Re: [SR-Users] TLS testing (with sipp)
Hi Julien,

Thanks for this hint. A bit off topic the cert part but security should be forced :)

Many ways to get a Let's Encrypt certificate, I prefer the go-lang lego tool:

    docker run -v "$(pwd)/.lego:/.lego" goacme/lego -d fqdn --email your@email -a --tls --pem run

Saved stuff in dot lego folder.

Cheers
Karsten Horsmann

Julien Chavanton wrote on Thu, 19 Dec 2019, 17:08:

> Hi, I guess I was the one stretching it :)
>
> If you need to generate a cert, check EFF Let's Encrypt, here is one
> example to get a cert with HTTP validation
>
> #!/bin/bash
>
> iptables -I INPUT -p tcp --dport 80 -j ACCEPT
> sudo docker run -it --rm --name certbot \
>   --net=host \
>   -v "/etc/letsencrypt:/etc/letsencrypt" \
>   -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
>   certbot/certbot certonly --eff-email --agree-tos -m u...@domain.com \
>   --standalone --preferred-challenges http -d "$1"
> iptables -D INPUT -p tcp --dport 80 -j ACCEPT
> if [ "$2" == "copy" ]
> then
>   cp "/etc/letsencrypt/live/$1/fullchain.pem" tls/certificate.pem
>   cp "/etc/letsencrypt/live/$1/privkey.pem" tls/key.pem
> fi

___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Re: [SR-Users] TLS testing (with sipp)
Hi, I guess I was the one stretching it :)

If you need to generate a cert, check EFF Let's Encrypt, here is one example to get a cert with HTTP validation

    #!/bin/bash
    # Arguments: $1 = domain to request the certificate for, $2 = "copy" (optional)

    # Open port 80 for the HTTP challenge, run certbot standalone, then close the port again.
    iptables -I INPUT -p tcp --dport 80 -j ACCEPT
    sudo docker run -it --rm --name certbot \
      --net=host \
      -v "/etc/letsencrypt:/etc/letsencrypt" \
      -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
      certbot/certbot certonly --eff-email --agree-tos -m u...@domain.com \
      --standalone --preferred-challenges http -d "$1"
    iptables -D INPUT -p tcp --dport 80 -j ACCEPT

    # With "copy" as second argument, copy the chain and key into ./tls
    if [ "$2" == "copy" ]
    then
      cp "/etc/letsencrypt/live/$1/fullchain.pem" tls/certificate.pem
      cp "/etc/letsencrypt/live/$1/privkey.pem" tls/key.pem
    fi

On Thu, Dec 19, 2019 at 6:20 AM Sebastian Damm wrote:

> Hi Julien,
>
> I had been thinking quite a while before posting it here, and maybe I
> shouldn't have mentioned the sipp SSL error. But I thought, end2end
> testing of kamailio setups could be of general interest from a
> Kamailio user point of view. And I hoped to get suggestions on how to
> do it.
>
> Thanks for the link to voip_patrol. I'm already playing with it. Still
> stuck with needing a client certificate, though. I shouldn't need that
> for a client, I'd think. But I'll try my best.
>
> Regards,
> Sebastian
Re: [SR-Users] TLS testing (with sipp)
Hi Sebastian,

well, end to end tests are quite useful.

Personally I used scripting with freeswitch and python to call endpoints and check if billing seconds are in a correct range that I assume before. That script can be run from monitoring like icinga or whatever.

I also used Asterisk for testing end to end. But those are all big B2BUAs.

Voip_patrol was new for me. Always happy to subscribe to this list.

Cheers
Karsten Horsmann

Sebastian Damm wrote on Thu, 19 Dec 2019, 15:20:

> Hi Julien,
>
> I had been thinking quite a while before posting it here, and maybe I
> shouldn't have mentioned the sipp SSL error. But I thought, end2end
> testing of kamailio setups could be of general interest from a
> Kamailio user point of view. And I hoped to get suggestions on how to
> do it.
>
> Thanks for the link to voip_patrol. I'm already playing with it. Still
> stuck with needing a client certificate, though. I shouldn't need that
> for a client, I'd think. But I'll try my best.
>
> Regards,
> Sebastian
Re: [SR-Users] TLS testing (with sipp)
Hi Julien,

I had been thinking quite a while before posting it here, and maybe I shouldn't have mentioned the sipp SSL error. But I thought, end2end testing of kamailio setups could be of general interest from a Kamailio user point of view. And I hoped to get suggestions on how to do it.

Thanks for the link to voip_patrol. I'm already playing with it. Still stuck with needing a client certificate, though. I shouldn't need that for a client, I'd think. But I'll try my best.

Regards,
Sebastian

On Wed, Dec 18, 2019 at 7:31 PM Julien Chavanton wrote:

> Hi Sebastian, this is off topic for the Kamailio mailing list.
>
> You can use Voip_patrol :
> https://github.com/jchavanton/voip_patrol
>
> Once you have your certificate, key and ca_list in default location
> ./voip_patrol -c ./xml/tls.xml
>
> [18:24:51.800][INFO] main: TLS tcfg.tlsConfig.ca_list :tls/ca_list.pem
> [18:24:51.800][INFO] main: TLS tcfg.tlsConfig.certFile :tls/certificate.pem
> [18:24:51.800][INFO] main: TLS tcfg.tlsConfig.privKeyFile :tls/key.pem
>
> tls.xml
>
> expected_cause_code="200" username="VP_ENV_USERNAME"
> password="VP_ENV_PASSWORD" realm="domain.com" registrar="ep.domain.com"/>
>
> max_duration="20" hangup="5"/>
>
> wait_until="3" expected_cause_code="200"
> caller="12062349971@1.1.1.1" callee="12012343...@ep.domain.com"
> max_duration="15" hangup="5"
> username="VP_ENV_USERNAME" password="VP_ENV_PASSWORD"
> realm="domain.com"
> />

--
Sebastian Damm
Voice Engineer
Re: [SR-Users] TLS testing (with sipp)
You just need to specify the certificate and key. It is described in the docs (http://sipp.sourceforge.net/doc/reference.html#TLS+mono+socket)

Use sipp options:

    -t l1 -tls_cert user-cert.pem -tls_key user-privkey.pem

On Thu, 19 Dec 2019 at 03:33, Sebastian Damm wrote:

> Hi,
>
> I'm trying to construct an end-to-end encrypted signalling test
> through our setup. I thought I could use sipp for that, as it supports
> TLS according to the man page. However, when I try to run it, I get
> this error:
>
> FI_init_ssl_context: SSL_CTX_use_certificate_file failed.
>
> I searched the web; however, all similar questions end up without
> answers. I tried specifying a local key and cert without success. I'd
> think I should not need a cert for my client, though.
>
> Has anyone ever successfully conducted an automated TLS test? I'm open
> to using a different tool if necessary.
>
> Thanks for all hints or examples.
>
> Regards,
> Sebastian
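An added example, not part of the thread or of sipp: `SSL_CTX_use_certificate_file failed` is OpenSSL refusing to load the certificate file, so this script creates a throwaway self-signed pair under the file names used in the reply above and checks that both files parse, belong together and are still valid before they are passed to `-tls_cert` and `-tls_key`. The function names and the `.test.invalid` common name are made up for the illustration; whether the server accepts a self-signed client certificate depends on its TLS settings.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway client cert/key for TLS
# test runs, plus a pre-flight check to run before starting the test tool.

# make_test_cert DIR CN
# Writes DIR/user-cert.pem and DIR/user-privkey.pem: self-signed, valid for
# 7 days, key unencrypted and readable only by the owner. Test use only.
make_test_cert() {
    dir=$1 cn=$2
    mkdir -p "$dir" || return 1
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=$cn" \
          -keyout "$dir/user-privkey.pem" -out "$dir/user-cert.pem" \
          >/dev/null 2>&1 )
}

# check_pair CERT KEY
# Returns 0 = usable pair, 1 = key does not belong to the certificate,
# 2 = a file is missing, unreadable or not PEM, 3 = certificate has expired.
check_pair() {
    cert=$1 key=$2
    { [ -r "$cert" ] && [ -r "$key" ]; } || return 2
    # Extract the public key from each file; a parse failure means the
    # file is not something OpenSSL can load.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    # -passin pass: keeps openssl from prompting; an encrypted key fails here.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 3
    return 0
}

# Demo in a scratch directory (constructed names, nothing is kept).
demo() {
    work=$(mktemp -d) || return 1
    make_test_cert "$work" sipp-client.test.invalid
    check_pair "$work/user-cert.pem" "$work/user-privkey.pem"
    rc=$?
    rm -rf "$work"
    echo "check_pair returned $rc"
    return "$rc"
}
demo
```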
[SR-Users] TLS testing (with sipp)
Hi,

I'm trying to construct an end-to-end encrypted signalling test through our setup. I thought I could use sipp for that, as it supports TLS according to the man page. However, when I try to run it, I get this error:

    FI_init_ssl_context: SSL_CTX_use_certificate_file failed.

I searched the web; however, all similar questions end up without answers. I tried specifying a local key and cert without success. I'd think I should not need a cert for my client, though.

Has anyone ever successfully conducted an automated TLS test? I'm open to using a different tool if necessary.

Thanks for all hints or examples.

Regards,
Sebastian

--
Sebastian Damm
Voice Engineer
__
sipgate GmbH
Gladbacher Straße 74 | 40219 Düsseldorf