
Re: [reSIProcate] Problem while establishing TLS connection between Resiprocate Client and OpenSER Server


Hi,

The earlier certificate.txt is for cacert.pem. Now I am attaching the Server side certificate text extracted using user_cert.pem from Server.

Thanks,
Irshad.

On 5/8/07, kapatralla ahmed <kapatralla80@xxxxxxxxx> wrote:
I have extracted the certificate info from the .pem file...Please find the same attached.


Thanks,
Irshad.

On 5/8/07, kapatralla ahmed < kapatralla80@xxxxxxxxx> wrote:
Hi,

On top of this, can someone provide a detailed procedure for our Resiprocate Client to establish a TLS connection with OpenSER Server or Repro Server?

I will be very much obliged for your kind and earliest response.
Thanks,
Irshad


On 5/8/07, kapatralla ahmed < kapatralla80@xxxxxxxxx> wrote:
Hi,

Please find the snippets of the debug file, openser.cfg and cacert.pem at the OpenSER Server, and the root_cert_cacert.pem copied to our resiprocate Client.
At the OpenSER Server the configuration is made such that a certificate request is not sent by the Server, i.e., no Client Certificate. In this case, what are the necessary .pem files required at the Client?

Thanks,
Irshad.



On 5/4/07, Ryan Kereliuk <ryker@xxxxxxxxx> wrote:
I would recommend running at the full debug level to generate a complete
but small execution trace for sharing.  Perhaps your certificate was
generated incorrectly?  Do you have any x509v3 subjectAltName extensions
in your certificate?  If so, are you running post-1.1 code from SVN?
Is the commonName 'OpenSER' part of the SIP URI you're connecting to in
this experiment?  Perhaps sharing the dump of your certificate using
'openssl x509 -text -in <cert>' would help?  Did you look at the TLS
handshake on the wire using Wireshark?

There could be lots of things wrong but it's difficult to say given
the information provided.  (And the information required to debug your
application may be too voluminous to get quick help on a volunteer basis.)
I do promise that the TLS code in resiprocate works, however.

Thanks,
-Ryan

On 2007-05-04 at 01h19, kapatralla ahmed wrote:
> Yeah... Forgot to mention that I renamed the rootCA as root_cert_cacert.pem
> ... I guess this should suffice... Please let me know if I am wrong...
>
> Regarding the path....I set as
>
>                    Security* security = new
> Security("/resiprocate/resip/certs");
>                    SipStack stack(security);
>
>
> Thanks,
> Irshad.
>
>
> On 5/4/07, Scott Godin < slgodin@xxxxxxxxxxxx> wrote:
> >
> > Some notes:
> >
> >1.        The code snippet you show below does not pass the cert path that
> >you mentioned.
> >
> >2.        The Root cert must be named correctly; please see the following
> >link for more info: http://www.resiprocate.org/Certificates
> >
> >
> >
> >Scott
> >
> >
> >
> >*From:* resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxxx [mailto:
> > resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxxx] *On Behalf Of *kapatralla
> >ahmed
> >*Sent:* Thursday, May 03, 2007 3:16 PM
> >*To:* resiprocate-devel@xxxxxxxxxxxxxxxxxxxx
> >*Subject:* [reSIProcate] Problem while establishing TLS connection
> >between Resiprocate Client and OpenSER Server
> >
> >
> >
> >Hi folks..
> >
> >
> >
> >I am using a Resiprocate Client in which TLS is being used as
> >transport...I am trying to register the same with a OpenSER server.
> >
> >On the server side,
> >
> >1. I configured the openser.cfg (tls_verify_client = 0 &
> >tls_request_certificate = 0) and openserctl.   (  * I am not providing the
> >whole cfg file as I don't have it with me as of now...but it's configured
> >properly  :-)   )
> >
> >2. I created a RootCA using # openserctl tls rootCA at OpenSER
> >
> >3. and then use certs using # openserctl tls usercert user at OpenSER
> >
> >
> >
> >On the Client side,
> >
> >
> >
> >3. Then I copied the exact OpenSER cacert.pem from server to the client
> >machine into the path resiprocate/resip/certs which has been given as my
> >certs path using security object passed to the stack constructor.
> >
> >                    Security* security = new Security;
> >                    SipStack stack(security);
> >
> >4. Now I tried running my client which gave me the following errors:
> >
> >
> >
> >
> >----------------------------------------------------------------------------------------------------------------------------------------
> >It's actually entering the VerifyCallback(ilnCode, plnStore) in the
> >Security.cxx  where the passed-in ilnCode = 0 coz the verification failed.
> >
> >
> >
> >Error when  verifying server's chain of certificates: self signed
> >certificate in certificate chain, depth=1
> >/CN=OpenSER/ST=SIP/C=IP/emailAddres
> >TLS connection failed ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)
> >
> >
> >----------------------------------------------------------------------------------------------------------------------------------------
> >
> >
> >
> >I have few questions here:
> >
> >
> >
> >1. If just adding the cacert.pem to the client is not enough, then what
> >else should I do to add the same to the trusted root CA store of the client
> >in resiprocate?
> >
> > On OpenSER, I can do the same by appending the cacert.pem into the
> >ca_list.pem
> >
> >
> >
> >2. How to solve this OpenSER certificate verification problem at
> >resiprocate Client side.
> >
> >
> >
> >3. Do I need to do anything in addition to adding the cacert.pem at the Client?
> >
> >
> >
> >I used Repro server ..still the same problem persists...
> >
> >
> >
> >Can someone tell me the sequential procedure to make the resiprocate
> >Client connect on TLS with the OpenSER server and how to solve the
> >above-mentioned problem?
> >
> >
> >
> >I will be very much obliged at your kind and earliest response.
> >
> >
> >
> >Best regards,
> >
> >Irshad.
> >
> >









 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Your_NAME, ST=Your_STATE, C=CO/emailAddress=YOUR_EMAIL, O=YOUR_ORG_NAME
        Validity
            Not Before: May  7 14:45:13 2007 GMT
            Not After : May  6 14:45:13 2008 GMT
        Subject: C=XY, ST=Some State, O=My Large Organization Name, OU=My Subunit of Large Organization, CN=somename.somewhere.com/emailAddress=root@xxxxxxxxxxxxxxxxxxxxxx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:d9:fa:43:13:30:06:f1:41:91:23:12:87:85:a3:
                    e0:7a:9a:90:d8:e5:b1:eb:0a:e1:fd:a2:b2:b9:b9:
                    2b:72:4c:96:b8:f5:2e:39:22:6c:5b:2d:8b:0f:d6:
                    44:ec:0e:8d:7c:03:49:03:46:3d:c5:62:a4:27:38:
                    af:f8:04:bf:d3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
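
The verification error quoted in the thread ("self signed certificate in certificate chain", depth=1) and the commonName question can both be checked offline with `openssl` before involving the SIP stack. The script below is an added example, not code from any poster or from the reSIProcate or OpenSER projects; it assumes OpenSSL 1.1.0 or later, and the CA, the host name `sip.example.test` and all files are constructed throwaways.

```shell
#!/bin/sh
# Added example: every key and certificate below is a constructed throwaway.
set -eu

# Build a self-signed root CA and a server certificate signed by it, in directory $1.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$1/ca_key.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
        -keyout "$1/srv_key.pem" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/cacert.pem" -CAkey "$1/ca_key.pem" \
        -CAcreateserial -days 1 -out "$1/user_cert.pem" 2>/dev/null
}

# Print OK, or the numeric X509 verify error, for the arguments passed on to
# 'openssl verify'. The system trust store is excluded so results are repeatable.
verify_code() {
    out=$(openssl verify -no-CAfile -no-CApath "$@" 2>&1) && { echo OK; return 0; }
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
}

# Print yes/no: does certificate $1 match host name $2 (SAN, else commonName)?
host_matches() {
    if openssl x509 -noout -checkhost "$2" -in "$1" 2>&1 | grep -q "does match"; then
        echo yes
    else
        echo no
    fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_test_pki "$work"

# The peer presents leaf + root, but the root is not a local trust anchor:
# error 19, "self signed certificate in certificate chain", at depth 1.
echo "root sent, not trusted: $(verify_code -untrusted "$work/cacert.pem" "$work/user_cert.pem")"
# No issuer available at all: error 20, "unable to get local issuer certificate".
echo "no issuer available:    $(verify_code "$work/user_cert.pem")"
# The same CA certificate loaded as a trust anchor: the chain verifies.
echo "root trusted:           $(verify_code -CAfile "$work/cacert.pem" "$work/user_cert.pem")"
# Chain trust and name matching are separate checks; test the name too.
echo "matches sip.example.test: $(host_matches "$work/user_cert.pem" sip.example.test)"
echo "matches OpenSER:          $(host_matches "$work/user_cert.pem" OpenSER)"
```

Error 19 means the chain itself was built correctly and only the trust anchor is missing on the verifying side, so the thing to check is whether the client actually loaded the CA certificate, not the server's certificate or key.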