
[reSIProcate] TLS handshake failure


Hello,

I am looking for some help on how resiprocate validates/verifies server
certificates presented as part of TLS handshake.

The client is my application linked with resiprocate. The server is
another application that uses openssl.

The client tries to establish a TLS connection to the server. On the client
(resip) side, the following errors are seen:

TlsConnection.cxx:176 | TLS connection failed ok=-1 err=5
error:00000005:lib(0):func(0):DH lib
TlsConnection.cxx:196 |  (SSL Error want syscall)
TlsConnection.cxx:197 | Error may be because trying ssl connection to
tls server
TlsConnection.cxx:228 | Couldn't TLS connect
Write failed on socket: 18, closing connection

On server side, they report errors like this:
SSL3_GET_CLIENT_CERTIFICATE: peer did not return a certificate.

I CAN establish a connection using openssl s_client using -ssl2, so I
know that the server is SSL2 (not TLS). In my application, I am using
SSLv23 as the method. This also proves that the server has been
provisioned with my (client's) self signed cert.

I read that openssl s_client does server certificate verification but
still continues if the verification fails. But it looks like resip stops
if the verification fails.

I looked back into the logs from openssl s_client and sure enough, there
were messages related to server certificate verification failure. 

openssl s_client -connect server:port -verify 10 -cert cert.pem -key
key.pem -showcerts -debug -nbio_test -state -crlf -ssl2

verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1

The server cert is issued by Verisign and the CN matches the machine
name that I am trying to connect to.

When I copy the server certificate on to my box and run openssl verify
on that cert, I get similar (not exactly same) errors.

I looked in the resip code and found that there is some processing done
with files with the prefixes domain_cert_, user_cert_ and root_cert_ but
did not really understand what needs to be done.

So my specific questions are:

1) How does resip verify server certs presented as part of TLS
handshake? Where does it look for trusted issuers? 

2) What is the difference between domain_cert_*.pem, user_cert_*.pem and
root_cert_*.pem? How are they used?

Any feedback, answers, suggestions and questions are welcome.

Thanks
-- 
Sandeep Sharma <ssharma@xxxxxxxxxx>

PS: I am using a fairly recent version of resiprocate (about a month
old).
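
Added example (not from the post above and not reSIProcate code): the
"verify error:num=20:unable to get local issuer certificate" seen with
s_client and openssl verify is what you get when the issuing CA is absent
from the verifier's trust store, and it clears as soon as the CA is handed
over. The script below builds a throw-away root CA and a leaf certificate
signed by it, then runs openssl verify four ways: without the CA, with the
CA, and with the CA plus a hostname check against the right and a wrong
name. The CA name, the hostname server.example.test and the temp paths are
made up for the example; the real server cert in the post is chained to
Verisign instead.

```shell
#!/bin/sh
# Added example: reproduce X509 verify error 20 with a home-made PKI and
# show that supplying the issuing CA (and a hostname check) fixes it.
# All names below are assumed for the demo; nothing here is resip code.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_CN="Example Test Root"         # assumed stand-in for the real issuer
SERVER_CN="server.example.test"   # assumed hostname, placed in the leaf CN

# Build the PKI: a self-signed root, then a leaf signed by that root.
# The leaf carries no SAN, so OpenSSL falls back to the CN for hostname
# matching, which is the situation the post describes.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$CA_CN" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$SERVER_CN" -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Run "openssl verify" on the leaf with the given extra options and print
# OK or FAIL. Old openssl releases exit 0 even when verification fails, so
# the verdict is taken from the "<file>: OK" line rather than the exit code.
verify_leaf() {
    out="$(openssl verify "$@" "$WORK/server.pem" 2>&1 || true)"
    if printf '%s\n' "$out" | grep -q ': OK$'; then echo OK; else echo FAIL; fi
}

# First X509_V_ERR_* number reported by openssl verify (20 = unable to get
# local issuer certificate), or "none" when verification succeeded.
first_error_code() {
    out="$(openssl verify "$@" "$WORK/server.pem" 2>&1 || true)"
    code="$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)"
    echo "${code:-none}"
}

verify_without_ca()  { verify_leaf; }                                   # trust store lacks the CA
verify_with_ca()     { verify_leaf -CAfile "$WORK/ca.pem"; }             # CA supplied, chain builds
verify_right_host()  { verify_leaf -CAfile "$WORK/ca.pem" -verify_hostname "$SERVER_CN"; }
verify_wrong_host()  { verify_leaf -CAfile "$WORK/ca.pem" -verify_hostname "other.example.test"; }
error_without_ca()   { first_error_code; }
error_with_ca()      { first_error_code -CAfile "$WORK/ca.pem"; }

make_pki
echo "no CA file:         $(verify_without_ca)  (error $(error_without_ca))"
echo "with -CAfile:       $(verify_with_ca)  (error $(error_with_ca))"
echo "right hostname:     $(verify_right_host)"
echo "wrong hostname:     $(verify_wrong_host)"
```

Running it prints FAIL with error 20 for the first case and OK for the
second and third; the fourth fails on the hostname even though the chain
itself is fine. That is the distinction worth keeping in mind when reading
the s_client output: num=20, 21 and 27 are all chain-building errors
(no trusted issuer reachable from the presented cert), and a client that
enforces verification will refuse to connect until the issuing CA (and any
intermediate the server does not send) is in the trust store it consults.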