[OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation
Callum Guy
callum.guy at x-on.co.uk
Tue Jul 25 10:27:20 EDT 2017
Hi Bogdan,
Thanks for your response. Based on your advice I performed a full packet
capture on the handshake and established that a certificate was indeed
being presented.
Following up on this I managed to establish that the problem was a missing
intermediary CA in the certificate chain, specifically:
https://support.comodo.com/index.php?/Knowledgebase/Article/View/975/108/intermediate-2-sha-2-comodo-rsa-extended-validation-secure-server-ca
The error message presented by OpenSIPS was certainly misleading in this
case. For others' benefit, the approach for installing a new CA is super
simple:
1. create the file in /etc/pki/ca-trust/source/anchors
(i.e. comodo-ca-rsa-ev-secure-server.pem)
2. run "update-ca-trust" with root privs
Problem solved.
Have a good day all!
Callum
On Tue, Jul 25, 2017 at 2:48 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
wrote:
> Hi Callum,
>
> The error may indicate the fact that the TLS client does not present a TLS
> certificate while connecting to your OpenSIPS. This has nothing to do with
> the TLS multi domain, which anyhow is supported. As a test, you can
> create a separate TLS domain (server) bound to the IP of that TLS client,
> with the require_certificate option turned off.
>
> Best Regards,
>
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> http://www.opensips-solutions.com
>
> OpenSIPS Bootcamp 2017, Houston, US
> http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
>
> On 07/25/2017 03:26 PM, Callum Guy wrote:
>
> Hi All,
>
> Running: opensips-2.3.1-1.el7.x86_64 / CentOS 7
>
> I have been working with a new TLS connection and have been having problems
> validating their client certificate. My OpenSIPS configuration works fine
> for other providers (e.g. Twilio); however, I am seeing the following error
> messages reported while verify_cert is enabled:
>
> Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: depth = 0
> Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: subject = /serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com
> Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local issuer certificate
> Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error code is 20 (check x509_vfy.h)
> Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify return:0
> Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept: New TLS connection from 178.22.140.34:34281 failed to accept
> Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
>
> Part of my reason for resorting to the mailing list is old mailing list
> emails discussing that multi-domain certificates are not supported by
> OpenSIPS - is anyone able to confirm if this remains a problem?
>
> The openssl error code 20 is translated as
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>
> I have seen other reports that this issue may be related to an improperly
> chained certificate - does this sound at all likely?
>
> Any tips on debugging would be greatly appreciated, thanks.
>
> Callum
> --
> Callum Guy
> Head of Information Security
> X-on
>
>
> 0333 332 0000 | www.x-on.co.uk <http://www.x-on.co.uk> | <https://www.linkedin.com/company/x-on> <https://www.facebook.com/XonTel> <https://twitter.com/xonuk>
> X-on is a trading name of Storacall Technology Ltd a limited company
> registered in England and Wales.
> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> The information in this e-mail is confidential and for use by the
> addressee(s) only. If you are not the intended recipient, please notify
> X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and
> delete the
> message from your computer. If you are not a named addressee you must not
> use, disclose, disseminate, distribute, copy, print or reply to this email. Views
> or opinions expressed by an individual
> within this email may not necessarily reflect the views of X-on or its
> associated companies. Although X-on routinely screens for viruses,
> addressees should scan this email and any attachments
> for viruses. X-on makes no representation or warranty as to the absence of
> viruses in this email or any attachments.
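The chain problem diagnosed in this thread, reproduced as an added example that is not code from the OpenSIPS project or from anyone on the list. It builds a constructed root -> intermediate -> client certificate chain in a temporary directory with openssl, shows that verifying the client certificate against a trust store holding only the root fails exactly as in the log above (depth 0, error 20, "unable to get local issuer certificate"), and then shows the two ways the error goes away: the peer presenting its intermediate in the handshake, or the intermediate being installed as a local anchor, which is what update-ca-trust did here. It assumes OpenSSL 1.1.1 or later on PATH; the CA names, the host name and the temp-dir layout are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the OpenSIPS project or the thread's authors.
# Assumes OpenSSL >= 1.1.1 on PATH. Every CA/host name below is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate an EC key and CSR for the given base name ($1) and CN ($2).
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Build root -> intermediate -> client (leaf) in $WORK.
make_chain() {
  # Extension profile shared by the two CA certificates.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' \
                'subjectKeyIdentifier=hash' \
                'authorityKeyIdentifier=keyid' > "$WORK/ca.ext"
  # Extension profile for the end-entity (TLS client) certificate.
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                'keyUsage=critical,digitalSignature' \
                'extendedKeyUsage=clientAuth' \
                'subjectKeyIdentifier=hash' \
                'authorityKeyIdentifier=keyid' > "$WORK/leaf.ext"

  new_csr root "Demo Root CA"                       # self-signed root
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  new_csr int "Demo Intermediate CA"                # signed by the root
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  new_csr leaf "sip-client.example.test"            # signed by the intermediate
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Print the issuer DN of a certificate. When verify fails at depth 0 this is
# the first thing to look at: it names the CA certificate that is missing.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# Verify the leaf against a trust bundle ($1). Extra arguments are passed to
# 'openssl verify' (e.g. -untrusted int.pem to model a peer that sends its
# intermediate). Prints a one-word verdict instead of the raw output.
verify_leaf() {
  bundle=$1; shift
  out=$(openssl verify -CAfile "$bundle" "$@" "$WORK/leaf.pem" 2>&1) || true
  case "$out" in
    *"unable to get local issuer certificate"*) echo "ERR20_UNABLE_TO_GET_ISSUER_CERT_LOCALLY" ;;
    *": OK"*)                                   echo "OK" ;;
    *)                                          echo "OTHER"; printf '%s\n' "$out" >&2 ;;
  esac
}

make_chain
echo "leaf $(issuer_of "$WORK/leaf.pem")"
# 1. Trust store holds only the root and the peer omits its intermediate:
#    the situation in the thread (depth 0, X509 error 20).
echo "root trusted, no intermediate:   $(verify_leaf "$WORK/root.pem")"
# 2. Same trust store, but the peer presents the intermediate in its chain.
echo "root trusted, peer sends chain:  $(verify_leaf "$WORK/root.pem" -untrusted "$WORK/int.pem")"
# 3. The intermediate is installed as a local anchor alongside the root
#    (the effect of dropping it into the anchors directory and running update-ca-trust).
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/anchors.pem"
echo "intermediate added as anchor:    $(verify_leaf "$WORK/anchors.pem")"
```

Run it against a real capture by replacing the constructed leaf with the certificate extracted from the handshake: issuer_of tells you which CA is missing, and the three verify_leaf calls tell you whether the fix belongs on the peer's side (send the chain) or on yours (add the anchor). Note that trusting an intermediate directly, as option 3 does, widens trust beyond that one peer to everything the intermediate has signed; pinning the expected subject in OpenSIPS routing logic is a separate control this example does not cover.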