[SR-Users] Issue with ca-list
Daniel-Constantin Mierla
miconda at gmail.com
Fri Nov 20 16:48:38 CET 2020
Hello,
does the client section ca_list file have the CA of the remote server?
Cheers,
Daniel
On 20.11.20 15:56, George Goglidze wrote:
> Hi Daniel,
>
> No – you misunderstood me.
>
> It’s not the remote server that is not trusting us but we are not
> trusting the remote server.
>
> My SBC (Kamailio) is sending out TLS error unknown CA.
>
> Thanks,
>
> *From: *Daniel-Constantin Mierla <miconda at gmail.com>
> *Date: *Friday, 20 November 2020 at 14:48
> *To: *Kamailio (SER) - Users Mailing List
> <sr-users at lists.kamailio.org>, George Goglidze <george at ipcorp.co.uk>
> *Subject: *Re: [SR-Users] Issue with ca-list
>
> Hello,
>
> On 20.11.20 11:13, George Goglidze wrote:
>
>> Hi Folks,
>>
>> I was wondering if somebody could help me with an issue. I’m a
>> newbie here, just installing Kamailio sip server.
>>
>> I’ve enabled TLS, and am trying to create a SIP Trunk to an external SIP
>> Service which is TLS enabled on port 5061.
>>
>> I’ve configured the following in tls.cfg:
>>
>> [server:default]
>> method = TLSv1.2+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /etc/kamailio/certs/sbc-private.pem
>> certificate = /etc/kamailio/certs/godaddy.pem
>> ca_list = /etc/kamailio/certs/calist.pem
>>
>> In the section above – ca_list = calist.pem contains all the CAs
>> and Subordinates of the destination server.
>>
>> Private_key and certificate are of my own server (public
>> godaddy-signed)
>>
>> [client:default]
>> method = TLSv1.2+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /etc/kamailio/certs/sbc-private.pem
>> certificate = /etc/kamailio/certs/godaddy.pem
>> ca_list = /etc/kamailio/certs/godaddyca.pem
>>
>> In the section above the ca_list is godaddy’s CA and subordinate.
>>
>> In wireshark I can see that I’m sending out SIP OPTIONS PING
>> (I’m using dispatcher module).
>>
>> Then the server replies with tls SERVER HELLO which includes its
>> certificate
>>
>> But for some reason we are rejecting it:
>>
>> Alert (level: fatal, Description: Unknown CA)
>>
>> How should I set this up to make sure the remote server CAs are
>> verified?
>
> I am not sure I understand what you want to do -- to verify that the
> list of CAs trusted by the remote server? This is not possible, what
> is trusted by the server is its own business. An entity can verify
> only if the presented certificate by a peer is signed by a trusted CA
> from its CAs trusted list.
>
> Cheers,
> Daniel
>
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Funding: https://www.paypal.me/dcmierla
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
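The tls.cfg below is an added example, not part of the thread and not Kamailio project configuration. It uses the file paths from George's mail and spells out which direction each ca_list applies to, which is the point of Daniel's question: the client section is what verifies the certificate of a remote server that Kamailio connects to, so its ca_list must hold the remote service's CA chain. It assumes the remote service's root and intermediate CAs are in calist.pem and that the same remote service also opens inbound connections towards this SBC (otherwise the server section's ca_list would hold whichever CAs signed the inbound peers' certificates).

```ini
# Added example (not from the thread): tls.cfg with each ca_list paired
# with the direction of the connection it actually verifies.
# Assumed layout:
#   calist.pem    - root + intermediate CAs of the remote SIP service
#   godaddyca.pem - GoDaddy chain (issuer of our own godaddy.pem)

# Inbound connections (peers connecting to this SBC).
# verify_certificate/require_certificate here apply to the certificate
# the PEER presents, so ca_list must contain the CAs that signed the
# inbound peers' certificates. Assumed here: the remote SIP service also
# connects inbound, so it is the same bundle as for outbound.
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certs/sbc-private.pem
certificate = /etc/kamailio/certs/godaddy.pem
ca_list = /etc/kamailio/certs/calist.pem

# Outbound connections (the dispatcher OPTIONS pings to the trunk on
# port 5061). The remote server's certificate is checked against THIS
# ca_list, so it must contain the remote service's CAs, not the issuer
# of our own certificate. With godaddyca.pem here the remote certificate
# has no issuer in the list, which matches the "Unknown CA" alert
# described in the thread.
[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certs/sbc-private.pem
certificate = /etc/kamailio/certs/godaddy.pem
ca_list = /etc/kamailio/certs/calist.pem
```

Before reloading Kamailio, the bundle can be checked independently with `openssl s_client -connect <remote-host>:5061 -CAfile /etc/kamailio/certs/calist.pem`; the handshake summary should end with `Verify return code: 0 (ok)`. If it reports a missing local issuer instead, the chain the remote sends stops at an intermediate that is not in calist.pem, and that intermediate has to be added to the file.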