[SR-Users] Retrieving cert details from tls peer

Mark Boyce mark at darkorigins.com
Fri Jul 3 11:12:48 CEST 2020


Hi Daniel

Ah, that’s the bit I misunderstood. I thought that require_certificate would trigger mutual auth / mTLS rather than enforcing its presence.

No sign of a setting on the Yealink to send its certificate. Will go unpack a Cisco and see what that offers.

Thanks
Mark, 

> On 3 Jul 2020, at 09:09, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> 
> Hello,
> 
> the client has to be configured to present a certificate, and it doesn't do it based on kamailio log message:
> 
> INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
> 
> Check the phone config to see if you can set such option. Kamailio can just see if a certificate is sent and if not reject the connection, if you have require_certificate = yes in the server profile of tls.cfg
> 
> You can eventually test with 'openssl s_client ...' to see details of client side certs in kamailio -- iirc, it has the options to specify client side certificate with -cert ... -key ...
> Cheers,
> Daniel
> On 03.07.20 09:52, Mark Boyce wrote:
>> Hi Daniel
>> 
>> I’m testing with a Yealink T57W. It comes with a factory install certificate which will probably fail validation as the common name is the MAC.  
>> 
>> I'm not trying to validate the client device’s certificate, just get it to offer what it has so I can check the details.
>> 
>> Thanks
>> Mark
>> 
>>> On 3 Jul 2020, at 08:38, Daniel-Constantin Mierla <miconda at gmail.com <mailto:miconda at gmail.com>> wrote:
>>> 
>>> Hello,
>>> 
>>> what is the SIP client app you used? Is it configured to use its own tls certificate when connecting to the SIP server?
>>> 
>>> Cheers,
>>> Daniel
>>> On 02.07.20 18:51, Mark Boyce wrote:
>>>> Hi all
>>>> 
>>>> Been trying to grab the TLS cert details from incoming connections, but failing :-(
>>>> 
>>>> So with lines just before AUTH is called like this;
>>>> 
>>>>         if (proto == TLS) {
>>>>             xlog("L_INFO", "TLSDUMP $ci  peer_subject        : $tls_peer_subject\n");
>>>>         }
>>>> 
>>>> Gets met with a log line like this;
>>>> 
>>>> INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 1.2.3.4:11797 using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256
>>>> INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061
>>>> INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
>>>> ...
>>>> INFO: tls [tls_select.c:168]: get_cert(): Unable to retrieve peer TLS certificate from SSL structure
>>>> 
>>>> This is with verify_certificate and require_certificate set to no in tls.cfg
>>>> 
>>>> If I try and set the following in tls.cfg
>>>> 
>>>> [server:default]
>>>> method = TLSv1.2+
>>>> verify_certificate = no
>>>> require_certificate = yes
>>>> 
>>>> I see in the logs;
>>>> 
>>>> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSs<default>: tls_method=22
>>>> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/kamailio/tls-certs/cert.pem'
>>>> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'
>>>> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
>>>> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=1
>>>> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
>>>> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/kamailio/tls-certs/privkey.pem'
>>>> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=0
>>>> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
>>>> NOTICE: tls [tls_domain.c:1095]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...
>>>> INFO: tls [tls_domain.c:692]: set_verification(): TLSs<default>: Client MUST present valid certificate
>>>> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSc<default>: tls_method=20
>>>> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSc<default>: certificate='(null)'
>>>> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSc<default>: ca_list='(null)'
>>>> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSc<default>: crl='(null)'
>>>> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>: require_certificate=1
>>>> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSc<default>: cipher_list='(null)'
>>>> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSc<default>: private_key='(null)'
>>>> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>: verify_certificate=1
>>>> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSc<default>: verify_depth=9
>>>> INFO: tls [tls_domain.c:692]: set_verification(): TLSc<default>: Server MUST present valid certificate
>>>> ...
>>>> ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
>>>> 
>>>> Which looks like verification is being enabled when I add require?
>>>> 
>>>> 
>>>> 
>>>> Would someone be kind enough to point out what I am missing please? (Assuming it’s not a bug :-)
>>>> 
>>>> 
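The following is an added configuration sketch, not code from the thread or from the Kamailio project, showing the two settings used together for actual mutual TLS and a route that only trusts $tls_peer_subject once the chain has validated; the ca.pem path and the route name TLS_PEER_CHECK are assumptions.

```kamailio
# --- tls.cfg (added example) ---
# require_certificate only rejects clients that send no certificate; it
# does not make the phone send one, that is a client-side setting.
# verify_certificate checks the presented chain against ca_list, so a
# factory cert whose issuer is not in ca.pem will fail the handshake.
[server:default]
method = TLSv1.2+
certificate = /etc/kamailio/tls-certs/cert.pem
private_key = /etc/kamailio/tls-certs/privkey.pem
ca_list = /etc/kamailio/tls-certs/ca.pem     # placeholder: CA that signed the phone certs
verify_certificate = yes
require_certificate = yes
verify_depth = 9

# --- kamailio.cfg fragment (added example), called before authentication ---
route[TLS_PEER_CHECK] {
    if (proto != TLS) return;

    # $tls_peer_verified is 1 only when the client presented a certificate
    # AND it validated against ca_list; with verify_certificate = no it
    # stays 0 even if a certificate was sent, so do not log the subject
    # as if it were an identity in that case.
    if ($tls_peer_verified == 1) {
        xlog("L_INFO", "TLSDUMP $ci peer_subject: $tls_peer_subject issuer: $tls_peer_issuer serial: $tls_peer_serial\n");
        return;
    }

    # Either no certificate was sent (the tls_accept() message seen in the
    # thread) or it failed validation; refuse the request before AUTH so an
    # unverified peer never reaches credential checking.
    xlog("L_WARN", "TLSDUMP $ci unverified or missing client certificate from $si:$sp\n");
    sl_send_reply("403", "Client certificate required");
    exit;
}
```

With verify_certificate = no and require_certificate = no (the original test setup) Kamailio will still accept a certificate if the phone offers one, and $tls_peer_subject is populated, but $tls_peer_verified stays 0 and the subject must be treated as unauthenticated data.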
