Re: [OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

2017-07-25 Thread Callum Guy
It's always easy to overlook the content in errors that haven't been seen
before. I agree that on reflection this should have been looked into in
more detail as it does cover the scenario. In the context of a Comodo
certificate (which we use regularly) it sounded implausible that we
wouldn't be able to validate it. TIL - intermediate certificates matter.




Re: [OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

2017-07-25 Thread Bogdan-Andrei Iancu
I have to admit that you have to "know how to read the SSL errors" in 
order to really understand the root problem :) . Now that you have found 
the issue, if we look back at the error description "verify 
error:num=20:unable to get local issuer certificate", it makes sense - 
SSL complains it did not find the Comodo CA in order to validate the 
certificate presented by the TLS client (which was probably signed by 
Comodo).


Best regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html


Re: [OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

2017-07-25 Thread Callum Guy
Hi Bogdan,

Thanks for your response. Based on your advice I performed a full packet
capture on the handshake and established that a certificate was indeed
being presented.

Following up on this I managed to establish that the problem was a missing
intermediary CA in the certificate chain, specifically:

https://support.comodo.com/index.php?/Knowledgebase/Article/View/975/108/intermediate-2-sha-2-comodo-rsa-extended-validation-secure-server-ca

The error message presented by OpenSIPS was certainly misleading in this
case. For others' benefit, the approach for installing a new CA is super
simple:

   1. create the file in /etc/pki/ca-trust/source/anchors
   (i.e. comodo-ca-rsa-ev-secure-server.pem)
   2. run "update-ca-trust" with root privs

Problem solved.

Have a good day all!

Callum

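The failure in this thread reproduced locally, as an added example that is not part of the original post: a constructed root -> intermediate -> leaf chain is built with openssl, verifying the leaf against a trust store holding only the root fails with error 20 at depth 0 (the same X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY that OpenSIPS logged), and it succeeds once the intermediate is either supplied alongside the leaf or appended to the trust store, which is what the update-ca-trust step above does. It assumes the openssl CLI is installed; every name, key and file is a throwaway value generated in a temporary directory.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL verify error 20 ("unable to get local
# issuer certificate") with a constructed root -> intermediate -> leaf chain.
# Assumes the openssl CLI; every name, key and file below is throwaway.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the run does not depend on the system openssl.cnf;
# the [ca] section marks a certificate as a CA that may sign others.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Root CA: self-signed, the only thing the "server" trusts at first.
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA: CSR signed by the root with the [ca] extensions applied.
openssl req -config req.cnf -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile req.cnf -extensions ca -out int.pem 2>/dev/null

# Leaf (the TLS client's certificate): signed by the intermediate, not the root.
openssl req -config req.cnf -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=sip-client.example" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -sha256 -out leaf.pem 2>/dev/null

# True when verifying the leaf against trust file $1 fails with error 20 at
# depth 0: the leaf's issuer is neither trusted locally nor supplied with it.
verify_fails_with_err20() {
  out=$(openssl verify -CAfile "$1" leaf.pem 2>&1 || true)
  echo "$out" | grep -q "error 20 at 0 depth"
}

# True when the leaf verifies against trust file $1, optionally with an
# untrusted chain file $2 (what a well-behaved client sends in the handshake).
verify_ok() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
  fi
}

# Trust store with the intermediate installed, modelling the thread's
# /etc/pki/ca-trust/source/anchors + update-ca-trust step.
cat root.pem int.pem > trust-with-int.pem

# Walk through the three cases when run directly.
if verify_fails_with_err20 root.pem; then echo "root only: error 20 (as in the thread)"; fi
if verify_ok root.pem int.pem; then echo "root + intermediate sent by peer: OK"; fi
if verify_ok trust-with-int.pem; then echo "intermediate in trust store: OK"; fi
```

Passing the intermediate via -untrusted mirrors the client including it in its TLS Certificate message, which is the fix on the peer's side; installing it under anchors, as the thread did, also makes that intermediate a trust anchor on the OpenSIPS host and has to be repeated whenever the CA rotates it.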

Re: [OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

2017-07-25 Thread Bogdan-Andrei Iancu

Hi Callum,

The error may indicate that the TLS client does not present a TLS 
certificate while connecting to your OpenSIPS. This has nothing to do 
with TLS multi-domain, which is supported anyhow. As a test, you can 
create a separate TLS domain (server) bound to the IP of that TLS client, 
with the require_certificate option turned off.


Best Regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html



[OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

2017-07-25 Thread Callum Guy
Hi All,

Running: opensips-2.3.1-1.el7.x86_64 / CentOS 7

I have been working with a new TLS connection and have been having problems
validating their client certificate. My OpenSIPS configuration works fine
for other providers (i.e. Twilio); however, I am seeing the following error
messages reported while verify_cert is enabled:

Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: depth = 0
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: subject = /serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local issuer certificate
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error code is 20 (check x509_vfy.h)
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify return:0
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept: New TLS connection from 178.22.140.34:34281 failed to accept
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading

Part of my reason for resorting to the mailing list is old mailing list
emails discussing that multi-domain certificates are not supported by
OpenSIPS - is anyone able to confirm whether this remains a problem?

The openssl error code 20 is translated as
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

I have seen other reports that this issue may be related to an improperly
chained certificate - does this sound at all likely?

Any tips on debugging would be greatly appreciated, thanks.

Callum
-- 
Callum Guy
Head of Information Security
X-on

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users