On 29 Jan 2012 at 13:11, Daniel Pocock wrote:

> I found that my TLS client was not happy because my server cert is
> signed by an intermediate root.
>
> A quick search in Google found other people mentioning the same problem,
> but no solution or documentation.
>
> I've had a quick look in the Kamailio source and I notice it is using
> the call:
>
>   SSL_CTX_use_certificate_chain_file
>
> to load the certificate specified in tls.cfg with
>
>   certificate=myserver.pem
>
> In practice, this means the intermediate certificates can be appended to
> myserver.pem and Kamailio will present them to the TLS client:
>
> Example:
>
> Trust hierarchy:
>
>   trusted root
>   - inter 1
>   - inter 2
>   - server.example.com.pem
>
> Construct the PEM file in this exact order:
>
>   cat server.example.com.pem > chain-server.example.com.pem
>   cat inter2.pem >> chain-server.example.com.pem
>   cat inter1.pem >> chain-server.example.com.pem
>
> and then, in tls.cfg:
>
>   certificate=chain-server.example.com.pem
This applies to almost all OpenSSL based implementations. But it should be documented somewhere.

/O

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
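A way to check the ordering described in the thread before pointing tls.cfg at a bundle, as an added example that is not from the original posts or from Kamailio: it reads each certificate's subject and issuer out of the PEM file and reports any certificate that did not issue the one before it. Assumptions: names are compared as raw DER bytes, signatures are not verified, the function names are hypothetical, and the sample certificates are constructed unsigned skeletons that reuse the thread's hierarchy.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) as raw DER Name bytes of one X.509 certificate."""
    _, p, _ = read_tlv(der, 0)   # Certificate SEQUENCE
    _, p, _ = read_tlv(der, p)   # tbsCertificate SEQUENCE
    fields = []
    while len(fields) < 5:       # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(der, p)
        if tag != 0xA0:          # skip the optional [0] version field
            fields.append(der[p:end])
        p = end
    return fields[4], fields[2]

def misplaced(pem_text):
    """Positions (0-based) of certs that did not issue the cert just before them."""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    return [i + 1 for i in range(len(certs) - 1) if certs[i][1] != certs[i + 1][0]]

# --- constructed sample input: unsigned skeletons, not real certificates ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only (< 128 bytes)

def name(cn):  # Name holding a single commonName (OID 2.5.4.3) attribute
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def fake_cert(subject_cn, issuer_cn):
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer_cn)
              + tlv(0x30, b"") + name(subject_cn))
    b64 = base64.encodebytes(tlv(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

server = fake_cert("server.example.com", "inter 2")
inter2 = fake_cert("inter 2", "inter 1")
inter1 = fake_cert("inter 1", "trusted root")

GOOD = server + inter2 + inter1   # order from the thread: leaf, inter 2, inter 1
BAD = server + inter1 + inter2    # intermediates swapped
```

An empty list from misplaced() means every certificate in the bundle is followed by its issuer; it does not show that the chain ends at a root the client trusts.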