[SR-Users] TLS CRL configuration

Ding Ma mading087 at gmail.com
Tue Jul 3 13:51:08 CEST 2018


The CRL with the revoked server certificate needs to be loaded in the SIP client. The TLS server doesn't send the CRL to the client during the handshake.

> On Jul 3, 2018, at 6:16 AM, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> 
> Hello,
> 
> I haven't played with CRLs lately, but Kamailio should just call libssl functions for validating the certificates, after initializing the context with the CRL file.
> 
> Maybe you can open an issue on the github.com/kamailio/kamailio tracker and add there all log messages printed by Kamailio with debug=3 in kamailio.cfg. That way we do not forget about it and it can be investigated properly.
> Cheers,
> Daniel
> 
>> On 28.06.18 08:47, Amarnath Kanchivanam wrote:
>> Hi All,
>> 
>> I'm trying to configure Kamailio as a TLS server with the configuration below (tls.cfg), and the TLS server started successfully.
>> 
>> [server:default]
>> method = TLSv1+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = ./sip/server.key
>> certificate = ./sip/server.crt
>> ca_list = ./bundle.crt
>> crl = ./sip_crl.pem
>> verify_depth = 9
>> 
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>> 
>> TLS connection works fine.
>> Later I updated sip_crl.pem with the revoked server certificate's details and ran the tls.reload command to load the latest update.
>> After this, I expect any TLS client trying to establish a TLS connection to fail, as the client and server certificates are signed by the same authority and the server certificate is revoked. But the clients are able to establish a TLS connection without any errors.
>> 
>> I'm not getting any traces to confirm CRL validation has been performed before accepting the TLS connection. 
>> 
>> Any advice would be helpful for proceeding with the evaluation of the CRL functionality.
>> 
>> -Amar
>> 
>> 
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> 
> -- 
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Kamailio World Conference -- www.kamailioworld.com
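The point made in the reply at the top of this message, as an added example that is not part of the original thread: revocation only takes effect in the party that verifies the certificate and has the CRL loaded with CRL checking enabled. It uses the openssl command line with a throwaway CA rather than Kamailio; the CA, the name sip.example.test and every file name other than sip_crl.pem are constructed for the demo.

```shell
# Added example; all data is constructed: a throwaway CA, a server
# certificate for the made-up name sip.example.test, and a CRL revoking it.
build_lab() {   # $1 = empty working directory
    ( cd "$1" || exit 1
      mkdir newcerts && : > index.txt && echo 01 > serial
      cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
      ca="-config ca.cnf -cert ca.crt -keyfile ca.key"
      openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
          -subj "/CN=Demo CA" -keyout ca.key -out ca.crt -days 30 &&
      openssl req -newkey rsa:2048 -nodes -config ca.cnf \
          -subj "/CN=sip.example.test" -keyout server.key -out server.csr &&
      openssl ca -batch $ca -in server.csr -out server.crt &&
      openssl ca $ca -revoke server.crt &&
      openssl ca $ca -gencrl -out sip_crl.pem
    ) >/dev/null 2>&1
}

# A verifier that was never given the CRL accepts the revoked certificate.
verify_without_crl() { ( cd "$1" && openssl verify -CAfile ca.crt server.crt ); }

# A verifier that loads the CRL and enables revocation checking rejects it.
verify_with_crl() {
    ( cd "$1" && openssl verify -crl_check -CAfile ca.crt -CRLfile sip_crl.pem server.crt )
}

lab=$(mktemp -d) && build_lab "$lab" || exit 1
verify_without_crl "$lab"
verify_with_crl "$lab" 2>&1 | grep "certificate revoked"
rm -rf "$lab"
```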