[SR-Users] TLS challenge

Gertjan Wolzak g.wolzak at kazlow.nl
Tue Feb 5 11:31:16 CET 2019 

Hello Kamailions,

Ive beent trying to configure a tls connection between kamailio servers, 
but looks like Im missing some knowledge.

The situation:

phone1 <> internet <> kamailio1 <internet> kamailio2<> internet <> phone2

The phones are yealink phones, they are connected using TLS v1.2, phone 
1 registers at kamailio1 and phone2 registers at kamailio2.

Both kamailio servers have an letsencrypt certificate.

When the connection between the two kamailio servers is set as sip, a 
call from a phone1 to phone2 the singnaling is forwarded and rtp flows.

When I set the connection between the two kamailio servers to tls, 
things go wrong.. or better said I go wrong.

The kamailio log on the receiving kamailio(kamailio2) shows that things 
go wrong and where, but I just cant figure out how to solve it.

The log shows that the tls connection will be handled by the TLS Default 
configuration, the CA certificate is missing, well unknown.

15(7209) DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: 
new tcp connection: 116.203.53.212
15(7209) DEBUG: <core> [core/tcp_main.c:999]: tcpconn_new(): on port 
44153, type 3
15(7209) DEBUG: <core> [core/tcp_main.c:1309]: tcpconn_add(): hashes: 
1805:3331:3809, 3
15(7209) DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: 
io_watch_add(0xa77de0, 32, 2, 0x7ff9596d4b10), fd_no=23
15(7209) DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: 
io_watch_del (0xa77de0, 32, -1, 0x0) fd_no=24 called
15(7209) DEBUG: <core> [core/tcp_main.c:4196]: handle_tcpconn_ev(): 
sending to child, events 1
15(7209) DEBUG: <core> [core/tcp_main.c:3878]: send2child(): selected 
tcp worker 1 8(7202) for activity on [tls:kamailio2:5061], 0x7ff9596d4b10
  8(7202) DEBUG: <core> [core/tcp_read.c:1759]: handle_io(): received 
n=8 con=0x7ff9596d4b10, fd=9
  8(7202) DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing 
tls connection initialization
  8(7202) DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using 
initial TLS domain TLSs<default> (dom 0x7ff959498600 ctx 0x7ff9594b6430 
sn [])
  8(7202) DEBUG: tls [tls_domain.c:724]: sr_ssl_ctx_info_callback(): SSL 
handshake started
  8(7202) DEBUG: <core> [core/tcp_main.c:2460]: tcpconn_do_send(): 
sending...
  8(7202) DEBUG: <core> [core/tcp_main.c:2494]: tcpconn_do_send(): after 
real write: c= 0x7ff9596d4b10 n=2637 fd=9
  8(7202) DEBUG: <core> [core/tcp_main.c:2495]: tcpconn_do_send(): buf=

  8(7202) DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: 
io_watch_add(0xac78a0, 9, 2, 0x7ff9596d4b10), fd_no=1
  8(7202) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS 
accept:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
  8(7202) ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: 
tcp_read_req: error reading - c: 0x7ff9596d4b10 r: 0x7ff9596d4b90 (-1)
  8(7202) DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: 
io_watch_del (0xac78a0, 9, -1, 0x10) fd_no=2 called
  8(7202) DEBUG: <core> [core/tcp_read.c:1683]: release_tcpconn(): 
releasing con 0x7ff9596d4b10, state -2, fd=9, id=3 (kamailio1]:44153 -> 
[kamailio1]:5061)
  8(7202) DEBUG: <core> [core/tcp_read.c:1684]: release_tcpconn(): 
extra_data 0x7ff9596d2ab0
15(7209) DEBUG: <core> [core/tcp_main.c:3308]: handle_tcp_child(): 
reader response= 7ff9596d4b10, -2 from 1
15(7209) DEBUG: tls [tls_server.c:667]: tls_h_close(): Closing SSL 
connection 0x7ff9596d2ab0

I assume I have configured tls.cfg partially correct, as the phones 
register and can make tls calls.

What I find strange is this line:  8(7202) DEBUG: <core> 
[core/tcp_read.c:1683]: release_tcpconn(): releasing con 0x7ff9596d4b10, 
state -2, fd=9, id=3 (kamailio1]:44153 -> [kamailio1]:5061)

Would the "[kamailio1]:5061" be the client configuration?

So, what do I need to configure within the tls.cfg file so when a tls 
connection is initiated from the other server it will work.

I have tried adding the other server as server within the tls.cfg, which 
does not work as kamailio is not listening on the ip address configured.

When I add the server as a client in the tls.cfg as follows, the 
connection is handled by the default TLS configuration.

[server:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/kamailio.kazlow.nl/privkey.pem
certificate = /etc/letsencrypt/live/kamailio.kazlow.nl/fullchain.pem
#ca_list = /etc/kamailio/tls/cacert.pem
#crl = /etc/kamailio/tls/crl.pem

[client:kamailio1:5061]
method = TLSv1.2
verify_certificate = no
require_certificate = yes
certificate = /etc/kamailio/tls/fullchain.pem
ca_list = /etc/kamailio/tls/cacert.pem


# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
ca_list = /etc/kamailio/tls/cacert.pem

I have tried forcing the socket on the sending kamailio, but that does 
not work.

Any feedback on what I am doing wrong or where I can find information to 
extend my knowledge would be appreciated.

Rgds,

Gertjan Wolzak




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20190205/6a5ee8a3/attachment.html>

More information about the sr-users mailing list