[Freeswitch-users] TLS with FreeSWITCH and Kamailio
Kristian Kielhofner
kris at kriskinc.com
Thu Aug 22 00:38:29 MSD 2013
Hello,
I'm trying to get TLS cert validation between FreeSWITCH (client)
and Kamailio (server) up and running. Here's my config/setup so far:
FreeSWITCH 1.2.12 (client) configured with:
<!-- TLS: disabled by default, set to "true" to enable -->
<param name="tls" value="true"/>
<!-- additional bind parameters for TLS -->
<param name="tls-bind-params" value="transport=tls"/>
<!-- Port to listen on for TLS requests. (5061 will be used if
unspecified) -->
<param name="tls-sip-port" value="5081"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates
(needed for TLS server) -->
<param name="tls-cert-dir" value="[my cert dir]"/>
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may
not work with TLSv1 -->
<param name="tls-version" value="tlsv1"/>
<param name="tls-verify-policy" value="out"/>
I have a gateway configured with ;transport=tls
Kamailio 4.0 (also tried 4.1, etc) configured with (tls.cfg):
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = yes
private_key = /etc/kamailio/generic-sip.key
certificate = /etc/kamailio/generic-sip.pem
ca_list = /etc/kamailio/generic-cacert.pem
cipher_list = AES
I'm using my own CA with self-signed certs. I've verified that they
check out by comparing the modulus on the cert and key pairs and
verifying the CA chain with 'openssl verify ...'.
When I run without tls-verify-policy=none and require_certificate=no
everything is golden and TLS works all day long. However, this is
less than ideal and I'd like to at least make sure that my TLS clients
are presenting a valid cert. Unfortunately when FS tries to connect
to Kamailio it reports the following errors:
ERROR: tls [tls_server.c:1190]: TLS accept:error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
ERROR: <core> [tcp_read.c:1275]: ERROR: tcp_read_req: error reading
What's interesting is that FreeSWITCH reports a successful
registration and seems to exchange OPTIONS pings (over UDP!) with the
remote Kamailio instance. However, Kamailio does not show the
endpoint as registered (verified with 'kamctl ul show'). That seems
like a bug and worthy of a JIRA but my main concern at this point is
getting TLS with certificate validation up and running.
Any ideas? Thanks!
--
Kristian Kielhofner
Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users
mailing list