[SR-Users] TLS CRL configuration

Amarnath Kanchivanam ykamarnath.sip at gmail.com
Tue Jul 10 08:15:44 CEST 2018


Hi,

Could you share your thoughts on the below clarification?

Regards,
Amarnath

On Fri, Jul 6, 2018 at 4:06 PM Amarnath Kanchivanam <ykamarnath.sip at gmail.com> wrote:

> Thanks Daniel and Ding Ma.
>
> I have a Certificate Authority, which signed the server certificate and the
> client certificate.
> The server certificate and root CA are added to the server.
> The client certificate and root CA are added to the client.
> Now the CRL file path is configured on the server and its own server
> certificate is revoked. In this case, what should the Kamailio server
> behaviour be if any client wants to establish a TLS connection? Or, since
> its own server certificate is revoked, should TLS be disabled on the server
> side?
>
> As per my understanding, TLS should be disabled on the server side, as it
> does not have a valid certificate. Please share your thoughts on this.
>
> Regards,
> Amarnath
>
> On Tue, Jul 3, 2018 at 5:22 PM Ding Ma <mading087 at gmail.com> wrote:
>
>> The CRL with the revoked server certificate needs to be loaded in the SIP
>> client. The TLS server doesn't send the CRL to the client during the handshake.
>>
>> Sent from my iPhone
>>
>> On Jul 3, 2018, at 6:16 AM, Daniel-Constantin Mierla <miconda at gmail.com>
>> wrote:
>>
>> Hello,
>>
>> I haven't played with CRLs lately, but Kamailio should just call the libssl
>> functions for validating the certificates, after initializing the context
>> with the CRL file.
>>
>> Maybe you can open an issue on the github.com/kamailio/kamailio tracker and
>> add there all log messages printed by Kamailio with debug=3 in kamailio.cfg.
>> In this way we do not forget about it and it can be investigated properly.
>> Cheers,
>> Daniel
>>
>> On 28.06.18 08:47, Amarnath Kanchivanam wrote:
>>
>> Hi All,
>>
>> I'm trying to configure Kamailio as a TLS server with the configuration
>> below (tls.cfg), and the TLS server starts successfully.
>>
>> [server:default]
>> method = TLSv1+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = ./sip/server.key
>> certificate = ./sip/server.crt
>> ca_list = ./bundle.crt
>> crl = ./sip_crl.pem
>> verify_depth = 9
>>
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>
>> The TLS connection works fine.
>> Later I updated sip_crl.pem with the revoked server certificate details
>> and ran the tls.reload command to load the latest update.
>> After this I expected any TLS client trying to establish a TLS connection
>> to fail, as the client and server certificates are signed by the same
>> authority and the server certificate is revoked. But the clients are able to
>> establish TLS connections without any errors.
>>
>> I'm not getting any traces to confirm that CRL validation has been
>> performed before accepting the TLS connection.
>>
>> Any advice would help to proceed with evaluating the CRL functionality.
>>
>> -Amar
>>
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>> --
>> Daniel-Constantin Mierla -- www.asipto.com
>> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>> Kamailio World Conference -- www.kamailioworld.com
>