It's working Re: [Serusers] SER with TLS

Jan Janak jan at iptel.org
Wed Apr 4 10:21:59 CEST 2007


Thanks a lot! I have to retest the code again. Could you do me a favor
and send me (privately) your configuration file?

  Jan.

Katty Xiong wrote:
> I replaced the function
> SSL_CTX_use_certificate_chain_file() with
> SSL_CTX_use_certificate_file() in tls_domain.c, and
> it's working now.
> 
>     //if (!SSL_CTX_use_certificate_chain_file(d->ctx[i], d->cert_file)) {
>     if (!SSL_CTX_use_certificate_file(d->ctx[i], d->cert_file, SSL_FILETYPE_PEM)) {
> 
> For SSL_CTX_use_certificate_chain_file(), I tried
> different CA, it didn't work.
> 
> thanks,
> Joy
> 
> 
> --- Katty Xiong <cyyxiong at yahoo.com> wrote:
> 
>> After I dug a bit, it seems the problem is related
>> to the certificate. 
>>
>> When I comment out the line in the configuration
>> file,
>> #modparam("tls", "cipher_list", "HIGH");
>> fill_missing (in tls_domain.c) returns -1 since the
>> following condition becomes true.
>>     if (!d->cipher_list &&
>>         shm_asciiz_dup(&d->cipher_list, parent->cipher_list) < 0) return -1;
>>     LOG(L_INFO, "%s: cipher_list='%s'\n", tls_domain_str(d), d->cipher_list);
>>
>> So though SER starts, the certificate and private key are
>> not loaded. 
>>
>> To avoid this issue, I set up the cipher_list to
>> HIGH.
>> But somehow, SER complains that:
>> tls_domain.c:229: Unable to load certificate file
>> tls_domain.c:230 load_cert:error...
>>
>> So I guess there is something wrong with the
>> certificate. What I did is as follows. Could you
>> check
>> if I made mistakes in generating CA? 
>>
>> 1. Create CA private key
>> #openssl genrsa -out ./private/cakey.pem 2048
>> 2. Create self-signed certificate
>> #openssl req -out ./cacert.pem -x509 -new -key ./private/cakey.pem
>> 3. Create a certificate request
>> #openssl req -out ser1_cert_req.pem -new -nodes
>> 4. Sign it with the CA certificate
>> #openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
>> 5. Copy ser1_cert.pem and privkey.pem to ser
>> configuration directory
>>
>> thanks,
>> Joy
>>
>>
>> --- Jan Janak <jan at iptel.org> wrote:
>>
>>> Is there anything in syslog?
>>>
>>>   Jan.
>>>
>>> Katty Xiong wrote:
>>>> Yes. I configured SER to listen on tls using
>>>> listen parameter.
>>>>
>>>> listen=tls:199.199.2.50:5061
>>>>
>>>> Actually from the system I can see TCP connection for
>>>> this tls is established. But somehow the tls process
>>>> does not respond to the ClientHello message.
>>>>
>>>> thanks,
>>>> Joy
>>>>
>>>>
>>>> --- Jan Janak <jan at iptel.org> wrote:
>>>>
>>>>> Katty Xiong wrote:
>>>>>> I am using SER ottendorf with TLS protocol and have
>>>>>> the following issues. Does anybody experience similar
>>>>>> problems? 
>>>>>>
>>>>>> SER cannot run with the following setup in the
>>>>>> configuration file: (I follow this link to setup key
>>>>>> and certificate:
>>>>>> http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/tls/README?rev=1.1&content-type=text/plain)
>>>>>> modparam("tls", "private_key", "cakey.pem")
>>>>>> modparam("tls", "certificate", "cacert.pem")
>>>>>> modparam("tls", "ca_list", "calist.pem") 
>>>>>> modparam("tls", "cipher_list", "HIGH");
>>>>>   You don't need that option unless you want to restrict the
>>>>>   list of ciphers that are available. openssl uses all available
>>>>>   ciphers by default.
>>>>>
>>>>>> With the last line commented out:
>>>>>> #modparam("tls", "cipher_list", "HIGH");
>>>>>> SER can start, but the tls connection cannot be
>>>>>> established. Network trace shows SER does not respond
>>>>>> to ClientHello sent by client.
>>>>>   A couple of quick questions:
>>>>>
>>>>>   - Have you configured SER to listen on tls using listen parameter?
>>>>>   - Are you connecting to the right port (i.e. 5061 and not 5060) ?
>>>>>
>>>>>     Jan.
>>>>>
> 
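
Added example, not part of the original thread or of SER's code: the CA and certificate steps quoted above run non-interactively, followed by three checks on the resulting files (the certificate parses, it matches the private key, it chains to the CA) that are worth running before a TLS server is pointed at them. It uses `openssl x509 -req` in place of `openssl ca`, and the function names, subject names and output directory are assumptions.

```shell
#!/bin/sh
# Added example. Subject names, directory layout and function names are constructed.

# make_test_pki DIR: throwaway CA plus one server certificate (steps 1-4).
make_test_pki() {
    dir=$1
    # 1-2. CA private key and self-signed CA certificate
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$dir/cakey.pem" -days 30 \
        -subj "/CN=Example Test CA" -out "$dir/cacert.pem" 2>/dev/null &&
    # 3. Server key and request (-nodes leaves privkey.pem unencrypted)
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/privkey.pem" \
        -subj "/CN=ser1.example.test" -out "$dir/ser1_cert_req.pem" 2>/dev/null &&
    # 4. Sign with the CA; "x509 -req" stands in for "openssl ca"
    openssl x509 -req -in "$dir/ser1_cert_req.pem" -days 30 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/ser1_cert.pem" 2>/dev/null
}

# cert_matches_key CERT KEY: succeed only if both carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_chains_to CA CERT: succeed only if CERT verifies against CA.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_tls_pair CA CERT KEY: print a one-word diagnosis; return 0 only for "ok".
check_tls_pair() {
    openssl x509 -in "$2" -noout 2>/dev/null || { echo unreadable-cert; return 1; }
    cert_matches_key "$2" "$3" || { echo key-mismatch; return 1; }
    cert_chains_to "$1" "$2" || { echo untrusted-chain; return 1; }
    echo ok
}
```

Run `make_test_pki` on an empty directory, then `check_tls_pair cacert.pem ser1_cert.pem privkey.pem` on the files it produced; the same check works on any PEM CA, certificate and key.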



