Hi all,
I have configured TLS support in Kamailio, but I cannot register a SIP phone.

My configuration:

I created the cert and private key with:

"kamctl tls userCERT user"

The log shows:

Creating directory /usr/local/etc/kamailio//tls/user
Creating user certificate request
Generating a 512 bit RSA private key
..++++++++++++
...................++++++++++++
writing new private key to '/usr/local/etc/kamailio//tls/user/user-privkey.pem'
-----
Signing certificate request
Using configuration from /usr/local/etc/kamailio//tls/request.conf
Enter pass phrase for ./rootCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'somename.somewhere.com'
stateOrProvinceName   :PRINTABLE:'Some State'
countryName           :PRINTABLE:'XY'
emailAddress          :IA5STRING:'r...@somename.somewhere.com'
organizationName      :PRINTABLE:'My Large Organization Name'
organizationalUnitName:PRINTABLE:'My Subunit of Large Organization'
Certificate is to be certified until Sep  4 09:13:58 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generating CA list
DONE
INFO: Private key is locate at /usr/local/etc/kamailio//tls/user/user-privkey.pem
INFO: Certificate is locate at /usr/local/etc/kamailio//tls/user/user-cert.pem
INFO: CA-List is locate at /usr/local/etc/kamailio//tls/user/user-calist.pem


I added to kamailio.cfg:

enable_tls=1
tcp_async=no

modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate", "/usr/local/etc/kamailio//tls/user/user-cert.pem")
modparam("tls", "private_key", "/usr/local/etc/kamailio//tls/user/user-privkey.pem")
modparam("tls", "ca_list", "/usr/local/etc/kamailio//tls/user/user-calist.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)

I restarted Kamailio:

"kamctl restart"

Log in tail -f /var/log/message:

Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:175]: TLSc<default>: tls_method=9
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:185]: TLSc<default>: certificate='/usr/local/etc/kamailio//tls/user/user-cert.pem'
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:190]: TLSc<default>: ca_list='/usr/local/etc/kamailio//tls/user/user-calist.pem'
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:193]: TLSc<default>: require_certificate=1
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:198]: TLSc<default>: cipher_list='(null)'
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:203]: TLSc<default>: private_key='/usr/local/etc/kamailio//tls/user/user-privkey.pem'
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:206]: TLSc<default>: verify_certificate=1
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:209]: TLSc<default>: verify_depth=9
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:331]: TLSc<default>: Server MUST present valid certificate
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: WARNING: tls [tls_domain.c:395]: tls: set_ssl_options: openssl SSL_OP_TLS_BLOCK_PADDING bug workaround enabled (openssl version 90802f)
Sep  4 05:17:42 appliance /usr/local/sbin/kamailio[3116]: INFO: ctl [io_listener.c:224]: io_listen_loop:  using epoll_lt io watch method (config)


I see that Kamailio starts okay, but the SIP phone cannot register.

Log in tail -f /var/log/message:

Sep  4 05:18:50 appliance /usr/local/sbin/kamailio[3117]: ERROR: tls [tls_server.c:392]: SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

In PortGo: certificate validation failure.

Please suggest how to fix it,
thanks.
Peter green
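
The following is an added example, not part of the original post or of Kamailio: it decodes the packed OpenSSL error code from the ERROR line above, using the pre-3.0 OpenSSL layout (the log reports openssl version 90802f), and reports whether the code is a TLS alert received from the peer. The function names are hypothetical; the first sample is the log line from the post joined onto one line, the second is constructed for contrast.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2), certificate-related subset.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 51: "decrypt_error", 70: "protocol_version",
}
ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # libssl reports a received alert n as reason 1000 + n

ERR_RE = re.compile(r"SSL error:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

# Log line from the post, with the e-mail line wrapping removed.
SAMPLE_ALERT = ("Sep  4 05:18:50 appliance /usr/local/sbin/kamailio[3117]: ERROR: tls "
                "[tls_server.c:392]: SSL error:error:14094418:SSL routines:"
                "SSL3_READ_BYTES:tlsv1 alert unknown ca")
# Constructed line: an error raised locally, not an alert from the peer.
SAMPLE_LOCAL = ("ERROR: tls [tls_server.c:392]: SSL error:error:1408F10B:"
                "SSL routines:SSL3_GET_RECORD:wrong version number")

def decode_ssl_error(line):
    """Split a pre-3.0 OpenSSL packed error code into lib/func/reason."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason,
              "function_name": m.group(3), "text": m.group(4).strip(),
              "alert_from_peer": False, "alert": None}
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        result["alert_from_peer"] = True
        result["alert"] = TLS_ALERTS.get(number, "alert_%d" % number)
    return result

def summarize(line):
    """One-line triage note for a log line, or None if it has no SSL error."""
    r = decode_ssl_error(line)
    if r is None:
        return None
    if r["alert_from_peer"]:
        return "peer sent TLS alert %s: the remote side rejected the handshake" % r["alert"]
    return "local error in %s: %s" % (r["function_name"], r["text"])

if __name__ == "__main__":
    for sample in (SAMPLE_ALERT, SAMPLE_LOCAL):
        print(summarize(sample))
```

For the line in the post the decoded alert is unknown_ca received from the peer, which RFC 5246 defines as the sender being unable to match the presented certificate chain to a CA it trusts.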



                                          