Re: [OpenSIPS-Users] TLS errors

2010-01-18 Thread nir elkayam
hi,

attached the lines from the cfg file:

r...@:/usr/local/etc/opensips# cat opensips.cfg | grep tls
disable_tls = no
listen = tls:X.X.X.X:30100
tls_port_no = 30100
tls_verify_server = 0
tls_verify_client = 0
tls_require_client_certificate = 0
tls_method = TLSv1
tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"

thanks for the help,
nir




-- 
ניר אלקיים
Tel: 050-3930056
nir.elka...@gmail.com
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


Re: [OpenSIPS-Users] TLS errors

2010-01-18 Thread Bogdan-Andrei Iancu
Hi Nir,

the last command creates the CA list file (if not present) or adds the
current CA to it (if already present).

Also, have you properly set the TLS-related parameters in the config file?

Regards,
Bogdan



-- 
Bogdan-Andrei Iancu
www.voice-system.ro




Re: [OpenSIPS-Users] TLS errors

2010-01-15 Thread nir elkayam
hi,

i followed the script at:
http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html

mainly, generated the root certificate with:
opensipsctl tls rootCA
and then generated the user (i.e. sip server) certificate with:
opensipsctl tls userCERT user

about the file ca_list, the wiki says:

To add more CAs to your list, just do:

   cat add_cacert.pem >> calist.pem

but not sure about that, shouldn't the last command have updated the
ca list? i see that the file isn't empty..

nir






-- 
ניר אלקיים
Tel: 050-3930056
nir.elka...@gmail.com


Re: [OpenSIPS-Users] TLS errors

2010-01-15 Thread nir elkayam
hi,

i have recompiled/reinstalled 1.6.1 (i used 1.6.0 before) and all went smoothly
and ok.
i'll check the links you sent and validate the error,
for now i have a problem with the TLS client and can't seem to make it work
with eyebeam (certificate issue related).
i'll keep the list updated..

thanks for all the help,
nir




-- 
ניר אלקיים
Tel: 050-3930056
nir.elka...@gmail.com


Re: [OpenSIPS-Users] TLS errors

2010-01-15 Thread Bogdan-Andrei Iancu
Hi Nir,

I see you managed to start opensips with TLS - what was your error?

for _tls_read -> that is very funny: SSL_read returned err 5
(SSL_ERROR_SYSCALL) which means to look at error stack/return
value/errno for the real error (the error was generated somewhere deep in
the SSL underlayers), but the errno is Success and stack is empty
:P. Looks like a ghost error...

for tls_accept -> the error is in the stack, and after googling a bit -> 
"obviously the CA that signed your clients is not known to the server. 
Take a look at"

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC14


Regards,
Bogdan



-- 
Bogdan-Andrei Iancu
www.voice-system.ro
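
Added example (not part of the original messages and not OpenSIPS code): a small Python decoder for the two tls_accept log lines in this thread. It assumes the pre-3.0 OpenSSL packed error layout (8 bits library, 12 bits function, 12 bits reason); the function names and the SAMPLE_LOG variable are made up for the illustration.

```python
import re

# Sample input: the two tls_accept lines from the thread, mail wrapping undone.
SAMPLE_LOG = (
    "Jan 14 22:54:46 [19740] ERROR:core:tls_accept: some error in SSL "
    "(ret=0, err=1, errno=0/Success):\n"
    "Jan 14 22:54:46 [19740] ERROR:core:tls_print_errstack: "
    "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca\n"
)

# SSL_get_error() result codes (openssl/ssl.h).
SSL_GET_ERROR = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
                 3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
                 5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}
# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {42: "bad_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
ERR_LIB_SSL = 20             # library number behind the "SSL routines" string
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this record an alert from the peer

ERRSTACK_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")
ACCEPT_RE = re.compile(r"\(ret=(-?\d+), err=(\d+), errno=(\d+)")

def decode_errstack(line):
    """Split a pre-3.0 OpenSSL packed error code into lib/func/reason."""
    m = ERRSTACK_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        num = reason - SSL_AD_REASON_OFFSET
        alert = (num, TLS_ALERTS.get(num, "other"))
    return {"lib": lib, "func": func, "reason": reason,
            "received_alert": alert, "text": m.group(4).strip()}

def decode_accept(line):
    """Name the SSL_get_error() value that tls_accept logs as err=N."""
    m = ACCEPT_RE.search(line)
    return SSL_GET_ERROR.get(int(m.group(2)), "unknown") if m else None

def triage(log):
    """Decode every tls_accept / errstack line found in a log excerpt."""
    found = (decode_accept(l) or decode_errstack(l) for l in log.splitlines())
    return [f for f in found if f]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the thread's error:14094418 this yields library 20, reason 1048, i.e. TLS alert 48 (unknown_ca) received from the peer of that connection. The err=1 on the tls_accept line decodes to SSL_ERROR_SSL, which is why the detail sits in the error stack.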




[OpenSIPS-Users] TLS errors

2010-01-14 Thread nir elkayam
hi,

i am using opensips/TLS,

i get the following error
Jan 14 22:53:54 [19740] ERROR:core:_tls_read: SYSCALL error -> (0) 
Jan 14 22:53:54 [19740] ERROR:core:_tls_read: something wrong in SSL: 5
Jan 14 22:53:54 [19740] ERROR:core:tcp_read_req: failed to read
Jan 14 22:54:46 [19740] ERROR:core:tls_accept: some error in SSL (ret=0, err=1, errno=0/Success):
Jan 14 22:54:46 [19740] ERROR:core:tls_print_errstack: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

any hints about these?
actually the client works but error in encryption process is not good, i
think

thanks