[SR-Users] please help to configure tls in kamailio for webrtc client like simpl5

ThanhTruong thanhtruong217 at gmail.com
Thu Jul 15 05:09:14 CEST 2021


Hello Fred and all,

I tried some changes, and the results are below.

With:

[server:default]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/certs/webrtc.killermobile.mobi/key.pem
certificate = /etc/certs/webrtc.killermobile.mobi/cert.pem
ca_list = /etc/certs/demoCA/cert.pem

[client:default]
verify_certificate = yes
require_certificate = yes

error log:

Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170


With settings:

[server:default]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/certs/webrtc.killermobile.mobi/key.pem
certificate = /etc/certs/webrtc.killermobile.mobi/cert.pem
ca_list = /etc/certs/demoCA/cert.pem

[client:default]
verify_certificate = no
require_certificate = no

and error log:

Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fd64ee4bfc0 r: 0x7fd64ee4c0e8 (-1)


And tried:

[server:default]
method = SSLv23
verify_certificate = yes
require_certificate = yes
private_key = /etc/certs/webrtc.killermobile.mobi/key.pem
certificate = /etc/certs/webrtc.killermobile.mobi/cert.pem
ca_list = /etc/certs/demoCA/cert.pem

[client:default]
verify_certificate = no
require_certificate = no

and error log:

Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f222a018fc0 r: 0x7f222a0190e8 (-1)


Then I tried with TLSv1+:


[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /etc/certs/webrtc.killermobile.mobi/key.pem
certificate = /etc/certs/webrtc.killermobile.mobi/cert.pem
ca_list = /etc/certs/demoCA/cert.pem

[client:default]
verify_certificate = no
require_certificate = no

and log is:

Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f9fd21cefc0 r: 0x7f9fd21cf0e8 (-1)


I am sorry to bother you all, but I don't know how to get it to work. Please suggest.

Thank you so much.


> On Jul 15, 2021, at 01:10, Fred Posner <fred at palner.com> wrote:
> 
> On 7/14/21 2:04 PM, ThanhTruong wrote:
>> verify_certificate =yes
>> require_certificate =yes
> 
> Change both of those to no in your case.
> 
> -- 
> Fred Posner -- www.palner.com
> Matrix: @fred:matrix.lod.com

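Added example (not part of the original post, and not Kamailio code): a small Python decoder for the packed OpenSSL error code in the `tls_err_ret()` lines above. It assumes the OpenSSL 1.0.x/1.1.x error layout (lib, func, reason) and shows that `14094416` is a fatal alert received from the remote peer; the function names `decode` and `diagnose` are made up for this example.

```python
import re

# OpenSSL 1.0.x/1.1.x packs an error as lib(8 bits) | func(12 bits) | reason(12 bits).
# Assumption: the 8-hex-digit code in the log uses that packing (OpenSSL 3 differs).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reason = 1000 + alert number for a received alert

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

ERR_RE = re.compile(r"tls_err_ret\(\): (TLS \w+):error:([0-9A-Fa-f]{8}):")
SRC_RE = re.compile(r"source IP: (\S+)")

# Two log lines copied from the post above.
SAMPLE = [
    "Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown",
    "Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194",
]

def decode(code_hex):
    """Split a packed OpenSSL 1.x error code into lib, func, reason and alert number."""
    code = int(code_hex, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET  # alert sent by the remote peer
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}

def diagnose(lines):
    """Return one finding per TLS error line, with the peer IP from the next source line."""
    findings = []
    for line in lines:
        err = ERR_RE.search(line)
        if err:
            info = decode(err.group(2))
            info["operation"] = err.group(1)
            info["alert_name"] = CERT_ALERTS.get(info["alert"])
            # A certificate alert received during "TLS accept" means the connecting
            # peer rejected the certificate this server presented.
            info["peer_rejected_our_cert"] = info["alert_name"] is not None
            info["peer"] = None
            findings.append(info)
            continue
        src = SRC_RE.search(line)
        if src and findings and findings[-1]["peer"] is None:
            findings[-1]["peer"] = src.group(1)
    return findings
```

Because the alert originates at the connecting client, it reports that client's view of the server certificate; `verify_certificate` and `require_certificate` control how Kamailio checks the peer's certificate, which is a separate direction of the handshake.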