[SR-Users] Mutual TLS with Skype for Business 2015
Daniel-Constantin Mierla
miconda at gmail.com
Mon Oct 30 18:43:20 CET 2017
Hello,
On 27.10.17 17:12, Francisco Valentin Vinagrero wrote:
>
> Hi all,
>
> I’m still stuck with this even if I built a new VM to avoid any buggy
> configuration.
>
> Some thoughts on this:
>
> 1. I have tried to change verify_certificate = no on my server
> section of tls.cfg, so ideally the remote certificate will not be
> verified, but this is not changing anything.
>
To understand properly: even if you have verify_certificate = no, the
certificate is verified and fails?
Otherwise I don't have access to Skype for Business 2015, so I cannot
troubleshoot much.
Cheers,
Daniel
>
> 2. My Kamailio cluster is part of a DNS alias, but the alias is
> defined as alias=<myalias>:5061 in the Kamailio.cfg. Could this be
> affecting somehow the verification? My tls.cfg only has server:default
> and client:default section.
>
> 3. Every time I reload the configuration, the TLS info and debug
> messages for client and server are coherent with what I would expect
> from my tls.cfg:
>
> INFO: tls [tls_domain.c:278]: fill_missing(): TLSs<default>: tls_method=20
> INFO: tls [tls_domain.c:290]: fill_missing(): TLSs<default>: certificate='/usr/local/etc/kamailio/tls/myCert.pem'
> INFO: tls [tls_domain.c:297]: fill_missing(): TLSs<default>: ca_list='/usr/local/etc/kamailio/tls/myCAfile.pem'
> INFO: tls [tls_domain.c:304]: fill_missing(): TLSs<default>: crl='(null)'
> INFO: tls [tls_domain.c:308]: fill_missing(): TLSs<default>: require_certificate=1
> INFO: tls [tls_domain.c:315]: fill_missing(): TLSs<default>: cipher_list='(null)'
> INFO: tls [tls_domain.c:322]: fill_missing(): TLSs<default>: private_key='/usr/local/etc/kamailio/tls/myKey.pem'
> INFO: tls [tls_domain.c:326]: fill_missing(): TLSs<default>: verify_certificate=1
> INFO: tls [tls_domain.c:329]: fill_missing(): TLSs<default>: verify_depth=9
> DEBUG: tls [tls_domain.c:968]: fix_domain(): using tls methods range: 20
> DEBUG: tls [tls_domain.c:566]: load_crl(): TLSs<default>: No CRL configured
> INFO: tls [tls_domain.c:658]: set_verification(): TLSs<default>: Client MUST present valid certificate
> INFO: tls [tls_domain.c:278]: fill_missing(): TLSc<default>: tls_method=20
> INFO: tls [tls_domain.c:290]: fill_missing(): TLSc<default>: certificate='/usr/local/etc/kamailio/tls/myCert.pem'
> INFO: tls [tls_domain.c:297]: fill_missing(): TLSc<default>: ca_list='/usr/local/etc/kamailio/tls/myCAfile.pem'
> INFO: tls [tls_domain.c:304]: fill_missing(): TLSc<default>: crl='(null)'
> INFO: tls [tls_domain.c:308]: fill_missing(): TLSc<default>: require_certificate=1
> INFO: tls [tls_domain.c:315]: fill_missing(): TLSc<default>: cipher_list='(null)'
> INFO: tls [tls_domain.c:322]: fill_missing(): TLSc<default>: private_key='/usr/local/etc/kamailio/tls/myKey.pem'
> INFO: tls [tls_domain.c:326]: fill_missing(): TLSc<default>: verify_certificate=1
> INFO: tls [tls_domain.c:329]: fill_missing(): TLSc<default>: verify_depth=9
> DEBUG: tls [tls_domain.c:968]: fix_domain(): using tls methods range: 20
> DEBUG: tls [tls_domain.c:566]: load_crl(): TLSc<default>: No CRL configured
> INFO: tls [tls_domain.c:658]: set_verification(): TLSc<default>: Server MUST present valid certificate
> DEBUG: tls [tls_domain.c:1119]: load_private_key(): TLSs<default>: Key '/usr/local/etc/kamailio/tls/myKey.pem' successfuly loaded
> DEBUG: tls [tls_domain.c:1119]: load_private_key(): TLSc<default>: Key '/usr/local/etc/kamailio/tls/myKey.pem' successfuly loaded
> DEBUG: tls [tls_rpc.c:82]: tls_reload(): TLS configuration successfuly loaded
>
> 4. When the first handshake begins after reloading, it goes to
> the TLSs default domain:
>
> DEBUG: <core> [ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 188.185.115.181
> DEBUG: <core> [tcp_main.c:985]: tcpconn_new(): on port 56404, type 3
> DEBUG: <core> [tcp_main.c:1295]: tcpconn_add(): hashes: 2351:1920:1122, 168
> DEBUG: <core> [io_wait.h:376]: io_watch_add(): DBG: io_watch_add(0xa25be0, 30, 2, 0x7ff243558420), fd_no=21
> DEBUG: <core> [io_wait.h:598]: io_watch_del(): DBG: io_watch_del (0xa25be0, 30, -1, 0x0) fd_no=22 called
> DEBUG: <core> [tcp_main.c:4131]: handle_tcpconn_ev(): sending to child, events 1
> DEBUG: <core> [tcp_main.c:3813]: send2child(): selected tcp worker 2 13(13472) for activity on [tls:<myLocalIP>:5061], 0x7ff243558420
> DEBUG: <core> [tcp_read.c:1566]: handle_io(): received n=8 con=0x7ff243558420, fd=8
> DEBUG: tls [tls_server.c:197]: tls_complete_init(): completing tls connection initialization
> DEBUG: tls [tls_server.c:226]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7ff242d79b40 ctx 0x7ff2430cc448 sn [])
>
> 5. I wonder if anyone has configured this with Skype for
> Business 2015 lately? Any clue?
>
> Cheers, Francisco.
>
--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - www.asipto.com
Kamailio World Conference - www.kamailioworld.com
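Editor's note on the verification settings discussed above. The reload output quoted in the thread reports verify_certificate=1 and require_certificate=1 for both TLSs<default> and TLSc<default>, and the set_verification() line for the server domain reads "Client MUST present valid certificate", even though item 1 says verify_certificate = no was set in the server section. A quick way to catch that kind of gap is to parse the tls.cfg that was meant to be loaded and diff it against the fill_missing() lines Kamailio actually logs on reload. The script below is an added example written for this page; it is not Kamailio code and not from either poster. It assumes the INI layout of tls.cfg ([server:default], [client:default], optional [server:<ip>:<port>] domains) and that a setting omitted in a specific domain is filled in from the default domain of the same type, as the fill_missing() name suggests. The tls.cfg content, the 192.0.2.10:5061 domain and the log lines are constructed for the example; the file paths are the ones from the thread.

```python
"""
Cross-check what a Kamailio tls.cfg asks for against what the tls module
reports on reload (the fill_missing() INFO lines).

Added example for this thread, not Kamailio code. Assumptions: tls.cfg is
INI-style with sections named <type>:<name>, and a key missing from a
specific domain is inherited from the default domain of the same type.
"""
import configparser
import re

# Constructed sample tls.cfg (paths from the thread, values and the
# hypothetical 192.0.2.10:5061 domain invented for the example).
SAMPLE_TLS_CFG = """\
[server:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = yes
private_key = /usr/local/etc/kamailio/tls/myKey.pem
certificate = /usr/local/etc/kamailio/tls/myCert.pem
ca_list = /usr/local/etc/kamailio/tls/myCAfile.pem

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /usr/local/etc/kamailio/tls/myKey.pem
certificate = /usr/local/etc/kamailio/tls/myCert.pem
ca_list = /usr/local/etc/kamailio/tls/myCAfile.pem

# hypothetical per-socket domain: overrides one value, inherits the rest
[server:192.0.2.10:5061]
verify_depth = 3
"""

# Constructed reload log lines in the shape quoted in the thread.
SAMPLE_LOG = """\
INFO: tls [tls_domain.c:278]: fill_missing(): TLSs<default>: tls_method=20
INFO: tls [tls_domain.c:290]: fill_missing(): TLSs<default>: certificate='/usr/local/etc/kamailio/tls/myCert.pem'
INFO: tls [tls_domain.c:308]: fill_missing(): TLSs<default>: require_certificate=1
INFO: tls [tls_domain.c:326]: fill_missing(): TLSs<default>: verify_certificate=1
INFO: tls [tls_domain.c:329]: fill_missing(): TLSs<default>: verify_depth=9
INFO: tls [tls_domain.c:308]: fill_missing(): TLSc<default>: require_certificate=1
INFO: tls [tls_domain.c:326]: fill_missing(): TLSc<default>: verify_certificate=1
INFO: tls [tls_domain.c:658]: set_verification(): TLSs<default>: Client MUST present valid certificate
"""

LOG_RE = re.compile(r"fill_missing\(\): TLS([sc])<([^>]*)>: (\w+)=(.*)$")
BOOL_KEYS = {"verify_certificate", "require_certificate"}


def parse_cfg(text):
    """Return {(type, name): {key: value}} with defaults filled in per type."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = {}
    for section in cp.sections():
        dtype, _, name = section.partition(":")
        raw[(dtype, name)] = dict(cp[section])
    effective = {}
    for (dtype, name), values in raw.items():
        merged = dict(raw.get((dtype, "default"), {}))  # inherit from default
        merged.update(values)                            # specific domain wins
        effective[(dtype, name)] = merged
    return effective


def normalise(key, value):
    """Bring file values (yes/no, bare paths) and log values (1/0, quoted) together."""
    v = value.strip().strip("'")
    if key in BOOL_KEYS:
        return "1" if v.lower() in ("yes", "1", "true", "on") else "0"
    return "" if v == "(null)" else v


def parse_log(text):
    """Return {(type, name): {key: value}} from the fill_missing() lines."""
    found = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dtype = "server" if m.group(1) == "s" else "client"
        found.setdefault((dtype, m.group(2)), {})[m.group(3)] = m.group(4)
    return found


def compare(cfg_text, log_text, keys=("verify_certificate", "require_certificate")):
    """List (domain, key, wanted, reported) for every setting the log contradicts."""
    wanted = parse_cfg(cfg_text)
    reported = parse_log(log_text)
    mismatches = []
    for dom, values in wanted.items():
        if dom not in reported:
            continue  # domain never showed up in the reload log: nothing to compare
        for key in keys:
            if key in values and key in reported[dom]:
                want = normalise(key, values[key])
                got = normalise(key, reported[dom][key])
                if want != got:
                    mismatches.append((dom, key, want, got))
    return mismatches


if __name__ == "__main__":
    for dom, key, want, got in compare(SAMPLE_TLS_CFG, SAMPLE_LOG):
        print(f"{dom[0]}:{dom[1]} {key}: tls.cfg says {want}, reload logged {got}")
```

On the constructed input the only report is server:default verify_certificate: tls.cfg says 0, reload logged 1, which is the same picture the quoted output gives. In practice, feed it the tls.cfg named by the tls module's config parameter and the syslog lines from the tls.reload RPC call; a mismatch there means the file Kamailio loaded is not the file that was edited, or the edit sits in a different domain than the one the handshake lands in (the quoted debug shows the connection using "initial TLS domain TLSs<default>").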