[SR-Users] TLS challenge

Julien Chavanton jchavanton at gmail.com
Tue Feb 5 17:19:37 CET 2019


Quick look at the logs

"tlsv1 alert unknown ca"

This means your CA list does not include Let's Encrypt; download it from
https://letsencrypt.org/certificates/

Not sure how you generate your ca_list.pem; Let's Encrypt became trusted by
default at one point on Debian, not sure about the exact details.

Regards
Julien


On Tue, Feb 5, 2019 at 2:33 AM Gertjan Wolzak <g.wolzak at kazlow.nl> wrote:

> Hello Kamailions,
>
> I've been trying to configure a TLS connection between Kamailio servers,
> but it looks like I'm missing some knowledge.
>
> The situation:
>
> phone1 <> internet <> kamailio1 <internet> kamailio2<> internet <> phone2
>
> The phones are yealink phones, they are connected using TLS v1.2, phone 1
> registers at kamailio1 and phone2 registers at kamailio2.
>
> Both kamailio servers have an letsencrypt certificate.
>
> When the connection between the two Kamailio servers is set as SIP, on a call
> from phone1 to phone2 the signaling is forwarded and RTP flows.
>
> When I set the connection between the two Kamailio servers to TLS, things
> go wrong... or better said, I go wrong.
>
> The Kamailio log on the receiving Kamailio (kamailio2) shows that things go
> wrong and where, but I just can't figure out how to solve it.
>
> The log shows that the tls connection will be handled by the TLS Default
> configuration, the CA certificate is missing, well unknown.
>
> 15(7209) DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new
> tcp connection: 116.203.53.212
> 15(7209) DEBUG: <core> [core/tcp_main.c:999]: tcpconn_new(): on port
> 44153, type 3
> 15(7209) DEBUG: <core> [core/tcp_main.c:1309]: tcpconn_add(): hashes:
> 1805:3331:3809, 3
> 15(7209) DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG:
> io_watch_add(0xa77de0, 32, 2, 0x7ff9596d4b10), fd_no=23
> 15(7209) DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG:
> io_watch_del (0xa77de0, 32, -1, 0x0) fd_no=24 called
> 15(7209) DEBUG: <core> [core/tcp_main.c:4196]: handle_tcpconn_ev():
> sending to child, events 1
> 15(7209) DEBUG: <core> [core/tcp_main.c:3878]: send2child(): selected tcp
> worker 1 8(7202) for activity on [tls:kamailio2:5061], 0x7ff9596d4b10
>  8(7202) DEBUG: <core> [core/tcp_read.c:1759]: handle_io(): received n=8
> con=0x7ff9596d4b10, fd=9
>  8(7202) DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing
> tls connection initialization
>  8(7202) DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial
> TLS domain TLSs<default> (dom 0x7ff959498600 ctx 0x7ff9594b6430 sn [])
>  8(7202) DEBUG: tls [tls_domain.c:724]: sr_ssl_ctx_info_callback(): SSL
> handshake started
>  8(7202) DEBUG: <core> [core/tcp_main.c:2460]: tcpconn_do_send():
> sending...
>  8(7202) DEBUG: <core> [core/tcp_main.c:2494]: tcpconn_do_send(): after
> real write: c= 0x7ff9596d4b10 n=2637 fd=9
>  8(7202) DEBUG: <core> [core/tcp_main.c:2495]: tcpconn_do_send(): buf=
>
>  8(7202) DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG:
> io_watch_add(0xac78a0, 9, 2, 0x7ff9596d4b10), fd_no=1
>  8(7202) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
> accept:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
>  8(7202) ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR:
> tcp_read_req: error reading - c: 0x7ff9596d4b10 r: 0x7ff9596d4b90 (-1)
>  8(7202) DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG:
> io_watch_del (0xac78a0, 9, -1, 0x10) fd_no=2 called
>  8(7202) DEBUG: <core> [core/tcp_read.c:1683]: release_tcpconn():
> releasing con 0x7ff9596d4b10, state -2, fd=9, id=3 (kamailio1]:44153 ->
> [kamailio1]:5061)
>  8(7202) DEBUG: <core> [core/tcp_read.c:1684]: release_tcpconn():
> extra_data 0x7ff9596d2ab0
> 15(7209) DEBUG: <core> [core/tcp_main.c:3308]: handle_tcp_child(): reader
> response= 7ff9596d4b10, -2 from 1
> 15(7209) DEBUG: tls [tls_server.c:667]: tls_h_close(): Closing SSL
> connection 0x7ff9596d2ab0
>
> I assume I have configured tls.cfg partially correct, as the phones
> register and can make tls calls.
>
> What I find strange is this line:  8(7202) DEBUG: <core>
> [core/tcp_read.c:1683]: release_tcpconn(): releasing con 0x7ff9596d4b10,
> state -2, fd=9, id=3 (kamailio1]:44153 -> [kamailio1]:5061)
>
> Would the "[kamailio1]:5061" be the client configuration?
>
> So, what do I need to configure within the tls.cfg file so that when a TLS
> connection is initiated from the other server it will work?
>
> I have tried adding the other server as a server within the tls.cfg, which
> does not work as Kamailio is not listening on the IP address configured.
>
> When I add the server as a client in the tls.cfg as follows, the
> connection is handled by the default TLS configuration.
>
> [server:default]
> method = TLSv1.2
> verify_certificate = no
> require_certificate = no
> private_key = /etc/letsencrypt/live/kamailio.kazlow.nl/privkey.pem
> certificate = /etc/letsencrypt/live/kamailio.kazlow.nl/fullchain.pem
> #ca_list = /etc/kamailio/tls/cacert.pem
> #crl = /etc/kamailio/tls/crl.pem
>
> [client:kamailio1:5061]
> method = TLSv1.2
> verify_certificate = no
> require_certificate = yes
> certificate = /etc/kamailio/tls/fullchain.pem
> ca_list = /etc/kamailio/tls/cacert.pem
>
>
> # This is the default client domain, settings
> # in this domain will be used for all outgoing
> # TLS connections that do not match any other
> # client domain in this configuration file.
> # We require that servers present valid certificate.
> #
> [client:default]
> method = TLSv1.2
> verify_certificate = no
> require_certificate = no
> ca_list = /etc/kamailio/tls/cacert.pem
>
> I have tried forcing the socket on the sending kamailio, but that does not
> work.
>
> Any feedback on what I am doing wrong or where I can find information to
> extend my knowledge would be appreciated.
>
> Rgds,
>
> Gertjan Wolzak
>
>
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
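The diagnosis above (a ca_list.pem that lacks the issuing CA produces "tlsv1 alert unknown ca") can be checked with openssl before editing tls.cfg. The script below is an added example, not code from the thread or from Kamailio: it builds a throwaway root CA, a second unrelated CA and a leaf certificate (all constructed names, kamailio1.example included) so it runs offline, then shows the same verify check failing against a list without the issuer and passing once the issuer's chain is appended.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the "unknown ca" failure
# offline with a throwaway CA, and show the check to run on a ca_list.pem
# before pointing tls.cfg at it. For the real fix the list must contain
# the Let's Encrypt chain from https://letsencrypt.org/certificates/
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed throwaway root CA standing in for the Let's Encrypt root.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Test Root CA" -days 2 >/dev/null 2>&1
# A second, unrelated CA: what a stale ca_list.pem typically contains.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other_ca.pem \
  -subj "/CN=Some Other CA" -days 2 >/dev/null 2>&1
# Constructed leaf certificate standing in for the peer server's
# certificate, signed by the test root (hypothetical hostname).
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=kamailio1.example" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out leaf.pem -days 1 >/dev/null 2>&1

# check_ca_list CA_LIST PEER_CERT
# Prints "ok" when PEER_CERT chains to an issuer in CA_LIST, otherwise
# "unknown ca": openssl reports "unable to get local issuer certificate",
# which is the condition a TLS peer signals as "tlsv1 alert unknown ca".
check_ca_list() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo "unknown ca"
  fi
}

# Stale list without the issuing CA: reproduces the error in the log.
check_ca_list other_ca.pem leaf.pem      # unknown ca
# Appending the issuer's chain to the list is the fix.
cat other_ca.pem ca.pem > ca_list.pem
check_ca_list ca_list.pem leaf.pem       # ok
```

Run the same check_ca_list against the real ca_list.pem and the peer's fullchain.pem; the file referenced as ca_list in tls.cfg must make it print ok for every peer the server accepts.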