[SR-Users] please help to configure tls in kamailio for webrtc client like simpl5

Henning Westerholt hw at skalatan.de
Mon Jul 19 16:28:30 CEST 2021


Hello,

your problems are probably not related to the certificate authority. Many people use letsencrypt with Kamailio without problems. But other vendors of course work as well.

Cheers,

Henning

--
Henning Westerholt - https://skalatan.de/blog/
Kamailio services - https://gilawa.com

From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of ThanhTruong
Sent: Saturday, July 17, 2021 6:57 PM
To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
Subject: Re: [SR-Users] please help to configure tls in kamailio for webrtc client like simpl5

Hello everyone,

Could a good SSL work in my case? Like if I got it from Comodo or something like that. Could it work?

I really need it to work; if someone can help me, ping me on Skype: voipmanvn

Thank you in advance.
ThanhTruong


On Jul 16, 2021, at 00:04, ThanhTruong <thanhtruong217 at gmail.com> wrote:


Hi Fred,

I do not need the client to present a cert as well. I think that is your last question.

BTW, my Kamailio is behind NAT and advertises the public IP.

So, does it affect the websocket and TLS configuration?

I have something in kamailio.cfg like:


#!substdef "!LOCALHOST_WSS4_ADDR!tls:IP4_LOCALHOST:MY_WSS_PORT advertise mydomain.com:MY_WSS_PORT!g"


Thanks
ThanhTruong



On Jul 15, 2021, at 22:28, ThanhTruong <thanhtruong217 at gmail.com> wrote:

Hello Fred and all,

I set it to no and tried again; same issue.

this is tls.cfg

[server:default]
method = TLSv1+
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/mydomain.com/privkey.pem
certificate = /etc/letsencrypt/live/mydomain.com/fullchain.pem

[client:default]
verify_certificate = no
require_certificate = no







and log is same

Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24072]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 27.65.214.194
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24072]: DEBUG: <core> [core/tcp_main.c:1174]: tcpconn_new(): on port 64742, type 3, socket 40
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24072]: DEBUG: <core> [core/tcp_main.c:1493]: tcpconn_add(): hashes: 303:768:633, 1
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24072]: DEBUG: <core> [core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0x558c2e300aa0, 40, 2, 0x7fb1a8451258), fd_no=32
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24072]: DEBUG: <core> [core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0x558c2e300aa0, 40, -1, 0x0) fd_no=33 called
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24072]: DEBUG: <core> [core/tcp_main.c:4456]: handle_tcpconn_ev(): sending to child, events 1
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24072]: DEBUG: <core> [core/tcp_main.c:4126]: send2child(): selected tcp worker idx:0 proc:10 pid:24060 for activity on [tls:172.31.44.170:4443], 0x7fb1a8451258
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: <core> [core/tcp_read.c:1749]: handle_io(): received n=8 con=0x7fb1a8451258, fd=9
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7fb1a82d20a8 ctx 0x7fb1a83242e8 sn [])
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7fb1a83242e8: (nil)
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:948]: tls_server_name_cb(): received server_name (TLS extension): 'mydomain.com'
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:967]: tls_server_name_cb(): TLS cfg domain selected for received server name [mydomain.com]: socket [:0] server name='' - switching SSL CTX to 0x7fb1a83242e8 dom 0x7fb1a82d20a8 (default)
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: <core> [core/tcp_main.c:2705]: tcpconn_do_send(): sending...
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: <core> [core/tcp_main.c:2738]: tcpconn_do_send(): after real write: c= 0x7fb1a8451258 n=4593 fd=9
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: <core> [core/tcp_main.c:2739]: tcpconn_do_send(): buf=#012#026#003#003
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: <core> [core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0x558c2e36c740, 9, 2, 0x7fb1a8451258), fd_no=1
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7fb1a83242e8: (nil)
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:759]: sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL renegotiation initiated by client
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:759]: sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL renegotiation initiated by client
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_domain.c:759]: sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_server.c:424]: tls_accept(): TLS accept successful
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 27.65.214.194:64742 using TLSv1.3 TLS_AES_256_GCM_SHA384 256
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 172.31.44.170:4443
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: tls [tls_server.c:1199]: tls_h_read_f(): Reading on a renegotiation of connection (n:569) (0)
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: <core> [core/tcp_read.c:1515]: tcp_read_req(): EOF
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: <core> [core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0x558c2e36c740, 9, -1, 0x10) fd_no=2 called
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: <core> [core/tcp_read.c:1884]: handle_io(): removing from list 0x7fb1a8451258 id 1 fd 9, state 2, flags 4018, main fd 40, refcnt 2 ([27.65.214.194]:64742 -> [27.65.214.194]:4443)
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: <core> [core/tcp_read.c:1668]: release_tcpconn(): releasing con 0x7fb1a8451258, state -1, fd=9, id=1 ([27.65.214.194]:64742 -> [27.65.214.194]:4443)
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24060]: DEBUG: <core> [core/tcp_read.c:1672]: release_tcpconn(): extra_data 0x7fb1a8431bc8
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24072]: DEBUG: <core> [core/tcp_main.c:3558]: handle_tcp_child(): reader response= 7fb1a8451258, -1 from 0
Jul 15 15:27:51 ip-172-31-44-170 sbin/kamailio[24072]: DEBUG: tls [tls_server.c:683]: tls_h_tcpconn_close_f(): Closing SSL connection 0x7fb1a8431bc8





:)

Thanks,
Thanhtruong


On Jul 15, 2021, at 22:17, Fred Posner <fred at palner.com> wrote:

On 7/15/21 11:12 AM, ThanhTruong wrote:

I am not sure what the issue is.

Well, you are currently requiring a client certificate. If you are not
meaning to do this, set that to no.

--
Fred Posner -- www.palner.com
Matrix: @fred:matrix.lod.com
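
Added example, not part of the original thread: a small Python parser that condenses Kamailio debug lines in the format quoted above into one record per connection attempt, showing whether TLS accept completed before the connection ended. It assumes each worker PID handles one connection at a time; the sample lines are constructed (documentation IP, made-up PIDs) and reuse only message texts that appear in the thread's log.

```python
import re

# Matches the syslog layout of the debug lines quoted in the thread.
LINE = re.compile(r"kamailio\[(?P<pid>\d+)\]: \w+: \S+ \[[^\]]+\]: (?P<func>\w+)\(\): (?P<msg>.*)$")
ACCEPT = re.compile(r"new connection from (\S+):(\d+) using (\S+) (\S+) \d+")

# Constructed sample: worker 24060 completes TLS, worker 24061 sees EOF first.
P = "Jul 15 15:27:51 host sbin/kamailio[%d]: DEBUG: "
SAMPLE = "\n".join([
    P % 24060 + "tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started",
    P % 24060 + "tls [tls_server.c:424]: tls_accept(): TLS accept successful",
    P % 24060 + "tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 192.0.2.10:64742 using TLSv1.3 TLS_AES_256_GCM_SHA384 256",
    P % 24060 + "tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate",
    P % 24060 + "<core> [core/tcp_read.c:1515]: tcp_read_req(): EOF",
    P % 24061 + "tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started",
    P % 24061 + "<core> [core/tcp_read.c:1515]: tcp_read_req(): EOF",
])

def _new(pid):
    return {"pid": int(pid), "handshake_ok": False, "peer": None,
            "protocol": None, "cipher": None, "client_cert": None, "ended": None}

def summarize(log_text):
    """Return one dict per connection attempt, grouped by worker PID (assumption)."""
    open_conns, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg in ("SSL handshake started", "TLS accept successful"):
            conn = open_conns.setdefault(pid, _new(pid))
            conn["handshake_ok"] |= msg == "TLS accept successful"
            continue
        conn = open_conns.get(pid)
        if conn is None:
            continue  # line from a process with no TLS activity seen yet
        a = ACCEPT.search(msg)
        if a:
            conn["peer"] = f"{a[1]}:{a[2]}"
            conn["protocol"], conn["cipher"] = a[3], a[4]
        elif "client did not present a certificate" in msg:
            conn["client_cert"] = False
        elif m["func"] == "tcp_read_req" and msg == "EOF":
            conn["ended"] = "EOF"  # read returned end-of-stream
            done.append(open_conns.pop(pid))
    return done + list(open_conns.values())

def verdict(conn):
    end = conn["ended"] or "no EOF logged"
    if conn["handshake_ok"]:
        return f"TLS established ({conn['protocol']} {conn['cipher']}); {end}"
    return f"TLS not established; {end}"
```

Run `for c in summarize(open("kamailio.log").read()): print(c["peer"], verdict(c))` against a captured debug log (the file name is a placeholder) to get one line per attempt.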


