Re: [reSIProcate] TLS handshake failure
Try and answer a few of your questions here - there should be better
documentation on all of this ...
the root_cert* files are the certs for the CAs that you trust - so you would need
to copy the Verisign cert to one of these.
The domain_cert files are the things that are used for TLS - so this would be
your certificate for the server.
The user_certs are only used for S/MIME and don't have anything to do with
TLS.
Some of the code on a Resip client verifying the server cert has been
changing and I'm not up to date on it. It should be checking the
SubjectAltName of the cert and that the date of the cert is valid. It is not
checking CRL stuff.
On 5/2/05 4:57 PM, "Sandeep Sharma" <ssharma@xxxxxxxxxx> wrote:
> Hello,
>
> I am looking for some help on how resiprocate validates/verifies server
> certificates presented as part of TLS handshake.
>
> The client is my application linked with resiprocate. The server is
> another application that uses openssl.
>
> The client tries to establish a TLS connection to the server. On the client
> (resip) side, the following errors are seen:
>
> TlsConnection.cxx:176 | TLS connection failed ok=-1 err=5
> error:00000005:lib(0):func(0):DH lib
> TlsConnection.cxx:196 | (SSL Error want syscall)
> TlsConnection.cxx:197 | Error may be because trying ssl connection to
> tls server
> TlsConnection.cxx:228 | Couldn't TLS connect
> Write failed on socket: 18, closing connection
>
> On server side, they report errors like this:
> SSL3_GET_CLIENT_CERTIFICATE: peer did not return a certificate.
>
> I CAN establish a connection using openssl s_client using -ssl2, so I
> know that the server is SSL2 (not TLS). In my application, I am using
> SSLv23 as the method. This also proves that the server has been
> provisioned with my (client's) self-signed cert.
>
> I read that openssl s_client does server certificate verification but
> still continues if the verification fails. But it looks like resip stops if
> the verification fails.
>
> I looked back into the logs from openssl s_client and sure enough, there
> were messages related to server certificate verification failure.
>
> openssl s_client -connect server:port -verify 10 -cert cert.pem -key
> key.pem -showcerts -debug -nbio_test -state -crlf -ssl2
>
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> verify error:num=27:certificate not trusted
> verify return:1
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> The server cert is issued by Verisign and the CN matches the machine
> name that I am trying to connect to.
>
> When I copy the server certificate on to my box and run openssl verify
> on that cert, I get similar (not exactly the same) errors.
>
> I looked in resip code and found that there is some processing done with
> files with prefix domain_cert_, user_cert_ and root_cert_ but did not
> really understand what needs to be done.
>
> So my specific questions are:
>
> 1) How does resip verify server certs presented as part of TLS
> handshake? Where does it look for trusted issuers?
>
> 2) What is the difference between domain_cert_*.pem, user_cert_*.pem and
> root_cert_*.pem? How are they used?
>
> Any feedback, answers, suggestions and questions are welcome.
>
> Thanks
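The three checks the reply lists (chain to a trusted root_cert_* file, SubjectAltName match, validity dates), reproduced with plain openssl as an added example that is not reSIProcate code. It assumes openssl 1.1.1 or newer in PATH; the CA, the server certificate and the host name sip.example.test are all constructed here.

```shell
#!/bin/sh
# Added example, not reSIProcate code: reproduce with plain openssl the checks the
# reply lists (chain to a trusted root_cert_*, SubjectAltName match, validity dates).
# Assumes openssl 1.1.1+ in PATH; every certificate here is constructed on the fly.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed trust anchor standing in for the Verisign root that would be copied
# into a root_cert_*.pem file. Self-signed via x509 -req so the only extension is
# the explicit CA:TRUE, independent of whatever openssl.cnf is installed.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
  -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca.ext \
  -out root_cert_example.pem 2>/dev/null

# Constructed server certificate (the domain_cert_* role) for sip.example.test,
# issued by that CA with a SubjectAltName, the field the client should match on.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
printf 'subjectAltName=DNS:sip.example.test\n' > san.ext
openssl x509 -req -in server.csr -CA root_cert_example.pem -CAkey ca.key \
  -CAcreateserial -days 30 -extfile san.ext -out domain_cert_example.pem 2>/dev/null

# verify_server_cert CERT ROOTFILE HOST: exit 0 only if all three checks pass.
verify_server_cert() {
  cert=$1; root=$2; host=$3
  # 1. The chain must end at a root in ROOTFILE (-no-CApath: ignore the system CA
  #    directory). With the wrong file this fails the same way the s_client run
  #    above did: "unable to get local issuer certificate" (num=20). This step
  #    also enforces notBefore/notAfter.
  openssl verify -no-CApath -CAfile "$root" "$cert" >/dev/null 2>&1 || return 1
  # 2. HOST must match a SAN entry (the CN only counts when there is no SAN).
  #    openssl x509 exits 0 either way, so the printed verdict is inspected.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' || return 1
  # 3. Make the expiry check explicit: -checkend 0 exits 1 once notAfter is past.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null
}

verify_server_cert domain_cert_example.pem root_cert_example.pem sip.example.test \
  && echo "accepted: domain_cert_example.pem for sip.example.test"
```

Pointing ROOTFILE at a file that lacks the issuing CA reproduces the num=20 failure from the s_client output; pointing HOST at a name absent from the SAN fails on the second check.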