<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
<br><br>> Date: Mon, 13 Sep 2010 11:40:33 +0200<br>> From: klaus.mailinglists@pernau.at<br>> To: betergreen@live.com<br>> CC: sr-users@lists.sip-router.org<br>> Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate<br>> <br>> <br>> <br>> Am 13.09.2010 11:10, schrieb peter_green lion:<br>> > enable_tls=1<br>> > tcp_async=no<br>> ><br>> > listen=tls:192.168.1.81:5060<br>> <br>> The default is for TLS is port 5061.<br>> <br>> ><br>> > modparam("tls", "tls_method", "TLSv1")<br>> > modparam("tls", "tls_method", "SSLv23")<br>> <br>> You can not use TLS and SSL - only on e or the other. SIP is <br>> standardized with TLSv1. Thus you should remove SSLv23 unless you <br>> explicitely know that the client can not handle TLSv1 (then the client <br>> would be buggy)<br>> <br>> > modparam("tls", "certificate", "ser1_cert.pem")<br>> > modparam("tls", "private_key", "privkey.pem")<br>> > modparam("tls", "ca_list", "cacert.pem")<br>> > modparam("tls", "verify_certificate", 1)<br>> <br>> <br>> > modparam("tls", "require_certificate", 1)<br>> <br>> Here is the problem: You have configured Kamailio to require a client <br>> certificate. Usually the SIP client does not have a TLS client <br>> certificate, thus Kamailio will terminate the TLS connection with <br>> handshake error. Set<br>> modparam("tls", "require_certificate", 0)<br>> and at least it should work with the "openssl s_client" tool.<br>> <br>> <br>> regards<br>> Klaus<br>> <br>> <br><br>hi Klaus and all,<br><br>i have changed all thing as you advice,<br>but it cannot work,<br>when i run command to check :<br><br>[root@appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1<br>CONNECTED(00000003)<br>depth=1 /C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40<br>verify error:num=19:self signed certificate in certificate chain<br>verify return:0<br><br>....................<br>subject=/C=vn/ST=hcm/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40<br>issuer=/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40<br>---<br>Acceptable client certificate CA names<br>/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40<br>---<br>SSL handshake has read 2256 bytes and written 299 bytes<br>---<br>New, TLSv1/SSLv3, Cipher is AES256-SHA<br>Server public key is 1024 bit<br>Secure Renegotiation IS supported<br>Compression: zlib compression<br>Expansion: zlib compression<br>SSL-Session:<br> Protocol : TLSv1<br> Cipher : AES256-SHA<br> Session-ID:<br> Session-ID-ctx:<br> Master-Key: 08F56E61E88ADF353D6EB77126706E4364F31FB31437153ABAB1A20090F8D77CE0BEA0E0B218DB6E7653FBD873E91735<br> Key-Arg : None<br> Krb5 Principal: None<br> Compression: 1 (zlib compression)<br> Start Time: 1284411539<br> Timeout : 7200 (sec)<br> Verify return code: 19 (self signed certificate in certificate chain)<br>and :<br><br>[root@appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1 -CAfile cacert.pem<br>CONNECTED(00000003)<br>2223:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:<br><br>so what is the prolem ?<br><br>thanks and regards,<br>Peter Green.<br><br><br><br> </body>
</html>