[SR-Users] please help to configure tls in kamailio for webrtc client like simpl5
ThanhTruong
thanhtruong217 at gmail.com
Thu Jul 15 16:51:49 CEST 2021
Hello Henning, David, and all,
I tried to change to letsencrypt and configured it as below:
[server:default]
method = TLSv1+
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/mydomain.com/privkey.pem
certificate = /etc/letsencrypt/live/mydomain.com/fullchain.pem
[client:default]
verify_certificate = yes
require_certificate = yes
I have the same issue, could not log in with the webrtc client. The log is like:
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 27.65.214.194
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/tcp_main.c:1174]: tcpconn_new(): on port 54961, type 3, socket 40
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/tcp_main.c:1493]: tcpconn_add(): hashes: 2860:2307:2170, 10
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0x559d7996eaa0, 40, 2, 0x7f660ad93258), fd_no=32
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0x559d7996eaa0, 40, -1, 0x0) fd_no=33 called
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/tcp_main.c:4456]: handle_tcpconn_ev(): sending to child, events 1
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/tcp_main.c:4126]: send2child(): selected tcp worker idx:0 proc:10 pid:23172 for activity on [tls:172.31.44.170:4443], 0x7f660ad93258
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_read.c:1749]: handle_io(): received n=8 con=0x7f660ad93258, fd=9
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7f660ac140a8 ctx 0x7f660ac662e8 sn [])
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f660ac662e8: (nil)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:948]: tls_server_name_cb(): received server_name (TLS extension): 'mydomain.com'
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:967]: tls_server_name_cb(): TLS cfg domain selected for received server name [mydomain.com]: socket [:0] server name='' - switching SSL CTX to 0x7f660ac662e8 dom 0x7f660ac140a8 (default)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_main.c:2705]: tcpconn_do_send(): sending...
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_main.c:2738]: tcpconn_do_send(): after real write: c= 0x7f660ad93258 n=4593 fd=9
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_main.c:2739]: tcpconn_do_send(): buf=#012#026#003#003
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0x559d799da740, 9, 2, 0x7f660ad93258), fd_no=1
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f660ac662e8: (nil)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:759]: sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL renegotiation initiated by client
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:759]: sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL renegotiation initiated by client
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:759]: sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:424]: tls_accept(): TLS accept successful
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 27.65.214.194:54961 using TLSv1.3 TLS_AES_256_GCM_SHA384 256
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 172.31.44.170:4443
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:1199]: tls_h_read_f(): Reading on a renegotiation of connection (n:-1) (2)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_read.c:1515]: tcp_read_req(): EOF
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0x559d799da740, 9, -1, 0x10) fd_no=2 called
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_read.c:1884]: handle_io(): removing from list 0x7f660ad93258 id 10 fd 9, state 2, flags 4018, main fd 40, refcnt 2 ([27.65.214.194]:54961 -> [27.65.214.194]:4443)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_read.c:1668]: release_tcpconn(): releasing con 0x7f660ad93258, state -1, fd=9, id=10 ([27.65.214.194]:54961 -> [27.65.214.194]:4443)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core> [core/tcp_read.c:1672]: release_tcpconn(): extra_data 0x7f660adb5a58
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core> [core/tcp_main.c:3558]: handle_tcp_child(): reader response= 7f660ad93258, -1 from 0
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: tls [tls_server.c:683]: tls_h_tcpconn_close_f(): Closing SSL connection 0x7f660adb5a58
I did not see any error now, but could not register my webrtc client.
Please help me with that.
Thank you
> On Jul 15, 2021, at 16:33, David Villasmil <david.villasmil.work at gmail.com> wrote:
>
> Back when I did my first TLS, I did it with
>
> https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/
> It worked for me on the first try.
>
> Maybe give it a try.
>
> David
>
> On Thu, 15 Jul 2021 at 11:02, ThanhTruong <thanhtruong217 at gmail.com> wrote:
> Hi Henning and all,
>
> I can restart kamailio without error, so I think kamailio can access the cert files, am I right?
>
> Next, I can check the TLS configuration via some commands, and the result is like:
>
>
> openssl s_client -connect mydomain.com:4443
>
> result is:
>
> CONNECTED(00000003)
> depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217 at gmail.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
> 0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> 1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> IKqnZKfVhfs=
> -----END CERTIFICATE-----
> subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2890 bytes and written 391 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID: 047913A6C905B007C53EB31C51CBED00FDF8BBBBC8ACDA79238314C3AF899776
> Session-ID-ctx:
> Master-Key: 98D20DD5C85389F6BA32F0CADC76789D03BA3534D45F446418120E8358ACE5142FC21C02E0E3E22090A9E5920F8AB835
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 7200 (seconds)
> TLS session ticket:
> 0000 - fa 90 a9 99 5e 02 04 26-ae bf ce f4 05 06 87 e0 ....^..&........
> 0010 - d5 a7 f2 74 ac 4a 7d 0b-ae ba 53 a4 89 14 95 52 ...t.J}...S....R
> 0020 - 68 53 ea 9b e2 1d 23 ae-77 86 6b 74 21 5e 1e 88 hS....#.w.kt!^..
> 0030 - 50 75 3f e4 2a 7a 95 63-5a 87 58 b8 ac c1 ae 85 Pu?.*z.cZ.X.....
> 0040 - d9 73 3d 4d 5f 27 df 37-37 98 02 15 0c 3c 62 96 .s=M_'.77....<b.
> 0050 - 50 22 cd 2c e9 b0 aa ba-3e e0 9e a5 65 17 35 3f P".,....>...e.5?
> 0060 - d5 2d 37 4a 99 1a 19 42-aa 63 6a 74 8b fe 70 72 .-7J...B.cjt..pr
> 0070 - b6 cc 3d e1 b1 f8 da ee-9c 31 db 25 eb 2a 22 f5 ..=......1.%.*".
> 0080 - 38 87 13 aa 13 c1 4c c4-f9 1a 83 1c 38 a8 a9 15 8.....L.....8...
> 0090 - c4 70 cd 3f e5 0a 5e 5e-13 a3 13 a7 6d 29 0e 70 .p.?..^^....m).p
> 00a0 - fc 09 ee df e0 89 f6 48-29 04 1e 69 65 92 f0 e7 .......H)..ie...
>
> Start Time: 1626338959
> Timeout : 300 (sec)
> Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
>
> or normal tls port 5061:
>
> openssl s_client -connect mydomain.com:5061 -tls1
> CONNECTED(00000003)
> depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217 at gmail.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
> 0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> 1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIEVDCCAzygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtTELMAkGA1UEBhMCVVMx
> xxxxxxxxxx...
> IKqnZKfVhfs=
> -----END CERTIFICATE-----
> subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217 at gmail.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2896 bytes and written 307 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : ECDHE-RSA-AES256-SHA
> Session-ID: EF724C7926D18D0B727709E4D42650D2141EA44771E3FF8B566161F51095B0C7
> Session-ID-ctx:
> Master-Key: 61C323CD42A4447B4E662958EA4E5F9DE039A4F257342BBAED236E3B811D6052192FEC36CC245D810A847B9E5FFF54C6
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 7200 (seconds)
> TLS session ticket:
> 0000 - 45 b4 44 76 46 b2 f5 a5-39 a4 ec 4e 53 22 5c 20 E.DvF...9..NS"\
> 0010 - d5 a7 f2 74 ac 4a 7d 0b-ae ba 53 a4 89 14 95 52 ...t.J}...S....R
> 0020 - fe 69 4e 7a 3e 23 ff 41-62 54 f1 71 f5 a3 a4 3f .iNz>#.AbT.q...?
> 0030 - 99 81 5c d9 71 b6 82 be-7e 17 19 a7 d3 55 6a c9 ..\.q...~....Uj.
> 0040 - 9f 9c da ef ef 35 54 30-6e 60 6f f1 e2 13 6c 95 .....5T0n`o...l.
> 0050 - 7e 2a 48 7b 07 51 57 2d-7d 69 7a 8a 46 34 9d 32 ~*H{.QW-}iz.F4.2
> 0060 - b4 7f 4b a4 61 c6 3a 13-3d 86 af cf 22 be 50 63 ..K.a.:.=...".Pc
> 0070 - 93 41 3e 18 d3 37 38 bc-cb b2 83 ea 63 8a 1c c0 .A>..78.....c...
> 0080 - 5a a4 ed 35 18 85 17 9d-24 7c 87 25 ff 98 11 eb Z..5....$|.%....
> 0090 - f6 1d 89 41 9b ba a1 18-03 0a 90 90 bd 76 c8 80 ...A.........v..
> 00a0 - 44 1f 3a 8c 99 ac 2f ef-a5 e2 22 a6 58 9a e8 2a D.:.../...".X..*
>
> Start Time: 1626339048
> Timeout : 7200 (sec)
> Verify return code: 19 (self signed certificate in certificate chain)
>
>
>
> So, I am not sure what my issue is or what is wrong here. Or can you help me to check more?
>
> Thanks,
> ThanhTruon
>
>> On Jul 15, 2021, at 15:33, Henning Westerholt <hw at skalatan.de> wrote:
>>
>> Hello,
>>
>> please format your e-mail only with black – it's really hard to read (it might be related to my client, though).
>>
>> Have you already checked the file system access rights to the certs if kamailio can actually read them?
>>
>> Cheers,
>>
>> Henning
>>
>> --
>> Henning Westerholt – https://skalatan.de/blog/
>> Kamailio services – https://gilawa.com
>>
>> From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of ThanhTruong
>> Sent: Thursday, July 15, 2021 5:09 AM
>> To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
>> Subject: Re: [SR-Users] please help to configure tls in kamailio for webrtc client like simpl5
>>
>> Hello Fred and all,
>>
>> I tried some changes, and the results are below.
>>
>> with:
>>
>> [server:default]
>> method = SSLv23
>> verify_certificate = no
>> require_certificate = no
>> private_key = /etc/certs/mydomain.com/key.pem
>> certificate = /etc/certs/mydomain.com/cert.pem
>> ca_list = /etc/certs/demoCA/cert.pem
>>
>> [client:default]
>> verify_certificate = yes
>> require_certificate = yes
>>
>> error log:
>>
>> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
>> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
>> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
>> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>>
>>
>> With settings:
>>
>> [server:default]
>> method = SSLv23
>> verify_certificate = no
>> require_certificate = no
>> private_key = /etc/certs/mydomain.com/key.pem
>> certificate = /etc/certs/mydomain.com/cert.pem
>> ca_list = /etc/certs/demoCA/cert.pem
>>
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>
>> and error log:
>>
>> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
>> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
>> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
>> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fd64ee4bfc0 r: 0x7fd64ee4c0e8 (-1)
>>
>>
>> and tried:
>>
>> [server:default]
>> method = SSLv23
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /etc/certs/mydomain.com/key.pem
>> certificate = /etc/certs/mydomain.com/cert.pem
>> ca_list = /etc/certs/demoCA/cert.pem
>>
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>
>> and error log:
>>
>> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
>> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
>> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
>> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f222a018fc0 r: 0x7f222a0190e8 (-1)
>>
>>
>> Then, I try with TLSv1+
>>
>>
>> [server:default]
>> method = TLSv1+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /etc/certs/mydomain.com/key.pem
>> certificate = /etc/certs/mydomain.com/cert.pem
>> ca_list = /etc/certs/demoCA/cert.pem
>>
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>
>> and log is:
>>
>> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
>> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
>> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
>> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f9fd21cefc0 r: 0x7f9fd21cf0e8 (-1)
>>
>>
>> I am sorry to bother you and all, but I don't know how to get it to work, please suggest.
>>
>> Thank you so much.
>>
>>
>>
>> On Jul 15, 2021, at 01:10, Fred Posner <fred at palner.com> wrote:
>>
>> On 7/14/21 2:04 PM, ThanhTruong wrote:
>>
>> verify_certificate =yes
>> require_certificate =yes
>>
>> Change both of those to no in your case.
>>
>> --
>> Fred Posner -- www.palner.com
>> Matrix: @fred:matrix.lod.com
>>
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>> * sr-users at lists.kamailio.org
>> Important: keep the mailing list in the recipients, do not reply only to the sender!
>> Edit mailing list options or unsubscribe:
>> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> --
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
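Added example, written for this page and not code from any poster in the thread or from the Kamailio project: a small offline checker for the two artifacts posted above, a Kamailio tls.cfg fragment and the text output of `openssl s_client`. It reports what a reviewer would raise from the thread: a `method` whose floor is below TLS 1.2 (the `-tls1` run shows the server still negotiating TLSv1), a certificate chain that does not verify (`Verify return code: 19`, which is why a browser answers with `certificate unknown`), and a server profile with `require_certificate = yes`, which a browser or WebRTC client can never satisfy (the debug log says `client did not present a certificate`). The sample inputs are constructed from the thread's own snippets; `TLSv1.2+` as the Kamailio method value for a TLS 1.2 floor is an assumption of this example.

```python
import re

# Constructed sample: the thread's third tls.cfg attempt, link residue removed.
SAMPLE_TLS_CFG = """\
[server:default]
method = SSLv23
verify_certificate = yes
require_certificate = yes
private_key = /etc/certs/mydomain.com/key.pem
certificate = /etc/certs/mydomain.com/cert.pem
ca_list = /etc/certs/demoCA/cert.pem

[client:default]
verify_certificate = no
require_certificate = no
"""

# Constructed sample: abbreviated output of the thread's `openssl s_client -tls1` run.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
depth=1 C = US, ST = US, L = HCM, O = mydomain.com, CN = mydomain.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# Kamailio tls 'method' values whose protocol floor is below TLS 1.2.
LEGACY_METHODS = {"SSLv23", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1+", "TLSv1.1+"}
# Protocol names in s_client output that a hardened profile should never negotiate.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_tls_cfg(text):
    """Parse Kamailio's INI-style tls.cfg into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_tls_cfg(text):
    """Return human-readable findings for a tls.cfg fragment."""
    findings = []
    for name, opts in parse_tls_cfg(text).items():
        method = opts.get("method")
        if method in LEGACY_METHODS:
            # 'TLSv1.2+' is the assumed Kamailio method value for a TLS 1.2 floor.
            findings.append(f"{name}: method={method} accepts TLS < 1.2; use TLSv1.2+")
        if name.startswith("server:") and opts.get("require_certificate") == "yes":
            findings.append(f"{name}: require_certificate=yes rejects browser/WebRTC "
                            "clients, which never present a client certificate")
        if (name.startswith("client:") and opts.get("verify_certificate") == "yes"
                and "ca_list" not in opts):
            findings.append(f"{name}: verify_certificate=yes but no ca_list in this "
                            "section; confirm a CA bundle is configured")
    return findings


def parse_s_client(text):
    """Extract verify code, negotiated protocol and cipher from s_client output."""
    result = {"verify_code": None, "protocol": None, "cipher": None}
    m = re.search(r"Verify return code:\s*(\d+)", text)
    if m:
        result["verify_code"] = int(m.group(1))
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    if m:
        result["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    if m:
        result["cipher"] = m.group(1)
    return result


def audit_s_client(text):
    """Return human-readable findings for one s_client session."""
    info = parse_s_client(text)
    findings = []
    if info["verify_code"] is None:
        findings.append("no 'Verify return code' line found; handshake probably failed")
    elif info["verify_code"] != 0:
        findings.append(f"chain does not verify (code {info['verify_code']}); a browser "
                        "will abort the handshake with 'certificate unknown'")
    if info["protocol"] in LEGACY_PROTOCOLS:
        findings.append(f"server negotiated {info['protocol']}; raise the floor to TLS 1.2")
    return findings


if __name__ == "__main__":
    for finding in audit_tls_cfg(SAMPLE_TLS_CFG) + audit_s_client(SAMPLE_S_CLIENT):
        print("-", finding)
```

On a live deployment, feed the real file contents to `audit_tls_cfg` and the output of `openssl s_client -connect mydomain.com:4443 -servername mydomain.com </dev/null 2>&1` to `audit_s_client`; `-servername` matters because the debug log above shows Kamailio selecting its TLS domain from the SNI the client sends. A clean run returns no findings from either function.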