I found that my TLS client was not happy because my server cert is
signed by an intermediate root.

A quick search in Google found other people mentioning the same problem,
but no solution or documentation.

I've had a quick look in the Kamailio source and I notice it is using
the call:

        SSL_CTX_use_certificate_chain_file

to load the certificate specified in tls.cfg with

certificate=myserver.pem

In practice, this means the intermediate certificates can be appended to
myserver.pem and Kamailio will present them to the TLS client:

Example:

Trust hierarchy:

trusted root
  - inter 1
       - inter 2
             - server.example.com.pem

Construct the PEM file in this exact order:

cat server.example.com.pem > chain-server.example.com.pem
cat inter2.pem >> chain-server.example.com.pem
cat inter1.pem >> chain-server.example.com.pem

and then, in tls.cfg:

certificate=chain-server.example.com.pem



_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
