
Re: [reSIProcate] Problem while establishing TLS connection between Resiprocate Client and OpenSER Server..........................




On 5/8/07, kapatralla ahmed <kapatralla80@xxxxxxxxx> wrote:
Hi,

Please find the snippets of the Debug file, openser.cfg, cacert.pem at OPENSER Server and the root_cert_cacert.pem copied at our resiprocate Client.
At Openser Server the configuration is made such that Certificate request is not sent by Server, i.e., no Client Certificate. In this case, what are the necessary .pem files required at the Client?

Thanks,
Irshad.



On 5/4/07, Ryan Kereliuk <ryker@xxxxxxxxx> wrote:
I would recommend running at the full debug level to generate a complete
but small execution trace for sharing.  Perhaps your certificate was
generated incorrectly?  Do you have any x509v3 subjectAltName extensions
in your certificate?  If so, are you running post-1.1 code from SVN?
Is the commonName 'OpenSER' part of the SIP URI you're connecting to in
this experiment?  Perhaps sharing the dump of your certificate using
'openssl x509 -text -in <cert>' would help?  Did you look at the TLS
handshake on the wire using Wireshark?

There could be lots of things wrong but it's difficult to say given
the information provided.  (And the information required to debug your
application may be too voluminous to get quick help on a volunteer basis.)
I do promise that the TLS code in resiprocate works, however.

Thanks,
-Ryan

On 2007-05-04 at 01h19, kapatralla ahmed wrote:
> Yeah ... Forgot to mention that I renamed the rootCA as root_cert_cacert.pem
> ....I guess this should suffice...Please let me know If I am wrong...
>
> Regarding the path....I set as
>
>                    Security* security = new Security("/resiprocate/resip/certs");
>                    SipStack stack(security);
>
>
> Thanks,
> Irshad.
>
>
> On 5/4/07, Scott Godin < slgodin@xxxxxxxxxxxx> wrote:
> >
> > Some notes:
> >
> >1.        The code snippet you show below does not pass the cert path that
> >you mentioned.
> >
> >2.        The Root cert must be named correctly - please see the following
> >link for more info: http://www.resiprocate.org/Certificates
> >
> >
> >
> >Scott
> >
> >
> >
> >*From:* resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxxx [mailto:
> > resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxxx] *On Behalf Of *kapatralla
> >ahmed
> >*Sent:* Thursday, May 03, 2007 3:16 PM
> >*To:* resiprocate-devel@xxxxxxxxxxxxxxxxxxxx
> >*Subject:* [reSIProcate] Problem while establishing TLS connection
> >between Resiprocate Client and OpenSER Server..........................
> >
> >
> >
> >Hi folks..
> >
> >
> >
> >I am using a Resiprocate Client in which TLS is being used as
> >transport...I am trying to register the same with a OpenSER server.
> >
> >On the server side,
> >
> >1. I configured the openser.cfg (tls_verify_client = 0 &
> >tls_request_certificate = 0) and openserctl.   (  * I am not providing the
> >whole cfg file as I don't have it with me as of now...but it's configured
> >properly  :-)   )
> >
> >2. I created a RootCA using # openserctl tls rootCA at OpenSER
> >
> >3. and then use certs using # openserctl tls usercert user at OpenSER
> >
> >
> >
> >On the Client side,
> >
> >
> >
> >3. Then I copied the exact OpenSER cacert.pem from server to the client
> >machine into the path resiprocate/resip/certs which has been given as my
> >certs path using security object passed to the stack constructor.
> >
> >                    Security* security = new Security;
> >                    SipStack stack(security);
> >
> >4. Now I tried running my client which gave me the following errors:
> >
> >
> >
> >
> >----------------------------------------------------------------------------------------------------------------------------------------
> >It's actually entering the VerifyCallback(ilnCode, plnStore) in the
> >Security.cxx where the passed-in ilnCode = 0 because the verification failed.
> >
> >
> >
> >Error when  verifying server's chain of certificates: self signed
> >certificate in certificate chain, depth=1
> >/CN=OpenSER/ST=SIP/C=IP/emailAddres
> >TLS connection failed ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)
> >
> >
> >----------------------------------------------------------------------------------------------------------------------------------------
> >
> >
> >
> >I have few questions here:
> >
> >
> >
> >1. If just adding the cacert.pem to the client is not enough, then what
> >else should I do to add the same to the trusted root CA store of the client
> >in resiprocate??
> >
> > On OpenSER, I can do the same by appending the cacert.pem into the
> >ca_list.pem
> >
> >
> >
> >2. How to solve this OpenSER certificate verification problem at
> >resiprocate Client side.
> >
> >
> >
> >3. Do I need to do anything in addition to adding the cacert.pem at the Client?
> >
> >
> >
> >I used Repro server ..still the same problem persists...
> >
> >
> >
> >Can someone tell me the sequential procedures to make resiprocate
> >Client connect on TLS  with OpenSER server and how to solve the above said
> >problem..
> >
> >
> >
> >I will be very much obliged at your kind and earliest response.
> >
> >
> >
> >Best regards,
> >
> >Irshad.
> >
> >

> _______________________________________________
> resiprocate-devel mailing list
> resiprocate-devel@xxxxxxxxxxxxxxxxxxxx
> https://list.resiprocate.org/mailman/listinfo/resiprocate-devel



Attachment: cacert.pem
Description: application/x509-ca-cert

Attachment: root_cert_cacert.pem
Description: application/x509-ca-cert
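
The verification failure quoted in this thread ("self signed certificate in certificate chain, depth=1") and the check that the client's root copy resolves it, reproduced with the openssl CLI as an added example; it is not part of the original thread and is not reSIProcate or OpenSER code. All keys and certificates are constructed locally, the host name `sip.example.test` and the working file names other than `cacert.pem` and `root_cert_cacert.pem` are assumptions, and `-no-CAfile`/`-no-CApath` need OpenSSL 1.1.0 or later.

```shell
#!/usr/bin/env bash
# Added example: every key and certificate below is constructed in a temp dir.
work=$(mktemp -d)

make_chain() {
  cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root, standing in for the server-side cacert.pem.
  openssl req -x509 -config "$work/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$work/ca.key" -out "$work/cacert.pem" 2>/dev/null
  # Server certificate issued by that root (hypothetical host name).
  openssl req -new -config "$work/req.cnf" -subj "/CN=sip.example.test" \
    -newkey rsa:2048 -nodes -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
  openssl x509 -req -in "$work/srv.csr" -CA "$work/cacert.pem" \
    -CAkey "$work/ca.key" -CAcreateserial -days 2 -out "$work/srv.pem" 2>/dev/null
  # Client-side copy of the root, under the file name used in the thread.
  cp "$work/cacert.pem" "$work/root_cert_cacert.pem"
}

# The root arrives with the chain but is not a trust anchor: the thread's failure.
verify_untrusted() {
  openssl verify -no-CAfile -no-CApath -untrusted "$work/cacert.pem" \
    "$work/srv.pem" 2>&1
}

# Same server certificate, with the copied root loaded as the trust anchor.
verify_trusted() {
  openssl verify -no-CApath -CAfile "$work/root_cert_cacert.pem" "$work/srv.pem" 2>&1
}

# SHA-256 fingerprint, to confirm the client copy is the server's root.
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

make_chain
verify_untrusted || true   # reports "error 19 at 1 depth lookup"
verify_trusted             # reports "srv.pem: OK"
[ "$(fingerprint "$work/cacert.pem")" = "$(fingerprint "$work/root_cert_cacert.pem")" ] \
  && echo "client copy matches server root"
```

Error 19 at depth 1 means the peer's root was seen during chain building but no matching trust anchor was loaded, so the things to check on the client are which directory and file the root was actually read from.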