[SR-Users] Retrieving cert details from tls peer
Daniel-Constantin Mierla
miconda at gmail.com
Fri Jul 3 09:38:04 CEST 2020
Hello,
what is the SIP client app you used? Is it configured to use its own tls
certificate when connecting to the SIP server?
Cheers,
Daniel
On 02.07.20 18:51, Mark Boyce wrote:
> Hi all
>
> Been trying to grab the TLS cert details from incoming connections,
> but failing :-(
>
> So with lines just before AUTH is called like this;
>
>     if (proto == TLS) {
>         xlog("L_INFO", "TLSDUMP $ci  peer_subject     : $tls_peer_subject\n");
>     }
>
> Gets met with a log line like this;
>
> INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 1.2.3.4:11797 using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256
> INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061
> INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
> ...
> INFO: tls [tls_select.c:168]: get_cert(): Unable to retrieve peer TLS certificate from SSL structure
>
> This is with verify_certificate and require_certificate set to no in
> tls.cfg
>
> If I try and set the following in tls.cfg
>
> [server:default]
> method = TLSv1.2+
> verify_certificate = no
> require_certificate = yes
>
> I see in the logs;
>
> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSs<default>: tls_method=22
> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/kamailio/tls-certs/cert.pem'
> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'
> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>: *require_certificate=1*
> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/kamailio/tls-certs/privkey.pem'
> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>: *verify_certificate=0*
> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
> NOTICE: tls [tls_domain.c:1095]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...
> INFO: tls [tls_domain.c:692]: set_verification(): TLSs<default>: *Client MUST present valid certificate*
> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSc<default>: tls_method=20
> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSc<default>: certificate='(null)'
> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSc<default>: ca_list='(null)'
> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSc<default>: crl='(null)'
> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>: *require_certificate=1*
> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSc<default>: cipher_list='(null)'
> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSc<default>: private_key='(null)'
> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>: *verify_certificate=1*
> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSc<default>: verify_depth=9
> INFO: tls [tls_domain.c:692]: set_verification(): TLSc<default>: *Server MUST present valid certificate*
> ...
> ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
>
> Which looks like verification is being enabled when I add require?
>
>
>
> Would someone be kind enough to point out what I am missing please?
> (Assuming it's not a bug :-)
>
>
> Thanks
> Mark
> -- 
> Mark Boyce
> Dark Origins Ltd
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
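An added example, not part of this thread and not Kamailio code: a small Python audit script that reads tls module log lines of the shape quoted above and turns them into something a defender can act on. It groups the tls_accept() lines into one record per accepted connection (peer, local socket, protocol version, cipher, whether the "client did not present a certificate" notice appeared), collects the effective per-domain settings printed by ksr_tls_fill_missing() (TLSs<name> is the server side, TLSc<name> the client side), and flags the require_certificate=1 / verify_certificate=0 combination the thread asks about so it can be reviewed before anyone trusts $tls_peer_subject for authorization. The sample log is constructed from the quoted format; the second connection (10.0.0.9 with a TLSv1.3 cipher) is invented to show a peer for which no missing-certificate notice is logged.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the Kamailio tls module lines quoted in the thread.
# The second connection is invented so the parser sees a peer without the
# "did not present a certificate" follow-up line.
SAMPLE_LOG = """\
INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=1
INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=0
INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>: require_certificate=1
INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>: verify_certificate=1
INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 1.2.3.4:11797 using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256
INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061
INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 10.0.0.9:40022 using TLSv1.3 TLS_AES_256_GCM_SHA384 256
INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061
"""

CONN_RE = re.compile(r"tls_accept: new connection from (\S+) using (\S+) (\S+) (\d+)")
LOCAL_RE = re.compile(r"tls_accept: local socket: (\S+)")
NOCERT_RE = re.compile(r"tls_accept: client did not present a certificate")
# Values may be wrapped in '*' when pasted with emphasis, as in the thread; tolerate that.
SETTING_RE = re.compile(r"ksr_tls_fill_missing\(\): (TLS[sc]<[^>]+>): \*?(\w+)=(.*)")


@dataclass
class TlsConn:
    peer: str
    version: str
    cipher: str
    bits: int
    local: str = ""
    client_cert_missing: bool = False


def parse_connections(text):
    """Group tls_accept() lines into one record per accepted connection.

    The 'new connection' line comes first and its follow-ups (local socket,
    missing client certificate) afterwards, so each follow-up is attached
    to the most recently opened record.
    """
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns.append(TlsConn(m.group(1), m.group(2), m.group(3), int(m.group(4))))
            continue
        if not conns:
            continue  # follow-up line with no preceding connection record
        m = LOCAL_RE.search(line)
        if m:
            conns[-1].local = m.group(1)
        elif NOCERT_RE.search(line):
            conns[-1].client_cert_missing = True
    return conns


def parse_domain_settings(text):
    """Collect effective settings per TLS domain (TLSs<name> server side, TLSc<name> client side)."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.search(line)
        if m:
            domain, key, value = m.groups()
            settings.setdefault(domain, {})[key] = value.strip().strip("*")
    return settings


def audit(text):
    """Return human-readable findings about client-certificate handling."""
    findings = []
    for domain, opts in parse_domain_settings(text).items():
        if opts.get("require_certificate") == "1" and opts.get("verify_certificate") == "0":
            findings.append(
                f"{domain}: require_certificate=1 with verify_certificate=0 (the combination "
                "discussed in the thread); confirm the peer certificate is chain-validated "
                "before using $tls_peer_subject for authorization"
            )
    for c in parse_connections(text):
        if c.client_cert_missing:
            findings.append(
                f"{c.peer} -> {c.local}: {c.version} {c.cipher}, no client certificate; "
                "$tls_peer_subject cannot be populated for this connection"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Feed it a real log (for example `python3 tls_audit.py < /var/log/kamailio.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) and the connection records give you, per peer, whether the value you are about to log or authorize on was ever available. The audit deliberately does not assert what Kamailio does with require_certificate=yes and verify_certificate=no, since the thread leaves that open; it only surfaces the combination for review.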