[Users] Problem with tls in openser

Klaus Darilion klaus.mailinglists at pernau.at
Mon Apr 24 10:14:40 CEST 2006


The strange thing is that Windows Messenger also tries to establish an 
https connection.

In any case, you have to import the CA cert you generated for signing 
the TLS certificates into the Windows PC. (You can do it via 
Internet Explorer.)

You can also try ssldump to trace the TLS handshake.

regards
klaus

Silvia talani wrote:
> Hi,
> 
> I want to use OpenSer with TLS but when I try to connect to openser 
> with Windows Messenger I receive this message:
> 
> ----------------------------------------------------------------------------------
> "Impossible to establish an HTTPS or TCP connection."
> ----------------------------------------------------------------------------------
> 
> I used the TLS tutorial from the openser site to configure TLS; I created 
> the certificates and this is my openser.cfg file:
> 
> # $Id: openser.cfg,v 1.5 2005/10/28 19:45:33 bogdan_iancu Exp $
> 
> # simple quick-start config script
> 
> # ----------- global configuration parameters ------------------------
> 
> debug=3 # debug level (cmd line: -dddddddddd)
> fork=yes
> log_stderror=no # (cmd line: -E)
> 
> /* Uncomment these lines to enter debugging mode
> fork=no
> log_stderror=yes
> */
> 
> check_via=no # (cmd. line: -v)
> dns=no # (cmd. line: -r)
> rev_dns=no # (cmd. line: -R)
> port=5060
> children=4
> fifo="/tmp/openser_fifo"
> 
> # uncomment the following lines for TLS support
> disable_tls = 0
> listen = tls:192.168.1.5:5061
> tls_verify = 0
> tls_require_certificate = 0
> tls_method = SSLv23
> tls_certificate = "/usr/local/etc/openser/tls/opensercert.pem"
> tls_private_key = "/usr/local/etc/openser/tls/openser.pem"
> tls_ca_list = "/usr/local/etc/openser/tls/calist.pem"
> 
> etc...... 
> 
> 
> I captured with Ethereal the packets exchanged between the 
> server (192.168.1.5) and the client (192.168.1.98) and on the 
> openserver interface I found this dialog:
> 
> 
> No. Time Source Destination Protocol Info
> 1 0.000000 192.168.1.98 192.168.1.255 BROWSER Host Announcement MARCO, Workstation, Server, NT Workstation
> 2 28.080507 192.168.1.98 Broadcast ARP Who has 192.168.1.5? Tell 192.168.1.98
> 3 28.080636 192.168.1.5 192.168.1.98 ARP 192.168.1.5 is at 00:50:fc:6d:0e:1e
> 4 28.080742 192.168.1.98 192.168.1.5 TCP 1439 > sip-tls [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
> 5 28.080841 192.168.1.5 192.168.1.98 TCP sip-tls > 1439 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
> 6 28.498558 192.168.1.98 192.168.1.5 TCP 1439 > sip-tls [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
> 7 28.498674 192.168.1.5 192.168.1.98 TCP sip-tls > 1439 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
> 8 29.045430 192.168.1.98 192.168.1.5 TCP 1439 > sip-tls [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
> 9 29.045538 192.168.1.5 192.168.1.98 TCP sip-tls > 1439 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
> 10 29.048035 192.168.1.98 192.168.1.5 TCP 1440 > https [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
> 11 29.048128 192.168.1.5 192.168.1.98 TCP https > 1440 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
> 12 29.048245 192.168.1.98 192.168.1.5 TCP 1440 > https [ACK] Seq=1 Ack=1 Win=65535 Len=0
> 13 29.118672 192.168.1.98 192.168.1.5 SSLv3 Client Hello
> 14 29.118795 192.168.1.5 192.168.1.98 TCP https > 1440 [ACK] Seq=1 Ack=103 Win=5840 Len=0
> Frame 14 (54 bytes on wire, 54 bytes captured)
> 15 31.192871 192.168.1.5 192.168.1.98 SSLv3 Server Hello, Certificate, Server Hello Done
> 16 31.256175 192.168.1.98 192.168.1.5 SSLv3 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
> 17 31.256329 192.168.1.5 192.168.1.98 TCP https > 1440 [ACK] Seq=741 Ack=307 Win=6432 Len=0
> 18 31.317188 192.168.1.5 192.168.1.98 SSLv3 Change Cipher Spec, Encrypted Handshake Message
> 19 31.318624 192.168.1.98 192.168.1.5 TCP 1440 > https [FIN, ACK] Seq=307 Ack=808 Win=64728 Len=0
> 20 31.335535 192.168.1.5 192.168.1.98 SSLv3 Encrypted Alert
> 21 31.335788 192.168.1.98 192.168.1.5 TCP 1440 > https [RST, ACK] Seq=308 Ack=831 Win=0 Len=0
> 
> ....so it seems that server and client use TLS and exchange the 
> certificate....
> Can someone help me? Why are there the TCP RSTs? What is the Encrypted 
> Alert? Is the configuration file correct or not? What can I do to find the 
> problem and solve it?
> 
> Thanks!
> Silvia
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Users mailing list
> Users at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users
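As an added illustration (not from either poster), here is a small Python parser over summary lines in the format of Silvia's Ethereal capture: it groups packets per client stream and reports how each ended, so that a SYN answered only by RST (nothing listening on that port; Ethereal shows 5061 as sip-tls) is distinguished from a stream that completes the TLS handshake before the client closes it. The sample lines are constructed to mirror the quoted capture.

```python
import re
# Constructed sample in the one-line summary format of the Ethereal capture quoted above.
CAPTURE = """\
4 28.080742 192.168.1.98 192.168.1.5 TCP 1439 > sip-tls [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
5 28.080841 192.168.1.5 192.168.1.98 TCP sip-tls > 1439 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
10 29.048035 192.168.1.98 192.168.1.5 TCP 1440 > https [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
11 29.048128 192.168.1.5 192.168.1.98 TCP https > 1440 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
13 29.118672 192.168.1.98 192.168.1.5 SSLv3 Client Hello
15 31.192871 192.168.1.5 192.168.1.98 SSLv3 Server Hello, Certificate, Server Hello Done
16 31.256175 192.168.1.98 192.168.1.5 SSLv3 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
18 31.317188 192.168.1.5 192.168.1.98 SSLv3 Change Cipher Spec, Encrypted Handshake Message
19 31.318624 192.168.1.98 192.168.1.5 TCP 1440 > https [FIN, ACK] Seq=307 Ack=808 Win=64728 Len=0
20 31.335535 192.168.1.5 192.168.1.98 SSLv3 Encrypted Alert
"""
LINE_RE = re.compile(r"^\d+ \S+ (\S+) (\S+) (TCP|SSLv3|TLSv1\S*) (.*)$")
TCP_RE = re.compile(r"(\S+) > (\S+) \[([^\]]+)\]")

def diagnose(summary):
    # Group packets per client stream; TLS summary lines carry no ports, so each goes to the newest stream of its host pair.
    streams, latest = {}, {}
    for line in summary.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, info = m.groups()
        pair = frozenset((src, dst))
        if proto == "TCP":
            sport, dport, flags = TCP_RE.match(info).groups()
            events = ["TCP " + f.strip() for f in flags.split(",")]
            if events == ["TCP SYN"]:                  # client opens a new stream
                latest[pair] = (src, sport, dport)
                streams[latest[pair]] = []
        else:
            events = info.split(", ")                   # one event per TLS message
        if pair in latest:
            role = "client" if src == latest[pair][0] else "server"
            streams[latest[pair]] += [(role, e) for e in events]
    return {f"{c}:{cp} -> {dp}": classify(ev) for (c, cp, dp), ev in streams.items()}

def classify(events):
    srv = {e for r, e in events if r == "server"}
    cli = {e for r, e in events if r == "client"}
    if "TCP SYN" not in srv:                           # no SYN,ACK ever came back
        return "refused: RST to SYN, nothing listening on that port" if "TCP RST" in srv else "no reply to SYN"
    if "Change Cipher Spec" in srv and "Change Cipher Spec" in cli:
        # an Encrypted Alert sent right after the peer's FIN is normally just a close_notify
        ended = ", then client closed the session" if cli & {"TCP FIN", "TCP RST"} else ""
        return "TLS handshake completed" + ended
    return "TLS handshake started but not completed" if "Server Hello" in srv else "TCP connected, no TLS seen"
```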