[SR-Users] Q: about CRL list (TLS)

Vladimer Gabunia vgabunia at gh.ge
Mon Oct 26 19:37:27 CET 2015


The problem is urgent.

This is my CRL list file content:


When I enable
modparam("tls", "crl", "/etc/kamailio/tls/Server/crl.pem")

Here is part of the debug log:

Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [ip_addr.c:243]: print_ip(): tcpconn_new: new tcp connection: 192.168.88.149
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [tcp_main.c:1096]: tcpconn_new(): tcpconn_new: on port 56215, type 3
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [tcp_main.c:1408]: tcpconn_add(): tcpconn_add: hashes: 2440:3999:3197, 5
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [io_wait.h:390]: io_watch_add(): DBG: io_watch_add(0x89bf60, 47, 2, 0x7fb643de6698), fd_no=33
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [io_wait.h:617]: io_watch_del(): DBG: io_watch_del (0x89bf60, 47, -1, 0x0) fd_no=34 called
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [tcp_main.c:4302]: handle_tcpconn_ev(): tcp: DBG: sending to child, events 1
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [tcp_main.c:3973]: send2child(): selected tcp worker 0 20(23474) for activity on [tls:192.168.240.254:5061], 0x7fb643de6698
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_read.c:1510]: handle_io(): received n=8 con=0x7fb643de6698, fd=13
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: tls [tls_server.c:178]: tls_complete_init(): Using TLS domain TLSs<default>
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: tls [tls_domain.c:700]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2556]: tcpconn_do_send(): tcp_send: sending...
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2590]: tcpconn_do_send(): tcp_send: after real write: c= 0x7fb643de6698 n=1576 fd=13
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2591]: tcpconn_do_send(): tcp_send: buf=#012#026#003#003
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [io_wait.h:390]: io_watch_add(): DBG: io_watch_add(0x8e0200, 13, 2, 0x7fb643de6698), fd_no=1
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2556]: tcpconn_do_send(): tcp_send: sending...
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2590]: tcpconn_do_send(): tcp_send: after real write: c= 0x7fb643de6698 n=7 fd=13
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2591]: tcpconn_do_send(): tcp_send: buf=#012#025#003#003
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR: tls [tls_server.c:1186]: tls_read_f(): TLS accept:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR: <core> [tcp_read.c:1281]: tcp_read_req(): ERROR: tcp_read_req: error reading
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [io_wait.h:617]: io_watch_del(): DBG: io_watch_del (0x8e0200, 13, -1, 0x10) fd_no=2 called
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_read.c:1437]: release_tcpconn(): releasing con 0x7fb643de6698, state -2, fd=13, id=5
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_read.c:1438]: release_tcpconn():  extra_data 0x7fb643ddf4f8
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [tcp_main.c:3385]: handle_tcp_child(): handle_tcp_child: reader response= 7fb643de6698, -2 from 0
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: tls [tls_server.c:597]: tls_h_close(): Closing SSL connection 0x7fb643ddf4f8
Oct 26 22:34:38 lip /usr/sbin/kamailio[23473]: DEBUG: websocket [ws_conn.c:459]: wsconn_get_list(): wsconn_get_list
Oct 26 22:34:38 lip /usr/sbin/kamailio[23473]: DEBUG: websocket [ws_conn.c:502]: wsconn_get_list(): wsconn_get_list returns list [(nil)] with [0] members
Oct 26 22:34:39 lip /usr/sbin/kamailio[23473]: DEBUG: websocket [ws_conn.c:459]: wsconn_get_list(): wsconn_get_list
Oct 26 22:34:39 lip /usr/sbin/kamailio[23473]: DEBUG: websocket [ws_conn.c:502]: wsconn_get_list(): wsconn_get_list returns list [(nil)] with [0] members


________________________________
From: sr-users [sr-users-bounces at lists.sip-router.org] on behalf of Daniel-Constantin Mierla [miconda at gmail.com]
Sent: Monday, October 26, 2015 12:05 PM
To: Kamailio (SER) - Users Mailing List
Subject: Re: [SR-Users] Q: about CRL list (TLS)

Hello,

On 25/10/15 13:10, Vladimer Gabunia wrote:
Hello all.
We compiled Kamailio with TLS support, but have the following problem when using the CRL list.
Our certificate issuing scheme is as follows:
Offline Root CA -> Enterprise SubCA -> Server and Phone Certificate
The CRL list is signed by the SubCA.
The option "require client certificate" is enabled (1).
When we enable the CRL list, phones are not registered.
The CA file is the offline Root CA certificate in PEM format.
We think that the reason is that the CRL was signed by the SubCA, or an incorrect CRL format.
The CRL is converted from MS CRL to PEM. (What is the format for the CRL?)
Maybe someone has experience with similar scenarios?

The readme file of the tls module has some documentation about crl:

http://www.kamailio.org/docs/modules/stable/modules/tls.html#tls.p.crl

You can also try to run with debug=3 in kamailio.cfg and see more debug messages about what happens internally.

Cheers,
Daniel

--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com
Kamailio Advanced Training, Nov 30-Dec 2, Berlin - http://asipto.com/kat

________________________________
Vladimer Gabunia
Head of IT Department
Tel: (+995) 32 2505222 +8183
Mob: (995) 577 095333
Geo Hospitals LLC
Head office
Tbilisi 0160, 16 Vazha-Pshavela Ave.;
http://www.gh.ge
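
The setup described in this thread (a CA file holding only the offline Root CA, a CRL signed by the SubCA, and a CRL converted from DER to PEM) can be reproduced offline with the openssl command line to see which combinations verify. This is an added example, not part of the original posts: the PKI is constructed and throw-away, all file names and CNs are assumptions, and it shows `openssl verify` behaviour only, not what Kamailio's tls module does internally.

```shell
# Added example: constructed throw-away PKI (Root -> SubCA -> client); all names are assumptions.
build_pki() {  # $1 = empty work directory
  d=$1; : > "$d/index.txt"
  cat > "$d/pki.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = any
[any]
database = $d/index.txt
default_md = sha256
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/pki.cnf" \
    -extensions v3_ca -subj "/CN=Demo root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  for n in sub client; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
      -subj "/CN=Demo $n" -keyout "$d/$n.key" -out "$d/$n.csr" \
      2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/pki.cnf" -extensions v3_ca \
    -out "$d/sub.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/client.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -CAcreateserial -days 30 -out "$d/client.pem" 2>/dev/null &&
  cat "$d/root.pem" "$d/sub.pem" > "$d/chain.pem"
}
make_crls() {  # $1 = dir, $2 = CAs issuing a CRL; DER -> PEM as for a Windows CA .crl
  : > "$1/crl.pem"
  for ca in $2; do
    openssl ca -config "$1/pki.cnf" -cert "$1/$ca.pem" -keyfile "$1/$ca.key" \
      -gencrl -crldays 7 2>/dev/null |
      openssl crl -outform DER -out "$1/$ca.crl" &&
    openssl crl -inform DER -in "$1/$ca.crl" >> "$1/crl.pem" || return 1
  done
}
check() {  # $1 = dir, $2 = -crl_check | -crl_check_all, $3 = CA file; 0 = accepted
  openssl verify "$2" -CAfile "$1/$3" -CRLfile "$1/crl.pem" \
    "$1/client.pem" >/dev/null 2>&1
}
w=$(mktemp -d) && build_pki "$w" && make_crls "$w" sub || exit 1
check "$w" -crl_check root.pem;      echo "root-only CA file:          $?"
check "$w" -crl_check chain.pem;     echo "root+SubCA, leaf CRL check: $?"
check "$w" -crl_check_all chain.pem; echo "root+SubCA, whole chain:    $?"
make_crls "$w" "sub root"
check "$w" -crl_check_all chain.pem; echo "plus the Root CA's CRL:     $?"
```

A status of 0 means the client certificate was accepted. The round trip through DER shows that a SubCA-signed CRL converted to PEM is usable as long as the SubCA certificate is available for chain building, and that whole-chain checking additionally needs a CRL issued by the Root CA.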