[Users] Problem registering the UA with openSER(tls enabled)

Ncheeku Baranov opensersubscribe at gmail.com
Fri Dec 29 15:52:05 CET 2006


You are correct, so just for the trial purposes if I want the TLS handshake
to be successful what credentials for the client should I use? i.e. can I do
something like:

openssl s_client -cert user-cert.pem -key user-privkey.pem -state -connect 10.30.00.41:5061

On doing this, it comes back with an error saying Verify Return Code: 21
(Unable to verify the first certificate). Should I be using new certificates,
or can I achieve a successful handshake with the same set of certificates?

Thanks a lot..
Ncheeku

On 12/29/06, Steffen Witt <witt.steffen at googlemail.com> wrote:
>
> Hello,
>
> openssl can play client and/or server role.
>
>
> Best regards,
> Steffen
>
>
> 2006/12/29, Ncheeku Baranov <opensersubscribe at gmail.com>:
> > Thanks Steffen. Is there any freely available TLS client which can be used
> > to check these settings and the handshake? That will be really helpful..
> >
> > Best regards,
> > NCheeku
> >
> >
> >
> > On 12/28/06, Steffen Witt <witt.steffen at googlemail.com> wrote:
> > > Hello Ncheeku,
> > >
> > > > change to the directory with your ".pem" files: /usr/local/etc/openser/tls/user
> > >
> > >
> > > Then you can test your TLS handshake with the following command:
> > >
> > > > openssl s_server -cert user-cert.pem -key user-privkey.pem -state -accept 5061
> > >
> > > Openssl simulates a TLS server with your certificate/private key files
> > > and it accepts only requests at port 5061.
> > >
> > >
> > > Best regards,
> > > Steffen
> > >
> > >
> > >
> > > 2006/12/28, Ncheeku Baranov <opensersubscribe at gmail.com>:
> > > > > Thanks a lot Steffen. Adding the new listen = udp: 10.30.100.41:5060 indeed
> > > > > worked. How can I check the TLS handshake using openssl at the server?
> > > > > Thanks a lot..
> > > >
> > > >
> > > >
> > > > > On 12/28/06, Steffen Witt <witt.steffen at googlemail.com> wrote:
> > > > > Hello again,
> > > > >
> > > > > maybe you should add the following line to test your non-TLS UAs:
> > > > >
> > > > > disable_tls = 0
> > > > > listen = udp:10.30.100.41:5060   <---
> > > > > listen = tls:10.30.100.41:5061
> > > > >
> > > > >
> > > > > > You can check your TLS handshake by simulating your server with openssl.
> > > > >
> > > > >
> > > > > > Please have a look at the following link that describes the TLS support:
> > > > >
> > > > > http://www.openser.org/docs/tls.html
> > > > >
> > > > >
> > > > > Best regards,
> > > > > Steffen
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > 2006/12/28, Ncheeku Baranov < opensersubscribe at gmail.com>:
> > > > > > Hi,
> > > > > >
> > > > > > > I am trying to make my non-TLS/TLS UA register with my TLS enabled openSER.
> > > > > > > Currently I am just working on my local machine with the client UAs on the
> > > > > > > same subnet (so there is only one domain, but it's not named). Below is my
> > > > > > > configuration file:
> > > > > >
> > > > > > disable_tls = 0
> > > > > > listen = tls:10.30.100.41:5061
> > > > > > tls_verify_server = 1
> > > > > > tls_verify_client = 0
> > > > > > tls_require_client_certificate = 0
> > > > > > tls_method = TLSv1
> > > > > > > tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
> > > > > > > tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"
> > > > > > > tls_ca_list = "usr/local/etc/openser/tls/user/user-calist.pem"
> > > > > >
> > > > > > > However, with the above configuration the client UAs could not register and I
> > > > > > > got a 408 Request Timeout message. Is there any field that is missing to make
> > > > > > > this simple scenario work? What should be the values of the "tls_client_domain"
> > > > > > > and "tls_server_domain" fields in this case?
> > > > > >
> > > > > > > I noticed that when I start openSER without TLS support using
> > > > > > > "openserctl start" and do "ps -e" after that, there are more openSER
> > > > > > > processes running than if I start openSER with TLS support, in which case I
> > > > > > > see very few of these processes running.
> > > > > >
> > > > > > Your help is much appreciated....
> > > > > >
> > > > > > Best regards,
> > > > > > NCheeku
> > > > > >
> > > > >
> > > >
> > > >
> > >
> >
> >
>
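
The verify return code 21 asked about at the top of this thread can be reproduced in a local lab. This is an added example, not part of the original messages: a throwaway CA signs a server certificate, `openssl s_server` presents it, and `openssl s_client` connects once without and once with `-CAfile` pointing at the issuing CA. The temporary directory, the CN values, the ports and the `-www` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example. Constructed lab values: temp directory, CN strings, port 15061.
# Prints two "Verify return code" numbers: without and with the issuing CA.

client_code() {   # $1 = port, remaining args = extra s_client options
    port=$1; shift
    openssl s_client -connect "127.0.0.1:$port" "$@" </dev/null 2>/dev/null |
        sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

handshake_codes() {   # $1 = TCP port for the throwaway s_server
    port=${1:-15061}
    lab=$(mktemp -d) || return 1
    # Throwaway CA, then a server certificate signed by it
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Test CA" \
        -keyout "$lab/ca-key.pem" -out "$lab/ca-cert.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.lab.example" \
        -keyout "$lab/user-privkey.pem" -out "$lab/user.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$lab/user.csr" -days 1 -CAcreateserial \
        -CA "$lab/ca-cert.pem" -CAkey "$lab/ca-key.pem" \
        -out "$lab/user-cert.pem" 2>/dev/null || return 1
    # -www keeps the backgrounded server from acting on end-of-input on stdin
    openssl s_server -cert "$lab/user-cert.pem" -key "$lab/user-privkey.pem" \
        -accept "$port" -www >/dev/null 2>&1 &
    srv=$!
    # Client has no trust anchor for the lab CA; retry until the server listens
    for try in 1 2 3 4 5; do
        sleep 1
        no_ca=$(client_code "$port")
        [ -n "$no_ca" ] && break
    done
    # Client is given the issuing CA certificate as its trust anchor
    with_ca=$(client_code "$port" -CAfile "$lab/ca-cert.pem")
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    rm -rf "$lab"
    echo "$no_ca $with_ca"
}

handshake_codes "${1:-15061}"
```

The first number is the code s_client reports when it cannot chain the server certificate to a trusted issuer; the second is the code once the issuing CA certificate is supplied.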