[SR-Users] Issue with ca-list

Daniel-Constantin Mierla miconda at gmail.com
Fri Nov 20 15:48:25 CET 2020


Hello,

On 20.11.20 11:13, George Goglidze wrote:
>
> Hi Folks,
>
> I was wondering if somebody could help me with an issue. I'm a newbie
> here, just installing the Kamailio SIP server.
>
> I've enabled TLS, and am trying to create a SIP trunk to an external SIP
> service which is TLS enabled on port 5061.
>
> I've configured the following in tls.cfg:
>
> [server:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/certs/sbc-private.pem
> certificate = /etc/kamailio/certs/godaddy.pem
> ca_list = /etc/kamailio/certs/calist.pem
>
> In the section above, ca_list = calist.pem contains all the CAs and
> subordinates of the destination server.
>
> private_key and certificate are of my own server (public, GoDaddy-signed).
>
> [client:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/certs/sbc-private.pem
> certificate = /etc/kamailio/certs/godaddy.pem
> ca_list = /etc/kamailio/certs/godaddyca.pem
>
> In the section above the ca_list is GoDaddy's CA and subordinate.
>
> In Wireshark I can see that I'm sending out SIP OPTIONS ping (I'm
> using the dispatcher module).
>
> Then the server replies with TLS SERVER HELLO which includes its
> certificate.
>
> But for some reason we are rejecting it:
>
> Alert (level: fatal, Description: Unknown CA)
>
> How should I set this up to make sure the remote server CAs are
> verified?
>

I am not sure I understand what you want to do -- to verify the
list of CAs trusted by the remote server? This is not possible; what is
trusted by the server is its own business. An entity can verify only if
the certificate presented by a peer is signed by a trusted CA from its
own list of trusted CAs.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
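The point in the reply above is that each side of a TLS handshake checks the certificate the *other* side presents against its *own* ca_list, so a ca_list that only holds the CA of your own certificate cannot validate a remote service's certificate. The following script is an added example and not part of the thread, the Kamailio project or Daniel's message; it uses only the openssl CLI to show the three outcomes. The CA names (remote-ca, own-ca), the host name (remote-sip) and the file names are constructed stand-ins, with own-ca playing the role of the GoDaddy CA from the poster's configuration.

```shell
#!/bin/sh
# Added example, not from the original thread: shows which ca_list decides
# a TLS verification outcome, using only the openssl CLI. The CA names
# (remote-ca, own-ca) and host name (remote-sip) are constructed stand-ins.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate + key. "openssl req -x509" marks it CA:TRUE.
make_ca() {            # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf certificate issued by the named CA (stand-in for the certificate
# the remote SIP service presents in its SERVER HELLO).
make_leaf() {          # $1 = CA name, $2 = leaf CN
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 -sha256 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# Verify a presented certificate against a ca_list file, the way the
# verifying side of a TLS handshake does. Prints "ok" or "unknown-ca".
verify_leaf() {        # $1 = ca_list file, $2 = presented certificate
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo unknown-ca   # openssl reports "unable to get local issuer certificate"
  fi
}

make_ca remote-ca          # CA of the remote SIP service
make_ca own-ca             # CA that signed our own certificate (GoDaddy stand-in)
make_leaf remote-ca remote-sip

# A ca_list bundle that also contains the remote CA: concatenating PEM
# files is how such a list is built.
cat "$WORK/own-ca.pem" "$WORK/remote-ca.pem" > "$WORK/calist.pem"

echo "remote cert vs remote CA only : $(verify_leaf "$WORK/remote-ca.pem" "$WORK/remote-sip.pem")"
echo "remote cert vs own CA only    : $(verify_leaf "$WORK/own-ca.pem" "$WORK/remote-sip.pem")"
echo "remote cert vs bundled calist : $(verify_leaf "$WORK/calist.pem" "$WORK/remote-sip.pem")"
```

The second line of output reproduces the situation from the question: checking the remote certificate against a list that holds only the CA of one's own certificate is exactly what produces an "Unknown CA" alert, while a list that includes the remote service's CA (alone or bundled with others) passes. In Kamailio terms, the ca_list of the profile used for the connection's role matters: the client profile for outbound trunks, the server profile for inbound peers. Note that `openssl verify` only checks the chain; add `-verify_hostname` to also confirm that the certificate matches the name you expect to reach.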
