[SR-Users] please help to configure tls in kamailio for webrtc client like simpl5

ThanhTruong thanhtruong217 at gmail.com
Thu Jul 15 16:51:49 CEST 2021


Hello Henning, and David, all

I tried to change to letsencrypt and configured it as below:

[server:default]
method = TLSv1+
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/mydomain.com/privkey.pem
certificate = /etc/letsencrypt/live/mydomain.com/fullchain.pem

[client:default]
verify_certificate = yes
require_certificate = yes

I have the same issue: I could not log in with the WebRTC client. The log looks like:

Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 27.65.214.194
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/tcp_main.c:1174]: tcpconn_new(): on port 54961, type 3, socket 40
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/tcp_main.c:1493]: tcpconn_add(): hashes: 2860:2307:2170, 10
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0x559d7996eaa0, 40, 2, 0x7f660ad93258), fd_no=32
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0x559d7996eaa0, 40, -1, 0x0) fd_no=33 called
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/tcp_main.c:4456]: handle_tcpconn_ev(): sending to child, events 1
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/tcp_main.c:4126]: send2child(): selected tcp worker idx:0 proc:10 pid:23172 for activity on [tls:172.31.44.170:4443], 0x7f660ad93258
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_read.c:1749]: handle_io(): received n=8 con=0x7f660ad93258, fd=9
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7f660ac140a8 ctx 0x7f660ac662e8 sn [])
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f660ac662e8: (nil)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:948]: tls_server_name_cb(): received server_name (TLS extension): 'mydomain.com'
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:967]: tls_server_name_cb(): TLS cfg domain selected for received server name [mydomain.com]: socket [:0] server name='' - switching SSL CTX to 0x7f660ac662e8 dom 0x7f660ac140a8 (default)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_main.c:2705]: tcpconn_do_send(): sending...
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_main.c:2738]: tcpconn_do_send(): after real write: c= 0x7f660ad93258 n=4593 fd=9
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_main.c:2739]: tcpconn_do_send(): buf=#012#026#003#003
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0x559d799da740, 9, 2, 0x7f660ad93258), fd_no=1
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f660ac662e8: (nil)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:759]: sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL renegotiation initiated by client
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:759]: sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL renegotiation initiated by client
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:759]: sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:424]: tls_accept(): TLS accept successful
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 27.65.214.194:54961 using TLSv1.3 TLS_AES_256_GCM_SHA384 256
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 172.31.44.170:4443
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:1199]: tls_h_read_f(): Reading on a renegotiation of connection (n:-1) (2)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_read.c:1515]: tcp_read_req(): EOF
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0x559d799da740, 9, -1, 0x10) fd_no=2 called
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_read.c:1884]: handle_io(): removing from list 0x7f660ad93258 id 10 fd 9, state 2, flags 4018, main fd 40, refcnt 2 ([27.65.214.194]:54961 -> [27.65.214.194]:4443)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_read.c:1668]: release_tcpconn(): releasing con 0x7f660ad93258, state -1, fd=9, id=10 ([27.65.214.194]:54961 -> [27.65.214.194]:4443)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_read.c:1672]: release_tcpconn(): extra_data 0x7f660adb5a58
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/tcp_main.c:3558]: handle_tcp_child(): reader response= 7f660ad93258, -1 from 0
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: tls [tls_server.c:683]: tls_h_tcpconn_close_f(): Closing SSL connection 0x7f660adb5a58

I do not see any error now, but I still could not register my WebRTC client.

Please help me with that.

Thank you.
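The log excerpts in this thread show two different failure shapes: the earlier runs end in an OpenSSL alert ("certificate unknown", i.e. the browser refused the self-signed chain that openssl s_client also flagged with verify code 19), while the Let's Encrypt run completes the TLS handshake (TLSv1.3, no client certificate, which is expected for a browser) and then sees an EOF, so the remaining problem is above TLS. The following Python script is an added example, not code from the thread or from the Kamailio project; it reads Kamailio tls-module log lines and openssl s_client output of the kinds pasted above and reports which layer to look at. The sample lines at the bottom are constructed to mirror the quoted ones (with a documentation IP address) and the regexes are assumptions based on those lines only.

```python
"""Triage helper for Kamailio tls-module debug logs and openssl s_client output.

Added example (not Kamailio project code). It scans log lines of the kinds
quoted in the thread and reports whether the failure sits at the TLS layer
(client refused the server certificate) or above it (handshake completed,
peer hung up afterwards). Sample input below is constructed, not real traffic.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Kamailio tls module: OpenSSL error string after a failed accept
ALERT_RE = re.compile(r"TLS accept:error:[0-9A-Fa-f]+:SSL routines:[^:]+:(?P<alert>.+)$")
# Kamailio tls module: successful accept, negotiated parameters, client cert presence
ACCEPT_OK_RE = re.compile(r"tls_accept\(\): TLS accept successful")
PARAMS_RE = re.compile(r"new connection from (?P<peer>\S+) using (?P<proto>TLSv[0-9.]+) (?P<cipher>\S+)")
NO_CLIENT_CERT_RE = re.compile(r"client did not present a certificate")
EOF_RE = re.compile(r"tcp_read_req\(\): EOF")
# openssl s_client summary line
VERIFY_RC_RE = re.compile(r"Verify return code: (?P<rc>\d+) \((?P<reason>[^)]*)\)")


@dataclass
class TlsTriage:
    handshake_ok: bool = False
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    peer: Optional[str] = None
    client_cert_presented: Optional[bool] = None
    alerts: List[str] = field(default_factory=list)
    eof_after_handshake: bool = False
    verify_rc: Optional[int] = None
    verify_reason: Optional[str] = None

    def diagnosis(self) -> str:
        """Map the collected facts to the layer that needs attention."""
        if any("certificate unknown" in a for a in self.alerts):
            return ("TLS layer: the client rejected the server certificate (alert "
                    "'certificate unknown'); the chain is not trusted by the client, "
                    "so fix the certificate/CA rather than verify_certificate")
        if self.verify_rc == 19:
            return ("TLS layer: chain ends in a self-signed CA (verify code 19); "
                    "browsers will refuse it, use a publicly trusted issuer")
        if self.alerts:
            return "TLS layer: handshake failed with alert(s): " + "; ".join(self.alerts)
        if self.handshake_ok and self.eof_after_handshake:
            return ("application layer: TLS handshake completed "
                    f"({self.protocol} {self.cipher}) and the peer closed the connection "
                    "afterwards; look at the WebSocket upgrade and SIP handling, "
                    "not at the TLS configuration")
        if self.handshake_ok:
            return f"TLS handshake completed ({self.protocol} {self.cipher}), connection still open"
        return "no TLS handshake outcome found in the supplied lines"


def triage_lines(lines: Iterable[str]) -> TlsTriage:
    """Scan log lines in order and collect the handshake facts they carry."""
    t = TlsTriage()
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            t.alerts.append(m.group("alert").strip())
            continue
        if ACCEPT_OK_RE.search(line):
            t.handshake_ok = True
            continue
        m = PARAMS_RE.search(line)
        if m:
            t.peer, t.protocol, t.cipher = m.group("peer"), m.group("proto"), m.group("cipher")
            continue
        if NO_CLIENT_CERT_RE.search(line):
            t.client_cert_presented = False
            continue
        if EOF_RE.search(line) and t.handshake_ok:
            # an EOF only counts as "after handshake" once accept succeeded
            t.eof_after_handshake = True
            continue
        m = VERIFY_RC_RE.search(line)
        if m:
            t.verify_rc = int(m.group("rc"))
            t.verify_reason = m.group("reason")
    return t


# Constructed sample input modelled on the thread's excerpts (documentation IP, not real)
SAMPLE_LETSENCRYPT = """\
kamailio[23172]: DEBUG: tls [tls_server.c:424]: tls_accept(): TLS accept successful
kamailio[23172]: DEBUG: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 203.0.113.10:54961 using TLSv1.3 TLS_AES_256_GCM_SHA384 256
kamailio[23172]: DEBUG: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
kamailio[23172]: DEBUG: <core> [core/tcp_read.c:1515]: tcp_read_req(): EOF
"""
SAMPLE_SELFSIGNED = """\
kamailio[17590]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
kamailio[17590]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
"""
SAMPLE_OPENSSL = """\
verify error:num=19:self signed certificate in certificate chain
    Verify return code: 19 (self signed certificate in certificate chain)
"""

if __name__ == "__main__":
    for name, text in (("letsencrypt", SAMPLE_LETSENCRYPT),
                       ("selfsigned", SAMPLE_SELFSIGNED),
                       ("openssl", SAMPLE_OPENSSL)):
        print(f"{name}: {triage_lines(text.splitlines()).diagnosis()}")
```

Feed it `journalctl -u kamailio` output or a saved `openssl s_client` transcript on stdin-split lines; the point of the ordering check is that "client did not present a certificate" is normal for a browser and an EOF after a successful accept is not a TLS error, so the next thing to inspect is the WebSocket listener and the SIP registration path rather than the tls module parameters.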


> On Jul 15, 2021, at 16:33, David Villasmil <david.villasmil.work at gmail.com> wrote:
> 
> Back when I did my first TLS, I did it with 
> 
> https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/
> It worked for me on the first try.
> 
> Maybe give it a try.
> 
> David
> 
> On Thu, 15 Jul 2021 at 11:02, ThanhTruong <thanhtruong217 at gmail.com> wrote:
> Hi Henning and all,
> 
> I can restart Kamailio without error, so I think Kamailio can access the cert files, am I right?
> 
> Next, I can check the TLS configuration via some commands, and the result is like:
> 
> 
> openssl s_client -connect mydomain.com:4443
> 
> result is:
> 
> CONNECTED(00000003)
> depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217 at gmail.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>    i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>  1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>    i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> IKqnZKfVhfs=
> -----END CERTIFICATE-----
> subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2890 bytes and written 391 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 047913A6C905B007C53EB31C51CBED00FDF8BBBBC8ACDA79238314C3AF899776
>     Session-ID-ctx: 
>     Master-Key: 98D20DD5C85389F6BA32F0CADC76789D03BA3534D45F446418120E8358ACE5142FC21C02E0E3E22090A9E5920F8AB835
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - fa 90 a9 99 5e 02 04 26-ae bf ce f4 05 06 87 e0   ....^..&........
>     0010 - d5 a7 f2 74 ac 4a 7d 0b-ae ba 53 a4 89 14 95 52   ...t.J}...S....R
>     0020 - 68 53 ea 9b e2 1d 23 ae-77 86 6b 74 21 5e 1e 88   hS....#.w.kt!^..
>     0030 - 50 75 3f e4 2a 7a 95 63-5a 87 58 b8 ac c1 ae 85   Pu?.*z.cZ.X.....
>     0040 - d9 73 3d 4d 5f 27 df 37-37 98 02 15 0c 3c 62 96   .s=M_'.77....<b.
>     0050 - 50 22 cd 2c e9 b0 aa ba-3e e0 9e a5 65 17 35 3f   P".,....>...e.5?
>     0060 - d5 2d 37 4a 99 1a 19 42-aa 63 6a 74 8b fe 70 72   .-7J...B.cjt..pr
>     0070 - b6 cc 3d e1 b1 f8 da ee-9c 31 db 25 eb 2a 22 f5   ..=......1.%.*".
>     0080 - 38 87 13 aa 13 c1 4c c4-f9 1a 83 1c 38 a8 a9 15   8.....L.....8...
>     0090 - c4 70 cd 3f e5 0a 5e 5e-13 a3 13 a7 6d 29 0e 70   .p.?..^^....m).p
>     00a0 - fc 09 ee df e0 89 f6 48-29 04 1e 69 65 92 f0 e7   .......H)..ie...
> 
>     Start Time: 1626338959
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> 
> 
> or the normal TLS port 5061:
> 
>  openssl s_client -connect mydomain.com:5061 -tls1
> CONNECTED(00000003)
> depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217 at gmail.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>    i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>  1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
>    i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIEVDCCAzygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtTELMAkGA1UEBhMCVVMx
> xxxxxxxxxx...
> IKqnZKfVhfs=
> -----END CERTIFICATE-----
> subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2896 bytes and written 307 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : ECDHE-RSA-AES256-SHA
>     Session-ID: EF724C7926D18D0B727709E4D42650D2141EA44771E3FF8B566161F51095B0C7
>     Session-ID-ctx: 
>     Master-Key: 61C323CD42A4447B4E662958EA4E5F9DE039A4F257342BBAED236E3B811D6052192FEC36CC245D810A847B9E5FFF54C6
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - 45 b4 44 76 46 b2 f5 a5-39 a4 ec 4e 53 22 5c 20   E.DvF...9..NS"\ 
>     0010 - d5 a7 f2 74 ac 4a 7d 0b-ae ba 53 a4 89 14 95 52   ...t.J}...S....R
>     0020 - fe 69 4e 7a 3e 23 ff 41-62 54 f1 71 f5 a3 a4 3f   .iNz>#.AbT.q...?
>     0030 - 99 81 5c d9 71 b6 82 be-7e 17 19 a7 d3 55 6a c9   ..\.q...~....Uj.
>     0040 - 9f 9c da ef ef 35 54 30-6e 60 6f f1 e2 13 6c 95   .....5T0n`o...l.
>     0050 - 7e 2a 48 7b 07 51 57 2d-7d 69 7a 8a 46 34 9d 32   ~*H{.QW-}iz.F4.2
>     0060 - b4 7f 4b a4 61 c6 3a 13-3d 86 af cf 22 be 50 63   ..K.a.:.=...".Pc
>     0070 - 93 41 3e 18 d3 37 38 bc-cb b2 83 ea 63 8a 1c c0   .A>..78.....c...
>     0080 - 5a a4 ed 35 18 85 17 9d-24 7c 87 25 ff 98 11 eb   Z..5....$|.%....
>     0090 - f6 1d 89 41 9b ba a1 18-03 0a 90 90 bd 76 c8 80   ...A.........v..
>     00a0 - 44 1f 3a 8c 99 ac 2f ef-a5 e2 22 a6 58 9a e8 2a   D.:.../...".X..*
> 
>     Start Time: 1626339048
>     Timeout   : 7200 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> 
> 
> 
> So, I am not sure what my issue is or what is wrong here. Or can you help me to check further?
> 
> Thanks,
> ThanhTruon
> 
>> On Jul 15, 2021, at 15:33, Henning Westerholt <hw at skalatan.de> wrote:
>> 
>> Hello,
>>  
>> please format your e-mail only with black – it's really hard to read (it might be related to my client, though).
>>  
>> Have you already checked the file system access rights to the certs if kamailio can actually read them?
>>  
>> Cheers,
>>  
>> Henning
>>  
>> -- 
>> Henning Westerholt – https://skalatan.de/blog/
>> Kamailio services – https://gilawa.com
>>  
>> From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of ThanhTruong
>> Sent: Thursday, July 15, 2021 5:09 AM
>> To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
>> Subject: Re: [SR-Users] please help to configure tls in kamailio for webrtc client like simpl5
>>  
>> Hello Fred and all,
>>  
>> I tried some changes, and the results are below.
>>  
>> With:
>>  
>> [server:default]
>> method = SSLv23
>> verify_certificate = no
>> require_certificate = no
>> private_key = /etc/certs/mydomain.com/key.pem
>> certificate = /etc/certs/mydomain.com/cert.pem
>> ca_list = /etc/certs/demoCA/cert.pem
>>  
>> [client:default]
>> verify_certificate = yes
>> require_certificate = yes
>>  
>> error log:
>>  
>> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
>> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
>> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
>> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>>  
>>  
>> With settings:
>>  
>> [server:default]
>> method = SSLv23
>> verify_certificate = no
>> require_certificate = no
>> private_key = /etc/certs/mydomain.com/key.pem
>> certificate = /etc/certs/mydomain.com/cert.pem
>> ca_list = /etc/certs/demoCA/cert.pem
>>  
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>  
>> and error log:
>>  
>> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
>> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
>> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
>> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fd64ee4bfc0 r: 0x7fd64ee4c0e8 (-1)
>>  
>>  
>> and tried:
>>  
>> [server:default]
>> method = SSLv23
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /etc/certs/mydomain.com/key.pem
>> certificate = /etc/certs/mydomain.com/cert.pem
>> ca_list = /etc/certs/demoCA/cert.pem
>>  
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>  
>> and error log:
>>  
>> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
>> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
>> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
>> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f222a018fc0 r: 0x7f222a0190e8 (-1)
>>  
>>  
>> Then, I tried with TLSv1+:
>>  
>>  
>> [server:default]
>> method = TLSv1+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /etc/certs/mydomain.com/key.pem
>> certificate = /etc/certs/mydomain.com/cert.pem
>> ca_list = /etc/certs/demoCA/cert.pem
>>  
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>  
>> and log is:
>>  
>> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
>> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
>> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
>> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f9fd21cefc0 r: 0x7f9fd21cf0e8 (-1)
>>  
>>  
>> I am sorry to bother you all, but I don't know how to get it to work; please suggest.
>>  
>> Thank you so much.
>>  
>> 
>> 
>> On Jul 15, 2021, at 01:10, Fred Posner <fred at palner.com> wrote:
>>  
>> On 7/14/21 2:04 PM, ThanhTruong wrote:
>> 
>> verify_certificate =yes
>> require_certificate =yes
>> 
>> Change both of those to no in your case.
>> 
>> -- 
>> Fred Posner -- www.palner.com
>> Matrix: @fred:matrix.lod.com
>> 
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>>  * sr-users at lists.kamailio.org
>> Important: keep the mailing list in the recipients, do not reply only to the sender!
>> Edit mailing list options or unsubscribe:
>>  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> -- 
> Regards,
> 
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
