Hello, the client has to be configured to present a certificate, and it doesn't do it based on kamailio log message:
INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate Check the phone config to see if you can set such option. Kamailio can just see if a certificate is sent and if not reject the connection, if you have require_certificate = yes in the server profile of tls.cfg You can eventually test with 'openssl s_client ...' to see details of client side certs in kamailio -- iirc, it has the options to specify client side certificate with -cert ... -key ... Cheers, Daniel On 03.07.20 09:52, Mark Boyce wrote: > Hi Daniel > > I’m testing with a Yealink T57W. It comes with a factory install > certificate which will probably fail validation as the common name is > the MAC. > > I'm not trying validate the client device’s certificate just get it to > offer what it has so I can check the details. > > Thanks > Mark > >> On 3 Jul 2020, at 08:38, Daniel-Constantin Mierla <[email protected] >> <mailto:[email protected]>> wrote: >> >> Hello, >> >> what is the SIP client app you used? Is it configured to use its own >> tls certificate when connecting to the SIP server? >> >> Cheers, >> Daniel >> >> On 02.07.20 18:51, Mark Boyce wrote: >>> Hi all >>> >>> Been trying to grab the TLS cert details from incoming connections, >>> but failing :-( >>> >>> So with lines just before AUTH is called like this; >>> >>> if (proto == TLS) { >>> xlog("L_INFO", "TLSDUMP $ci peer_subject : >>> $tls_peer_subject\n"); >>> >>> Gets met with a log line line this; >>> >>> INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new >>> connection from 1.2.3.4:11797 using TLSv1.2 >>> ECDHE-RSA-AES256-GCM-SHA384 256 >>> INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local >>> socket: 5.6.7.8:5061 >>> INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did >>> not present a certificate >>> ... >>> INFO: tls [tls_select.c:168]: get_cert(): Unable to retrieve peer >>> TLS certificate from SSL structure >>> >>> This is with verify_certificate and require_certificate set to no in >>> tls.cfg >>> >>> If I try and set the following in tls.cfg >>> >>> [server:default] >>> method = TLSv1.2+ >>> verify_certificate = no >>> require_certificate = yes >>> >>> I see in the logs; >>> >>> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSs<default>: >>> tls_method=22 >>> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSs<default>: >>> certificate='/etc/kamailio/tls-certs/cert.pem' >>> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>: >>> ca_list='(null)' >>> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: >>> crl='(null)' >>> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>: >>> *require_certificate=1* >>> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSs<default>: >>> cipher_list='(null)' >>> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSs<default>: >>> private_key='/etc/kamailio/tls-certs/privkey.pem' >>> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>: >>> *verify_certificate=0* >>> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSs<default>: >>> verify_depth=9 >>> NOTICE: tls [tls_domain.c:1095]: ksr_tls_fix_domain(): registered >>> server_name callback handler for socket [:0], >>> server_name='<default>' ... >>> INFO: tls [tls_domain.c:692]: set_verification(): >>> TLSs<default>:*Client MUST present valid certificate* >>> INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSc<default>: >>> tls_method=20 >>> INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSc<default>: >>> certificate='(null)' >>> INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSc<default>: >>> ca_list='(null)' >>> INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSc<default>: >>> crl='(null)' >>> INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>: >>> *require_certificate=1* >>> INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSc<default>: >>> cipher_list='(null)' >>> INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSc<default>: >>> private_key='(null)' >>> INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>: >>> *verify_certificate=1* >>> INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSc<default>: >>> verify_depth=9 >>> INFO: tls [tls_domain.c:692]: set_verification(): TLSc<default>: >>> *Server MUST present valid certificate* >>> ... >>> ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS >>> accept:error:1417C086:SSL >>> routines:tls_process_client_certificate:certificate verify failed >>> >>> Which looks like verification is being enabled when I add require? >>> >>> >>> >>> Would someone be kind enough to point out what I am missing please? >>> (Assuming it’s not a bug :-) >>> >>> >>> Thanks >>> Mark >>> -- >>> Mark Boyce >>> Dark Origins Ltd >>> >>> _______________________________________________ >>> Kamailio (SER) - Users Mailing List >>> [email protected] >>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users >> -- >> Daniel-Constantin Mierla -- www.asipto.com >> www.twitter.com/miconda -- www.linkedin.com/in/miconda >> Funding: https://www.paypal.me/dcmierla > > Mark > -- > Mark Boyce > Dark Origins Ltd > e: [email protected] <mailto:[email protected]> > t: 0345 0043 043 > f: 0345 0043 044 > -- Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- www.linkedin.com/in/miconda Funding: https://www.paypal.me/dcmierla
_______________________________________________ Kamailio (SER) - Users Mailing List [email protected] https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
