Hi Daniel

I’m testing with a Yealink T57W. It comes with a factory-installed certificate, 
which will probably fail validation as the common name is the MAC.  

I'm not trying to validate the client device’s certificate, just get it to offer 
what it has so I can check the details.

Thanks
Mark

> On 3 Jul 2020, at 08:38, Daniel-Constantin Mierla <[email protected]> wrote:
> 
> Hello,
> 
> what is the SIP client app you used? Is it configured to use its own tls 
> certificate when connecting to the SIP server?
> 
> Cheers,
> Daniel
> On 02.07.20 18:51, Mark Boyce wrote:
>> Hi all
>> 
>> Been trying to grab the TLS cert details from incoming connections, but 
>> failing :-(
>> 
>> So with lines like this just before AUTH is called:
>> 
>>         if (proto == TLS) {
>>             xlog("L_INFO", "TLSDUMP $ci peer_subject: $tls_peer_subject\n");
>>         }
>> 
>> Gets met with a log line like this:
>> 
>> INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 1.2.3.4:11797 using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256
>> INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061
>> INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
>> ...
>> INFO: tls [tls_select.c:168]: get_cert(): Unable to retrieve peer TLS certificate from SSL structure
>> 
>> This is with verify_certificate and require_certificate set to no in tls.cfg
>> 
>> If I try and set the following in tls.cfg
>> 
>> [server:default]
>> method = TLSv1.2+
>> verify_certificate = no
>> require_certificate = yes
>> 
>> I see in the logs;
>> 
>> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSs<default>: tls_method=22
>> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/kamailio/tls-certs/cert.pem'
>> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'
>> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
>> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=1
>> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
>> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/kamailio/tls-certs/privkey.pem'
>> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=0
>> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
>> NOTICE: tls [tls_domain.c:1095]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...
>> INFO: tls [tls_domain.c:692]: set_verification(): TLSs<default>: Client MUST present valid certificate
>> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSc<default>: tls_method=20
>> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSc<default>: certificate='(null)'
>> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSc<default>: ca_list='(null)'
>> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSc<default>: crl='(null)'
>> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>: require_certificate=1
>> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSc<default>: cipher_list='(null)'
>> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSc<default>: private_key='(null)'
>> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>: verify_certificate=1
>> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSc<default>: verify_depth=9
>> INFO: tls [tls_domain.c:692]: set_verification(): TLSc<default>: Server MUST present valid certificate
>> ...
>> ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
>> 
>> Which looks like verification is being enabled when I add require?
>> 
>> Would someone be kind enough to point out what I am missing please? 
>> (Assuming it’s not a bug :-)
>> 
>> Thanks
>> Mark
>> -- 
>> Mark Boyce
>> Dark Origins Ltd
>> 
>> 
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> [email protected]
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> -- 
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Funding: https://www.paypal.me/dcmierla
Mark
-- 
Mark Boyce
Dark Origins Ltd
e: [email protected]
t: 0345 0043 043
f: 0345 0043 044
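
Added example, not part of this thread and not Kamailio code: the settings discussed above combine three distinct server-side policies, and Go's crypto/tls names them directly, which makes them easy to compare side by side. NoClientCert never asks the client for a certificate (the "client did not present a certificate" outcome in the first log), RequireAndVerifyClientCert asks for one and then validates it against the ClientCAs pool (with no pool configured that ends in a verify error, as the "certificate verify failed" line above does), and RequireAnyClientCert insists that one is offered but does not validate it, which is the "just get it to offer what it has" behaviour. The program runs each policy over a loopback socket against a self-signed client certificate whose CN is a MAC-style string and reports what the server side saw, i.e. the subject that $tls_peer_subject would carry. A further case pins the phone's own self-signed certificate as the trust anchor, which is one way to get full verification to pass for a factory certificate: a TLS server validates the chain of a client certificate, not its CN. The proxy name sip.example.net, the MAC 80:5e:c0:aa:bb:cc, the scenario labels and all keys and certificates are made up for the example, and how the Kamailio tls module maps require_certificate and verify_certificate onto OpenSSL's verify modes is not something this code establishes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned builds a self-signed cert for cn: the proxy's own, or a phone's factory cert whose CN is its MAC.
func selfSigned(cn string) tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

type Result struct {
	PeerCN   string // CN of the cert the client offered, "" if none (what $tls_peer_subject would show)
	Verified bool   // the server chained that cert to a CA in its pool
	Err      error  // server-side handshake error, nil on success
}

func serverSide(ln net.Listener, cfg *tls.Config) Result {
	raw, err := ln.Accept()
	must(err)
	defer raw.Close()
	srv := tls.Server(raw, cfg)
	if err := srv.Handshake(); err != nil {
		return Result{Err: err}
	}
	st := srv.ConnectionState()
	r := Result{Verified: len(st.VerifiedChains) > 0}
	if len(st.PeerCertificates) > 0 {
		r.PeerCN = st.PeerCertificates[0].Subject.CommonName
	}
	return r
}

// Handshake runs one TLS 1.2 handshake over loopback TCP under the given server policy; clientCert nil = nothing to offer.
func Handshake(auth tls.ClientAuthType, clientCAs *x509.CertPool, clientCert *tls.Certificate) Result {
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{selfSigned("sip.example.net")}, // hypothetical proxy name
		ClientAuth:   auth,
		ClientCAs:    clientCAs,
		MaxVersion:   tls.VersionTLS12, // the handshakes in the thread are TLSv1.2
	}
	cliCfg := &tls.Config{InsecureSkipVerify: true} // how the phone checks the proxy is not the question here
	if clientCert != nil {
		cliCfg.Certificates = []tls.Certificate{*clientCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan Result, 1)
	go func() { done <- serverSide(ln, srvCfg) }()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	cli := tls.Client(raw, cliCfg)
	defer cli.Close()
	_ = cli.Handshake() // the server-side verdict is what we report
	return <-done
}

// Demo runs each policy against the same phone cert; the MAC-style CN is made up.
func Demo() map[string]Result {
	phone := selfSigned("80:5e:c0:aa:bb:cc")
	leaf, err := x509.ParseCertificate(phone.Certificate[0])
	must(err)
	pinned := x509.NewCertPool()
	pinned.AddCert(leaf) // trust the phone's own self-signed cert, i.e. pin it
	return map[string]Result{
		"never_ask":        Handshake(tls.NoClientCert, nil, &phone),                 // server never requests one
		"verify_no_ca":     Handshake(tls.RequireAndVerifyClientCert, nil, &phone),    // requested, then verified against no CA
		"require_any":      Handshake(tls.RequireAnyClientCert, nil, &phone),          // must offer one, contents not checked
		"require_any_none": Handshake(tls.RequireAnyClientCert, nil, nil),             // must offer one, has none
		"verify_pinned":    Handshake(tls.RequireAndVerifyClientCert, pinned, &phone), // chains to the pinned cert
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Each scenario is an independent handshake, so the two that are meant to fail (verify_no_ca and require_any_none) come back with the server's handshake error while the other three come back with the CN the server read and whether it built a chain. The pinned case needs the phone's certificate in hand beforehand, which is exactly what the require-but-don't-verify case lets you capture and inspect first.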
