[reSIProcate] Problem while establishing TLS connection between Resiprocate Client and OpenSER Server..........................

kapatralla ahmed kapatralla80 at gmail.com
Tue May 8 02:35:37 CDT 2007


Hi,

The earlier certificate.txt is for cacert.pem. Now I am attaching the Server
side certificate text extracted using user_cert.pem from Server.

Thanks,
Irshad.

On 5/8/07, kapatralla ahmed <kapatralla80 at gmail.com> wrote:
>
> I have extracted the certificate info from the .pem file...Please find the
> same attached.
>
> Thanks,
> Irshad.
>
> On 5/8/07, kapatralla ahmed < kapatralla80 at gmail.com> wrote:
> >
> > Hi,
> >
> > On top of this, Can someone provide some detailed procedure for our
> > Resiprocate Client to establish TLS connection with OpenSER Server or Repro
> > Server ???
> >
> > I will be very much obliged at your kind and earliest response.......
> > Thanks,
> > Irshad
> >
> > On 5/8/07, kapatralla ahmed < kapatralla80 at gmail.com> wrote:
> > >
> > >
> > >
> > > On 5/8/07, kapatralla ahmed < kapatralla80 at gmail.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > Please find the snippets of the Debug file, openser.cfg, cacert.pem at
> > > > OPENSER Server and the root_cert_cacert.pem copied at our resiprocate
> > > > Client.
> > > > At Openser Server the configuration is made such that Certificate
> > > > request is not sent by Server. i.e., No Client Certificate. In this
> > > > case, What are the necessary  .pem files required at the Client??
> > > >
> > > > Thanks,
> > > > Irshad.
> > > >
> > > >
> > > > On 5/4/07, Ryan Kereliuk <ryker at ryker.org> wrote:
> > > > >
> > > > > I would recommend running at the full debug level to generate a
> > > > > complete but small execution trace for sharing.  Perhaps your
> > > > > certificate was generated incorrectly?  Do you have any x509v3
> > > > > subjectAltName extensions in your certificate?  If so, are you
> > > > > running post-1.1 code from SVN?  Is the commonName 'OpenSER' part
> > > > > of the SIP URI you're connecting to in this experiment?  Perhaps
> > > > > sharing the dump of your certificate using
> > > > > 'openssl x509 -text -in <cert>' would help?  Did you look at the
> > > > > TLS handshake on the wire using Wireshark?
> > > > >
> > > > > There could be lots of things wrong but it's difficult to say
> > > > > given the information provided.  (And the information required to
> > > > > debug your application may be too voluminous to get quick help on
> > > > > a volunteer basis.)
> > > > > I do promise that the TLS code in resiprocate works, however.
> > > > >
> > > > > Thanks,
> > > > > -Ryan
> > > > >
> > > > > On 2007-05-04 at 01h19, kapatralla ahmed wrote:
> > > > > > Yeah ...Forgot to mention that I renamed the rootCA as
> > > > > root_cert_cacert.pem
> > > > > > ....I guess this should suffice...Please let me know If I am
> > > > > wrong...
> > > > > >
> > > > > > Regarding the path....I set as
> > > > > >
> > > > > >                    Security* security = new Security("/resiprocate/resip/certs");
> > > > > >                    SipStack stack(security);
> > > > > >
> > > > > >
> > > > > > Thanks,
> > > > > > Irshad.
> > > > > >
> > > > > >
> > > > > > On 5/4/07, Scott Godin < slgodin at icescape.com> wrote:
> > > > > > >
> > > > > > > Some notes:
> > > > > > >
> > > > > > >1.        The code snippet you show below does not pass the
> > > > > cert path that
> > > > > > >you mentioned.
> > > > > > >
> > > > > > >2.        The Root cert must be named correctly - please see the following
> > > > > > >link for more info: http://www.resiprocate.org/Certificates
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >Scott
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >*From:* resiprocate-devel-bounces at list.resiprocate.org [mailto:
> > > > > > > resiprocate-devel-bounces at list.resiprocate.org] *On Behalf Of
> > > > > *kapatralla
> > > > > > >ahmed
> > > > > > >*Sent:* Thursday, May 03, 2007 3:16 PM
> > > > > > >*To:* resiprocate-devel at list.resiprocate.org
> > > > > > >*Subject:* [reSIProcate] Problem while establishing TLS
> > > > > connection
> > > > > > >between Resiprocate Client and OpenSER
> > > > > Server..........................
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >Hi folks..
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >I am using a Resiprocate Client in which TLS is being used as
> > > > > > >transport...I am trying to register the same with a OpenSER
> > > > > server.
> > > > > > >
> > > > > > >On the server side,
> > > > > > >
> > > > > > >1. I configured the openser.cfg (tls_verify_client = 0 &
> > > > > > >tls_request_certificate = 0) and openserctl.   (  * I am not
> > > > > providing the
> > > > > > >whole cfg file as I don't have with me as of now...but it's
> > > > > configured
> > > > > > >properly  :-)   )
> > > > > > >
> > > > > > >2. I created a RootCA using # openserctl tls rootCA at OpenSER
> > > > > > >
> > > > > > >3. and then use certs using # openserctl tls usercert user at
> > > > > OpenSER
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >On the Client side,
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >3. Then I copied the exact OpenSER cacert.pem from server to
> > > > > the client
> > > > > > >machine into the path resiprocate/resip/certs which has been
> > > > > given as my
> > > > > > >certs path using security object passed to the stack
> > > > > constructor.
> > > > > > >
> > > > > > >                    Security* security = new Security;
> > > > > > >                    SipStack stack(security);
> > > > > > >
> > > > > > >4. Now I tried running my client which gave me the following
> > > > > errors:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >----------------------------------------------------------------------------------------------------------------------------------------
> > > > >
> > > > > > >It's actually entering the VerifyCallback(ilnCode, plnStore) in
> > > > > the
> > > > > > >Security.cxx  where the passed-in ilnCode = 0 coz the
> > > > > verification failed.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >Error when  verifying server's chain of certificates: self
> > > > > signed
> > > > > > >certificate in certificate chain, depth=1
> > > > > > >/CN=OpenSER/ST=SIP/C=IP/emailAddres
> > > > > > >TLS connection failed ok=-1 err=1
> > > > > error:00000001:lib(0):func(0):reason(1)
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >----------------------------------------------------------------------------------------------------------------------------------------
> > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >I have few questions here:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >1. If just adding the cacert.pem to the client is not enough,
> > > > > then what
> > > > > > >else should I do to add the same to the trusted root CA store
> > > > > of the client
> > > > > > >in resiprocate??
> > > > > > >
> > > > > > > On OpenSER, I can do the same by appending the cacert.pem into
> > > > > the
> > > > > > >ca_list.pem
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >2. How to solve this OpenSER certificate verification problem
> > > > > at
> > > > > > >resiprocate Client side.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >3. Do I need to do in addition to adding the cacert.pem at the
> > > > > Client.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >I used Repro server ..still the same problem persists...
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >Can someone tell me the sequential procedures to make
> > > > > resiprocate
> > > > > > >Client connect on TLS  with OpenSER server and how to solve the
> > > > > above said
> > > > > > >problem..
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >I will be very much obliged at your kind and earliest response.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >Best regards,
> > > > > > >
> > > > > > >Irshad.
> > > > > > >
> > > > > > >
> > > > >
> > > > > > _______________________________________________
> > > > > > resiprocate-devel mailing list
> > > > > > resiprocate-devel at list.resiprocate.org
> > > > > > https://list.resiprocate.org/mailman/listinfo/resiprocate-devel
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
>
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ServerCertificate.txt
URL: <http://list.resiprocate.org/pipermail/resiprocate-devel/attachments/20070508/de589790/attachment.txt>
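
Added example, not part of the thread and not reSIProcate or OpenSER code: a shell script that reproduces the verification result quoted in the thread ("self signed certificate in certificate chain, depth=1") with the `openssl` command line, by checking a server certificate once against a trust store that holds its signing root and once against a store that does not. All subjects, file names and the `make_demo_pki` / `verify_as_client` helpers are constructed for the demo; it assumes the server sends its root along with its own certificate, which is what an error at depth 1 indicates.

```shell
#!/bin/sh
# Added example: every name, subject and path here is constructed for the demo.

# Build a throwaway signing root, an unrelated root, and a server cert
# signed by the first root, all inside directory $1.
make_demo_pki() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for ca in root other; do
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
            -config "$d/req.cnf" -subj "/CN=Constructed $ca CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj "/CN=sip.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# Verify $1/server.pem as a TLS client would. $2 is the client's trust store;
# -untrusted models the root the server presents in its handshake chain.
# Prints "ok" or "error <code> at <depth> depth" from OpenSSL's verify output.
verify_as_client() {
    out=$(openssl verify -CAfile "$2" -untrusted "$1/root.pem" \
        "$1/server.pem" 2>&1) || true
    case $out in
        *"error "*) printf '%s\n' "$out" |
            sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth.*/error \1 at \2 depth/p' |
            head -n 1 ;;
        *": OK"*) echo ok ;;
        *) echo unknown ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    echo "store holds the signing root: $(verify_as_client "$d" "$d/root.pem")"
    echo "store lacks the signing root: $(verify_as_client "$d" "$d/other.pem")"
    rm -rf "$d"
}
demo
```

Error 19 is OpenSSL's code for a self-signed certificate in the presented chain that is not in the verifier's trust store; the certificate itself is unchanged between the two runs, only the client's store differs.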