<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello,<br>
</p>
<br>
<div class="moz-cite-prefix">On 25.10.17 11:32, Francisco Valentin
Vinagrero wrote:<br>
</div>
<blockquote type="cite"
cite="mid:D344618A4B7B0F4ABA8047A07E92D47401F66ABC7C@CERNXCHG54.cern.ch">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m trying to replace two old Audiocodes
gateways (used to interconnect our Skype for Business
infrastructure to the PSTN) with a new Kamailio cluster.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am having some trouble to get the TLS
mutual authentication working with Kamailio. For the moment,
I’m just trying to receive the incoming OPTIONS from SfB, but
I get all the time certificate verification errors:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">ERROR: tls [tls_util.h:42]: tls_err_ret():
TLS accept:error:14089086:SSL
routines:ssl3_get_client_certificate:certificate verify failed<o:p></o:p></p>
<p class="MsoNormal">ERROR: <core> [tcp_read.c:1330]:
tcp_read_req(): ERROR: tcp_read_req: error reading<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">My tls.cfg is quite simple, with the same
config for client and server (and one single listen=tls:<my
IP>:5061 in the Kamailio.cfg file)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[server:default]<o:p></o:p></p>
<p class="MsoNormal">method = TLSv1+<o:p></o:p></p>
<p class="MsoNormal">verify_certificate = yes<o:p></o:p></p>
<p class="MsoNormal">require_certificate = yes<o:p></o:p></p>
<p class="MsoNormal">private_key =
/usr/local/etc/kamailio/tls/key_gw_sfb.pem <o:p>
</o:p></p>
<p class="MsoNormal">certificate =
/usr/local/etc/kamailio/tls/cert_gw_sfb.pem # => This
certificate’s Subject is the DNS alias for the cluster, with
all the kamailios in the cluster as Subject Alternative Names<o:p></o:p></p>
<p class="MsoNormal">ca_list =
/usr/local/etc/kamailio/tls/myca_and_sfbca.pem # =>
Kamailio and Skype for Business are signed by different CAs,
so here I concatenated all intermediate and root CAs<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[client:default]<o:p></o:p></p>
<p class="MsoNormal">method = TLSv1+<o:p></o:p></p>
<p class="MsoNormal">verify_certificate = yes<o:p></o:p></p>
<p class="MsoNormal">require_certificate = yes<o:p></o:p></p>
<p class="MsoNormal">private_key =
/usr/local/etc/kamailio/tls/key_gw_sfb.pem<o:p></o:p></p>
<p class="MsoNormal"><span lang="FR">certificate =
/usr/local/etc/kamailio/tls/cert_gw_sfb.pem<o:p></o:p></span></p>
<p class="MsoNormal">ca_list =
/usr/local/etc/kamailio/tls/myca_and_sfbca.pem<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">When I run Kamailio, I can see incoming
OPTIONS from Microsoft Exchange Unified Messaging (UM), whose
certificate I verify without any issues. UM presents a
certificate issued for a single machine, so no Subject
Alternative Names (SANs) are involved.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The problem comes with the TLS handshake
for the Skype Mediation pool. They have a certificate with
Subject = DNS alias and all the physical machines that are
behind the alias appear listed as Subject Alternative Names
(SANs) in the certificate.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As the only difference between UM and
Skype’s Mediation is the certificate’s Subject, I think I am
missing something on my configuration to validate the SANs
instead of the subject. Is the TLS module doing any reverse
DNS lookup to verify this?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
afaik, the certificate validation is done by the libssl, kamailio is
not doing much in this respect and no dns query inside kamailio tls
module. Maybe some parameters must be set when asking for
validation.<br>
<br>
If you run with debug=3 inside kamailio.cfg, do you see any log
messages that can help in identifying why it fails?<br>
<br>
Cheers,<br>
Daniel<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
Kamailio World Conference - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
</body>
</html>