[OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

Bogdan-Andrei Iancu bogdan at opensips.org
Tue Jul 25 11:27:22 EDT 2017


I have to admit that you have to "know how to read the SSL errors" in 
order to really understand the root problem :) . Now that you have found 
the issue, if we look back at the error description "verify 
error:num=20:unable to get local issuer certificate", it makes sense - 
SSL complains it did not find the Comodo CA in order to validate the 
certificate presented by the TLS client (which was probably signed by 
Comodo).

Best regards,

Bogdan-Andrei Iancu
   OpenSIPS Founder and Developer
   http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/25/2017 05:27 PM, Callum Guy wrote:
> Hi Bogdan,
>
> Thanks for your response. Based on your advice I performed a full 
> packet capture on the handshake and established that a certificate was 
> indeed being presented.
>
> Following up on this I managed to establish that the problem was a 
> missing intermediate CA in the certificate chain, specifically:
>
> https://support.comodo.com/index.php?/Knowledgebase/Article/View/975/108/intermediate-2-sha-2-comodo-rsa-extended-validation-secure-server-ca
>
> The error message presented by OpenSIPS was certainly misleading in 
> this case. For others' benefit, the approach for installing a new CA is 
> super simple:
>
>  1. create the file in /etc/pki/ca-trust/source/anchors
>     (i.e. comodo-ca-rsa-ev-secure-server.pem)
>  2. run "update-ca-trust" with root privs
>
> Problem solved.
>
> Have a good day all!
>
> Callum
>
> On Tue, Jul 25, 2017 at 2:48 PM Bogdan-Andrei Iancu 
> <bogdan at opensips.org <mailto:bogdan at opensips.org>> wrote:
>
>     Hi Callum,
>
>     The error may indicate the fact that the TLS client does not
>     present a TLS certificate while connecting to your OpenSIPS. This
>     has nothing to do with the TLS multi domain, which anyhow is
>     supported. As a test, you can create a separate TLS domain
>     (server) bound to the IP of that TLS client, with the
>     require_certificate option turned off.
>
>     Best Regards,
>
>     Bogdan-Andrei Iancu
>        OpenSIPS Founder and Developer
>        http://www.opensips-solutions.com
>
>     OpenSIPS Bootcamp 2017, Houston, US
>        http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
>
>     On 07/25/2017 03:26 PM, Callum Guy wrote:
>>     Hi All,
>>
>>     Running: opensips-2.3.1-1.el7.x86_64 / CentOS 7
>>
>>     I have been working with new TLS connections and have been having
>>     problems validating their client certificate. My OpenSIPS
>>     configuration works fine for other providers (i.e. Twilio);
>>     however, I am seeing the following error messages reported while
>>     verify_cert is enabled:
>>
>>     Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: depth = 0
>>     Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: subject = /serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com
>>     Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local issuer certificate
>>     Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error code is 20 (check x509_vfy.h)
>>     Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify return:0
>>     Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept: New TLS connection from 178.22.140.34:34281 failed to accept
>>     Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>     Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
>>
>>     Part of my reason for resorting to the mailing list is old
>>     mailing list emails discussing that multi-domain certificates are
>>     not supported by OpenSIPS - is anyone able to confirm whether this
>>     remains a problem?
>>
>>     The openssl error code 20 is translated as
>>     X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>>
>>     I have seen other reports that this issue may be related to an
>>     improperly chained certificate - does this sound at all likely?
>>
>>     Any tips on debugging would be greatly appreciated, thanks.
>>
>>     Callum
>>     -- 
>>     Callum Guy
>>     Head of Information Security
>>     X-on
>>
>>
>>     0333 332 0000 | www.x-on.co.uk | https://www.linkedin.com/company/x-on |
>>     https://www.facebook.com/XonTel | https://twitter.com/xonuk
>>     X-on is a trading name of Storacall Technology Ltd a limited
>>     company registered in England and Wales.
>>     Registered Office : Avaland House, 110 London Road, Apsley, Hemel
>>     Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
>>     The information in this e-mail is confidential and for use by the
>>     addressee(s) only. If you are not the intended recipient, please
>>     notify X-on immediately on +44(0)333 332 0000 and delete the
>>     message from your computer. If you are not a named addressee you
>>     must not use, disclose, disseminate, distribute, copy, print or
>>     reply to this email. Views or opinions expressed by an individual
>>     within this email may not necessarily reflect the views of X-on
>>     or its associated companies. Although X-on routinely screens for
>>     viruses, addressees should scan this email and any attachments
>>     for viruses. X-on makes no representation or warranty as to the
>>     absence of viruses in this email or any attachments.
>>
>>
>>
>>     _______________________________________________
>>     Users mailing list
>>     Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>     http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>

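The diagnosis in the thread (error 20 reported at depth 0, fixed by dropping the Comodo intermediate into /etc/pki/ca-trust/source/anchors) can be reproduced end to end with a throwaway PKI. The script below is an added example and is not code from the thread or from the OpenSIPS project; it needs only the openssl command-line tool, and every name, subject and path in it is made up for the demonstration. It builds a root CA, an intermediate CA and a client certificate, then asks openssl to verify the client certificate under four different trust set-ups: root only (the thread's symptom), root plus the intermediate supplied by the peer (the client-side fix, which is what a TLS client should do in its handshake), root plus the intermediate in the local trust store (what Callum did, modelled here as a concatenated CAfile instead of update-ca-trust), and the intermediate alone (which still fails, with error 2 at depth 1, unless partial chains are allowed, because the root has to be trusted too; on a CentOS box the Comodo root presumably already is, via the system bundle).

```shell
#!/bin/sh
# Added example, not part of the OpenSIPS thread: build a toy PKI
# (root CA -> intermediate CA -> client certificate) with openssl and
# reproduce X509 error 20 ("unable to get local issuer certificate"),
# the code OpenSIPS' verify_callback logged, when the intermediate CA is
# neither sent by the client nor present in the local trust store.
# All names, subjects and paths below are constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: one extension profile for CAs, one for the leaf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

quiet() { "$@" >/dev/null 2>&1; }

# Root CA (self-signed).
quiet openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Toy Root CA" -days 30 -config pki.cnf -extensions ca_ext
# Intermediate CA, signed by the root.
quiet openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Toy Intermediate CA" -config pki.cnf
quiet openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 30 -extfile pki.cnf -extensions ca_ext
# Client certificate, signed by the intermediate (what the SIP peer presents).
quiet openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=client.example.test" -config pki.cnf
quiet openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out client.pem -days 30 -extfile pki.cnf -extensions leaf_ext

# Verify client.pem as a TLS client certificate under the given trust options
# and reduce openssl's output to "OK" or "error <code> at <depth> depth".
chain_status() {
    out="$(openssl verify -purpose sslclient "$@" "$WORK/client.pem" 2>&1)" || true
    case "$out" in
        *": OK"*) echo "OK" ;;
        *) printf '%s\n' "$out" |
             sed -n 's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/error \1 at \2 depth/p' |
             head -n 1 ;;
    esac
}

# Case 1: trust store holds only the root, client sends only its own cert.
# No issuer can be found for depth 0 -> error 20, the thread's symptom.
echo "root only:            $(chain_status -CAfile "$WORK/root.pem")"

# Case 2: the client includes the intermediate in its handshake (-untrusted
# models certificates supplied by the peer). The proper client-side fix.
echo "peer sends chain:     $(chain_status -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem")"

# Case 3: the operator adds the intermediate to the local trust store, the
# equivalent of copying it into /etc/pki/ca-trust/source/anchors and running
# update-ca-trust (modelled here as a plain concatenated CAfile).
cat root.pem inter.pem > trust.pem
echo "intermediate trusted: $(chain_status -CAfile "$WORK/trust.pem")"

# Caveat: the intermediate alone is not a complete trust store; openssl still
# wants to reach a self-signed root (error 2 at depth 1) unless told that a
# chain may stop at any trusted certificate.
echo "intermediate only:    $(chain_status -CAfile "$WORK/inter.pem")"
echo "with -partial_chain:  $(chain_status -CAfile "$WORK/inter.pem" -partial_chain)"
```

Reading the depth in the error is the key: "error 20 at 0 depth" means the verifier could not find an issuer for the peer's own certificate, so either the peer is not sending its intermediate or the intermediate is not in your store; an error reported at depth 1 or higher points at the CA chain above it instead.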