[SR-Users] Q: about CRL list (TLS)

Daniel-Constantin Mierla miconda at gmail.com
Mon Nov 2 09:03:57 CET 2015


As written in the previous reply I just sent, the error is not related
to crl handling, but to the fact that the client doesn't send its own
certificate.

Cheers,
Daniel

On 26/10/15 19:37, Vladimer Gabunia wrote:
> problem is urgent
>
> this is my CRL list file content:
>
> when I enable
> modparam("tls", "crl", "/etc/kamailio/tls/Server/crl.pem")
>
> Here is Part of Debug Log:
>
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core>
> [ip_addr.c:243]: print_ip(): tcpconn_new: new tcp connection:
> 192.168.88.149
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core>
> [tcp_main.c:1096]: tcpconn_new(): tcpconn_new: on port 56215, type 3
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core>
> [tcp_main.c:1408]: tcpconn_add(): tcpconn_add: hashes: 2440:3999:3197, 5
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core>
> [io_wait.h:390]: io_watch_add(): DBG: io_watch_add(0x89bf60, 47, 2,
> 0x7fb643de6698), fd_no=33
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core>
> [io_wait.h:617]: io_watch_del(): DBG: io_watch_del (0x89bf60, 47, -1,
> 0x0) fd_no=34 called
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core>
> [tcp_main.c:4302]: handle_tcpconn_ev(): tcp: DBG: sending to child,
> events 1
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core>
> [tcp_main.c:3973]: send2child(): selected tcp worker 0 20(23474) for
> activity on [tls:192.168.240.254:5061], 0x7fb643de6698
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core>
> [tcp_read.c:1510]: handle_io(): received n=8 con=0x7fb643de6698, fd=13
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: tls
> [tls_server.c:178]: tls_complete_init(): Using TLS domain TLSs<default>
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: tls
> [tls_domain.c:700]: sr_ssl_ctx_info_callback(): SSL handshake started
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core>
> [tcp_main.c:2556]: tcpconn_do_send(): tcp_send: sending...
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core>
> [tcp_main.c:2590]: tcpconn_do_send(): tcp_send: after real write: c=
> 0x7fb643de6698 n=1576 fd=13
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core>
> [tcp_main.c:2591]: tcpconn_do_send(): tcp_send: buf=#012#026#003#003
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core>
> [io_wait.h:390]: io_watch_add(): DBG: io_watch_add(0x8e0200, 13, 2,
> 0x7fb643de6698), fd_no=1
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core>
> [tcp_main.c:2556]: tcpconn_do_send(): tcp_send: sending...
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core>
> [tcp_main.c:2590]: tcpconn_do_send(): tcp_send: after real write: c=
> 0x7fb643de6698 n=7 fd=13
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core>
> [tcp_main.c:2591]: tcpconn_do_send(): tcp_send: buf=#012#025#003#003
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR: tls
> [tls_server.c:1186]: tls_read_f(): TLS accept:error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR: <core>
> [tcp_read.c:1281]: tcp_read_req(): ERROR: tcp_read_req: error reading
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core>
> [io_wait.h:617]: io_watch_del(): DBG: io_watch_del (0x8e0200, 13, -1,
> 0x10) fd_no=2 called
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core>
> [tcp_read.c:1437]: release_tcpconn(): releasing con 0x7fb643de6698,
> state -2, fd=13, id=5
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core>
> [tcp_read.c:1438]: release_tcpconn():  extra_data 0x7fb643ddf4f8
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core>
> [tcp_main.c:3385]: handle_tcp_child(): handle_tcp_child: reader
> response= 7fb643de6698, -2 from 0
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: tls
> [tls_server.c:597]: tls_h_close(): Closing SSL connection 0x7fb643ddf4f8
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23473]: DEBUG: websocket
> [ws_conn.c:459]: wsconn_get_list(): wsconn_get_list
> Oct 26 22:34:38 lip /usr/sbin/kamailio[23473]: DEBUG: websocket
> [ws_conn.c:502]: wsconn_get_list(): wsconn_get_list returns list
> [(nil)] with [0] members
> Oct 26 22:34:39 lip /usr/sbin/kamailio[23473]: DEBUG: websocket
> [ws_conn.c:459]: wsconn_get_list(): wsconn_get_list
> Oct 26 22:34:39 lip /usr/sbin/kamailio[23473]: DEBUG: websocket
> [ws_conn.c:502]: wsconn_get_list(): wsconn_get_list returns list
> [(nil)] with [0] members
>
>
> ------------------------------------------------------------------------
> *From:* sr-users [sr-users-bounces at lists.sip-router.org] on behalf of
> Daniel-Constantin Mierla [miconda at gmail.com]
> *Sent:* Monday, October 26, 2015 12:05 PM
> *To:* Kamailio (SER) - Users Mailing List
> *Subject:* Re: [SR-Users] Q: about CRL list (TLS)
>
> Hello,
>
> On 25/10/15 13:10, Vladimer Gabunia wrote:
>> Hello all.
>> We compiled Kamailio with TLS support, but have the following problem when
>> using CRL lists.
>> Our certificate issuing scheme is as follows:
>> Offline Root CA -> Enterprise SubCA -> Server and Phone Certificate
>> The CRL list is signed by the SubCA.
>> The option "require client certificate" is enabled (1).
>> When we enable the CRL list, phones are not registered.
>> The CA file is the offline Root CA certificate in PEM format.
>> We think that the reason is that the CRL was signed by the SubCA, or an
>> incorrect CRL format.
>> The CRL is converted from MS CRL to PEM. (What is the format for the CRL?)
>> Maybe someone has experience with similar scenarios?
> The readme file of the tls module has some documentation about crl:
>
> http://www.kamailio.org/docs/modules/stable/modules/tls.html#tls.p.crl
>
> You can also try to run with debug=3 in kamailio.cfg and see more debug
> messages about what happens internally.
>
> Cheers,
> Daniel
> -- 
> Daniel-Constantin Mierla
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Book: SIP Routing With Kamailio - http://www.asipto.com
> Kamailio Advanced Training, Nov 30-Dec 2, Berlin - http://asipto.com/kat
> ------------------------------------------------------------------------
> gh.ge
> *Vladimer Gabunia*
> Head of IT Service
> Tel: (+995) 32 2505222 +8183
> Mob: (995) 577 095333
> "Geo Hospitals" LLC
> Head office
> Tbilisi 0160, Vazha-Pshavela Ave. No. 16;
> http://www.gh.ge <http://gh.ge>

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com
Kamailio Advanced Training, Nov 30-Dec 2, Berlin - http://asipto.com/kat
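
Added example (not part of the original thread and not Kamailio code): a small Python helper for finding the tls module's ERROR entries in debug output like the log quoted above. It re-joins lines wrapped by the mail client and splits the OpenSSL error into code, routine and reason text. The library/function/reason split assumes the pre-3.0 OpenSSL error-code packing, and the function names are made up for this example.

```python
import re

# Three entries copied from the debug log quoted above, wrapped the way the
# mail client wrapped them (quote prefix removed).
SAMPLE = """\
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: tls
[tls_domain.c:700]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR: tls
[tls_server.c:1186]: tls_read_f(): TLS accept:error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR: <core>
[tcp_read.c:1281]: tcp_read_req(): ERROR: tcp_read_req: error reading
"""

ENTRY_START = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ")
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def join_wrapped(text):
    """Re-join continuation lines onto the syslog entry they belong to."""
    entries = []
    # Drop a leading "> " mail quote prefix, if present, before matching.
    for line in (raw.lstrip("> ").strip() for raw in text.splitlines()):
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def tls_errors(text):
    """Return the decoded OpenSSL errors logged by the tls module."""
    found = []
    for entry in join_wrapped(text):
        m = OPENSSL_ERR.search(entry)
        if ": ERROR: tls " not in entry or not m:
            continue
        code = int(m.group(1), 16)
        found.append({
            "code": m.group(1),
            # Pre-3.0 OpenSSL packing: 8 bits library, 12 function, 12 reason.
            "lib": (code >> 24) & 0xFF,
            "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF,
            "routine": m.group(3),
            "text": m.group(4).strip(),
        })
    return found
```
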
