[SR-Users] TLS testing (with sipp)

Karsten Horsmann khorsmann at gmail.com
Thu Dec 19 18:59:05 CET 2019


Hi Julien,

Thanks for this hint. The cert part is a bit off topic, but security should be
forced :)

There are many ways to get a Let's Encrypt certificate; I prefer the golang
lego tool:

docker run -v "$(pwd)/.lego:/.lego" goacme/lego -d fqdn --email your@email -a \
    --tls --pem run

It saves stuff in the .lego folder.

Cheers
Karsten Horsmann


Julien Chavanton <jchavanton at gmail.com> wrote on Thu, 19 Dec 2019,
17:08:

> Hi, I guess I was the one stretching it :)
>
> If you need to generate a cert, check EFF's Let's Encrypt. Here is one
> example to get a cert with HTTP validation:
>
> #!/bin/bash
> # Usage: <script> <domain> [copy]
>
> # Temporarily open port 80 for the HTTP validation challenge
> iptables -I INPUT -p tcp --dport 80 -j ACCEPT
> sudo docker run -it --rm --name certbot \
>         --net=host \
>         -v "/etc/letsencrypt:/etc/letsencrypt" \
>         -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
>         certbot/certbot certonly --eff-email --agree-tos -m use@domain.com \
>         --standalone --preferred-challenges http -d "$1"
> # Close port 80 again
> iptables -D INPUT -p tcp --dport 80 -j ACCEPT
> if [ "$2" == "copy" ]
> then
>         # Copy the chain and key to where the test client expects them
>         cp "/etc/letsencrypt/live/$1/fullchain.pem" tls/certificate.pem
>         cp "/etc/letsencrypt/live/$1/privkey.pem" tls/key.pem
> fi
>
>
> On Thu, Dec 19, 2019 at 6:20 AM Sebastian Damm <damm at sipgate.de> wrote:
>
>> Hi Julien,
>>
>> I had been thinking quite a while before posting it here, and maybe I
>> shouldn't have mentioned the sipp SSL error. But I thought, end2end
>> testing of kamailio setups could be of general interest from a
>> Kamailio user point of view. And I hoped to get suggestions on how to
>> do it.
>>
>> Thanks for the link to voip_patrol. I'm already playing with it. Still
>> stuck with needing a client certificate, though. I shouldn't need that
>> for a client, I'd think. But I'll try my best.
>>
>> Regards,
>> Sebastian
>>
>> On Wed, Dec 18, 2019 at 7:31 PM Julien Chavanton <jchavanton at gmail.com>
>> wrote:
>> >
>> > Hi Sebastian, this is off topic for the Kamailio mailing list.
>> >
>> > You can use Voip_patrol :
>> > https://github.com/jchavanton/voip_patrol
>> >
>> > Once you have your certificate, key and ca_list in default location
>> > ./voip_patrol -c ./xml/tls.xml
>> >
>> > [18:24:51.800][INFO] main: TLS tcfg.tlsConfig.ca_list      :tls/ca_list.pem
>> > [18:24:51.800][INFO] main: TLS tcfg.tlsConfig.certFile     :tls/certificate.pem
>> > [18:24:51.800][INFO] main: TLS tcfg.tlsConfig.privKeyFile  :tls/key.pem
>> >
>> > tls.xml
>> >
>> > <?xml version="1.0"?>
>> > <config>
>> >     <actions>
>> >         <action type="register" transport="tls"
>> >             expected_cause_code="200" username="VP_ENV_USERNAME"
>> >             password="VP_ENV_PASSWORD" realm="domain.com" registrar="ep.domain.com"/>
>> >         <action type="wait" complete/>
>> >         <action type="accept" account="VP_ENV_USERNAME"
>> >             max_duration="20" hangup="5"/>
>> >         <action type="call"  transport="tls"
>> >             wait_until="3" expected_cause_code="200"
>> >             caller="12062349971@1.1.1.1" callee="12012343238@ep.domain.com"
>> >             max_duration="15" hangup="5"
>> >             username="VP_ENV_USERNAME" password="VP_ENV_PASSWORD"
>> >             realm="domain.com"
>> >         />
>> >         <action type="wait" complete/>
>> >     </actions>
>> > </config>
>> >
>> > On Wed, Dec 18, 2019 at 8:34 AM Sebastian Damm <damm at sipgate.de> wrote:
>> >>
>> >> Hi,
>> >>
>> >> I'm trying to construct an end-to-end encrypted signalling test
>> >> through our setup. I thought I could use sipp for that, as it supports
>> >> TLS according to the man page. However, when I try to run it, I get
>> >> this error:
>> >>
>> >> FI_init_ssl_context: SSL_CTX_use_certificate_file failed.
>> >>
>> >> I searched the web; however, all similar questions end up without
>> >> answers. I tried specifying a local key and cert without success. I'd
>> >> think I should not need a cert for my client, though.
>> >>
>> >> Has anyone ever successfully conducted an automated TLS test? I'm open
>> >> to using a different tool if necessary.
>> >>
>> >> Thanks for all hints or examples.
>> >>
>> >> Regards,
>> >> Sebastian
>> >>
>> >> --
>> >> Sebastian Damm
>> >> Voice Engineer
>> >> __________________________________________
>> >> sipgate GmbH
>> >> Gladbacher Straße 74 | 40219 Düsseldorf
>> >>
>> >> _______________________________________________
>> >> Kamailio (SER) - Users Mailing List
>> >> sr-users at lists.kamailio.org
>> >> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>> >
>>
>>
>>
>> --
>> Sebastian Damm
>> Voice Engineer
>>

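Added example (not part of the original thread, and not code from sipp or voip_patrol): a preflight check for the certificate, key and CA list that the messages above place under tls/, covering the usual reasons a client fails while loading them (missing or non-PEM file, expired certificate, key that does not belong to the certificate). The function name check_tls_files is hypothetical, and the openssl command-line tool is assumed to be installed.

```bash
#!/bin/bash
# Added example: preflight check for the PEM files a TLS test client loads.
# check_tls_files is a hypothetical name; file names follow the thread.
# Usage: check_tls_files tls && ./voip_patrol -c ./xml/tls.xml

# Returns 0 when every check passes, otherwise the number of failed checks.
check_tls_files() {
    local dir="${1:-tls}" fails=0 f cert_pub key_pub perms
    local cert="$dir/certificate.pem" key="$dir/key.pem" ca="$dir/ca_list.pem"

    # 1. All three files must exist and be readable by the test user.
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; fails=$((fails + 1)); }
    done
    [ "$fails" -eq 0 ] || return "$fails"

    # 2. The certificate must parse as PEM and stay valid for the next hour.
    if ! openssl x509 -in "$cert" -noout -checkend 3600 >/dev/null 2>&1; then
        echo "FAIL: $cert is not a PEM certificate or expires within 1h" >&2
        fails=$((fails + 1))
    fi

    # 3. The private key must belong to the certificate (same public key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        fails=$((fails + 1))
    fi

    # 4. The private key must not be accessible to group or others.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/others, use chmod 600" >&2
        fails=$((fails + 1))
    fi

    # 5. The CA list must start with a parseable certificate.
    if ! openssl x509 -in "$ca" -noout >/dev/null 2>&1; then
        echo "FAIL: $ca does not contain a PEM certificate" >&2
        fails=$((fails + 1))
    fi

    return "$fails"
}
```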
