[reSIProcate] Problem while establishing TLS connection between Resiprocate Client and OpenSER Server

kapatralla ahmed kapatralla80 at gmail.com
Mon May 7 23:50:56 CDT 2007


On 5/8/07, kapatralla ahmed <kapatralla80 at gmail.com> wrote:
>
> Hi,
>
> Please find the snippets of the Debug file, openser.cfg, cacert.pem at
> OPENSER Server and the root_cert_cacert.pem copied at our resiprocate
> Client.
> At Openser Server the configuration is made such that Certificate request
> is not sent by Server, i.e., No Client Certificate. In this case, what are
> the necessary .pem files required at the Client?
>
> Thanks,
> Irshad.
>
>
> On 5/4/07, Ryan Kereliuk <ryker at ryker.org> wrote:
> >
> > I would recommend running at the full debug level to generate a complete
> > but small execution trace for sharing.  Perhaps your certificate was
> > generated incorrectly?  Do you have any x509v3 subjectAltName extensions
> > in your certificate?  If so, are you running post-1.1 code from SVN?
> > Is the commonName 'OpenSER' part of the SIP URI you're connecting to in
> > this experiment?  Perhaps sharing the dump of your certificate using
> > 'openssl x509 -text -in <cert>' would help?  Did you look at the TLS
> > handshake on the wire using Wireshark?
> >
> > There could be lots of things wrong but it's difficult to say given
> > the information provided.  (And the information required to debug your
> > application may be too voluminous to get quick help on a volunteer
> > basis.)
> > I do promise that the TLS code in resiprocate works, however.
> >
> > Thanks,
> > -Ryan
> >
> > On 2007-05-04 at 01h19, kapatralla ahmed wrote:
> > > Yeah ...Forgot to mention that I renamed the rootCA as root_cert_cacert.pem
> > > ....I guess this should suffice...Please let me know If I am wrong...
> > >
> > > Regarding the path....I set as
> > >
> > >                    Security* security = new Security("/resiprocate/resip/certs");
> > >                    SipStack stack(security);
> > >
> > >
> > > Thanks,
> > > Irshad.
> > >
> > >
> > > On 5/4/07, Scott Godin <slgodin at icescape.com> wrote:
> > > >
> > > > Some notes:
> > > >
> > > >1.        The code snippet you show below does not pass the cert path that
> > > >you mentioned.
> > > >
> > > >2.        The Root cert must be named correctly - please see the following
> > > >link for more info: http://www.resiprocate.org/Certificates
> > > >
> > > >
> > > >
> > > >Scott
> > > >
> > > >
> > > >
> > > >*From:* resiprocate-devel-bounces at list.resiprocate.org [mailto:resiprocate-devel-bounces at list.resiprocate.org] *On Behalf Of* kapatralla ahmed
> > > >*Sent:* Thursday, May 03, 2007 3:16 PM
> > > >*To:* resiprocate-devel at list.resiprocate.org
> > > >*Subject:* [reSIProcate] Problem while establishing TLS connection
> > > >between Resiprocate Client and OpenSER Server
> > > >
> > > >
> > > >
> > > >Hi folks..
> > > >
> > > >
> > > >
> > > >I am using a Resiprocate Client in which TLS is being used as
> > > >transport...I am trying to register the same with a OpenSER server.
> > > >
> > > >On the server side,
> > > >
> > > >1. I configured the openser.cfg (tls_verify_client = 0 &
> > > >tls_request_certificate = 0) and openserctl.   (  * I am not providing the
> > > >whole cfg file as I don't have it with me as of now...but it's configured
> > > >properly  :-)   )
> > > >
> > > >2. I created a RootCA using # openserctl tls rootCA at OpenSER
> > > >
> > > >3. and then use certs using # openserctl tls usercert user at OpenSER
> >
> > > >
> > > >
> > > >
> > > >On the Client side,
> > > >
> > > >
> > > >
> > > >3. Then I copied the exact OpenSER cacert.pem from server to the client
> > > >machine into the path resiprocate/resip/certs which has been given as my
> > > >certs path using security object passed to the stack constructor.
> > > >
> > > >                    Security* security = new Security;
> > > >                    SipStack stack(security);
> > > >
> > > >4. Now I tried running my client which gave me the following errors:
> > > >
> > > >
> > > >
> > > >
> > >
> > >----------------------------------------------------------------------------------------------------------------------------------------
> >
> > > >Its actually entering the VerifyCallback(ilnCode, plnStore) in the
> > > >Security.cxx  where the passed-in ilnCode = 0 coz the verification
> > failed.
> > > >
> > > >
> > > >
> > > >Error when  verifying server's chain of certificates: self signed
> > > >certificate in certificate chain, depth=1
> > > >/CN=OpenSER/ST=SIP/C=IP/emailAddres
> > > >TLS connection failed ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)
> > > >
> > > >----------------------------------------------------------------------------------------------------------------------------------------
> > > >
> > > >
> > > >
> > > >
> > > >I have few questions here:
> > > >
> > > >
> > > >
> > > >1. If just adding the cacert.pem to the client is not enough, then what
> > > >else should I do to add the same to the trusted root CA store of the client
> > > >in resiprocate??
> > > >
> > > > On OpenSER, I can do the same by appending the cacert.pem into the
> > > >ca_list.pem
> > > >
> > > >
> > > >
> > > >2. How to solve this OpenSER certificate verification problem at
> > > >resiprocate Client side.
> > > >
> > > >
> > > >
> > > >3. Do I need to do anything in addition to adding the cacert.pem at the Client?
> > > >
> > > >
> > > >
> > > >I used Repro server ..still the same problem persists...
> > > >
> > > >
> > > >
> > > >Can someone tell me the sequential procedures to make resiprocate
> > > >Client connect on TLS  with OpenSER server and how to solve the above said
> > > >problem..
> > > >
> > > >
> > > >
> > > >I will be very much obliged at your kind and earliest response.
> > > >
> > > >
> > > >
> > > >Best regards,
> > > >
> > > >Irshad.
> > > >
> > > >
> >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacert.pem
Type: application/x-x509-ca-cert
Size: 1302 bytes
Desc: not available
URL: <http://list.resiprocate.org/pipermail/resiprocate-devel/attachments/20070508/d55b1cb4/attachment.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: root_cert_cacert.pem
Type: application/x-x509-ca-cert
Size: 1302 bytes
Desc: not available
URL: <http://list.resiprocate.org/pipermail/resiprocate-devel/attachments/20070508/d55b1cb4/attachment-0001.crt>
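
Added example, not part of the original thread or of reSIProcate/OpenSER: a shell script that uses the openssl CLI to reproduce the "self signed certificate in certificate chain" failure at depth 1 (verifier error 19) and shows it clearing once the root is present as a trust anchor. The CA and server names, the temporary paths and the helper functions are assumptions; only the file name root_cert_cacert.pem is taken from the thread.

```shell
#!/bin/sh
# Added example: every key and certificate is a throwaway file built here.
set -e

make_pki() {    # $1 = dir; writes a root CA (cacert.pem) and a server cert it signs
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/cacert.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

# Prints 0 if the chain validates, else the verifier's error number.
# $1 = server cert, $2 = chain as sent by the server, $3 = trusted root (optional)
verify_code() {
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify -untrusted "$2" "$1" 2>&1) || true
    fi
    case $out in *": OK"*) echo 0; return 0 ;; esac
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-unknown}"
}

is_self_signed() {    # subject == issuer: the file is a root, not a leaf
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
mkdir "$work/certs"

# Server sends leaf + root, but the client has no copy of the root yet.
before=$(verify_code "$work/server.pem" "$work/cacert.pem")
# Install the root in the client's cert directory under the name used in the thread.
cp "$work/cacert.pem" "$work/certs/root_cert_cacert.pem"
after=$(verify_code "$work/server.pem" "$work/cacert.pem" "$work/certs/root_cert_cacert.pem")

echo "root not trusted: error $before / root trusted: error $after"
```

Running is_self_signed on the file placed in the client's cert directory confirms it is the root itself and not a user or server certificate issued by it.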

