
Re: [reSIProcate-users] Please help, TLS not working on XP, urgently


Try logging the return value from the call to X509_STORE_add_cert.  

Scott

On Sat, Apr 18, 2009 at 11:50 PM, Xiexin <xiexin1008@xxxxxxxxx> wrote:
Hi Scott, another thing: you told me to add logging to the BaseSecurity::addCertX509 function. Here is the code; which items (parameters) need to be logged?
Thanks

void
BaseSecurity::addCertX509(PEMType type, const Data& key, X509* cert, bool write) const
{
   switch (type)
   {
      case DomainCert:
      {
         mDomainCerts.insert(std::make_pair(key, cert));
      }
      break;
      case UserCert:
      {
         mUserCerts.insert(std::make_pair(key, cert));
      }
      break;
      case RootCert:
      {
         X509_STORE_add_cert(mRootTlsCerts,cert);
         X509_STORE_add_cert(mRootSslCerts,cert);
         X509_free(cert);
      }
      break;
      default:
      {
         assert(0);
      }
   }
  
   if (write)
   {
      // creates a read/write BIO buffer.
      BIO *out = BIO_new(BIO_s_mem());
      assert(out);
      try
      {
         int ret = PEM_write_bio_X509(out, cert);
         assert(ret);
        
         BIO_flush(out);
         // get content in BIO buffer to our buffer.
         char* p = 0;
         size_t len = BIO_get_mem_data(out,&p);
         assert(p);
         assert(len);
         Data  buf(Data::Borrow, p, len);
        
         this->onWritePEM(key, type, buf);
      }
      catch(...)
      {
         ErrLog(<<"Caught exception: ");
         BIO_free(out);
         throw;
      }
      BIO_free(out);

   }
}


On Sun, Apr 19, 2009 at 11:48 AM, Xiexin <xiexin1008@xxxxxxxxx> wrote:
Thank you Scott, I have tried to delete the duplicate certs, but it still isn't working.

I read the wiki: http://www.resiprocate.org/Certificates
It says:
Place the base64 PEM format certificates in the path specified, and use the following naming scheme:

    * root_cert_<rootCA-name>.pem - public key for root CA
    * domain_cert_<domain-name>.pem - public key used for domain validation in TLS
    * domain_key_<domain-name>.pem - private key used for domain validation in TLS (Server)

Do I need to install three certificates in Windows? Currently I have installed only the root certificate (I'm using the WinSecurity class) and have not installed the domain_cert and domain_key certificates; is that what leads to my error? But on Vista, my UA and eyeBeam both work with TLS even if I install only the root certificates.

Thanks




On Fri, Apr 17, 2009 at 9:08 AM, Scott Godin <sgodin@xxxxxxxxxxxxxxx> wrote:
In your XP logs it appears as if it did not find the appropriate root certificate in the store.  I have seen issues with WinSecurity, that I never really got to the bottom of, where the Windows certificate store contains multiple copies of the same/similar certificate (i.e. sometimes the same certificate serial number, sometimes just the same certificate name).  I never really nailed down exactly what constituted a "duplicated" certificate, but adding the 2nd "duplicate" cert to the OpenSSL certificate store was getting an error.  Unfortunately I don't believe resiprocate will currently log anything if X509_STORE_add_cert fails - you might want to try adding some debugging code to BaseSecurity::addCertX509.  Also check your Windows certificate store to see if you think there are "duplicate" certs, and try removing all but the correct one.

Scott

On Thu, Apr 16, 2009 at 1:41 PM, Xiexin <xiexin1008@xxxxxxxxx> wrote:
Hi all, I'm using reSIProcate 1.4.1 for my UA; the UA uses TLS for SIP messages with the SIP server.
Now I have a strange issue: the UA works fine on Vista via TLS, but on XP I get the error: certificate verify failed.

These two PCs have the same root certificate file installed - it was installed in the root trusted store area - and I'm using WinSecurity for my UA.

I have attached two log files: textfile1.txt, which was generated on XP, and textfile2.txt, on Vista.

Please help me, thank you in advance.


_______________________________________________
resiprocate-users mailing list
resiprocate-users@xxxxxxxxxxxxxxx
List Archive: http://list.resiprocate.org/archive/resiprocate-users/
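
The check Scott suggests in the thread above (look in the Windows certificate store for "duplicate" root certificates), as an added PowerShell example that is not part of the original messages or of reSIProcate. The function name Get-DuplicateRootCert and the default store path Cert:\CurrentUser\Root are assumptions; point -StorePath at whichever store the application actually reads.

```powershell
# Added example: list root certificates that share a subject name, and say
# whether they are the same certificate, share a serial number, or only
# share the name (the kinds of "duplicate" mentioned in the thread).
# Assumption: $StorePath is the store the application loads its roots from.
param([string]$StorePath = 'Cert:\CurrentUser\Root')

function Get-DuplicateRootCert {
    param([Parameter(Mandatory = $true)][string]$Path)

    Get-ChildItem -Path $Path |
        Group-Object -Property Subject |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $certs   = $_.Group
            $thumbs  = @($certs | Select-Object -ExpandProperty Thumbprint -Unique)
            $serials = @($certs | Select-Object -ExpandProperty SerialNumber -Unique)

            # Classify the group as a whole; the per-row thumbprints below
            # show exactly which entries coincide.
            if ($thumbs.Count -eq 1) {
                $kind = 'same certificate listed more than once'
            }
            elseif ($serials.Count -lt $thumbs.Count) {
                $kind = 'different certificates, same name and serial'
            }
            else {
                $kind = 'different certificates, same name only'
            }

            # One output row per store entry so each can be reviewed.
            $certs | Select-Object Subject, SerialNumber, Thumbprint, NotAfter,
                @{ Name = 'Kind'; Expression = { $kind } }
        }
}

$dups = @(Get-DuplicateRootCert -Path $StorePath)
if ($dups.Count -eq 0) {
    Write-Output "No root certificates with a repeated subject in $StorePath"
}
else {
    $dups | Sort-Object Subject, NotAfter | Format-List
}
```

The script only reads the store; which entry to keep is decided by comparing the reported thumbprint with that of the root certificate the SIP server's chain was actually issued under.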