[reSIProcate] Problem while establishing TLS connection between Resiprocate Client and OpenSER Server
kapatralla ahmed
kapatralla80 at gmail.com
Tue May 8 01:56:27 CDT 2007
Hi,
On top of this, can someone provide some detailed procedure for our
Resiprocate Client to establish a TLS connection with OpenSER Server or Repro
Server?
I will be very much obliged for your kind and earliest response.
Thanks,
Irshad
On 5/8/07, kapatralla ahmed <kapatralla80 at gmail.com> wrote:
>
>
>
> On 5/8/07, kapatralla ahmed <kapatralla80 at gmail.com> wrote:
> >
> > Hi,
> >
> > Please find the snippets of the Debug file, openser.cfg, cacert.pem at
> > OPENSER Server and the root_cert_cacert.pem copied at our resiprocate
> > Client.
> > At Openser Server the configuration is made such that Certificate
> > request is not sent by Server, i.e., no Client Certificate. In this
> > case, what are the necessary .pem files required at the Client?
> >
> > Thanks,
> > Irshad.
> >
> >
> > On 5/4/07, Ryan Kereliuk <ryker at ryker.org> wrote:
> > >
> > > I would recommend running at the full debug level to generate a complete
> > > but small execution trace for sharing. Perhaps your certificate was
> > > generated incorrectly? Do you have any x509v3 subjectAltName extensions
> > > in your certificate? If so, are you running post-1.1 code from SVN?
> > > Is the commonName 'OpenSER' part of the SIP URI you're connecting to in
> > > this experiment? Perhaps sharing the dump of your certificate using
> > > 'openssl x509 -text -in <cert>' would help? Did you look at the TLS
> > > handshake on the wire using Wireshark?
> > >
> > > There could be lots of things wrong but it's difficult to say given
> > > the information provided. (And the information required to debug your
> > > application may be too voluminous to get quick help on a volunteer basis.)
> > > I do promise that the TLS code in resiprocate works, however.
> > >
> > > Thanks,
> > > -Ryan
> > >
> > > On 2007-05-04 at 01h19, kapatralla ahmed wrote:
> > > > Yeah ...Forgot to mention that I renamed the rootCA as root_cert_cacert.pem
> > > > ....I guess this should suffice...Please let me know If I am wrong...
> > > >
> > > > Regarding the path....I set as
> > > >
> > > > Security* security = new Security("/resiprocate/resip/certs");
> > > > SipStack stack(security);
> > > >
> > > >
> > > > Thanks,
> > > > Irshad.
> > > >
> > > >
> > > > On 5/4/07, Scott Godin < slgodin at icescape.com> wrote:
> > > > >
> > > > > Some notes:
> > > > >
> > > > >1. The code snippet you show below does not pass the cert path that
> > > > >you mentioned.
> > > > >
> > > > >2. The Root cert must be named correctly - please see the following
> > > > >link for more info: http://www.resiprocate.org/Certificates
> > > > >
> > > > >
> > > > >
> > > > >Scott
> > > > >
> > > > >
> > > > >
> > > > >*From:* resiprocate-devel-bounces at list.resiprocate.org [mailto:
> > > > > resiprocate-devel-bounces at list.resiprocate.org] *On Behalf Of
> > > *kapatralla
> > > > >ahmed
> > > > >*Sent:* Thursday, May 03, 2007 3:16 PM
> > > > >*To:* resiprocate-devel at list.resiprocate.org
> > > > >*Subject:* [reSIProcate] Problem while establishing TLS connection
> > > > >betweenResiprocate Client and OpenSER
> > > Server..........................
> > > > >
> > > > >
> > > > >
> > > > >Hi folks..
> > > > >
> > > > >
> > > > >
> > > > >I am using a Resiprocate Client in which TLS is being used as
> > > > >transport...I am trying to register the same with an OpenSER server.
> > > > >
> > > > >On the server side,
> > > > >
> > > > >1. I configured the openser.cfg (tls_verify_client = 0 &
> > > > >tls_request_certificate = 0) and openserctl. ( * I am not providing the
> > > > >whole cfg file as I don't have it with me as of now...but it's configured
> > > > >properly :-) )
> > > > >
> > > > >2. I created a RootCA using # openserctl tls rootCA at OpenSER
> > > > >
> > > > >3. and then use certs using # openserctl tls usercert user at OpenSER
> > > > >
> > > > >
> > > > >
> > > > >On the Client side,
> > > > >
> > > > >
> > > > >
> > > > >3. Then I copied the exact OpenSER cacert.pem from server to the client
> > > > >machine into the path resiprocate/resip/certs which has been given as my
> > > > >certs path using security object passed to the stack constructor.
> > > > >
> > > > > Security* security = new Security;
> > > > > SipStack stack(security);
> > > > >
> > > > >4. Now I tried running my client which gave me the following errors:
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >----------------------------------------------------------------------------------------------------------------------------------------
> > >
> > > > >It's actually entering the VerifyCallback(ilnCode, plnStore) in the
> > > > >Security.cxx where the passed-in ilnCode = 0 coz the verification failed.
> > > > >
> > > > >
> > > > >
> > > > >Error when verifying server's chain of certificates: self signed certificate in certificate chain, depth=1
> > > > >/CN=OpenSER/ST=SIP/C=IP/emailAddres
> > > > >TLS connection failed ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)
> > > > >
> > > > >
> > > >
> > > >----------------------------------------------------------------------------------------------------------------------------------------
> > >
> > > > >
> > > > >
> > > > >
> > > > >I have few questions here:
> > > > >
> > > > >
> > > > >
> > > > >1. If just adding the cacert.pem to the client is not enough, then what
> > > > >else should I do to add the same to the trusted root CA store of the client
> > > > >in resiprocate??
> > > > >
> > > > > On OpenSER, I can do the same by appending the cacert.pem into the
> > > > >ca_list.pem
> > > > >
> > > > >
> > > > >
> > > > >2. How to solve this OpenSER certificate verification problem at
> > > > >resiprocate Client side.
> > > > >
> > > > >
> > > > >
> > > > >3. Do I need to do anything in addition to adding the cacert.pem at the Client.
> > > > >
> > > > >
> > > > >
> > > > >I used Repro server ..still the same problem persists...
> > > > >
> > > > >
> > > > >
> > > > >Can someone tell me the sequential procedures to make resiprocate
> > > > >Client connect on TLS with OpenSER server and how to solve the above said
> > > > >problem..
> > > > >
> > > > >
> > > > >
> > > > >I will be very much obliged at your kind and earliest response.
> > > > >
> > > > >
> > > > >
> > > > >Best regards,
> > > > >
> > > > >Irshad.
> > > > >
> > > > >
> > >
> > > > _______________________________________________
> > > > resiprocate-devel mailing list
> > > > resiprocate-devel at list.resiprocate.org
> > > > https://list.resiprocate.org/mailman/listinfo/resiprocate-devel
> > >
> >
> >
> >
>
>
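A pre-flight check for the situation discussed in this thread, added here as an example (it is not code from the posters or from the reSIProcate project): it confirms that the client's certificate directory holds a root named `root_cert_*.pem`, that the server certificate verifies against it, and that the certificate carries the name the client connects to. It needs the `openssl` command-line tool; the function name, return codes and arguments are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of a client trust directory before a TLS attempt.
# Assumption: trusted roots live in CERT_DIR as root_cert_*.pem (the naming used in
# this thread). Function name, return codes and arguments are constructed.

# check_trust_dir CERT_DIR SERVER_CERT EXPECTED_NAME
# returns 0 = usable, 1 = no correctly named root, 2 = chain does not verify,
#         3 = certificate does not carry EXPECTED_NAME (subjectAltName, else commonName)
check_trust_dir() {
    local dir=$1 server_cert=$2 name=$3 bundle
    bundle=$(mktemp) || return 4

    # A CA file copied under any other name (e.g. cacert.pem) is not picked up here.
    cat "$dir"/root_cert_*.pem > "$bundle" 2>/dev/null || true
    if [ ! -s "$bundle" ]; then
        rm -f "$bundle"
        echo "no root_cert_*.pem found in $dir"
        return 1
    fi

    # Match on the ": OK" line, which openssl verify prints only on success.
    if ! openssl verify -CAfile "$bundle" "$server_cert" 2>/dev/null | grep -q ': OK$'; then
        rm -f "$bundle"
        echo "server certificate does not chain to a root in $dir"
        return 2
    fi
    rm -f "$bundle"

    # -checkhost compares against subjectAltName DNS entries, falling back to CN.
    if ! openssl x509 -noout -checkhost "$name" -in "$server_cert" 2>/dev/null \
            | grep -q 'does match'; then
        echo "certificate does not match name $name"
        openssl x509 -noout -subject -in "$server_cert"
        return 3
    fi
    echo "ok: $server_cert verifies against $dir and matches $name"
    return 0
}

# Run as: ./check_trust_dir.sh CERT_DIR SERVER_CERT EXPECTED_NAME
if [ "$#" -eq 3 ]; then
    check_trust_dir "$@"
fi
```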