Thanks, Daniel. I'll be rebuilding with the recent changes this evening. A few clarification requests inline below...
On Monday, February 23, 2015 11:26:27 AM Daniel-Constantin Mierla wrote:
> Hello,
>
> can you try with latest master? After just quick view of sources, I spotted
> some issue identifying ipv6 address and pushed a small patch for it, but no
> time to test it for now.
>
> Cheers,
> Daniel
>
> On 23/02/15 10:01, Daniel-Constantin Mierla wrote:
>> Hello,
>>
>> On 23/02/15 02:16, Anthony Messina wrote:
>>> I'm wondering if anyone can point me in the right direction for the
>>> following two issues with Kamailio and tls.cfg.
>>>
>>> 1. When attempting to configure TLS settings for connecting to a specific
>>> IPv4 client, it seems that the ca_list indicated in [client:default]
>>> overrides the one in the client-specific config. If I don't include the
>>> client's CA in the [client:default] section, I get the following,
>>> regardless of what is in [client:204.74.213.5:5061].
>>>
>>> ERROR: tls [tls_server.c:1230]: tls_read_f(): TLS write:error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>
>>> [client:default]
>>> method = TLSv1+
>>> verify_certificate = yes
>>> require_certificate = no
>>> private_key = /etc/kamailio/key.pem
>>> certificate = /etc/kamailio/crt.pem
>>> verify_depth = 2
>>> # In order for the client below to work, the ca_list here needs to support
>>> # contain the CA for the specific client. Not sure why, maybe a bug?
>>> #ca_list = /etc/pki/CA/myownCA.pem # Can't use this one
>>> ca_list = /etc/kamailio/kamailio.tls.ca_list.pem # Contains ALL client CA's
>>>
>>> [client:204.74.213.5:5061]
>>> method = TLSv1+
>>> verify_certificate = yes
>>> require_certificate = yes
>>> verify_depth = 2
>>> ca_list = /etc/kamailio/204.74.213.5.crt.pem
>>
>> I noticed that this one is hard to match because it specifies the local
>> socket, but the kernel returns a random local port when doing a connect.
>> The matching should be changed to be done on an xavp or the forced socket.
>>
>> I made a note on the commit:
>>
>> - https://github.com/kamailio/kamailio/commit/9a36fb7aae0adc39efb17a967a88db2eebfd8c36
>>
>> It is on my list to solve it, but no time so far.

I'm not sure I follow you here. Kamailio is sending an outbound connection to
[client:204.74.213.5:5061] -- I'm not specifying the local socket, but the
remote endpoint, as far as I can tell, based on the iptel.org example in the
tls.cfg file below. I have not yet begun to use the new SNI features. How did
this work prior to the SNI implementation? I ask because Kamailio (acting as
the client in this case) is connecting to a TLS server set via LCR with the
destination 204.74.213.5:5061.

# Special settings for the iptel.org public SIP
# server. We do not verify the certificate of the
# server because it can be expired. The server
# implements authentication using SSL client
# certificates so configure the client certificate
# that was given to use by iptel.org staff here.
#
#[client:195.37.77.101:5061]
#verify_certificate = no
#certificate = /etc/kamailio/iptel_client.pem
#private_key = /etc/kamailio/iptel_key.pem
#ca_list = /etc/kamailio/iptel_ca.pem
#crl = /etc/kamailio/iptel_crl.pem

>>> 2. When attempting to configure TLS settings for connecting to a specific
>>> IPv6 client, I cannot figure out the syntax needed to specify the IPv6
>>> client. What is the proper syntax?
>>>
>>> With [client:[2607:5300:60:1f93::0]:5061], I get:
>>> ERROR: tls [tls_config.c:71]: parse_ipv6(): tls.cfg:57:9: Invalid IPv6
>>> address
>>
>> Perhaps it is an issue in the parser of the config, I will look at it.

So after
https://github.com/kamailio/kamailio/commit/4b682e15fcd14fc3eb153865c2071162c7592220
is the following IPv6 syntax correct? Is the port necessary? I was unsure of
the nested brackets.

[client:[2607:5300:60:1f93::0]:5061]

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
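The thread turns on two things: how a tls.cfg section header such as [client:[2607:5300:60:1f93::0]:5061] should be split when the address itself contains colons, and how settings in a peer-specific section combine with [client:default]. The following is an added illustration, not Kamailio's parser (that lives in modules/tls/tls_config.c and is not reproduced here). It is a small Python parser for the header and key = value format quoted above, plus a lookup that fills keys missing from the specific section with the default section's values; that inherit-from-default rule is an assumption of this example, not a statement of what Kamailio does, and the sample configuration is constructed from the settings quoted in the thread.

```python
"""Toy tls.cfg-style parser (added example, not Kamailio code).

Header forms accepted (an illustrative grammar, assumed here):
    [client:default]
    [client:204.74.213.5:5061]
    [client:[2607:5300:60:1f93::0]:5061]   # IPv6 must be bracketed
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

_HEADER_RE = re.compile(
    r"^\[(?P<kind>server|client):"
    r"(?:(?P<default>default)"
    r"|(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>[0-9.]+)):(?P<port>\d{1,5}))\]$"
)


@dataclass(frozen=True)
class Section:
    kind: str                  # "server" or "client"
    address: Optional[str]     # canonical text form; None for the default section
    port: Optional[int]


def parse_header(line: str) -> Section:
    """Split one [kind:address:port] header; the brackets disambiguate IPv6."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed section header: {line!r}")
    if m.group("default"):
        return Section(m.group("kind"), None, None)
    raw = m.group("v6") or m.group("v4")
    addr = ipaddress.ip_address(raw)          # ValueError on a bad address
    if m.group("v6") and addr.version != 6:   # "[1.2.3.4]" is rejected
        raise ValueError(f"brackets are only for IPv6 addresses: {line!r}")
    port = int(m.group("port"))
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {line!r}")
    # Store the compressed form so lookups with an equivalent spelling match.
    return Section(m.group("kind"), addr.compressed, port)


def parse_tls_cfg(text: str) -> Dict[Section, Dict[str, str]]:
    """Parse [section] headers and key = value lines; '#' starts a comment."""
    profiles: Dict[Section, Dict[str, str]] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = parse_header(line)
            profiles[current] = {}
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"setting outside a section or missing '=': {raw!r}")
        profiles[current][key.strip()] = value.strip()
    return profiles


def effective_profile(profiles, kind: str, address: str, port: int) -> Dict[str, str]:
    """Settings for one peer: the matching specific section, with any key it
    does not set taken from [kind:default]. (Assumed rule for this example.)"""
    default = profiles.get(Section(kind, None, None), {})
    key = Section(kind, ipaddress.ip_address(address).compressed, port)
    return {**default, **profiles.get(key, {})}


# Constructed sample, based on the sections quoted in the thread.
SAMPLE_CFG = """\
[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = no
ca_list = /etc/kamailio/kamailio.tls.ca_list.pem  # contains all client CAs

[client:204.74.213.5:5061]
require_certificate = yes
ca_list = /etc/kamailio/204.74.213.5.crt.pem

[client:[2607:5300:60:1f93::0]:5061]
ca_list = /etc/kamailio/v6peer.crt.pem   # hypothetical path
"""

if __name__ == "__main__":
    cfg = parse_tls_cfg(SAMPLE_CFG)
    for peer in (("204.74.213.5", 5061), ("2607:5300:60:1f93::", 5061)):
        print(peer, effective_profile(cfg, "client", *peer))
```

Note that an unbracketed IPv6 header such as [client:2607:5300:60:1f93::0:5061] is rejected as malformed rather than guessed at, since there is no way to tell where the address ends and the port begins; that ambiguity is why a bracketed form is needed at all.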
_______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users