Re: [reSIProcate-users] Please help, TLS not working on XP, urgrently

[Scott Godin <sgodin@xxxxxxxxxxxxxxx>]

It must be named root_cert_....   - see http://www.resiprocate.org/Certificates.

Scott

On Mon, Apr 20, 2009 at 9:53 AM, Xiexin <xiexin1008@xxxxxxxxx> wrote:

Thanks Soctt, if use the Security instead of WinSecurity, does the root certificate must named root_cert_<rootCA-name>.pem ?
Or it can be as xxxxxxx.pem ?

thanks

On Mon, Apr 20, 2009 at 8:16 PM, Scott Godin <sgodin@xxxxxxxxxxxxxxx> wrote:

Using a public cert should not really change anything, other than the
fact that using acert from a different root may avoid whatever issue
is happening here.  A workaround you can try is to use Security
instead of WinSecurity and place the cert pem files in a directory to
be loaded instead of the windows cert store.

Scott

On 4/20/09, Xiexin <xiexin1008@xxxxxxxxx> wrote:
> Dear Scott, if I'm not use the self-signed certificate and buy a certificate
> from verisign, then will avoid this issue, right ?
> thanks
>
>
> On Sun, Apr 19, 2009 at 9:32 PM, Scott Godin <sgodin@xxxxxxxxxxxxxxx> wrote:
>
>> Try logging the return value from the call to X509_STORE_add_cert.
>> Scott
>>
>> On Sat, Apr 18, 2009 at 11:50 PM, Xiexin <xiexin1008@xxxxxxxxx> wrote:
>>
>>> Hi Soctt, another ting, you told me add the login in for
>>> BaseSecurity::addCertX509 function, there is the code, what are
>>> items(parameters) need to log ?
>>> thanks
>>>
>>> void
>>> BaseSecurity::addCertX509(PEMType type, const Data& key, X509* cert, bool
>>> write) const
>>> {
>>>    switch (type)
>>>    {
>>>       case DomainCert:
>>>       {
>>>          mDomainCerts.insert(std::make_pair(key, cert));
>>>       }
>>>       break;
>>>       case UserCert:
>>>       {
>>>          mUserCerts.insert(std::make_pair(key, cert));
>>>       }
>>>       break;
>>>       case RootCert:
>>>       {
>>>          X509_STORE_add_cert(mRootTlsCerts,cert);
>>>          X509_STORE_add_cert(mRootSslCerts,cert);
>>>          X509_free(cert);
>>>       }
>>>       break;
>>>       default:
>>>       {
>>>          assert(0);
>>>       }
>>>    }
>>>
>>>    if (write)
>>>    {
>>>       // creates a read/write BIO buffer.
>>>       BIO *out = BIO_new(BIO_s_mem());
>>>       assert(out);
>>>       try
>>>       {
>>>          int ret = PEM_write_bio_X509(out, cert);
>>>          assert(ret);
>>>
>>>          BIO_flush(out);
>>>          // get content in BIO buffer to our buffer.
>>>          char* p = 0;
>>>          size_t len = BIO_get_mem_data(out,&p);
>>>          assert(p);
>>>          assert(len);
>>>          Data  buf(Data::Borrow, p, len);
>>>
>>>          this->onWritePEM(key, type, buf);
>>>       }
>>>       catch(...)
>>>       {
>>>          ErrLog(<<"Caught exception: ");
>>>          BIO_free(out);
>>>          throw;
>>>       }
>>>       BIO_free(out);
>>>
>>>    }
>>> }
>>>
>>>
>>> On Sun, Apr 19, 2009 at 11:48 AM, Xiexin <xiexin1008@xxxxxxxxx> wrote:
>>>
>>>> Thank you Scott, I have try to delete the duplicate certs, but still
>>>> can't working.
>>>>
>>>> I'm read the wiki: http://www.resiprocate.org/Certificates
>>>> there says:
>>>> Place the base64 PEM format certificates in the path specified, and use
>>>> the following naming scheme:
>>>>
>>>>     * root_cert_<rootCA-name>.pem - public key for root CA
>>>>     * domain_cert_<domain-name>.pem - public key used for domain
>>>> validation in TLS
>>>>     * domain_key_<domain-name>.pem - private key used for domain
>>>> validation in TLS (Server)
>>>>
>>>> Do I need install three certificates in window?  Currently I just
>>>> installed the root certificate only(I'm using WinSecurity class), do not
>>>> install the domain_cert and domain_key certificates, so it leads my
>>>> error ?
>>>> But on vista, my UA and eyebeam all are working with TLS  even if just
>>>> install the
>>>> root certificates only.
>>>>
>>>> Thanks
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Apr 17, 2009 at 9:08 AM, Scott Godin
>>>> <sgodin@xxxxxxxxxxxxxxx>wrote:
>>>>
>>>>> On your XP logs it appears as if did not find the appropriate root
>>>>> certificate in the store.  I have seen issues with WinSecurity, that I
>>>>> never
>>>>> really got the bottom of, where the windows certificate store contains
>>>>> multiple copies of the same/similar certificate (ie. sometimes same
>>>>> certificate serial number, sometimes just the same certificate name).
>>>>> I
>>>>> never really nailed down exactly what constituted a "duplicated"
>>>>> certificate, but adding the 2nd "duplicate" cert to the OpenSSL
>>>>> certificate
>>>>> store was getting an error.  Unfortunately I don't believe resiprocate
>>>>> will
>>>>> currently log anything if X509_STORE_add_cert fails - you might want to
>>>>> try
>>>>> adding some debugging code to BaseSecurity::addCertX509.  Also check
>>>>> your
>>>>> windows certificate store to see if you think there are "duplicate"
>>>>> certs,
>>>>> and try removing all but the correct one.
>>>>> Scott
>>>>>
>>>>> On Thu, Apr 16, 2009 at 1:41 PM, Xiexin <xiexin1008@xxxxxxxxx> wrote:
>>>>>
>>>>>> Hi all, I'm using the reSIProcate 1.4.1 for my UA, the UA use TLS for
>>>>>> SIP message with SIP server,
>>>>>> now I got a strange issue, the UA working fine on Vista via TLS, but
>>>>>> on
>>>>>> XP, got the error: certificate verify failed.
>>>>>>
>>>>>> These two PCs installed same root certificate file - it was installed
>>>>>> in the root trusted store area. and I'm using the winSecureity for my
>>>>>> UA.
>>>>>>
>>>>>> I have attached two log files- the textfile1.txt which generated on
>>>>>> XP,
>>>>>> the textfile2.txt on the Vista.
>>>>>>
>>>>>> Please help me, thank you in advance.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> resiprocate-users mailing list
>>>>>> resiprocate-users@xxxxxxxxxxxxxxx
>>>>>> List Archive: http://list.resiprocate.org/archive/resiprocate-users/
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

--
Sent from my mobile device