[SR-Users] Retrieving cert details from tls peer

Daniel-Constantin Mierla miconda at gmail.com
Fri Jul 3 10:09:48 CEST 2020


Hello,

the client has to be configured to present a certificate, and, based on
the Kamailio log message, it doesn't:

INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not
present a certificate

Check the phone config to see if you can set such an option. Kamailio can
just see if a certificate is sent and, if not, reject the connection, if
you have require_certificate = yes in the server profile of tls.cfg.

You can eventually test with 'openssl s_client ...' to see details of
client-side certs in Kamailio -- iirc, it has options to specify the
client-side certificate with -cert ... -key ...

Cheers,
Daniel

On 03.07.20 09:52, Mark Boyce wrote:
> Hi Daniel
>
> I’m testing with a Yealink T57W. It comes with a factory install
> certificate which will probably fail validation as the common name is
> the MAC.  
>
> I'm not trying to validate the client device's certificate, just get it
> to offer what it has so I can check the details.
>
> Thanks
> Mark
>
>> On 3 Jul 2020, at 08:38, Daniel-Constantin Mierla <miconda at gmail.com
>> <mailto:miconda at gmail.com>> wrote:
>>
>> Hello,
>>
>> what is the SIP client app you used? Is it configured to use its own
>> tls certificate when connecting to the SIP server?
>>
>> Cheers,
>> Daniel
>>
>> On 02.07.20 18:51, Mark Boyce wrote:
>>> Hi all
>>>
>>> Been trying to grab the TLS cert details from incoming connections,
>>> but failing :-(
>>>
>>> So with lines just before AUTH is called like this:
>>>
>>>         if (proto == TLS) {
>>>             xlog("L_INFO", "TLSDUMP $ci  peer_subject        : $tls_peer_subject\n");
>>>         }
>>>
>>> Gets met with a log line like this:
>>>
>>> INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new
>>> connection from 1.2.3.4:11797 using TLSv1.2
>>> ECDHE-RSA-AES256-GCM-SHA384 256
>>> INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local
>>> socket: 5.6.7.8:5061
>>> INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did
>>> not present a certificate
>>> ...
>>> INFO: tls [tls_select.c:168]: get_cert(): Unable to retrieve peer
>>> TLS certificate from SSL structure
>>>
>>> This is with verify_certificate and require_certificate set to no in
>>> tls.cfg
>>>
>>> If I try and set the following in tls.cfg
>>>
>>> [server:default]
>>> method = TLSv1.2+
>>> verify_certificate = no
>>> require_certificate = yes
>>>
>>> I see in the logs:
>>>
>>> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSs<default>:
>>> tls_method=22
>>> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSs<default>:
>>> certificate='/etc/kamailio/tls-certs/cert.pem'
>>> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>:
>>> ca_list='(null)'
>>> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>:
>>> crl='(null)'
>>> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>:
>>> *require_certificate=1*
>>> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSs<default>:
>>> cipher_list='(null)'
>>> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSs<default>:
>>> private_key='/etc/kamailio/tls-certs/privkey.pem'
>>> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>:
>>> *verify_certificate=0*
>>> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSs<default>:
>>> verify_depth=9
>>> NOTICE: tls [tls_domain.c:1095]: ksr_tls_fix_domain(): registered
>>> server_name callback handler for socket [:0],
>>> server_name='<default>' ...
>>> INFO: tls [tls_domain.c:692]: set_verification():
>>> TLSs<default>:*Client MUST present valid certificate*
>>> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSc<default>:
>>> tls_method=20
>>> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSc<default>:
>>> certificate='(null)'
>>> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSc<default>:
>>> ca_list='(null)'
>>> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSc<default>:
>>> crl='(null)'
>>> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>:
>>> *require_certificate=1*
>>> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSc<default>:
>>> cipher_list='(null)'
>>> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSc<default>:
>>> private_key='(null)'
>>> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>:
>>> *verify_certificate=1*
>>> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSc<default>:
>>> verify_depth=9
>>> INFO: tls [tls_domain.c:692]: set_verification(): TLSc<default>:
>>> *Server MUST present valid certificate*
>>> ...
>>> ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
>>> accept:error:1417C086:SSL
>>> routines:tls_process_client_certificate:certificate verify failed
>>>
>>> Which looks like verification is being enabled when I add require?
>>>
>>>
>>>
>>> Would someone be kind enough to point out what I am missing please?
>>> (Assuming it’s not a bug :-)
>>>
>>>
>>> Thanks
>>> Mark
>>> -- 
>>> Mark Boyce
>>> Dark Origins Ltd
>>>
>>> _______________________________________________
>>> Kamailio (SER) - Users Mailing List
>>> sr-users at lists.kamailio.org
>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>> -- 
>> Daniel-Constantin Mierla -- www.asipto.com
>> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>> Funding: https://www.paypal.me/dcmierla
>
> Mark
> -- 
> Mark Boyce
> Dark Origins Ltd
> e: mark at darkorigins.com <mailto:mark at darkorigins.com>
> t: 0345 0043 043
> f: 0345 0043 044
>
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
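The point of the thread, that a server only ever sees a peer certificate when it asks for one and the client is configured to send one, can be reproduced without a phone or a Kamailio instance. The following is an added example, not code from the thread or from the Kamailio project: it drives a TLS handshake entirely in memory with Python's ssl module and reports what the server side learns about its peer. It assumes the openssl command-line tool is installed (used only to mint throw-away self-signed certificates), and the mapping of Python verify modes to tls.cfg settings in the docstring is an analogy, not a description of how Kamailio's tls module implements require_certificate and verify_certificate. The server name and the phone's MAC-style common name are constructed values.

```python
"""
Added example (not from the mailing-list thread or the Kamailio project).
Shows, with an in-memory TLS handshake, when a server gets to see the
peer's certificate. Assumes the openssl CLI is installed (used only to
create throw-away self-signed certificates).
"""
import os
import ssl
import subprocess
import tempfile

WORKDIR = tempfile.mkdtemp(prefix="tls-peer-demo-")

# Analogy only (not Kamailio's implementation): "none" never asks for a client
# cert, "optional" asks but tolerates silence, "required" insists on one
# (roughly require_certificate = yes).
MODES = {"none": ssl.CERT_NONE, "optional": ssl.CERT_OPTIONAL, "required": ssl.CERT_REQUIRED}


def make_self_signed(name, common_name):
    """Mint a throw-away self-signed cert + key with the openssl CLI (assumed present)."""
    key = os.path.join(WORKDIR, f"{name}.key")
    crt = os.path.join(WORKDIR, f"{name}.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={common_name}", "-keyout", key, "-out", crt],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return crt, key


# Constructed identities: a SIP server, and a phone whose factory cert carries
# its MAC address as CN (as described in the thread). Nothing here is real.
SERVER_CRT, SERVER_KEY = make_self_signed("server", "sip.example.test")
PHONE_CRT, PHONE_KEY = make_self_signed("phone", "001565aabbcc")


def common_name(cert):
    """Extract commonName from the dict returned by SSLObject.getpeercert()."""
    if not cert:                      # None: no cert presented; {}: presented, not verified
        return None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe(server_mode, server_trusts_phone, phone_sends_cert):
    """Run one in-memory handshake; return ("ok", peer CN or None) or ("failed", reason)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(SERVER_CRT, SERVER_KEY)
    srv.verify_mode = MODES[server_mode]
    if server_trusts_phone:                       # the phone's issuer is in the CA list
        srv.load_verify_locations(PHONE_CRT)

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False                    # server identity is not the point here
    cli.verify_mode = ssl.CERT_REQUIRED
    cli.load_verify_locations(SERVER_CRT)
    if phone_sends_cert:                          # the phone is configured with a client cert
        cli.load_cert_chain(PHONE_CRT, PHONE_KEY)

    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli.wrap_bio(c_in, c_out, server_side=False)
    server = srv.wrap_bio(s_in, s_out, server_side=True)

    def step(obj):
        try:
            obj.do_handshake()
            return True
        except ssl.SSLWantReadError:              # needs the peer's next flight
            return False

    def pump(src, dst):
        data = src.read()
        if data:
            dst.write(data)

    client_done = server_done = False
    try:
        for _ in range(10):                       # a handshake needs only a few flights
            if not client_done:
                client_done = step(client)
            pump(c_out, s_in)                     # client -> server
            if not server_done:
                server_done = step(server)
            pump(s_out, c_in)                     # server -> client
            if client_done and server_done:
                break
    except ssl.SSLError as exc:                   # verify failure or missing required cert
        return ("failed", exc.reason)
    return ("ok", common_name(server.getpeercert()))


if __name__ == "__main__":
    for label, mode, trusted, sends in [
        ("server never asks, phone has a cert", "none", True, True),
        ("server asks, phone has no cert", "optional", True, False),
        ("server requires, phone has no cert", "required", True, False),
        ("server requires, phone cert untrusted", "required", False, True),
        ("server requires, phone cert trusted", "required", True, True),
    ]:
        print(f"{label:40s} -> {probe(mode, trusted, sends)}")
```

The first two rows are the two situations in the thread's log: whether the server is silent or asks, a client that has no certificate configured leaves the server with nothing to read, which is the "client did not present a certificate" / "Unable to retrieve peer TLS certificate" outcome. The fourth row shows the OpenSSL behaviour behind the "certificate verify failed" error: once a server asks for a certificate with SSL_VERIFY_PEER, a presented certificate that does not chain to the server's CA list aborts the handshake unless the application installs a verify callback that overrides the result.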
