[SR-Users] please help to configure tls in kamailio for webrtc client like simpl5

ThanhTruong thanhtruong217 at gmail.com
Thu Jul 15 10:56:41 CEST 2021


Hi Henning and all,

I can restart kamailio without error, so I think kamailio can access the cert files. Am I right?

Next, I can check the TLS configuration via some commands, and the result is like:


openssl s_client -connect mydomain.com:4443

result is:

CONNECTED(00000003)
depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217 at gmail.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
 1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
IKqnZKfVhfs=
-----END CERTIFICATE-----
subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
---
No client certificate CA names sent
---
SSL handshake has read 2890 bytes and written 391 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 047913A6C905B007C53EB31C51CBED00FDF8BBBBC8ACDA79238314C3AF899776
    Session-ID-ctx: 
    Master-Key: 98D20DD5C85389F6BA32F0CADC76789D03BA3534D45F446418120E8358ACE5142FC21C02E0E3E22090A9E5920F8AB835
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1626338959
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---


or the normal TLS port 5061:

 openssl s_client -connect mydomain.com:5061 -tls1
CONNECTED(00000003)
depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217 at gmail.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
 1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEVDCCAzygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtTELMAkGA1UEBhMCVVMx
xxxxxxxxxx...
IKqnZKfVhfs=
-----END CERTIFICATE-----
subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
---
No client certificate CA names sent
---
SSL handshake has read 2896 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: EF724C7926D18D0B727709E4D42650D2141EA44771E3FF8B566161F51095B0C7
    Session-ID-ctx: 
    Master-Key: 61C323CD42A4447B4E662958EA4E5F9DE039A4F257342BBAED236E3B811D6052192FEC36CC245D810A847B9E5FFF54C6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1626339048
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)



So, I am not sure what my issue is or what is wrong here. Or can you help me to check more?

Thanks,
ThanhTruon

> On Jul 15, 2021, at 15:33, Henning Westerholt <hw at skalatan.de> wrote:
> 
> Hello,
>  
> please format your e-mail only with black – it's really hard to read (it might be related to my client, though).
>  
> Have you already checked the file system access rights to the certs if kamailio can actually read them?
>  
> Cheers,
>  
> Henning
>  
> -- 
> Henning Westerholt – https://skalatan.de/blog/ <https://skalatan.de/blog/>
> Kamailio services – https://gilawa.com <https://gilawa.com/>
>  
> From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of ThanhTruong
> Sent: Thursday, July 15, 2021 5:09 AM
> To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
> Subject: Re: [SR-Users] please help to configure tls in kamailio for webrtc client like simpl5
>  
> Hello Fred and all,
>  
> I tried some changes, and the results are below.
>  
> with:
>  
> [server:default]
> method = SSLv23
> verify_certificate = no
> require_certificate = no
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>  
> [client:default]
> verify_certificate = yes
> require_certificate = yes
>  
> error log:
>  
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>  
>  
> With settings:
>  
> [server:default]
> method = SSLv23
> verify_certificate = no
> require_certificate = no
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>  
> [client:default]
> verify_certificate = no
> require_certificate = no
>  
> and error log:
>  
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fd64ee4bfc0 r: 0x7fd64ee4c0e8 (-1)
>  
>  
> and tried:
>  
> [server:default]
> method = SSLv23
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>  
> [client:default]
> verify_certificate = no
> require_certificate = no
>  
> and error log:
>  
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f222a018fc0 r: 0x7f222a0190e8 (-1)
>  
>  
> Then, I tried with TLSv1+
>  
>  
> [server:default]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>  
> [client:default]
> verify_certificate = no
> require_certificate = no
>  
> and log is:
>  
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f9fd21cefc0 r: 0x7f9fd21cf0e8 (-1)
>  
>  
> I am sorry to bother you and all, but I don't know how to get it working. Please suggest.
>  
> Thank you so much.
>  
> 
> 
> On Jul 15, 2021, at 01:10, Fred Posner <fred at palner.com <mailto:fred at palner.com>> wrote:
>  
> On 7/14/21 2:04 PM, ThanhTruong wrote:
> 
> verify_certificate =yes
> require_certificate =yes
> 
> Change both of those to no in your case.
> 
> -- 
> Fred Posner -- www.palner.com <http://www.palner.com/>
> Matrix: @fred:matrix.lod.com <http://matrix.lod.com/>
> 
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
>  * sr-users at lists.kamailio.org <mailto:sr-users at lists.kamailio.org>
> Important: keep the mailing list in the recipients, do not reply only to the sender!
> Edit mailing list options or unsubscribe:
>  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
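As an added example (not code from the thread or from the Kamailio project), this Python script audits the quoted tls.cfg for the two points raised above: whether the kamailio runtime user can actually read key.pem, cert.pem and ca_list, and whether a server profile sets require_certificate=yes, which asks browsers for a client certificate they do not have. The demo stat function, the file modes and uid 1000 are constructed assumptions.

```python
"""Audit a Kamailio tls.cfg offline: file readability for the kamailio user and client-cert demands."""
import configparser
import os
import stat

# Constructed copy of the poster's last tls.cfg, with the paths given in the thread.
SAMPLE_CFG = """[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /etc/certs/mydomain.com/key.pem
certificate = /etc/certs/mydomain.com/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
[client:default]
verify_certificate = no
require_certificate = no
"""

def readable_by(mode, owner, group, uid, gids):
    """POSIX read check: root always; otherwise the owner, group or other r-bit applies."""
    if uid == 0:
        return True
    bit = stat.S_IRUSR if owner == uid else stat.S_IRGRP if group in gids else stat.S_IROTH
    return bool(mode & bit)

def demo_stat(path):
    """Simulated host (constructed): key.pem is root-owned 0600, the certificates are 0644."""
    return os.stat_result((0o100600 if path.endswith("key.pem") else 0o100644, 0, 0, 1, 0, 0, 0, 0, 0, 0))

def audit(cfg_text, uid, gids, stat_fn=os.stat):
    """Return a list of findings; pass stat_fn=demo_stat to run without the real files."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    findings = []
    for section in cp.sections():
        opts = cp[section]
        if section.startswith("server") and opts.get("require_certificate", "no").lower() == "yes":
            findings.append(f"{section}: require_certificate=yes demands a client certificate that browsers do not present")
        for key, path in ((k, opts[k]) for k in ("private_key", "certificate", "ca_list") if k in opts):
            try:
                st = stat_fn(path)
            except OSError as exc:
                findings.append(f"{section}: {key} {path}: {exc.strerror or exc}")
                continue
            if not readable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                findings.append(f"{section}: {key} {path} is not readable by uid {uid}")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CFG, uid=1000, gids={1000}, stat_fn=demo_stat), sep="\n")
```

Note that the "sslv3 alert certificate unknown" in the logs is received by Kamailio during accept, i.e. the client rejected the server certificate, which is what a browser does with the self-signed demoCA chain (verify return code 19 above) regardless of the server-side verify settings.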