[SR-Users] please help to configure tls in kamailio for webrtc client like simpl5
ThanhTruong
thanhtruong217 at gmail.com
Thu Jul 15 10:56:41 CEST 2021
Hi Henning and all,
I can restart Kamailio without error, so I think Kamailio can access the cert files, am I right?
Next, I can check the TLS configuration via some commands, with results like:
openssl s_client -connect mydomain.com:4443
The result is:
CONNECTED(00000003)
depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217 at gmail.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
IKqnZKfVhfs=
-----END CERTIFICATE-----
subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
---
No client certificate CA names sent
---
SSL handshake has read 2890 bytes and written 391 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 047913A6C905B007C53EB31C51CBED00FDF8BBBBC8ACDA79238314C3AF899776
Session-ID-ctx:
Master-Key: 98D20DD5C85389F6BA32F0CADC76789D03BA3534D45F446418120E8358ACE5142FC21C02E0E3E22090A9E5920F8AB835
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - fa 90 a9 99 5e 02 04 26-ae bf ce f4 05 06 87 e0 ....^..&........
0010 - d5 a7 f2 74 ac 4a 7d 0b-ae ba 53 a4 89 14 95 52 ...t.J}...S....R
0020 - 68 53 ea 9b e2 1d 23 ae-77 86 6b 74 21 5e 1e 88 hS....#.w.kt!^..
0030 - 50 75 3f e4 2a 7a 95 63-5a 87 58 b8 ac c1 ae 85 Pu?.*z.cZ.X.....
0040 - d9 73 3d 4d 5f 27 df 37-37 98 02 15 0c 3c 62 96 .s=M_'.77....<b.
0050 - 50 22 cd 2c e9 b0 aa ba-3e e0 9e a5 65 17 35 3f P".,....>...e.5?
0060 - d5 2d 37 4a 99 1a 19 42-aa 63 6a 74 8b fe 70 72 .-7J...B.cjt..pr
0070 - b6 cc 3d e1 b1 f8 da ee-9c 31 db 25 eb 2a 22 f5 ..=......1.%.*".
0080 - 38 87 13 aa 13 c1 4c c4-f9 1a 83 1c 38 a8 a9 15 8.....L.....8...
0090 - c4 70 cd 3f e5 0a 5e 5e-13 a3 13 a7 6d 29 0e 70 .p.?..^^....m).p
00a0 - fc 09 ee df e0 89 f6 48-29 04 1e 69 65 92 f0 e7 .......H)..ie...
Start Time: 1626338959
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
or on the normal TLS port 5061:
openssl s_client -connect mydomain.com:5061 -tls1
CONNECTED(00000003)
depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217 at gmail.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEVDCCAzygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtTELMAkGA1UEBhMCVVMx
xxxxxxxxxx...
IKqnZKfVhfs=
-----END CERTIFICATE-----
subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
---
No client certificate CA names sent
---
SSL handshake has read 2896 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: EF724C7926D18D0B727709E4D42650D2141EA44771E3FF8B566161F51095B0C7
Session-ID-ctx:
Master-Key: 61C323CD42A4447B4E662958EA4E5F9DE039A4F257342BBAED236E3B811D6052192FEC36CC245D810A847B9E5FFF54C6
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 45 b4 44 76 46 b2 f5 a5-39 a4 ec 4e 53 22 5c 20 E.DvF...9..NS"\
0010 - d5 a7 f2 74 ac 4a 7d 0b-ae ba 53 a4 89 14 95 52 ...t.J}...S....R
0020 - fe 69 4e 7a 3e 23 ff 41-62 54 f1 71 f5 a3 a4 3f .iNz>#.AbT.q...?
0030 - 99 81 5c d9 71 b6 82 be-7e 17 19 a7 d3 55 6a c9 ..\.q...~....Uj.
0040 - 9f 9c da ef ef 35 54 30-6e 60 6f f1 e2 13 6c 95 .....5T0n`o...l.
0050 - 7e 2a 48 7b 07 51 57 2d-7d 69 7a 8a 46 34 9d 32 ~*H{.QW-}iz.F4.2
0060 - b4 7f 4b a4 61 c6 3a 13-3d 86 af cf 22 be 50 63 ..K.a.:.=...".Pc
0070 - 93 41 3e 18 d3 37 38 bc-cb b2 83 ea 63 8a 1c c0 .A>..78.....c...
0080 - 5a a4 ed 35 18 85 17 9d-24 7c 87 25 ff 98 11 eb Z..5....$|.%....
0090 - f6 1d 89 41 9b ba a1 18-03 0a 90 90 bd 76 c8 80 ...A.........v..
00a0 - 44 1f 3a 8c 99 ac 2f ef-a5 e2 22 a6 58 9a e8 2a D.:.../...".X..*
Start Time: 1626339048
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
So I am not sure what my issue is here, or can you help me check further?
Thanks,
ThanhTruon
> On Jul 15, 2021, at 15:33, Henning Westerholt <hw at skalatan.de> wrote:
>
> Hello,
>
> please format your e-mail only with black – it's really hard to read (it might be related to my client, though).
>
> Have you already checked the file system access rights to the certs if kamailio can actually read them?
>
> Cheers,
>
> Henning
>
> --
> Henning Westerholt – https://skalatan.de/blog/
> Kamailio services – https://gilawa.com
>
> From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of ThanhTruong
> Sent: Thursday, July 15, 2021 5:09 AM
> To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
> Subject: Re: [SR-Users] please help to configure tls in kamailio for webrtc client like simpl5
>
> Hello Fred and all,
>
> I tried some changes, and the results are below.
>
> with:
>
> [server:default]
> method = SSLv23
> verify_certificate = no
> require_certificate = no
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = yes
> require_certificate = yes
>
> error log:
>
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>
>
> With settings:
>
> [server:default]
> method = SSLv23
> verify_certificate = no
> require_certificate = no
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> and error log:
>
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fd64ee4bfc0 r: 0x7fd64ee4c0e8 (-1)
>
>
> and tried:
>
> [server:default]
> method = SSLv23
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> and error log:
>
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f222a018fc0 r: 0x7f222a0190e8 (-1)
>
>
> Then I tried with TLSv1+:
>
>
> [server:default]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> and log is:
>
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f9fd21cefc0 r: 0x7f9fd21cf0e8 (-1)
>
>
> I am sorry to bother you all, but I don't know how to get it working; please suggest.
>
> thank you so much.
>
>
>
> On Jul 15, 2021, at 01:10, Fred Posner <fred at palner.com> wrote:
>
> On 7/14/21 2:04 PM, ThanhTruong wrote:
>
> verify_certificate =yes
> require_certificate =yes
>
> Change both of those to no in your case.
>
> --
> Fred Posner -- www.palner.com
> Matrix: @fred:matrix.lod.com
>
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
> * sr-users at lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only to the sender!
> Edit mailing list options or unsubscribe:
> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
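The two symptoms in this thread are the same condition seen from two sides: s_client reports "Verify return code: 19 (self signed certificate in certificate chain)" at depth 1, meaning the chain Kamailio sends is complete but its root (the demoCA cert) is not in the client's trust store, and a client in that state aborts the handshake with an alert, which Kamailio logs as "sslv3 alert certificate unknown". The script below is an added example, not code from the thread, from the poster or from Kamailio: it builds a throwaway PKI laid out like the poster's (a self-signed demoCA, a leaf for mydomain.com, and an unrelated key), then runs the offline checks a practitioner would do before touching tls.cfg: does `private_key` belong to `certificate`, does `certificate` chain to `ca_list`, which cert is self-signed, and what verify error a client that does not trust demoCA gets. It assumes only that `openssl` is on PATH; all file names and the test PKI are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread or from Kamailio. Assumes only that
# `openssl` is on PATH. The PKI it checks is a throwaway one built below, laid
# out like the poster's files: a self-signed demoCA and a leaf for mydomain.com.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf so the example does not depend on the system config.
# $1 = output file, $2 = CN to put in the subject
write_cnf() {
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n'
    printf '[dn]\nCN = %s\n' "$2"
    printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n'
  } > "$1"
}

# Constructed test PKI (not the poster's real certificates): demoCA signs a
# leaf for mydomain.com; wrong.key is an unrelated key for the mismatch case.
make_test_pki() {
  write_cnf "$WORK/ca.cnf" demoCA
  write_cnf "$WORK/leaf.cnf" mydomain.com
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
    -keyout "$WORK/key.pem" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/cert.pem" >/dev/null 2>&1 || return 1
  openssl genrsa -out "$WORK/wrong.key" 2048 >/dev/null 2>&1
}

# Check 1: private_key must belong to certificate. Compares the public key
# extracted from each side; a mismatch breaks every handshake on the server
# side, whatever the client trusts.
key_matches_cert() { # $1 = cert.pem, $2 = key.pem
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 2: certificate must chain to the file given as ca_list. Passing here is
# what s_client shows as "Verify return code: 0 (ok)" when run with -CAfile.
chain_verifies() { # $1 = cert.pem, $2 = ca.pem
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 3: issuer == subject, i.e. self-signed. Expected for demoCA only; a
# self-signed leaf would mean the CA was never used to sign it.
is_self_signed() { # $1 = cert.pem
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) || return 1
  i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null) || return 1
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# Check 4: what a client that does NOT trust demoCA sees. The CA is offered only
# as an untrusted chain element (as the server does in the handshake) against
# an empty trust store; prints the X509 verify error number, 0 when it verifies.
# 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, the code in the s_client output
# above: the chain is complete but its root is not trusted by this client.
untrusted_client_error() { # $1 = cert.pem, $2 = ca.pem
  out=$(openssl verify -no-CAfile -no-CApath -untrusted "$2" "$1" 2>&1) && { echo 0; return 0; }
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Runs the checks on one cert/key/CA triple and prints a short report.
# Returns 0 only when the server-side checks (1 and 2) pass.
report() { # $1 = cert.pem, $2 = key.pem, $3 = ca.pem
  rc=0
  if key_matches_cert "$1" "$2"; then
    echo "private_key matches certificate: yes"
  else
    echo "private_key matches certificate: NO"; rc=1
  fi
  if chain_verifies "$1" "$3"; then
    echo "certificate chains to ca_list: yes"
  else
    echo "certificate chains to ca_list: NO"; rc=1
  fi
  echo "verify error for a client that does not trust the CA: $(untrusted_client_error "$1" "$3")"
  return $rc
}

make_test_pki && report "$WORK/cert.pem" "$WORK/key.pem" "$WORK/ca.pem"
```

Point the functions at the real files (`/etc/certs/mydomain.com/cert.pem`, `/etc/certs/mydomain.com/key.pem`, `/etc/certs/demoCA/cert.pem`) to check a live install. If checks 1 and 2 pass and check 4 still reports 19, the server side is consistent and the remaining problem is trust on the client: a browser-based WebRTC client only accepts the connection once demoCA's certificate is imported into its trust store, or the server certificate comes from a CA the browser already trusts; `verify_certificate` and `require_certificate` in Kamailio's `[server:default]` only control what Kamailio demands from the client, not what the client accepts from Kamailio. Separately, the second s_client run above negotiated TLSv1; Kamailio's tls module accepts `method = TLSv1.2+` to refuse the older versions.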