You are correct, so just for the trial purposes, if I want the TLS handshake to be successful, what credentials for the client should I use? i.e. can I do something like:

openssl s_client -cert user-cert.pem -key user-privkey.pem -state -connect 10.30.00.41:5061

On doing this it comes back with an error saying Verify Return Code: 21 (Unable to verify the first certificate). Should I be using new certificates, or can I achieve a successful handshake with the same set of certificates?

Thanks a lot..
Ncheeku

On 12/29/06, Steffen Witt <[EMAIL PROTECTED]> wrote:

Hello,

openssl can play client and/or server role.

Best regards,
Steffen

2006/12/29, Ncheeku Baranov <[EMAIL PROTECTED]>:
> Thanks Steffen. Is there any freely available tls client which can be used
> to check these settings and the handshake? That will be really helpful..
>
> Best regards,
> NCheeku
>
> On 12/28/06, Steffen Witt <[EMAIL PROTECTED]> wrote:
> > Hello Ncheeku,
> >
> > change to the directory with your ".pem" files:
> > /usr/local/etc/openser/tls/user
> >
> > Then you can test your TLS handshake with the following command:
> >
> > openssl s_server -cert user-cert.pem -key user-privkey.pem -state -accept 5061
> >
> > Openssl simulates a TLS server with your certificate/private key files
> > and it accepts only requests at port 5061.
> >
> > Best regards,
> > Steffen
> >
> > 2006/12/28, Ncheeku Baranov <[EMAIL PROTECTED]>:
> > > Thanks a lot Steffen. Adding the new listen = udp: 10.30.100.41:5060 indeed
> > > worked. How can I check the TLS handshake using openssl at the server?
> > > Thanks a lot..
> > >
> > > On 12/28/06, Steffen Witt <[EMAIL PROTECTED]> wrote:
> > > > Hello again,
> > > >
> > > > maybe you should add the following line to test your non-TLS UAs:
> > > >
> > > > disable_tls = 0
> > > > listen = udp:10.30.100.41:5060 <---
> > > > listen = tls:10.30.100.41:5061
> > > >
> > > > You can check your TLS handshake by simulating your server with openssl.
> > > >
> > > > Please have a look at the following link that describes the TLS support:
> > > >
> > > > http://www.openser.org/docs/tls.html
> > > >
> > > > Best regards,
> > > > Steffen
> > > >
> > > > 2006/12/28, Ncheeku Baranov <[EMAIL PROTECTED]>:
> > > > > Hi,
> > > > >
> > > > > I am trying to make my non-TLS/TLS UA register with my TLS enabled openSER.
> > > > > Currently I am just working on my local machine with the client UAs on the
> > > > > same subnet (so there is only one domain, but it's not named). Below is my
> > > > > configuration file:
> > > > >
> > > > > disable_tls = 0
> > > > > listen = tls:10.30.100.41:5061
> > > > > tls_verify_server = 1
> > > > > tls_verify_client = 0
> > > > > tls_require_client_certificate = 0
> > > > > tls_method = TLSv1
> > > > > tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
> > > > > tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"
> > > > > tls_ca_list = "usr/local/etc/openser/tls/user/user-calist.pem"
> > > > >
> > > > > However, with the above configuration the client UAs could not register and I
> > > > > got a 408 Request Time out Message. Is there any field that is missing to make
> > > > > this simple scenario work? What should be the values of the "tls_client_domain"
> > > > > and "tls_server_domain" fields in this case?
> > > > >
> > > > > I noticed that when I start the openSER without TLS support using
> > > > > "openserctl start" and do "ps -e" after that, there are more openSER
> > > > > processes running than if I start openSER with TLS support, in which case I
> > > > > see very few of these processes running.
> > > > >
> > > > > Your help is much appreciated....
> > > > >
> > > > > Best regards,
> > > > > NCheeku
> > > > >
> > > > > _______________________________________________
> > > > > Users mailing list
> > > > > [email protected]
> > > > > http://openser.org/cgi-bin/mailman/listinfo/users
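Verify return code 21 from s_client means the client could not build a chain from the certificate the server presented to a CA it trusts. The script below is an added example, not part of the thread: it reproduces that code on loopback and shows it changing to 0 once s_client is given the issuing CA with -CAfile. The CA and certificates are constructed throwaways whose file names mirror the thread; the 127.0.0.1:5061 listener and the -www option (so s_server does not read stdin) are assumptions of the example.

```shell
#!/bin/sh
# Constructed lab, not from the thread: throwaway CA plus a server certificate.
# File names mirror the thread; assumes openssl on PATH and 127.0.0.1:5061 free.
set -e
WORK=$(mktemp -d); cd "$WORK"; trap 'rm -rf "$WORK"' EXIT

make_pki() {
  # Minimal config so the CA certificate carries basicConstraints CA:TRUE.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    'prompt=no' '[dn]' 'CN=Constructed Test CA' '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' > ca.cnf
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config ca.cnf \
    -keyout ca-key.pem -out user-calist.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj '/CN=127.0.0.1' \
    -keyout user-privkey.pem -out user.csr 2>/dev/null
  # Sign the server certificate with the constructed CA.
  openssl x509 -req -in user.csr -CA user-calist.pem -CAkey ca-key.pem \
    -CAcreateserial -days 2 -out user-cert.pem 2>/dev/null
}

# One handshake against a loopback s_server; prints s_client's verify return code.
# Arguments (such as -CAfile) are handed to s_client unchanged.
verify_code() {
  openssl s_server -cert user-cert.pem -key user-privkey.pem \
    -accept 127.0.0.1:5061 -www >/dev/null 2>&1 &
  srv=$!
  for try in 1 2 3 4 5; do
    sleep 1   # give the listener time to bind
    out=$(openssl s_client -connect 127.0.0.1:5061 "$@" </dev/null 2>/dev/null || true)
    case $out in *"Verify return code"*) break ;; esac
  done
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

make_pki
echo "client without the issuing CA: $(verify_code)"
echo "client with -CAfile:           $(verify_code -CAfile user-calist.pem)"
```

The -cert and -key options on s_client only supply a client certificate to the server; what the client trusts is set separately with -CAfile or -CApath.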
