[OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

Callum Guy callum.guy at x-on.co.uk
Tue Jul 25 11:58:28 EDT 2017


It's always easy to overlook the content in errors that haven't been seen
before, I agree that on reflection this should have been looked into in
more detail as it does cover the scenario. In the context of a Comodo
certificate (which we use regularly) it sounded implausible that we
wouldn't be able to validate it. TIL - intermediate certificates matter.



On Tue, Jul 25, 2017 at 4:27 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
wrote:

> I have to admit that you have to "know how to read the SSL errors" in
> order to really understand the root problem :) . Now that you find the
> issue and if we look back at the error description "verify
> error:num=20:unable to get local issuer certificate", it make sense - SSL
> complains it did not find the comodo CA in order to validate the
> certificate presented by the TLS client (which was probably signed by
> Comodo).
>
> Best regards,
>
> Bogdan-Andrei Iancu
>   OpenSIPS Founder and Developer
>   http://www.opensips-solutions.com
>
> OpenSIPS Bootcamp 2017, Houston, US
>   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
>
> On 07/25/2017 05:27 PM, Callum Guy wrote:
>
> Hi Bogdan,
>
> Thanks for your response, based on your advice I performed a full packet
> capture on the handshake and established that a certificate was indeed
> being presented.
>
> Following up on this I managed to establish that the problem was a missing
> intermediary CA in the certificate chain, specifically:
>
>
> https://support.comodo.com/index.php?/Knowledgebase/Article/View/975/108/intermediate-2-sha-2-comodo-rsa-extended-validation-secure-server-ca
>
> The error message presented by OpenSIPs was certainly misleading in this
> case. For others benefit the approach for installing a new CA is super
> simple:
>
>    1. create the file in /etc/pki/ca-trust/source/anchors
>    (i.e. comodo-ca-rsa-ev-secure-server.pem)
>    2. run "update-ca-trust" with root privs
>
> Problem solved.
>
> Have a good day all!
>
> Callum
>
> On Tue, Jul 25, 2017 at 2:48 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
> wrote:
>
>> Hi Callum,
>>
>> The error may indicate the fact that the TLS client does not present a
>> TLS certificate while connection to your OpenSIPS. This has nothing to do
>> with the TLS multi domain, which anyhow is supported. As the test, you can
>> create a separate TLS domain (server) bound to the IP of that TLS client,
>> TLS domain having the require_certificate option turned off.
>>
>> Best Regards,
>>
>> Bogdan-Andrei Iancu
>>   OpenSIPS Founder and Developer
>>   http://www.opensips-solutions.com
>>
>> OpenSIPS Bootcamp 2017, Houston, US
>>   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
>>
>> On 07/25/2017 03:26 PM, Callum Guy wrote:
>>
>> Hi All,
>>
>> *Running: *opensips-2.3.1-1.el7.x86_64 / CentOS 7
>>
>> I have been working with new TLS connection and have been having problems
>> validating their client certificate. My OpenSIPs configuration works fine
>> for other providers (i.e. Twilio) however I am seeing the following error
>> messages reported while verify_cert is enabled:
>>
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> NOTICE:tls_mgm:verify_callback: depth = 0
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> NOTICE:tls_mgm:verify_callback: subject =
>> /serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private
>> Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture
>> Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local
>> issuer certificate
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error
>> code is 20 (check x509_vfy.h)
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> NOTICE:tls_mgm:verify_callback: verify return:0
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept:
>> New TLS connection from 178.22.140.34:34281 failed to accept
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
>>
>> Part of my reason for resorting to the mailing list are old mailing list
>> emails discussing that multi-domain certificates are not supported by
>> OpenSIPs - is anyone able to confirm if this remains a problem?
>>
>> The openssl error code 20 is translated as
>> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>>
>> I have seen other reports that this issue may be related to an improperly
>> chained certificate - does this sound at all likely?
>>
>> Any tips on debugging would be greatly appreciated, thanks.
>>
>> Callum
>> --
>> Callum Guy
>> Head of Information Security
>> X-on
>>
>>
>> *0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   **
>> <https://www.linkedin.com/company/x-on>   <https://www.facebook.com/XonTel>
>>   <https://twitter.com/xonuk> *
>> X-on is a trading name of Storacall Technology Ltd a limited company
>> registered in England and Wales.
>> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
>> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
>> The information in this e-mail is confidential and for use by the
>> addressee(s) only. If you are not the intended recipient, please notify
>> X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and
>> delete the
>> message from your computer. If you are not a named addressee you must not
>> use, disclose, disseminate, distribute, copy, print or reply to this email. Views
>> or opinions expressed by an individual
>> within this email may not necessarily reflect the views of X-on or its
>> associated companies. Although X-on routinely screens for viruses,
>> addressees should scan this email and any attachments
>> for viruses. X-on makes no representation or warranty as to the absence
>> of viruses in this email or any attachments.
>>
>>
>>
>> _______________________________________________
>> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>> --
> Callum Guy
> Head of Information Security
> X-on
>
>
> *0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   **
> <https://www.linkedin.com/company/x-on>   <https://www.facebook.com/XonTel>
>   <https://twitter.com/xonuk> *
> X-on is a trading name of Storacall Technology Ltd a limited company
> registered in England and Wales.
> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> The information in this e-mail is confidential and for use by the
> addressee(s) only. If you are not the intended recipient, please notify
> X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and
> delete the
> message from your computer. If you are not a named addressee you must not
> use, disclose, disseminate, distribute, copy, print or reply to this email. Views
> or opinions expressed by an individual
> within this email may not necessarily reflect the views of X-on or its
> associated companies. Although X-on routinely screens for viruses,
> addressees should scan this email and any attachments
> for viruses. X-on makes no representation or warranty as to the absence of
> viruses in this email or any attachments.
>
>
> --
Callum Guy
Head of Information Security
X-on

-- 



*0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   ** 
<https://www.linkedin.com/company/x-on>   <https://www.facebook.com/XonTel> 
  <https://twitter.com/xonuk> * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332 0000 and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20170725/faed7a12/attachment-0001.html>


More information about the Users mailing list