[SR-Users] please help to configure tls in kamailio for webrtc client like simpl5

David Villasmil david.villasmil.work at gmail.com
Thu Jul 15 11:33:07 CEST 2021


Back when I did my first TLS, I did it with

https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/

It worked for me on the first try.

Maybe give it a try.

David

On Thu, 15 Jul 2021 at 11:02, ThanhTruong <thanhtruong217 at gmail.com> wrote:

> Hi Henning and all,
>
> I can restart kamailio without error, so I think kamailio can access the
> cert files, am I right?
>
> Next, I can check the TLS configuration via some commands, and the result is like:
>
>
> openssl s_client -connect mydomain.com:4443
>
> result is:
>
> CONNECTED(00000003)
> depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN
> = mydomain.com, emailAddress = thanhtruong217 at gmail.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/
> C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>    i:/
> C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>  1 s:/
> C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>    i:/
> C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> IKqnZKfVhfs=
> -----END CERTIFICATE-----
>
> subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>
> issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2890 bytes and written 391 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
> 047913A6C905B007C53EB31C51CBED00FDF8BBBBC8ACDA79238314C3AF899776
>     Session-ID-ctx:
>     Master-Key:
> 98D20DD5C85389F6BA32F0CADC76789D03BA3534D45F446418120E8358ACE5142FC21C02E0E3E22090A9E5920F8AB835
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>
>     Start Time: 1626338959
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
>
> or the normal TLS port 5061:
>
>  openssl s_client -connect mydomain.com:5061 -tls1
> CONNECTED(00000003)
> depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN
> = mydomain.com, emailAddress = thanhtruong217 at gmail.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/
> C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>    i:/
> C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>  1 s:/
> C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>    i:/
> C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIEVDCCAzygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtTELMAkGA1UEBhMCVVMx
> xxxxxxxxxx...
> IKqnZKfVhfs=
> -----END CERTIFICATE-----
>
> subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>
> issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2896 bytes and written 307 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : ECDHE-RSA-AES256-SHA
>     Session-ID:
> EF724C7926D18D0B727709E4D42650D2141EA44771E3FF8B566161F51095B0C7
>     Session-ID-ctx:
>     Master-Key:
> 61C323CD42A4447B4E662958EA4E5F9DE039A4F257342BBAED236E3B811D6052192FEC36CC245D810A847B9E5FFF54C6
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>
>     Start Time: 1626339048
>     Timeout   : 7200 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
>
>
>
> So, I am not sure what my issue is or what is wrong here. Or can you help me to check
> more?
>
> Thanks,
> ThanhTruon
>
> On Jul 15, 2021, at 15:33, Henning Westerholt <hw at skalatan.de> wrote:
>
> Hello,
>
> Please format your e-mail only in black – it's really hard to read (it
> might be related to my client, though).
>
> Have you already checked the file system access rights to the certs if
> kamailio can actually read them?
>
> Cheers,
>
> Henning
>
> --
> Henning Westerholt – https://skalatan.de/blog/
> Kamailio services – https://gilawa.com
>
> *From:* sr-users <sr-users-bounces at lists.kamailio.org> *On Behalf Of *
> ThanhTruong
> *Sent:* Thursday, July 15, 2021 5:09 AM
> *To:* Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
> *Subject:* Re: [SR-Users] please help to configure tls in kamailio for
> webrtc client like simpl5
>
> Hello Fred and all,
>
> I tried some changes, and the results are below.
>
> with:
>
> [server:default]
> method = SSLv23
> verify_certificate = no
> require_certificate = no
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = yes
> require_certificate = yes
> ~
>
> error log:
>
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls
> [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls
> [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls
> [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls
> [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>
>
> With settings:
>
> [server:default]
> method = SSLv23
> verify_certificate = no
> require_certificate = no
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
> ~
>
> and error log:
>
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls
> [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls
> [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls
> [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls
> [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: <core>
> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading
> - c: 0x7fd64ee4bfc0 r: 0x7fd64ee4c0e8 (-1)
>
>
> and tried:
>
> [server:default]
> method = SSLv23
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> and error log:
>
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls
> [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls
> [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls
> [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls
> [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: <core>
> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading
> - c: 0x7f222a018fc0 r: 0x7f222a0190e8 (-1)
>
>
> Then, I tried with TLSv1+:
>
>
> [server:default]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
>
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> and log is:
>
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls
> [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls
> [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls
> [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls
> [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: <core>
> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading
> - c: 0x7f9fd21cefc0 r: 0x7f9fd21cf0e8 (-1)
>
>
> I am sorry to bother you all, but I don't know how to get it working;
> please suggest.
>
> Thank you so much.
>
>
>
> On Jul 15, 2021, at 01:10, Fred Posner <fred at palner.com> wrote:
>
> On 7/14/21 2:04 PM, ThanhTruong wrote:
>
> verify_certificate =yes
> require_certificate =yes
>
>
> Change both of those to no in your case.
>
> --
> Fred Posner -- www.palner.com
> Matrix: @fred:matrix.lod.com
>
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
>  * sr-users at lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only to
> the sender!
> Edit mailing list options or unsubscribe:
>  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>
>
-- 
Regards,

David Villasmil
email: david.villasmil.work at gmail.com
phone: +34669448337
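An added example from the editor, not code from the thread or from the Kamailio project: it lints a Kamailio tls.cfg for the three settings the thread cycles through (method, require_certificate, verify_certificate) and pulls the verify result out of openssl s_client output, which is what the browser's "certificate unknown" alert in the Kamailio log corresponds to. The sample config and output lines are copied from the thread; the reading that require_certificate=yes in a server profile rejects peers that present no certificate (so ordinary browsers) is an assumption taken from the tls module's documented meaning of that key.

```python
import configparser
import re

# Constructed sample input: the thread's last tls.cfg attempt and two lines of its s_client output.
SAMPLE_TLS_CFG = """\
[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /etc/certs/mydomain.com/key.pem
certificate = /etc/certs/mydomain.com/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
[client:default]
verify_certificate = no
require_certificate = no
"""
SAMPLE_S_CLIENT = """\
    Protocol  : TLSv1
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# Kamailio tls.cfg "method" values that still allow TLS 1.1 or older; "X+" means X or newer.
PRE_TLS12 = {"SSLv2", "SSLv3", "SSLv23", "TLSv1", "TLSv1.1"}

def lint_tls_cfg(text):
    """Return (section, finding) pairs for settings that break browser clients or weaken TLS."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec, role = cp[name], name.split(":")[0]
        method = sec.get("method")
        if method and method.rstrip("+") in PRE_TLS12:
            findings.append((name, f"method {method} admits TLS 1.1 or older; prefer TLSv1.2+"))
        # Assumption (tls module docs): a server that requires a peer cert rejects browsers.
        if role == "server" and sec.get("require_certificate", "no") == "yes":
            findings.append((name, "require_certificate=yes blocks browser (WSS) clients"))
        if role == "client" and sec.get("verify_certificate", "no") == "no":
            findings.append((name, "verify_certificate=no leaves outbound peers unauthenticated"))
    return findings

def explain_s_client(output):
    """Extract the verify result and negotiated protocol from openssl s_client output."""
    m = re.search(r"Verify return code: (\d+) \((.*)\)", output)
    proto = re.search(r"Protocol\s*:\s*(\S+)", output)
    code = int(m.group(1)) if m else None
    # Non-zero code: the chain is untrusted by the local CA store; a browser then alerts.
    return {"verify_code": code, "reason": m.group(2) if m else "no verify result",
            "protocol": proto.group(1) if proto else None, "chain_trusted": code == 0}
```

A verify code of 19 with a self-signed chain means no browser will accept the certificate regardless of the Kamailio settings, which is why a publicly trusted certificate (as in the Let's Encrypt guide linked above) resolves the handshake failure.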