[sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Currently tls module has `ca_list` param that `Sets the CA list file name. This file contains a list of all the trusted CAs certificates used when connecting to other SIP implementations. If a signature in a certificate chain belongs to one of the listed CAs, the verification of that certificate will succeed.` This issue proposes adding a new tls param `ca_path`. Its value would be a directory that contains any number of CA certificate files thus making it unnecessary to cat these files to a single `ca_list` file. Implementation could be based on SSL_CTX_set_default_verify_dir() OpenSSL API function. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Good idea. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-801695929___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Being Kamailio specific coding, I added the config option and set it value as parameter to SSL_CTX_load_verify_locations() based on the feature request description, but it might not be complete implementation because its manual specify that the folder content is not send to client via SSL_CTX_set_client_CA_list(): * https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.html I haven't tested at all, not having a system that I could easily simulate the scenario. If not complete, feel free to add the missing part related, otherwise, if not useful at all, it can be reverted. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-804710128___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Thanks for your work on ca_path. It is so that currently ca_path can only be given as tls module config parameter and not in tls config file. I tried like this: modparam("tls", "config", "/etc/sip-proxy/tls.cfg") tls.cfg: [server:default] verify_certificate = yes require_certificate = no server_name = lohi.tutpro.com tls_method = TLSv1.1+ private_key = /etc/sip-proxy/certs/key.pem certificate = /etc/sip-proxy/certs/cert.pem ca_path = /etc/sip-proxy/certs/ca_list and got error at start: Mar 23 11:47:18 lohi /usr/bin/sip-proxy[25175]: ERROR: [core/cfg_parser.c:731]: sr_cfg_parse(): tls.cfg:7:1: Unsupported option 'ca_path' -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-804768330___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Looks like installation of new version of kamailio had failed and tls module was not updated. Trying again ... -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-804775191___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
I got latest master properly installed and gave ca_path a try. I placed four ca certs in directory /etc/sip-proxy/certs/ca_list: # ls /etc/sip-proxy/certs/ca_list class3_X0E.crt dst_root_ca_x3.pem lets-encrypt-x3-cross-signed.pem root_X0F.crt Then I created file ca_list.pem that contained all of them: # cat /etc/sip-proxy/certs/ca_list/* > /etc/sip-proxy/certs/ca_list.pem In tls config file I had: [client:default] ... ca_list = /etc/sip-proxy/certs/ca_list.pem [server:default] ... ca_list = /etc/sip-proxy/certs/ca_list.pem Result was that kamailio started OK. Then in tls config file I replaced ca_list with ca_path: ca_path = /etc/sip-proxy/certs/ca_list and kamailio failed to start: Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs: ca_list='(null)' Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: INFO: tls [tls_domain.c:336]: ksr_tls_fill_missing(): TLSs: ca_path='/etc/sip-proxy/certs/ca_list' ... Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_domain.c:601]: load_ca_list(): TLSs: Error while setting client CA list Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0200100E:system library:fopen:Bad address Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:20074002:BIO routines:file_ctrl:system lib Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: [core/sr_module.c:865]: init_mod_child(): error while initializing module tls (/usr/lib/x86_64-linux-gnu/sip-proxy/modules/tls.so) (idx: 0 rank: -127 desc: [main]) ___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
The error message seems to be related to failure to open `ca_list` file, not to `ca_path` -- can you check if `ca_list` is still set somewhere there to an invalid file path? -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-804799367___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Daniel-Constantin Mierla writes: > The error message seems to be related to failure to open `ca_list` > file, not to `ca_path` -- can you check if `ca_list` is still set > somewhere there to an invalid file path? I checked and config file has only this: modparam("tls", "config", "/etc/sip-proxy/tls.cfg") and tls.cfg contains: # more tls.cfg [client:default] verify_certificate = yes require_certificate = yes tls_method = TLSv1.2+ private_key = /etc/sip-proxy/certs/key.pem certificate = /etc/sip-proxy/certs/cert.pem ca_path = /etc/sip-proxy/certs/ca_list [server:default] verify_certificate = yes require_certificate = no server_name = lohi.tutpro.com tls_method = TLSv1.1+ private_key = /etc/sip-proxy/certs/key.pem certificate = /etc/sip-proxy/certs/cert.pem ca_path = /etc/sip-proxy/certs/ca_list There is no trace of ca_list anywhere. Also syslog shows that ca_list is null: Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs: certificate='/etc/sip-proxy/certs/cert.pem' Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs: ca_list='(null)' Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:336]: ksr_tls_fill_missing(): TLSs: ca_path='/etc/sip-proxy/certs/ca_list' -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-804822963___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
I pushed a commit to make that error message print the file name. Try again with latest master and paste here again the new error message to see what's there. -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-804828670___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Daniel-Constantin Mierla writes: > I pushed a commit to make that error message print the file name. Try > again with latest master and paste here again the new error message to > see what's there. Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_domain.c:604]: load_ca_list(): TLSs: Error while setting client CA list file [/3] Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0200100E:system library:fopen:Bad address Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:20074002:BIO routines:file_ctrl:system lib -- Juha ___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Daniel-Constantin Mierla writes: > Being Kamailio specific coding, I added the config option and set it > value as parameter to SSL_CTX_load_verify_locations() based on the > feature request description, but it might not be complete > implementation because its manual specify that the folder content is > not send to client via SSL_CTX_set_client_CA_list(): > > * > https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.html Neither is contents of CAfile sent to client: In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list is not influenced by the contents of CAfile or CApath and must explicitly be set using the SSL_CTX_set_client_CA_list(3) family of functions. -- Juha -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-804840617___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Pushed a commit to fix the error message. The SSL_CTX_set_client_CA_list() is used with the ca_list file, the error message above is actually when that is done. -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-804842521___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Daniel-Constantin Mierla writes: > Pushed a commit to fix the error message. Now kamailio starts, but when baresip sip client tries to connect over TLS, I get these errors: Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 192.168.43.253 Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 192.168.43.160 If I in tls.cfg replace ca_path with ca_list, the same client connects without errors. -- Juha ___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
As I said, I added the parameter based on the description of the feature request, but the manual suggested it might not be enough when acting as a tls server, see my first comment above. Probably works when it acts as a client (when opens the connection). You can dig further in the libssl docs to see what has to be done for server case and you can update the load_ca_list() function from tls_domain.c. -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-804865913___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Daniel-Constantin Mierla writes: > As I said, I added the parameter based on the description of the > feature request, but the manual suggested it might not be enough when > acting as a tls server, see my first comment above. > > Probably works when it acts as a client (when opens the connection). Yes, it does work as client. I have two kamailios A - B using TLS between them. When A uses ca_path and B uses ca_list, A can connect to B without errors. But when I change also B to use ca_path, I get errors on both. On A: Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS read:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 192.26.134.10 Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 192.168.43.160 On B: Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 192.168.43.160 Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 192.26.134.10 -- Juha -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-804910135___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Closed #2682. -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#event-4499952619___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
Re: [sr-dev] [kamailio/kamailio] add ca_path param to tls module (#2682)
Both as client and as server work after command `c_rehash .` is executed in ca_path directory. It creates two (why two?) links to each ca certificate file, for example: ``` $ ls -ls total 16 0 lrwxrwxrwx 1 jh jh 18 Mar 24 07:58 12d55845.0 -> dst_root_ca_x3.pem 0 lrwxrwxrwx 1 jh jh 18 Mar 24 07:58 2e5ac55d.0 -> dst_root_ca_x3.pem 0 lrwxrwxrwx 1 jh jh 32 Mar 24 07:58 4a0a35c0.0 -> lets-encrypt-x3-cross-signed.pem 0 lrwxrwxrwx 1 jh jh 32 Mar 24 07:58 4f06f81d.0 -> lets-encrypt-x3-cross-signed.pem 0 lrwxrwxrwx 1 jh jh 14 Mar 24 07:58 590d426f.0 -> class3_X0E.crt 0 lrwxrwxrwx 1 jh jh 12 Mar 24 07:58 5ed36f99.0 -> root_X0F.crt 0 lrwxrwxrwx 1 jh jh 12 Mar 24 07:58 99d0fa06.0 -> root_X0F.crt 4 -rw-r--r-- 1 jh jh 2427 Mar 23 16:40 class3_X0E.crt 4 -rw-r--r-- 1 jh jh 1200 Mar 23 16:40 dst_root_ca_x3.pem 0 lrwxrwxrwx 1 jh jh 14 Mar 24 07:58 e5662767.0 -> class3_X0E.crt 4 -rw-r--r-- 1 jh jh 1647 Mar 23 16:40 lets-encrypt-x3-cross-signed.pem 4 -rw-r--r-- 1 jh jh 2464 Mar 23 16:40 root_X0F.crt ``` Text on page [https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html](url) is not very clear about the links: ` If CApath is not NULL, it points to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available. If more than one CA certificate with the same name hash value exist, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash utility to create the necessary links. ` -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2682#issuecomment-805528425___ Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev