<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    As written in the previous reply I just sent, the error is not
    related to CRL handling, but to the fact that the client doesn't
    send its own certificate.<br>
    <br>
    Cheers,<br>
    Daniel<br>
    <br>
    <div class="moz-cite-prefix">On 26/10/15 19:37, Vladimer Gabunia
      wrote:<br>
    </div>
    <blockquote
      cite="mid:767F5380AA99204F816B30B238C456CF45E98397@HN-MCAS-01.hn.ge"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">
        <div style="font-size: 16px;">problem is urgent</div>
        <div style="font-size: 16px;"><br>
        </div>
        <div style="font-size: 16px;">This is my CRL list file content:</div>
        <div style="font-size: 16px;"><br>
        </div>
        <div style="font-family: Tahoma; font-size: 13.3333px;">
          <div style="font-family: 'Times New Roman'; font-size: 16px;"><br>
          </div>
          <div style="font-family: 'Times New Roman'; font-size: 16px;">When
            I enable </div>
          <div>modparam("tls", "crl",
            "/etc/kamailio/tls/Server/crl.pem")</div>
        </div>
        <div style="font-family: Tahoma; font-size: 13.3333px;"><br>
        </div>
        <div style="font-family: Tahoma; font-size: 13.3333px;">Here is
          part of the debug log:</div>
        <div style="font-family: Tahoma; font-size: 13.3333px;"><br>
        </div>
        <div style="font-family: Tahoma; font-size: 13.3333px;">
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG:
            &lt;core&gt; [ip_addr.c:243]: print_ip(): tcpconn_new: new
            tcp connection: 192.168.88.149</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG:
            &lt;core&gt; [tcp_main.c:1096]: tcpconn_new(): tcpconn_new:
            on port 56215, type 3</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG:
            &lt;core&gt; [tcp_main.c:1408]: tcpconn_add(): tcpconn_add:
            hashes: 2440:3999:3197, 5</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG:
            &lt;core&gt; [io_wait.h:390]: io_watch_add(): DBG:
            io_watch_add(0x89bf60, 47, 2, 0x7fb643de6698), fd_no=33</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG:
            &lt;core&gt; [io_wait.h:617]: io_watch_del(): DBG:
            io_watch_del (0x89bf60, 47, -1, 0x0) fd_no=34 called</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG:
            &lt;core&gt; [tcp_main.c:4302]: handle_tcpconn_ev(): tcp:
            DBG: sending to child, events 1</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG:
            &lt;core&gt; [tcp_main.c:3973]: send2child(): selected tcp
            worker 0 20(23474) for activity on
            [tls:192.168.240.254:5061], 0x7fb643de6698</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG:
            &lt;core&gt; [tcp_read.c:1510]: handle_io(): received n=8
            con=0x7fb643de6698, fd=13</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: tls
            [tls_server.c:178]: tls_complete_init(): Using TLS domain
            TLSs&lt;default&gt;</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: tls
            [tls_domain.c:700]: sr_ssl_ctx_info_callback(): SSL
            handshake started</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG:
            &lt;core&gt; [tcp_main.c:2556]: tcpconn_do_send(): tcp_send:
            sending...</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG:
            &lt;core&gt; [tcp_main.c:2590]: tcpconn_do_send(): tcp_send:
            after real write: c= 0x7fb643de6698 n=1576 fd=13</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG:
            &lt;core&gt; [tcp_main.c:2591]: tcpconn_do_send(): tcp_send:
            buf=#012#026#003#003</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG:
            &lt;core&gt; [io_wait.h:390]: io_watch_add(): DBG:
            io_watch_add(0x8e0200, 13, 2, 0x7fb643de6698), fd_no=1</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG:
            &lt;core&gt; [tcp_main.c:2556]: tcpconn_do_send(): tcp_send:
            sending...</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG:
            &lt;core&gt; [tcp_main.c:2590]: tcpconn_do_send(): tcp_send:
            after real write: c= 0x7fb643de6698 n=7 fd=13</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG:
            &lt;core&gt; [tcp_main.c:2591]: tcpconn_do_send(): tcp_send:
            buf=#012#025#003#003</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR: tls
            [tls_server.c:1186]: tls_read_f(): TLS
            accept:error:140890B2:SSL
            routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR:
            &lt;core&gt; [tcp_read.c:1281]: tcp_read_req(): ERROR:
            tcp_read_req: error reading</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG:
            &lt;core&gt; [io_wait.h:617]: io_watch_del(): DBG:
            io_watch_del (0x8e0200, 13, -1, 0x10) fd_no=2 called</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG:
            &lt;core&gt; [tcp_read.c:1437]: release_tcpconn(): releasing
            con 0x7fb643de6698, state -2, fd=13, id=5</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG:
            &lt;core&gt; [tcp_read.c:1438]: release_tcpconn():
             extra_data 0x7fb643ddf4f8</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG:
            &lt;core&gt; [tcp_main.c:3385]: handle_tcp_child():
            handle_tcp_child: reader response= 7fb643de6698, -2 from 0</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: tls
            [tls_server.c:597]: tls_h_close(): Closing SSL connection
            0x7fb643ddf4f8</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23473]: DEBUG:
            websocket [ws_conn.c:459]: wsconn_get_list():
            wsconn_get_list</div>
          <div>Oct 26 22:34:38 lip /usr/sbin/kamailio[23473]: DEBUG:
            websocket [ws_conn.c:502]: wsconn_get_list():
            wsconn_get_list returns list [(nil)] with [0] members</div>
          <div>Oct 26 22:34:39 lip /usr/sbin/kamailio[23473]: DEBUG:
            websocket [ws_conn.c:459]: wsconn_get_list():
            wsconn_get_list</div>
          <div>Oct 26 22:34:39 lip /usr/sbin/kamailio[23473]: DEBUG:
            websocket [ws_conn.c:502]: wsconn_get_list():
            wsconn_get_list returns list [(nil)] with [0] members</div>
        </div>
        <div style="font-family: Tahoma; font-size: 13.3333px;"><br>
        </div>
        <div style="font-family: Tahoma; font-size: 13.3333px;"><br>
        </div>
        <div style="font-family: Times New Roman; color: #000000;
          font-size: 16px">
          <hr tabindex="-1">
          <div id="divRpF221708" style="direction: ltr;"><font
              face="Tahoma" color="#000000" size="2"><b>From:</b>
              sr-users [<a class="moz-txt-link-abbreviated" href="mailto:sr-users-bounces@lists.sip-router.org">sr-users-bounces@lists.sip-router.org</a>] on behalf
              of Daniel-Constantin Mierla [<a class="moz-txt-link-abbreviated" href="mailto:miconda@gmail.com">miconda@gmail.com</a>]<br>
              <b>Sent:</b> Monday, October 26, 2015 12:05 PM<br>
              <b>To:</b> Kamailio (SER) - Users Mailing List<br>
              <b>Subject:</b> Re: [SR-Users] Q: about CRL list (TLS)<br>
            </font><br>
          </div>
          <div>Hello,<br>
            <br>
            <div class="moz-cite-prefix">On 25/10/15 13:10, Vladimer
              Gabunia wrote:<br>
            </div>
            <blockquote type="cite">
              <style type="text/css" id="owaParaStyle"></style>
              <div style="direction:ltr; font-family:Tahoma;
                color:#000000; font-size:10pt">
                <div>Hello all.</div>
                <div>We compiled Kamailio with TLS support, but have the
                  following problem when using a CRL list.</div>
                <div>Our certificate issuing scheme is as follows:</div>
                <div>Offline Root CA -&gt; Enterprise SubCA -&gt; Server
                  and Phone Certificate</div>
                <div>The CRL list is signed by the SubCA.</div>
                <div>The option "require client certificate" is enabled (1).</div>
                <div>When we enable the CRL list, phones are not registered.</div>
                <div>The CA file is the offline Root CA certificate in PEM
                  format.</div>
                <div>We think that the reason is that the CRL was signed by
                  the SubCA, or an incorrect CRL format.</div>
                <div>The CRL is converted from MS CRL to PEM. (What is the
                  format for the CRL?)</div>
                <div>Maybe someone has experience with similar
                  scenarios?</div>
              </div>
            </blockquote>
            the readme file of the tls module has some documentation
            about crl:<br>
            <br>
            <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.kamailio.org/docs/modules/stable/modules/tls.html#tls.p.crl"
              target="_blank">http://www.kamailio.org/docs/modules/stable/modules/tls.html#tls.p.crl</a><br>
            <br>
            You can also try to run with debug=3 in kamailio.cfg and see
            more debug messages about what happens internally.<br>
            <br>
            Cheers,<br>
            Daniel<br>
            <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://twitter.com/#%21/miconda" target="_blank">http://twitter.com/#!/miconda</a> - <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda" target="_blank">http://www.linkedin.com/in/miconda</a>
Book: SIP Routing With Kamailio - <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.asipto.com" target="_blank">http://www.asipto.com</a>
Kamailio Advanced Training, Nov 30-Dec 2, Berlin - <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://asipto.com/kat" target="_blank">http://asipto.com/kat</a></pre>
          </div>
        </div>
      </div>
      <hr>
      <div><img moz-do-not-send="true" alt="gh.ge"
          src="http://gh.ge/img/logo/logo.png"></div>
      <font color="#5194AC"><b>Vladimer Gabunia</b><br>
        Head of IT Department <br>
        <font size="small">Tel: (+995) 32 2505222 +8183 <br>
          Mob: (995) 577 095333<br>
          "Geo Hospitals" LLC <br>
          Head Office<br>
          Tbilisi 0160, 16 Vazha-Pshavela Ave.;<br>
          <a moz-do-not-send="true" href="http://gh.ge">http://www.gh.ge
          </a><br>
        </font></font>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
Book: SIP Routing With Kamailio - <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
Kamailio Advanced Training, Nov 30-Dec 2, Berlin - <a class="moz-txt-link-freetext" href="http://asipto.com/kat">http://asipto.com/kat</a></pre>
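    <div>Added example, not part of the original thread or of Kamailio's code: a small log triage script that decodes the packed OpenSSL error code in the tls module's ERROR line and tells a missing client certificate (the 140890B2 case above) apart from a certificate that was presented and rejected, which is the only case where the CRL can matter. The function and table names are hypothetical, the bit layout assumed is that of OpenSSL 1.0.x, and the last sample log line is constructed for contrast.</div>

```python
import re

# OpenSSL 1.0.x packs an error code as lib (8 bits) | function (12) | reason (12).
ERR_LIB_SSL = 0x14
# Reason codes from OpenSSL 1.0.x ssl.h, with whether CRL checking was reached.
REASONS = {
    0x0B2: ("no certificate returned", False),   # client never presented a cert
    0x086: ("certificate verify failed", True),  # cert presented, then rejected
}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)")
PID_RE = re.compile(r"kamailio\[(\d+)\]")

# The first two lines come from the log in this thread; the last one is
# constructed to show what a verification failure looks like.
SAMPLE_LOG = """\
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: tls [tls_domain.c:700]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR: tls [tls_server.c:1186]: tls_read_f(): TLS accept:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Oct 26 22:40:00 lip /usr/sbin/kamailio[23474]: ERROR: tls [tls_server.c:1186]: tls_read_f(): TLS accept:error:14089086:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:certificate verify failed
"""

def decode(code_hex):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_text):
    """Return one finding per OpenSSL error string found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        lib, _func, reason = decode(m.group(1))
        known = REASONS.get(reason) if lib == ERR_LIB_SSL else None
        pid = PID_RE.search(line)
        findings.append({
            "pid": int(pid.group(1)) if pid else None,
            "function": m.group(3),
            "reason": reason,
            "text": known[0] if known else m.group(4).strip(),
            # None means the reason code is not in the table above.
            "crl_relevant": known[1] if known else None,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```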
  </body>
</html>