[Users] TLS problem

Tao voiper at ureetone.com
Wed Jun 14 18:15:34 CEST 2006


hi guys,

happy OpenSER's 1st Anniversary and happy world cup!


I configure the TLS on OpenSER-1.0.1 release, but it doesn't work well.
i searched on the web and found the discussion (attach it below) which posted monthes ago, 
my problem is very similar to it.
but i can't find any conclusion about this discussion.
Does anyone has resolved the similar problem, can you share the experiences?
thanks in advance.

my openssl's version is 0.9.8a
when used snom360 to connect openser via tls, it blocked and freezed after receive ServerHelloDone.
windows messenger 5.1 can go further, but still popup the "There was a problem verifying the certificate..." msg.
and openser print the error are SSL_ERROR_WANT_READ and SSL_ERROR_SYSCALL...

my certificate should be right, i have checked and regenerated it heaps of times...

----------------------------------------

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       voipsec
Subject:    Re: [VOIPSEC] Snom Softphone with TLS and Openser
From:       dennis <m8939605 () yahoo ! com ! tw>
Date:       2006-02-24 13:44:01
Message-ID: 20060224134401.62975.qmail () web17506 ! mail ! tpe ! yahoo ! com
[Download message RAW]

Hi Martin,

I folllow your method, but I still have somme problem.

1.After receive ClientHello, openser will be
terminated.
  my openser is 1.0.0
1 1  0.0023 (0.0023)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_NULL_MD5
        TLS_RSA_WITH_NULL_SHA
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_DH_anon_WITH_RC4_128_MD5
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_DH_anon_WITH_DES_CBC_SHA
        compression methods
                  NULL
1    0.2734 (0.2710)  S>C  TCP FIN
 ///////////////////////////////////
2. Add the tls_ciphers_list="NULL-SHA:NULL-MD5",
openser was ok, but snom soft phone was stuck
immediately after starting and did not accept any
input via the user interface.

1 1  0.0894 (0.0894)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_NULL_MD5
        TLS_RSA_WITH_NULL_SHA
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_DH_anon_WITH_RC4_128_MD5
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_DH_anon_WITH_DES_CBC_SHA
        compression methods
                  NULL
1 2  0.0913 (0.0018)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          86 63 02 13 cd 51 12 d8 02 61 aa cc 66 63 84
d8
          21 42 01 8e c1 d6 8e b0 c3 b6 d1 26 68 73 0d
02
        cipherSuite         TLS_RSA_WITH_NULL_MD5
        compressionMethod                   NULL
1 3  0.0913 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0913 (0.0000)  S>C  Handshake
      ServerHelloDone
1    131.0737 (130.9823)  S>C  TCP FIN

When you re-executed the program, the ceritificate
will be clean away. I thought that the soft phone lost
it's certificate, so it hang on.
Another root causer may be openssl (0.97f), I will try
to upgrade or reinstall it.
///////////////////////////////////////
In my environment, Windows Messenger always has some
problems with Openser, when openser sent certificate,
WM  always pop up a error messange. 

3 1  0.8193 (0.8193)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                  NULL
3 2  0.8199 (0.0006)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31
92
          1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04
32
        cipherSuite        
TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compressionMethod                   NULL
3 3  0.8199 (0.0000)  S>C  Handshake
      Certificate
3 4  0.8199 (0.0000)  S>C  Handshake
      ServerHelloDone
////////////////////////////////////
But after replaced key size from 2048 to 1024, there
was improvement in Windows Messenger, although it
still pop up the same error.

3 1  0.8193 (0.8193)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                  NULL
3 2  0.8199 (0.0006)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31
92
          1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04
32
        cipherSuite        
TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compressionMethod                   NULL
3 3  0.8199 (0.0000)  S>C  Handshake
      Certificate
3 4  0.8199 (0.0000)  S>C  Handshake
      ServerHelloDone
3 5  0.8701 (0.0501)  C>S  Handshake
      ClientKeyExchange
3 6  0.8701 (0.0000)  C>S  ChangeCipherSpec
3 7  0.8701 (0.0000)  C>S  Handshake
3 8  0.8736 (0.0035)  S>C  ChangeCipherSpec
3 9  0.8738 (0.0001)  S>C  Handshake
3    1.6979 (0.8241)  C>S  TCP FIN
3 10 1.6985 (0.0006)  S>C  Alert
3    1.6986 (0.0000)  S>C  TCP FIN

The Alert was not a standard TLS alert description, so
I can't analyze it.
The Alter messange is below:
15 03 01 00 18 fe ef bc 84 a3 c7 8c 8c a5 91 e7 da e1
7c
            ^^^^^^^^ (there are some problems.....)
06 ee 35 9d 32 21 ec ef 8c 79 




--- Christian Stredicke <Christian.Stredicke at snom.de>
»¡¡G

> Instead of using DNS SRV you can also use a
> transport parameter in the
> outbound proxy. E.g.
> 
> server.example.at:5061;transport=tls
> 
> Christian
> 
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org 
> > [mailto:Voipsec-bounces at voipsa.org] On Behalf Of
> Martin Petraschek
> > Sent: Thursday, February 23, 2006 5:01 AM
> > To: Voipsec at voipsa.org
> > Subject: [VOIPSEC] Snom Softphone with TLS and
> Openser
> > 
> > Hi all,
> > 
> > I just wanted to share the experiences I made when
> trying to 
> > get the Snom 360 Softphone to work with TLS
> support together 
> > with Openser. Maybe my findings can be of use for
> other 
> > people having similar problems.
> > 
> > The Snom Softphone is one of the few Softphones I
> am aware of 
> > that support TLS as well as RTP encryption.
> Unfortunately it 
> > is not Open Source, but the binary is freely
> available at 
> > http://www.snom.com/download/snom360-5.3.exe
> > 
> > When trying to use TLS, one might be disappointed
> that the 
> > configuration menus do not offer any setting like
> "enable 
> > TLS". This is because the Snom phone uses DNS SRV
> queries in 
> > order to find out which connection method to use.
> The first 
> > task is therefore to configure SRV records of the
> DNS server. 
> > For bind, the following lines did the trick:
> > 
> > example.at.   IN NAPTR 10 50 "s" "SIPS+D2T" ""
> _sips._tcp.example.at.
> > example.at.   IN NAPTR 20 50 "s" "SIP+D2U" ""
> _sip._udp.example.at.
> > example.at.   IN NAPTR 30 50 "s" "SIP+D2T" ""
> _sip._tcp.example.at.
> > 
> > ; ----- SRV records -----
> > _sip._udp               IN SRV 0 0 5060
> server.example.at.
> > _sip._tcp               IN SRV 0 0 5060
> server.example.at.
> > _sips._tcp              IN SRV 0 0 5061
> server.example.at.
> > 
> > 
> > After that, the Snom phone tried to contact the
> SIP server via TLS. 
> > However, the program was stuck immediately after
> starting and 
> > did not accept any input via the user interface. I
> inspected 
> > the network traffic it generated with the help of
> the tool 
> > ssldump, which showed the following:
> > 
> > server:/etc/openser/tools# ssldump -i eth0 port
> 5061 New TCP 
> > connection #1: user.example.at(3695) <->
> server.example.at(5061)
> > 1 1  0.0124 (0.0124)  C>S  Handshake
> > ClientHello
> > Version 3.1
> > cipher suites
> > TLS_RSA_WITH_RC4_128_MD5
> > TLS_RSA_WITH_RC4_128_SHA
> > TLS_RSA_WITH_NULL_MD5
> > TLS_RSA_WITH_NULL_SHA
> > TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
> > TLS_DH_anon_WITH_RC4_128_MD5
> > TLS_RSA_WITH_DES_CBC_SHA
> > TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> > TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> > TLS_DH_anon_WITH_DES_CBC_SHA
> > compression methods
> > NULL
> > 1 2  0.0145 (0.0021)  S>C  Handshake
> > ServerHello
> > Version 3.1
> > session_id[32]=
> > 5d a6 8d 61 58 ed c6 08 ae 76 d1 eb 24
> 82 6a c3
> > 2e 12 4c 29 17 7b 80 bf 1d 98 82 2c 67
> 53 ab f0
> > cipherSuite        
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> > compressionMethod                   NULL
> > 1 3  0.0146 (0.0000)  S>C  Handshake
> > Certificate
> > 1 4  0.0146 (0.0000)  S>C  Handshake
> > CertificateRequest
> > certificate_types                  
> rsa_sign
> > certificate_types                  
> dss_sign
> > ServerHelloDone
> > 1    9.5153 (9.5006)  C>S  TCP RST
> > 
> > 
> > I noticed that the chosen ciphersuite was 1024 bit
> RSA. 
> > Checking the certificate file 
> > /etc/openser/tls/user/user-cert.pem, I found that
> the 
> > certificate configured for openser is 2048 bit! To
> overcome 
> > this problem, I changed the configuration files
> ca.conf and 
> > user.conf as well as gen_rootCA.sh (just replaced
> 2048 with 
> > 1024 at every occurence). 
> > After re-generating the certificates and restaring
> openser, 
> > the TLS connection finally worked like a charm.
> > 
> > Cheers,
> > 
> > Martin
> > 
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > 
> 
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> > 
> > 
> > 
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> 
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 





More information about the Users mailing list