[SR-Users] TLS CRL configuration

Daniel-Constantin Mierla miconda at gmail.com
Tue Jul 10 10:06:28 CEST 2018


Hello,

the server checks if the client certificate is revoked. It is the duty
of the client to check if the server certificate is revoked and close
the connection. It is about a party checking if the other party of the
connection is using a trusted and valid certificate or not.

Cheers,
Daniel


On 10.07.18 08:15, Amarnath Kanchivanam wrote:
> Hi,
>
> Could you share your thoughts on the below clarification?
>
> Regards,
> Amarnath
>
> On Fri, Jul 6, 2018 at 4:06 PM Amarnath Kanchivanam
> <ykamarnath.sip at gmail.com> wrote:
>
>     Thanks Daniel and Ding Ma.
>
>     I have a Certificate Authority, which signed the server certificate
>     and the client certificate.
>     The server certificate and the root CA are added to the server.
>     The client certificate and the root CA are added to the client.
>     Now the CRL file path is updated on the server and its own server
>     certificate is revoked. In this case, what should the kamailio
>     server's behavior be if any client wants to establish a TLS
>     connection? Or, since its own server certificate is revoked, should
>     TLS be disabled on the server side?
>
>     As per my understanding, TLS should be disabled on the server side,
>     as it does not have a valid certificate. Please share your thoughts
>     on this.
>
>     Regards,
>     Amarnath
>
>     On Tue, Jul 3, 2018 at 5:22 PM Ding Ma <mading087 at gmail.com> wrote:
>
>         The CRL with revoked server certificate needs to be loaded in
>         the sip client. TLS server doesn’t send CRL to client during
>         handshake.
>
>         Sent from my iPhone
>
>         On Jul 3, 2018, at 6:16 AM, Daniel-Constantin Mierla
>         <miconda at gmail.com> wrote:
>
>>         Hello,
>>
>>         haven't played with CRL lately, but kamailio should just call
>>         libssl functions for validating the certificates, after
>>         initializing the context with CRL file.
>>
>>         Maybe you can open an issue on the github.com/kamailio/kamailio
>>         tracker, add there all
>>         log messages printed by kamailio with debug=3 in
>>         kamailio.cfg. In this way we do not forget about it and can
>>         be investigated properly.
>>
>>         Cheers,
>>         Daniel
>>
>>         On 28.06.18 08:47, Amarnath Kanchivanam wrote:
>>>         Hi All,
>>>
>>>         I'm trying to configure kamailio as a TLS server with the below
>>>         configuration (tls.cfg), and the TLS server starts successfully.
>>>
>>>         [server:default]
>>>         method = TLSv1+
>>>         verify_certificate = yes
>>>         require_certificate = yes
>>>         private_key = ./sip/server.key
>>>         certificate = ./sip/server.crt
>>>         ca_list = ./bundle.crt
>>>         crl = ./sip_crl.pem
>>>         verify_depth = 9
>>>
>>>         [client:default]
>>>         verify_certificate = no
>>>         require_certificate = no
>>>
>>>         TLS connection works fine.
>>>         Later I updated sip_crl.pem with the server certificate's
>>>         revocation details and ran the tls.reload command to load the
>>>         latest update.
>>>         After this I expect any TLS client trying to establish a TLS
>>>         connection to fail, as the client and server certificates are
>>>         signed by the same authority and the server certificate is
>>>         revoked. But the clients are able to establish TLS connections
>>>         without any errors.
>>>
>>>         I'm not getting any traces to confirm CRL validation has
>>>         been performed before accepting the TLS connection. 
>>>
>>>         Any advice would be helpful to proceed with evaluating the CRL
>>>         functionality.
>>>
>>>         -Amar
>>>
>>>
>>>         _______________________________________________
>>>         Kamailio (SER) - Users Mailing List
>>>         sr-users at lists.kamailio.org
>>>         https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference -- www.kamailioworld.com
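The following script is an added example and is not from the thread or from the Kamailio project. It reproduces the situation described above with the openssl CLI: a throwaway CA issues a server certificate, the certificate is revoked and the CRL is republished, and the certificate is then verified twice, once by a verifier that loads the CA bundle plus the CRL (what a peer with `verify_certificate = yes`, `ca_list` and `crl` does) and once by a verifier that loads only the CA bundle. The CA name, the hostname `sip.example.invalid` and all function names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA, issue a server
# certificate, revoke it, and show that only a verifier which actually loads
# the CRL notices the revocation. All names here are constructed.
set -eu

# Create a scratch CA directory usable by `openssl ca` and print its path.
setup_ca() {
    d=$(mktemp -d)
    mkdir "$d/newcerts"
    : > "$d/index.txt"
    echo 1000 > "$d/serial"
    echo 1000 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = $d/index.txt
new_certs_dir    = $d/newcerts
serial           = $d/serial
crlnumber        = $d/crlnumber
certificate      = $d/ca.crt
private_key      = $d/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = server_ext
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
EOF
    # Self-signed root CA (constructed name); the server certificate is issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
        -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    echo "$d"
}

# Issue the server certificate from the CA in $1; `openssl ca` records it in the database.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sip.example.invalid" \
        -config "$1/ca.cnf" -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
    openssl ca -batch -config "$1/ca.cnf" -notext \
        -in "$1/server.csr" -out "$1/server.crt" >/dev/null 2>&1
}

# Write the CA's current CRL to $1/crl.pem (empty until something is revoked).
publish_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# Revoke the server certificate and republish the CRL, as the original poster did.
revoke_server_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/server.crt" >/dev/null 2>&1
    publish_crl "$1"
}

# Verification as a peer's libssl would do it with the given trust material.
# A peer that loads the CA bundle and the CRL sees the revocation; a peer that
# loads only the CA bundle (or does not verify at all) cannot.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" \
        "$1/server.crt" >/dev/null 2>&1
}
verify_without_crl() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Print whether the named verifier accepts the server certificate in $2.
report() {
    if "$1" "$2"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

DEMO_DIR=$(setup_ca)
issue_server_cert "$DEMO_DIR"
publish_crl "$DEMO_DIR"
echo "before revocation"
report verify_with_crl "$DEMO_DIR"
report verify_without_crl "$DEMO_DIR"
revoke_server_cert "$DEMO_DIR"
echo "after revocation (CRL republished)"
report verify_with_crl "$DEMO_DIR"      # rejected: certificate revoked
report verify_without_crl "$DEMO_DIR"   # accepted: the CRL was never consulted
```

The second pair of results is the behaviour the poster saw: the server's own `crl` setting only feeds the check the server performs on client certificates, so a revoked server certificate is caught only on the side that verifies the server, and only if that side loads the CRL. In the tls.cfg above that means the verifying side's `[client:default]` domain needs `verify_certificate = yes` together with a `ca_list` and a `crl` entry (the tls module accepts these keys for client domains as well; the exact parameter set for your version is in the module documentation).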
