[SR-Users] Retrieving cert details from tls peer

Mark Boyce mark at darkorigins.com
Fri Jul 3 09:52:38 CEST 2020


Hi Daniel

I’m testing with a Yealink T57W. It comes with a factory install certificate which will probably fail validation as the common name is the MAC.  

I'm not trying validate the client device’s certificate just get it to offer what it has so I can check the details.

Thanks
Mark

> On 3 Jul 2020, at 08:38, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> 
> Hello,
> 
> what is the SIP client app you used? Is it configured to use its own tls certificate when connecting to the SIP server?
> 
> Cheers,
> Daniel
> On 02.07.20 18:51, Mark Boyce wrote:
>> Hi all
>> 
>> Been trying to grab the TLS cert details from incoming connections, but failing :-(
>> 
>> So with lines just before AUTH is called like this;
>> 
>>         if (proto == TLS) {
>>         xlog("L_INFO", "TLSDUMP $ci  peer_subject        : $tls_peer_subject\n");
>> 
>> Gets met with a log line line this;
>> 
>> INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 1.2.3.4:11797 using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256
>> INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061
>> INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
>> ...
>> INFO: tls [tls_select.c:168]: get_cert(): Unable to retrieve peer TLS certificate from SSL structure
>> 
>> This is with verify_certificate and require_certificate set to no in tls.cfg
>> 
>> If I try and set the following in tls.cfg
>> 
>> [server:default]
>> method = TLSv1.2+
>> verify_certificate = no
>> require_certificate = yes
>> 
>> I see in the logs;
>> 
>> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSs<default>: tls_method=22
>> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/kamailio/tls-certs/cert.pem'
>> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'
>> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
>> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=1
>> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
>> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/kamailio/tls-certs/privkey.pem'
>> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=0
>> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
>> NOTICE: tls [tls_domain.c:1095]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...
>> INFO: tls [tls_domain.c:692]: set_verification(): TLSs<default>: Client MUST present valid certificate
>> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSc<default>: tls_method=20
>> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSc<default>: certificate='(null)'
>> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSc<default>: ca_list='(null)'
>> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSc<default>: crl='(null)'
>> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>: require_certificate=1
>> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSc<default>: cipher_list='(null)'
>> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSc<default>: private_key='(null)'
>> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>: verify_certificate=1
>> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSc<default>: verify_depth=9
>> INFO: tls [tls_domain.c:692]: set_verification(): TLSc<default>: Server MUST present valid certificate
>> ...
>> ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
>> 
>> Which looks like verification is being enabled when I add require?
>> 
>> 
>> 
>> Would someone be kind enough to point out what I am missing please? (Assuming it’s not a bug :-)
>> 
>> 
>> Thanks
>> Mark
>> -- 
>> Mark Boyce
>> Dark Origins Ltd
>> 
>> 
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org <mailto:sr-users at lists.kamailio.org>
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
> -- 
> Daniel-Constantin Mierla -- www.asipto.com <http://www.asipto.com/>
> www.twitter.com/miconda <http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
> Funding: https://www.paypal.me/dcmierla <https://www.paypal.me/dcmierla>
Mark
-- 
Mark Boyce
Dark Origins Ltd
e: mark at darkorigins.com <mailto:mark at darkorigins.com>
t: 0345 0043 043
f: 0345 0043 044

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20200703/3419ff71/attachment.html>


More information about the sr-users mailing list