[SR-Users] Issue with ca-list

Joel Serrano joel at textplus.com
Fri Nov 20 19:51:04 CET 2020


Hey George,

I’m not on my computer right now, but give it a try with your settings,
changing:

ca_list=/etc/ssl/certs/ca-certificates.crt

(That is for Debian, other OS have different locations)

Using that on Debian 10 it works, but be prepared to wait a while for the
startup and potentially to increase memory limits.



On Fri, Nov 20, 2020 at 10:43 George Goglidze <george at ipcorp.co.uk> wrote:

> I can narrow it down - as the team’s part only uses Baltimore certificates
>
> That actually means one root and 4 subordinates for direct routing
> currently.
>
> I can point out exact certs you need if you cannot identify them.
>
> But can you please share your configuration to make this work? As I was
> not able to.
>
> What’s your kamailio.cfg / tls.cfg like?
>
> ------------------------------
> *From:* sr-users <sr-users-bounces at lists.kamailio.org> on behalf of Joel
> Serrano <joel at textplus.com>
> *Sent:* Friday, November 20, 2020 6:30:17 PM
>
> *To:* Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
> *Subject:* Re: [SR-Users] Issue with ca-list
>
> I have that working using the OS provided ssl CA list. That said, Kamailio
> takes >20s to startup because it has to load the entire list, and I had to
> increase memory limits.
>
> If you manage to narrow the list down please share it.
>
> On Fri, Nov 20, 2020 at 07:59 George Goglidze <george at ipcorp.co.uk> wrote:
>
> To be exact this is what my ca_list file contains:
>
> My own certificate’s root CA
>
> My own certificate’s subordinate CA
>
> Remote SIP Provider’s root CAs (there are many, over 10)
>
> Remote SIP Provider’s subordinate CAs (over 50)
>
>
>
> I’m trying Direct Routing integration with Microsoft – and there’s a big
> list of root CA’s and subordinates that Microsoft recommends you to trust
> for this purpose.
>
> Here’s the link to all certificates:
>
>
> https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption-office-365-certificate-chains?view=o365-worldwide
>
>
>
> Regards,
>
>
>
> *From: *Daniel-Constantin Mierla <miconda at gmail.com>
> *Date: *Friday, 20 November 2020 at 15:48
>
> *To: *George Goglidze <george at ipcorp.co.uk>, Kamailio (SER) - Users
> Mailing List <sr-users at lists.kamailio.org>
> *Subject: *Re: [SR-Users] Issue with ca-list
>
> Hello,
>
> does the client section ca_list file have the CA of the remote server?
>
> Cheers,
> Daniel
>
> On 20.11.20 15:56, George Goglidze wrote:
>
> Hi Daniel,
>
>
>
> No – you misunderstood me.
>
>
>
> It’s not the remote server that is not trusting us, but we are not
> trusting the remote server.
>
> My SBC (Kamailio) is sending out TLS error unknown CA.
>
>
>
> Thanks,
>
>
>
> *From: *Daniel-Constantin Mierla <miconda at gmail.com>
> *Date: *Friday, 20 November 2020 at 14:48
> *To: *Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>,
> George Goglidze <george at ipcorp.co.uk>
> *Subject: *Re: [SR-Users] Issue with ca-list
>
> Hello,
>
> On 20.11.20 11:13, George Goglidze wrote:
>
> Hi Folks,
>
>
>
> I was wondering if somebody could help me with an issue. I’m a newbie
> here, just installing Kamailio sip server.
>
> I’ve enabled TLS, and am trying to create a SIP trunk to an external SIP
> service which is TLS enabled on port 5061.
>
>
>
> I’ve configured the following in tls.cfg:
>
> [server:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/certs/sbc-private.pem
> certificate = /etc/kamailio/certs/godaddy.pem
> ca_list = /etc/kamailio/certs/calist.pem
>
>
>
> In the section above, ca_list = calist.pem contains all the CAs and
> subordinates of the destination server.
>
> private_key and certificate are of my own server (public, GoDaddy signed).
>
>
>
> [client:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/certs/sbc-private.pem
> certificate = /etc/kamailio/certs/godaddy.pem
> ca_list = /etc/kamailio/certs/godaddyca.pem
>
>
>
> In the section above the ca_list is GoDaddy’s CA and subordinate.
>
>
>
>
>
> In Wireshark I can see that I’m sending out SIP OPTIONS PING (I’m
> using the dispatcher module).
>
> Then the server replies with TLS SERVER HELLO, which includes its
> certificate.
>
> But for some reason we are rejecting it:
>
> Alert (level: fatal, Description: Unknown CA)
>
>
>
> How should I set this up to make sure the remote server CA’s are verified?
>
>
>
> I am not sure I understand what you want to do -- to verify the list
> of CAs trusted by the remote server? This is not possible; what is trusted
> by the server is its own business. An entity can verify only whether the
> certificate presented by a peer is signed by a trusted CA from its own list
> of trusted CAs.
>
> Cheers,
> Daniel
>
> --
>
> Daniel-Constantin Mierla -- www.asipto.com
>
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>
> Funding: https://www.paypal.me/dcmierla
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
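Daniel's question in the quoted thread (does the client profile's ca_list contain the remote server's CA?) can be answered mechanically before restarting Kamailio. This is an added example, not code from the thread or from Kamailio: it parses a tls.cfg with Python's configparser, reads the bundle named by each profile's ca_list and reports how many certificates of the remote CA chain are absent from it. The config text, the paths and the PEM blocks are constructed placeholders (the PEM bodies are not real certificates); in real use the bundle contents and the remote chain would be read from disk.

```python
import base64
import configparser
import re

# Constructed tls.cfg mirroring the two profiles from the thread (paths as posted).
TLS_CFG = """[server:default]
verify_certificate = yes
require_certificate = yes
ca_list = /etc/kamailio/certs/calist.pem

[client:default]
verify_certificate = yes
require_certificate = yes
ca_list = /etc/kamailio/certs/godaddyca.pem
"""

def fake_pem(label):
    """Constructed PEM-shaped placeholder, not a real certificate; a real
    bundle is handled by exactly the same parsing code below."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed data: the remote peer's CA chain and the contents of the two ca_list files.
REMOTE_CHAIN = fake_pem("remote-root-ca") + fake_pem("remote-sub-ca")
BUNDLES = {
    "/etc/kamailio/certs/calist.pem": fake_pem("my-root") + fake_pem("my-sub") + REMOTE_CHAIN,
    "/etc/kamailio/certs/godaddyca.pem": fake_pem("godaddy-root") + fake_pem("godaddy-sub"),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_bodies(text):
    """Normalised base64 bodies of every cert in a PEM bundle. Identical bodies mean
    identical DER, so set membership is an exact identity check without OpenSSL."""
    return {re.sub(r"\s+", "", m) for m in PEM_RE.findall(text)}

def parse_tls_cfg(cfg_text):
    """Map each tls.cfg profile (e.g. 'client:default') to its ca_list path."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    return {s: cp[s]["ca_list"] for s in cp.sections() if "ca_list" in cp[s]}

def missing_cas(cfg_text, bundles, remote_chain_pem):
    """Per profile: how many certs of the remote CA chain are absent from its ca_list.
    bundles maps ca_list path -> file content (read the files from disk in real use)."""
    needed = pem_bodies(remote_chain_pem)
    return {p: len(needed - pem_bodies(bundles.get(path, "")))
            for p, path in parse_tls_cfg(cfg_text).items()}

if __name__ == "__main__":
    print(missing_cas(TLS_CFG, BUNDLES, REMOTE_CHAIN))
```

With the thread's layout the server profile reports 0 missing and the client profile 2, which is the situation that produces the Unknown CA alert when Kamailio acts as the TLS client.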