[reSIProcate] TLS handshake failure
Hello,
I am looking for some help on how resiprocate validates/verifies server
certificates presented as part of TLS handshake.
The client is my application linked with resiprocate. The server is
another application that uses openssl.
The client tries to establish a TLS connection to the server. On the client
(resip) side, the following errors are seen:
TlsConnection.cxx:176 | TLS connection failed ok=-1 err=5
error:00000005:lib(0):func(0):DH lib
TlsConnection.cxx:196 | (SSL Error want syscall)
TlsConnection.cxx:197 | Error may be because trying ssl connection to
tls server
TlsConnection.cxx:228 | Couldn't TLS connect
Write failed on socket: 18, closing connection
On server side, they report errors like this:
SSL3_GET_CLIENT_CERTIFICATE: peer did not return a certificate.
I CAN establish a connection using openssl s_client using -ssl2, so I
know that the server is SSL2 (not TLS). In my application, I am using
SSLv23 as the method. This also proves that the server has been
provisioned with my (client's) self-signed cert.
I read that openssl s_client does server certificate verification but
still continues if the verification fails. But it looks like resip stops if
the verification fails.
I looked back into the logs from openssl s_client and sure enough, there
were messages related to server certificate verification failure.
openssl s_client -connect server:port -verify 10 -cert cert.pem -key
key.pem -showcerts -debug -nbio_test -state -crlf -ssl2
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
The server cert is issued by Verisign and the CN matches the machine
name that I am trying to connect to.
When I copy the server certificate on to my box and run openssl verify
on that cert, I get similar (not exactly the same) errors.
I looked in the resip code and found that there is some processing done with
files with the prefixes domain_cert_, user_cert_ and root_cert_, but did not
really understand what needs to be done.
So my specific questions are:
1) How does resip verify server certs presented as part of TLS
handshake? Where does it look for trusted issuers?
2) What is the difference between domain_cert_*.pem, user_cert_*.pem and
root_cert_*.pem? How are they used?
Any feedback, answers, suggestions and questions are welcome.
Thanks
--
Sandeep Sharma <ssharma@xxxxxxxxxx>
PS: I am using a fairly recent version of resiprocate (about a month
old).
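The three verify errors quoted in the post (num=20, 27, 21) all come from the same root cause: the issuing CA is not in the trust store the client consults, so the chain cannot be built back to a trusted root. The script below is an added illustration, not part of the post and not reSIProcate code. It builds a throwaway CA and a server certificate with the openssl CLI, then runs "openssl verify" three ways: with no trust anchor (reproducing error 20), with the CA supplied as the trust anchor, and with hostname checking against a name that does and does not match. The hostname "sip.example.test", the working directory and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from reSIProcate): show how
# OpenSSL chain verification succeeds or fails depending on whether the
# issuer is in the trust store, and how a hostname mismatch is reported.
# The hostname, paths and file names below are constructed for this demo.
set -u

WORK=$(mktemp -d)
HOST="sip.example.test"

# 1. A self-signed root CA. It plays the role of the public CA that issued
#    the server certificate in the post.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. A server key and CSR, signed by that CA, with a SAN for the hostname.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/server.pem" >/dev/null 2>&1

# No trust anchor for this CA: the chain cannot be built, which reproduces
# "error 20 ... unable to get local issuer certificate". The exit status is
# ignored on purpose so the caller can inspect the captured output.
verify_without_ca() {
    openssl verify "$WORK/server.pem" 2>&1 || true
}

# Same certificate, but the issuing CA is now supplied as the trust anchor.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" 2>&1 || true
}

# Chain verification plus a hostname check against the name given in $1.
# A name that is not in the certificate yields "error 62 ... hostname mismatch"
# even though the chain itself is trusted.
verify_hostname() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
        "$WORK/server.pem" 2>&1 || true
}

# Stand-alone run: print the outcome of each check.
echo "--- no trust anchor:";      verify_without_ca
echo "--- CA as trust anchor:";   verify_with_ca
echo "--- matching hostname:";    verify_hostname "$HOST"
echo "--- wrong hostname:";       verify_hostname "wrong.example.test"
```

The first run is the client's situation in the post: nothing in the default store chains to the server certificate, so verification stops at depth 0 with error 20. Pointing -CAfile at the issuer is what turns the result into "OK", and the hostname case shows that a valid chain is still rejected when the name being connected to is not covered by the certificate.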