[SR-Users] FW: Mutual TLS with Skype for Business 2015

Francisco Valentin Vinagrero francisco.valentin.vinagrero at cern.ch
Wed Oct 25 11:33:43 CEST 2017 

Hello,

I'm trying to replace two old Audiocodes gateways (used to interconnect our Skype for Business infrastructure to the PSTN) with a new Kamailio cluster.

I am having some trouble to get the TLS mutual authentication working with Kamailio.  For the moment, I'm just trying to receive the incoming OPTIONS from SfB, but I get all the time certificate verification errors:

ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
ERROR: <core> [tcp_read.c:1330]: tcp_read_req(): ERROR: tcp_read_req: error reading

My tls.cfg is quite simple, with the same config for client and server (and one single listen=tls:<my IP>:5061 in the Kamailio.cfg file)

[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /usr/local/etc/kamailio/tls/key_gw_sfb.pem
certificate = /usr/local/etc/kamailio/tls/cert_gw_sfb.pem  # => This certificate's Subject is the DNS alias for the cluster, with all the kamailios in the cluster as Subject Alternative Names
ca_list = /usr/local/etc/kamailio/tls/myca_and_sfbca.pem  # => Kamailio and Skype for Business are signed by different CAs,  so here I concatenated all intermediate and root CAs

[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /usr/local/etc/kamailio/tls/key_gw_sfb.pem
certificate = /usr/local/etc/kamailio/tls/cert_gw_sfb.pem
ca_list = /usr/local/etc/kamailio/tls/myca_and_sfbca.pem


When I run Kamailio, I can see incoming OPTIONS from Microsoft Exchange Unified Messaging (UM), whose certificate I verify without any issues. UM presents a certificate issued for a single machine, so no Subject Alternative Names (SANs) are involved.

The problem comes with the TLS handshake for the Skype Mediation pool. They have a certificate with Subject = DNS alias and all the physical machines that are behind the alias appear listed as Subject Alternative Names (SANs) in the certificate.

As the only difference between UM and Skype's Mediation is the certificate's Subject, I think I am missing something on my configuration to validate the SANs instead of the subject. Is the TLS module doing any reverse DNS lookup to verify this?

Thanks,
Francisco.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20171025/d27fb265/attachment.html>

More information about the sr-users mailing list