[SR-Users] TLS challenge

Julien Chavanton jchavanton at gmail.com
Thu Feb 7 17:46:11 CET 2019


Not sure if the logs a clear on what/when connection is rejected.

I can share a few troubleshooting hints :

1: Check if you are using the setting require_certificate try to set it to
no and test again.

2: You can verify that you can connect to our proxy using libssl

openssl s_client -showcerts -debug -verify_hostname <yourdomain.com>
-servername <yourdomain.com>  -connect <yourdomain.com>:5061


This command will produce a detailed report,

if the connection does not work you may need to add the root CA from
letsencrypt
https://letsencrypt.org/certificates/

(If your Linux OS is a bit old, this will be the case)

You can test with :

openssl s_client -showcerts -debug -verify_hostname <yourdomain.com>
-servername <yourdomain.com> -connect <yourdomain.com>:5061 -CAfile
/etc/ssl/certs/isrgrootx1.pem


3: take a full TCP trace using tcpdump and look at the handshake, you may
learn more about the failure/rejection

Hope this will help you, to save some of your hair
Julien

On Thu, Feb 7, 2019 at 1:29 AM Gertjan Wolzak <g.wolzak at kazlow.nl> wrote:

>
>
> Hello Kamailions,
>
> Julien, thank you for the help, I have added the letsencrypt ca
> certificate to the ca list, still no dice.
>
> So, still got lots of questions, but after my last booboo going to do some
> more research and testing. When I have no more hair left will get back to
> the list.
>
> Thanks for now.
>
> Rgds,
>
> Gertjan Wolzak
>
>
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20190207/e5d3e3ff/attachment.html>


More information about the sr-users mailing list