[SR-Users] Mutual TLS with Skype for Business 2015

Frank Carmickle frank at carmickle.com
Mon Oct 30 18:51:29 CET 2017


Francisco,

Please share your s_client command and output that is connecting appropriately.

--FC

> On Oct 30, 2017, at 1:43 PM, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> 
> Hello,
> 
> 
> On 27.10.17 17:12, Francisco Valentin Vinagrero wrote:
>> Hi all,
>>  
>> I’m still stuck with this even if I built a new VM to avoid any buggy configuration.
>>  
>> Some thoughts on this:
>>  
>> 1.       I have tried to change verify_certificate = no on my server section of tls.cfg, so ideally the remote certificate will not be verified, but this is not changing anything.
> to understand properly, even if you have verify_certificate = no, the certificate is verified and fails?
> 
> Otherwise I don't have access to Skype for Business 2015, so I cannot troubleshoot much.
> 
> Cheers,
> Daniel
> 
>>  
>> 2.       My Kamailio cluster is part of a DNS alias, but the alias is defined as alias=<myalias>:5061 in the Kamailio.cfg. Could this be affecting somehow the verification? My tls.cfg only has server:default and client:default section.
>>  
>> 3.       Every time I reload the configuration, the TLS info and debug messages for client and server are coherent with what I would expect from my tls.cfg:
>>  
>> INFO: tls [tls_domain.c:278]: fill_missing(): TLSs<default>: tls_method=20                                                               
>> INFO: tls [tls_domain.c:290]: fill_missing(): TLSs<default>: certificate='/usr/local/etc/kamailio/tls/myCert.pem'                  
>> INFO: tls [tls_domain.c:297]: fill_missing(): TLSs<default>: ca_list='/usr/local/etc/kamailio/tls/myCAfile.pem'                      
>> INFO: tls [tls_domain.c:304]: fill_missing(): TLSs<default>: crl='(null)'                                                                 
>> INFO: tls [tls_domain.c:308]: fill_missing(): TLSs<default>: require_certificate=1                                                       
>> INFO: tls [tls_domain.c:315]: fill_missing(): TLSs<default>: cipher_list='(null)'                                                         
>> INFO: tls [tls_domain.c:322]: fill_missing(): TLSs<default>: private_key='/usr/local/etc/kamailio/tls/myKey.pem'                   
>> INFO: tls [tls_domain.c:326]: fill_missing(): TLSs<default>: verify_certificate=1                                                         
>> INFO: tls [tls_domain.c:329]: fill_missing(): TLSs<default>: verify_depth=9                                                              
>> DEBUG: tls [tls_domain.c:968]: fix_domain(): using tls methods range: 20                                                                  
>> DEBUG: tls [tls_domain.c:566]: load_crl(): TLSs<default>: No CRL configured                                                              
>> INFO: tls [tls_domain.c:658]: set_verification(): TLSs<default>: Client MUST present valid certificate                                   
>> INFO: tls [tls_domain.c:278]: fill_missing(): TLSc<default>: tls_method=20                                                               
>> INFO: tls [tls_domain.c:290]: fill_missing(): TLSc<default>: certificate='/usr/local/etc/kamailio/tls/myCert.pem'                  
>> INFO: tls [tls_domain.c:297]: fill_missing(): TLSc<default>: ca_list='/usr/local/etc/kamailio/tls/myCAfile.pem'                      
>> INFO: tls [tls_domain.c:304]: fill_missing(): TLSc<default>: crl='(null)'                                                                
>> INFO: tls [tls_domain.c:308]: fill_missing(): TLSc<default>: require_certificate=1                                                        
>> INFO: tls [tls_domain.c:315]: fill_missing(): TLSc<default>: cipher_list='(null)'                                                        
>> INFO: tls [tls_domain.c:322]: fill_missing(): TLSc<default>: private_key='/usr/local/etc/kamailio/tls/myKey.pem'                    
>> INFO: tls [tls_domain.c:326]: fill_missing(): TLSc<default>: verify_certificate=1                                                        
>> INFO: tls [tls_domain.c:329]: fill_missing(): TLSc<default>: verify_depth=9                                                              
>> DEBUG: tls [tls_domain.c:968]: fix_domain(): using tls methods range: 20                                                                  
>> DEBUG: tls [tls_domain.c:566]: load_crl(): TLSc<default>: No CRL configured                                                              
>> INFO: tls [tls_domain.c:658]: set_verification(): TLSc<default>: Server MUST present valid certificate                                   
>> DEBUG: tls [tls_domain.c:1119]: load_private_key(): TLSs<default>: Key '/usr/local/etc/kamailio/tls/myKey.pem' successfuly loaded  
>> DEBUG: tls [tls_domain.c:1119]: load_private_key(): TLSc<default>: Key '/usr/local/etc/kamailio/tls/myKey.pem' successfuly loaded  
>> DEBUG: tls [tls_rpc.c:82]: tls_reload(): TLS configuration successfuly loaded        
>>  
>> 4.       When the first handshake begins after reloading, it goes to the TLSs default domain:
>>  
>> DEBUG: <core> [ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 188.185.115.181                                              
>> DEBUG: <core> [tcp_main.c:985]: tcpconn_new(): on port 56404, type 3                                                                      
>> DEBUG: <core> [tcp_main.c:1295]: tcpconn_add(): hashes: 2351:1920:1122, 168                                                              
>> DEBUG: <core> [io_wait.h:376]: io_watch_add(): DBG: io_watch_add(0xa25be0, 30, 2, 0x7ff243558420), fd_no=21                              
>> DEBUG: <core> [io_wait.h:598]: io_watch_del(): DBG: io_watch_del (0xa25be0, 30, -1, 0x0) fd_no=22 called                                 
>> DEBUG: <core> [tcp_main.c:4131]: handle_tcpconn_ev(): sending to child, events 1                                                          
>> DEBUG: <core> [tcp_main.c:3813]: send2child(): selected tcp worker 2 13(13472) for activity on [tls:<myLocalIP>:5061], 0x7ff243558420  
>> DEBUG: <core> [tcp_read.c:1566]: handle_io(): received n=8 con=0x7ff243558420, fd=8                                                      
>> DEBUG: tls [tls_server.c:197]: tls_complete_init(): completing tls connection initialization                                             
>> DEBUG: tls [tls_server.c:226]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7ff242d79b40 ctx 0x7ff2430cc448 sn []) 
>>  
>> 5.       I wonder if anyone has configured this with Skype for Business 2015 lately? Any clue?
>>  
>>  
>> Cheers, Francisco.
> 
> -- 
> Daniel-Constantin Mierla
> www.twitter.com/miconda <http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
> Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - www.asipto.com <http://www.asipto.com/>
> Kamailio World Conference - www.kamailioworld.com <http://www.kamailioworld.com/>
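As a concrete form of the s_client check Frank asks for, here is an added diagnostic helper; it is not from the thread and not Kamailio code. It probes a TLS listener such as the `<myalias>:5061` one above with a client certificate, as an mTLS peer like Skype for Business would, and reads back the verify result; the host, port and certificate paths are placeholders.

```shell
#!/bin/sh
# Added diagnostic helper for this thread; not code from Kamailio or from any
# poster. Hostnames, ports and certificate paths are placeholders/assumptions.

# Probe a Kamailio TLS listener the way an mTLS peer such as Skype for Business
# would: connect, send SNI, present a client certificate, and capture s_client's
# handshake report (server chain, verify result, whether a client cert was asked).
probe_mtls() {
    host=$1
    port=${2:-5061}
    cert=${3:-/path/to/client-cert.pem}    # placeholder client certificate
    key=${4:-/path/to/client-key.pem}      # placeholder client key
    cafile=${5:-/path/to/myCAfile.pem}     # CA bundle that signed the server cert
    openssl s_client -connect "$host:$port" -servername "$host" \
        -cert "$cert" -key "$key" -CAfile "$cafile" </dev/null 2>&1
}

# Extract the numeric "Verify return code" from s_client output on stdin.
# 0 means the server chain validated against -CAfile; any other value is the
# OpenSSL X509 verify error number (e.g. 21 = unable to verify first certificate).
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Report whether the server asked for a client certificate at all. s_client
# prints either "Acceptable client certificate CA names" (with the CA list) or
# "No client certificate CA names sent"; with Kamailio's require_certificate=1
# one of these must appear, otherwise the server side is not enforcing mTLS.
client_cert_requested() {
    if grep -q 'client certificate CA names'; then echo yes; else echo no; fi
}

# Usage (needs a reachable Kamailio TLS listener):
#   out=$(probe_mtls sip.example.invalid 5061 client.pem client.key myCAfile.pem)
#   printf '%s\n' "$out" | verify_code
#   printf '%s\n' "$out" | client_cert_requested
```

Run the probe from the Skype for Business side of the network too, since the CA file given with -CAfile has to contain the issuer of the certificate the Kamailio server section actually serves.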
