello,
> > 
> > On 23/02/15 02:16, Anthony Messina wrote:
> > > I'm wondering if anyone can point me in the right direction for the
> > > following two issues with Kamailio and tls.cfg
> > > 
> > > 1. When attempting to configure TLS settings for connecting to a specific
> > > IPv4 client, it seems that the ca_list indicated in [client:default]
> > > overrides the one in the client-specific config.  If I don't include the
> > > client's CA in the [client:default] section, I get the following,
> > > regardless of what is in [client:204.74.213.5:5061].
> > > 
> > > ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > > 
> > > [client:default]
> > > method = TLSv1+
> > > verify_certificate = yes
> > > require_certificate = no
> > > private_key = /etc/kamailio/key.pem
> > > certificate = /etc/kamailio/crt.pem
> > > verify_depth = 2
> > > # In order for the client below to work, the ca_list here needs to
> > > # contain the CA for the specific client. Not sure why, maybe a bug?
> > > #ca_list = /etc/pki/CA/myownCA.pem # Can't use this one
> > > ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CAs
> > > 
> > > [client:204.74.213.5:5061]
> > > method = TLSv1+
> > > verify_certificate = yes
> > > require_certificate = yes
> > > verify_depth = 2
> > > ca_list = /etc/kamailio/204.74.213.5.crt.pem
> > 
> > I noticed that this one is hard to match because it specifies the local
> > socket, but the kernel returns a random local port when doing a connect.
> > The matching should be changed to be done on an xavp or the forced socket.
> > I made a note on the commit:
> > 
> > - https://github.com/kamailio/kamailio/commit/9a36fb7aae0adc39efb17a967a88db2eebfd8c36
> > 
> > It is on my list to solve it, but no time so far.

I'm not sure I follow you here.  Kamailio is sending an outbound connection to 
[client:204.74.213.5:5061] -- I'm not specifying the local socket, but the 
remote endpoint, as far as I can tell, based on the iptel.org example in the 
tls.cfg file below.  I have not yet begun to use the new SNI features.  How 
did this work prior to the SNI implementation?  I ask because Kamailio (acting 
as the client in this case) is connecting to a TLS server set via LCR with the 
destination 204.74.213.5:5061.

# Special settings for the iptel.org public SIP
# server. We do not verify the certificate of the
# server because it can be expired. The server
# implements authentication using SSL client
# certificates so configure the client certificate
# that was given to use by iptel.org staff here.
#
#[client:195.37.77.101:5061]
#verify_certificate = no
#certificate = /etc/kamailio/iptel_client.pem
#private_key = /etc/kamailio/iptel_key.pem
#ca_list = /etc/kamailio/iptel_ca.pem
#crl = /etc/kamailio/iptel_crl.pem

> > > 2. When attempting to configure TLS settings for connecting to a specific
> > > IPv6 client, I cannot figure out the syntax needed to specify the IPv6
> > > client. What is the proper syntax?
> > > 
> > > With [client:[2607:5300:60:1f93::0]:5061], I get:
> > > ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6 address
> > 
> > Perhaps it is an issue in the parser of the config, I will look at it.

So after 
https://github.com/kamailio/kamailio/commit/4b682e15fcd14fc3eb153865c2071162c7592220 
is the following IPv6 syntax correct?  Is the port necessary?  I was unsure of 
the nested brackets.

[client:[2607:5300:60:1f93::0]:5061]


-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
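An added example, not Kamailio's own parser and not code from anyone in this thread: a small Python validator for tls.cfg section headers. It accepts the bracketed `[client:[v6addr]:port]` form asked about above (an assumption about the syntax, not a confirmation of it), rejects an unbracketed IPv6 header as ambiguous, and lists client-specific sections whose ca_list differs from [client:default], which is the situation the first question reports as failing. The sample config is constructed for the example.

```python
import ipaddress
import re

# Constructed sample tls.cfg with the three client sections the thread discusses.
SAMPLE_TLS_CFG = """\
[client:default]
verify_certificate = yes
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem  # contains ALL client CAs
[client:204.74.213.5:5061]
require_certificate = yes
ca_list = /etc/kamailio/204.74.213.5.crt.pem
[client:[2607:5300:60:1f93::0]:5061]
ca_list = /etc/kamailio/v6peer.crt.pem
"""

# Header forms accepted (assumed): [type:default], [type:v4addr:port], [type:[v6addr]:port]
HEADER_RE = re.compile(
    r"^\[(server|client):(?:(default)|\[([0-9A-Fa-f:.]+)\]:(\d+)|([0-9.]+):(\d+))\]$"
)

def parse_tls_cfg(text):
    """Return {(type, addr, port): {key: value}}; addr/port are None for default."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            m = HEADER_RE.match(line)
            if not m:  # an unbracketed IPv6 header lands here: address and port are ambiguous
                raise ValueError(f"line {lineno}: bad section header {line!r}")
            kind, dflt, v6, p6, v4, p4 = m.groups()
            if dflt:
                current = (kind, None, None)
            else:  # ip_address() rejects malformed text and normalises IPv6
                current = (kind, str(ipaddress.ip_address(v6 or v4)), int(p6 or p4))
            sections[current] = {}
        elif current is None:
            raise ValueError(f"line {lineno}: setting outside any section")
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def ca_list_mismatches(sections):
    """Client peers whose ca_list is not the [client:default] one: the case the
    thread reports as failing unless the default bundle also holds that CA."""
    default_ca = sections.get(("client", None, None), {}).get("ca_list")
    return [k for k, v in sections.items() if k[0] == "client" and k[1]
            and v.get("ca_list") not in (None, default_ca)]
```

Running `ca_list_mismatches(parse_tls_cfg(SAMPLE_TLS_CFG))` flags both peer sections, so a deployment check can warn before Kamailio hits the certificate-verify failure shown above.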