<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
<br><br>> Date: Thu, 9 Sep 2010 16:17:18 +0200<br>> From: klaus.mailinglists@pernau.at<br>> To: betergreen@live.com<br>> CC: sr-users@lists.sip-router.org<br>> Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate<br>> <br>> <br>> <br>> Am 09.09.2010 12:00, schrieb peter_green lion:<br>> ><br>> > > Date: Thu, 9 Sep 2010 11:13:19 +0200<br>> > > From: klaus.mailinglists@pernau.at<br>> > > To: betergreen@live.com<br>> > > CC: sr-users@lists.sip-router.org<br>> > > Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate<br>> > ><br>> > ><br>> > ><br>> > > Am 09.09.2010 10:17, schrieb peter_green lion:<br>> > > > hi all,<br>> > > > i have configure tls support as this link:<br>> > > > http://www.kamailio.org/docs/tls-devel.html#id2451496<br>> > > > and i add certificate to 3CX sip phone is "cacert.pem" but when i<br>> > > > register sip phone, the log file in kamailio server is :<br>> > > ><br>> > > > Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls<br>> > > > [tls_server.c:392]: SSL error:error:14094412:SSL<br>> > > > routines:SSL3_READ_BYTES:sslv3 alert bad certificate<br>> > ><br>> > > I think the means that the SIP phone sends the ALERT because the it does<br>> > > not accept the certificate of the server. So you h ave to debug why the<br>> > > SIP phone does not accept the certificate.<br>> > ><br>> > > You really should test with another SIP client first.<br>> > ><br>> > > regards<br>> > > Klaus<br>> > ><br>> > > ><br>> > > > my configure in kamailio.cfg as :<br>> > > ><br>> > > > modparam("tls", "tls_method", "TLSv1")<br>> > > > modparam("tls", "tls_method", "SSLv23")<br>> > > > modparam("tls", "certificate",<br>> > > > "/usr/local/etc/kamailio//tls/user/user-cert.pem")<br>> > > > modparam("tls", "private_key",<br>> > > > "/usr/local/etc/kamailio//tls/user/user-privkey.pem")<br>> > > > modparam("tls", "ca_list",<br>> > > > "/usr/local/etc/kamailio//tls/user/user-calist.pem")<br>> > > > modparam("tls", "verify_certificate",0 )<br>> > > > modparam("tls", "require_certificate",0 )<br>> > > ><br>> > > ><br>> > > > please suggest to fix this error.<br>> > > > thanks and regards.<br>> > > > Peter Green.<br>> > > ><br>> > > ><br>> > > ><br>> > > > _ ______________________________________________<br>> > > > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br>> > > > sr-users@lists.sip-router.org<br>> > > > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users<br>> ><br>> ><br>> > hi Klaus,<br>> > i add certificate to internet explorer, but it fail:<br>> > when i view this certificate i see that error:<br>> ><br>> > "this certificate has expired or is not yet valid"<br>> ><br>> > is mean this certificate is wrong ?<br>> <br>> Yes. It is either expired or not yet valid!<br>> ><br>> > so how do i make it correct ?<br>> <br>> Hope this ends this endless conversation<br>> <br>> http://www.kamailio.org/dokuwiki/doku.php/tls:create-certificates<br>> <br>> regards<br>> klaus<br>> <br><br>hi Klaus,<br>I hope i could close this question, but i cannot make it work.<br>i did as the document which you send me. <br>and when i test certificate with command as:<br><br>[root@appliance kamailio]# openssl s_client -connect localhost:5061 -tls1 -CAfile /etc/certs/demoCA/cert.pem<br>CONNECTED(00000003)<br>depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA<br>verify return:1<br>depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com<br>verify return:1<br>2962:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40<br>2962:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:<br><br><br>[root@appliance kamailio]# openssl s_client -connect localhost:5061 -ssl2 -CAfile /etc/certs/demoCA/cert.pem<br>CONNECTED(00000003)<br>depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA<br>verify return:1<br>depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com<br>verify return:1<br>2963:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:<br><br><br>[root@appliance kamailio]# openssl s_client -connect localhost:5061 -ssl3 -CAfile /etc/certs/demoCA/cert.pem<br>CONNECTED(00000003)<br>depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA<br>verify return:1<br>depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com<br>verify return:1<br>2964:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40<br>2964:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:<br><br>and i have the same error as last email.<br><br>please help me to handle this error.<br>thanks for help me.<br>regards,<br>Peter Green.<br>                                            </body>
</html>