Re: [reSIProcate] Problem while establishing TLS connection betweenResiprocate Client and OpenSER Server..........................
I have extracted the certificate info from the .pem file...Please find the same attached.
Thanks,
Irshad.
On 5/8/07, kapatralla ahmed <
kapatralla80@xxxxxxxxx> wrote:Hi,
On top of this, Can someone provide some detailed procedure for our Resiprocate Client to establish TLS connection with OpenSER Server or Repro Server ???
I will be very much obliged at your kind and earliest response.......
Thanks,
Irshad
On 5/8/07, kapatralla ahmed <
kapatralla80@xxxxxxxxx> wrote:
On 5/8/07, kapatralla ahmed <
kapatralla80@xxxxxxxxx> wrote:
Hi,
Please find the snippets of the Debug file,openser.cfg, cacert.pem at OPENSER Server and the root_cert_cacert.pem copied at our resiprocate Client.
At Openser Server the configuration is made such that Certificate request is not sent by Server.
i.e., No Client Certificate. In this case, What are the necessary .pem files required at the Client??
Thanks,
Irshad.
On 5/4/07,
Ryan Kereliuk
<ryker@xxxxxxxxx> wrote:
I would recommend running at the full debug level to generate a complete
but small execution trace for sharing. Perhaps your certificate was
generated incorrectly? Do you have any x509v3 subjectAltName extensions
in your certificate? If so, are you running post-1.1 code from SVN?
Is the commonName 'OpenSER' part of the SIP URI you're connecting to in
this experiment? Perhaps sharing the dump of your certificate using
'openssl x509 -text -in <cert>' would help? Did you look at the TLS
handshake on the wire using Wireshark?
There could be lots of things wrong but it's difficult to say given
the information provided. (And the information required to debug your
application may be too voluminous to get quick help on a volunteer basis.)
I do promise that the TLS code in resiprocate works, however.
Thanks,
-Ryan
On 2007-05-04 at 01h19, kapatralla ahmed wrote:
> Yeah ...Forgot to metion that I renamed the rootCA as root_cert_cacert.pem
> ....I guess this should suffice...Please let me know If I am wrong...
>
> Regarding the path....I set as
>
> Security* security = new
> Security("/resiprocate/resip/certs");
> SipStack stack(security);
>
>
> Thanks,
> Irshad.
>
>
> On 5/4/07, Scott Godin <
slgodin@xxxxxxxxxxxx> wrote:
> >
> > Some notes:
> >
> >1. The code snippet you show below does not pass the cert path that
> >you mentioned.
> >
> >2. The Root cert must be named correctly ? please see the following
> >link for more info: http://www.resiprocate.org/Certificates
> >
> >
> >
> >Scott
> >
> >
> >
> >*From:* resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxxx [mailto:
> >
resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxxx] *On Behalf Of *kapatralla
> >ahmed
> >*Sent:* Thursday, May 03, 2007 3:16 PM
> >*To:*
resiprocate-devel@xxxxxxxxxxxxxxxxxxxx
> >*Subject:* [reSIProcate] Problem while establishing TLS connection
> >betweenResiprocate Client and OpenSER Server..........................
> >
> >
> >
> >Hi folks..
> >
> >
> >
> >I am using a Resiprocate Client in which TLS is being used as
> >transport...I am trying to register the same with a OpenSER server.
> >
> >On the server side,
> >
> >1. I configured the openser.cfg (tls_verify_client = 0 &
> >tls_request_certificate = 0) and openserctl. ( * I am not providing the
> >whole cfg file as I dont have with me as of now...but its configured
> >properly :-) )
> >
> >2. I created a RootCA using # openserctl tls rootCA at OpenSER
> >
> >3. and then use certs using # openserctl tls usercert user at OpenSER
> >
> >
> >
> >On the Client side,
> >
> >
> >
> >3. Then I copied the exact OpenSER cacert.pem from server to the client
> >machine into the path resiprocate/resip/certs which has been given as my
> >certs path using security object passed to the stack constructor.
> >
> > Security* security = new Security;
> > SipStack stack(security);
> >
> >4. Now I tried running my client which gave me the following errors:
> >
> >
> >
> >
> >----------------------------------------------------------------------------------------------------------------------------------------
> >Its actually entering the VerifyCallback(ilnCode, plnStore) in the
> >Security.cxx where the passed-in ilnCode = 0 coz the verification failed.
> >
> >
> >
> >Error when verifying server's chain of certificates: self signed
> >certificate in certificate chain, depth=1
> >/CN=OpenSER/ST=SIP/C=IP/emailAddres
> >TLS connection failed ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)
> >
> >
> >----------------------------------------------------------------------------------------------------------------------------------------
> >
> >
> >
> >I have few questions here:
> >
> >
> >
> >1. If just adding the cacert.pem to the client is not enough, thn what
> >else should I do to add the same to the trusted root CA store of the client
> >in resiprocate??
> >
> > On OpenSER, I can do the same by appending the cacert.pem into the
> >ca_list.pem
> >
> >
> >
> >2. How to solve this OpenSER certificate verification problem at
> >resiprocate Client side.
> >
> >
> >
> >3. Do I need to do in addition to addin the cacert.pem at the Client.
> >
> >
> >
> >I used Repro server ..still the same problem persists...
> >
> >
> >
> >Can someone tell me the seuqential procedures to make resiprocate
> >Client connect on TLS with OpenSER server and how to solve the above said
> >problem..
> >
> >
> >
> >I will be very much obliged at your kind and earliest response.
> >
> >
> >
> >Best regards,
> >
> >Irshad.
> >
> >
> _______________________________________________
> resiprocate-devel mailing list
>
resiprocate-devel@xxxxxxxxxxxxxxxxxxxx
> https://list.resiprocate.org/mailman/listinfo/resiprocate-devel
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
85:94:50:69:30:cf:00:24
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Your_NAME, ST=Your_STATE, C=CO/emailAddress=YOUR_EMAIL,
O=YOUR_ORG_NAME
Validity
Not Before: May 7 14:43:38 2007 GMT
Not After : May 6 14:43:38 2008 GMT
Subject: CN=Your_NAME, ST=Your_STATE, C=CO/emailAddress=YOUR_EMAIL,
O=YOUR_ORG_NAME
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:be:e0:9a:f7:11:02:e6:1f:20:cb:56:72:f5:72:
2f:e5:6a:50:f3:3d:a9:cd:82:75:44:bc:18:46:19:
31:70:f9:06:8c:94:21:28:fe:f9:40:7c:68:64:5a:
10:a7:2a:70:15:d1:78:68:ba:5b:17:f6:10:24:03:
72:dd:1a:71:33:0b:39:0a:0a:5d:66:2b:e8:7f:d7:
1d:d7:e7:d0:ab:59:67:aa:5e:ae:de:9b:1e:35:ad:
de:6b:8e:10:c2:86:85:d5:d2:4d:fe:85:68:9b:98:
ef:62:67:0d:91:3a:a8:0c:91:18:a6:c0:69:1d:ae:
49:b9:ab:46:e8:72:89:ae:dd:f6:81:8e:7b:b7:87:
72:38:85:42:3c:7a:ad:c2:28:20:92:12:06:a1:44:
09:70:ab:3d:59:9f:e6:be:c3:cf:df:3a:03:52:1d:
2c:9e:9e:0e:95:e4:3a:63:96:8d:0e:06:7b:36:03:
2a:99:86:11:ab:28:d8:61:33:d0:a9:46:2e:ef:94:
eb:f4:08:83:33:ff:f6:46:70:31:23:88:e7:06:d7:
0a:49:68:94:57:cd:81:84:e7:59:01:a3:d0:ab:54:
64:42:aa:9a:a2:8f:02:d3:b7:97:66:b0:ad:82:8c:
67:47:b3:93:cc:4b:fe:fc:93:47:ef:4d:b3:68:4a:
c2:8f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Alternative Name:
email:YOUR_EMAIL
X509v3 Issuer Alternative Name:
email:YOUR_EMAIL
Signature Algorithm: sha1WithRSAEncryption
07:fd:f4:a6:2f:e6:29:55:ed:1e:46:02:e6:f3:bd:de:81:00:
70:8e:e9:c5:eb:b8:41:60:e0:73:67:42:d5:ad:29:1d:43:2c:
0f:47:6c:90:4e:00:a2:cf:c6:65:dd:7b:4b:21:2a:60:a1:6c:
42:fb:29:2a:65:c7:56:a5:d4:9c:bf:e0:52:41:17:52:ce:60:
ef:b3:d5:78:b0:39:6e:cb:51:c7:4c:5c:99:48:04:44:ba:49:
66:5a:dd:32:a2:ae:58:d9:e9:cd:10:17:42:47:17:30:ec:65:
d9:05:fa:e6:f2:79:eb:bf:36:4d:1c:4c:6f:9b:f1:05:83:e6:
7c:3c:3e:30:75:d3:b5:2d:f5:e9:bb:fb:00:25:d5:e1:34:39:
c3:61:4f:7e:77:02:e0:7c:17:ac:c6:f0:b5:38:fe:10:b2:fe:
15:83:fd:c6:eb:5a:dc:e4:88:68:47:03:76:a1:65:55:70:c1:
cd:10:2b:31:7c:eb:2d:46:82:e4:bb:33:82:bb:ac:82:0a:2c:
4f:74:6b:7c:96:26:96:9e:1f:b4:c5:a1:83:16:5d:b8:f3:34:
e1:ec:4e:46:d7:4b:e8:d5:d2:dd:cf:84:c0:9e:be:68:f0:7d:
c4:12:07:3a:aa:d3:f0:da:6c:05:42:fb:68:bd:00:75:40:a1:
5a:87:1b:d4
-----BEGIN CERTIFICATE-----
MIIDkzCCAnugAwIBAgIJAIWUUGkwzwAkMA0GCSqGSIb3DQEBBQUAMGkxEjAQBgNV
BAMUCVlvdXJfTkFNRTETMBEGA1UECBQKWW91cl9TVEFURTELMAkGA1UEBhMCQ08x
GTAXBgkqhkiG9w0BCQEWCllPVVJfRU1BSUwxFjAUBgNVBAoUDVlPVVJfT1JHX05B
TUUwHhcNMDcwNTA3MTQ0MzM4WhcNMDgwNTA2MTQ0MzM4WjBpMRIwEAYDVQQDFAlZ
b3VyX05BTUUxEzARBgNVBAgUCllvdXJfU1RBVEUxCzAJBgNVBAYTAkNPMRkwFwYJ
KoZIhvcNAQkBFgpZT1VSX0VNQUlMMRYwFAYDVQQKFA1ZT1VSX09SR19OQU1FMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvuCa9xEC5h8gy1Zy9XIv5WpQ
8z2pzYJ1RLwYRhkxcPkGjJQhKP75QHxoZFoQpypwFdF4aLpbF/YQJANy3RpxMws5
CgpdZivof9cd1+fQq1lnql6u3pseNa3ea44QwoaF1dJN/oVom5jvYmcNkTqoDJEY
psBpHa5JuatG6HKJrt32gY57t4dyOIVCPHqtwiggkhIGoUQJcKs9WZ/mvsPP3zoD
Uh0snp4OleQ6Y5aNDgZ7NgMqmYYRqyjYYTPQqUYu75Tr9AiDM//2RnAxI4jnBtcK
SWiUV82BhOdZAaPQq1RkQqqaoo8C07eXZrCtgoxnR7OTzEv+/JNH702zaErCjwID
AQABoz4wPDAMBgNVHRMEBTADAQH/MBUGA1UdEQQOMAyBCllPVVJfRU1BSUwwFQYD
VR0SBA4wDIEKWU9VUl9FTUFJTDANBgkqhkiG9w0BAQUFAAOCAQEAB/30pi/mKVXt
HkYC5vO93oEAcI7pxeu4QWDgc2dC1a0pHUMsD0dskE4Aos/GZd17SyEqYKFsQvsp
KmXHVqXUnL/gUkEXUs5g77PVeLA5bstRx0xcmUgERLpJZlrdMqKuWNnpzRAXQkcX
MOxl2QX65vJ56782TRxMb5vxBYPmfDw+MHXTtS316bv7ACXV4TQ5w2FPfncC4HwX
rMbwtTj+ELL+FYP9xuta3OSIaEcDdqFlVXDBzRArMXzrLUaC5LszgrusggosT3Rr
fJYmlp4ftMWhgxZduPM04exORtdL6NXS3c+EwJ6+aPB9xBIHOqrT8NpsBUL7aL0A
dUChWocb1A==
-----END CERTIFICATE-----