<div dir="ltr">Answering my own post:<div><br></div><div>After cranking up Sofia debugging and reading through the source, it turns out Sofia really wants to see "-extensions server" on the "server" generated cert in this case, which makes sense, but it's also problematic because any SIP UA can be a "server" or "client" with different keys (with full validation), and as far as I can tell FreeSWITCH only allows for one key+cert per profile (which can be a "client" or "server").</div>
<div><br></div><div>Kamailio provides for completely separate client and server TLS configuration, including key, cert, CA, CRL, etc, etc.</div><div><br></div><div>Is there a mechanism to provide different client and server certs per profile with Sofia? It looks like that's the only way this is going to work.</div>
<div><br></div><div>Thanks!</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 21, 2013 at 5:22 PM, Kristian Kielhofner <span dir="ltr"><<a href="mailto:kris@kriskinc.com" target="_blank">kris@kriskinc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Good question!<br>
<br>
I've tried a variety of certs, going all the way back to the CA. I<br>
started with your gentls_cert script and eventually moved to the<br>
openvpn-style "easy-rsa" package. I will tell you that using<br>
identical certs with a TLS-capable pjsip pjsua client results in a<br>
successful TLS connection to Kamailio (using the same CA cert, client<br>
cert, and client key used in FreeSWITCH). Of course I'm not changing<br>
the config in Kamailio either.<br>
<div class="HOEnZb"><div class="h5"><br>
On Wed, Aug 21, 2013 at 5:03 PM, Brian West <<a href="mailto:brian@freeswitch.org">brian@freeswitch.org</a>> wrote:<br>
> How art thou generated the certs?<br>
><br>
> On Aug 21, 2013, at 3:38 PM, Kristian Kielhofner <<a href="mailto:kris@kriskinc.com">kris@kriskinc.com</a>> wrote:<br>
><br>
>> Hello,<br>
>><br>
>> I'm trying to get TLS cert validation between FreeSWITCH (client)<br>
>> and Kamailio (server) up and running. Here's my config/setup so far:<br>
>><br>
>> FreeSWITCH 1.2.12 (client) configured with:<br>
>><br>
>> <!-- TLS: disabled by default, set to "true" to enable --><br>
>> <param name="tls" value="true"/><br>
>> <!-- additional bind parameters for TLS --><br>
>> <param name="tls-bind-params" value="transport=tls"/><br>
>> <!-- Port to listen on for TLS requests. (5061 will be used if<br>
>> unspecified) --><br>
>> <param name="tls-sip-port" value="5081"/><br>
>> <!-- Location of the agent.pem and cafile.pem ssl certificates<br>
>> (needed for TLS server) --><br>
>> <param name="tls-cert-dir" value="[my cert dir]"/><br>
>> <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may<br>
>> not work with TLSv1 --><br>
>> <param name="tls-version" value="tlsv1"/><br>
>> <param name="tls-verify-policy" value="out"/><br>
>><br>
>> I have a gateway configured with ;transport=tls<br>
>><br>
>> Kamailio 4.0 (also tried 4.1, etc) configured with (tls.cfg):<br>
>><br>
>> [server:default]<br>
>> method = TLSv1<br>
>> verify_certificate = no<br>
>> require_certificate = yes<br>
>> private_key = /etc/kamailio/generic-sip.key<br>
>> certificate = /etc/kamailio/generic-sip.pem<br>
>> ca_list = /etc/kamailio/generic-cacert.pem<br>
>> cipher_list = AES<br>
>><br>
>> I'm using my own CA with self-signed certs. I've verified that they<br>
>> check out by comparing the modulus on the cert and key pairs and<br>
>> verifying the CA chain with 'openssl verify ...'.<br>
>><br>
>> When I run without tls-verify-policy=none and require_certificate=no<br>
>> everything is golden and TLS works all day long. However, this is<br>
>> less than ideal and I'd like to at least make sure that my TLS clients<br>
>> are presenting a valid cert. Unfortunately when FS tries to connect<br>
>> to Kamailio it reports the following errors:<br>
>><br>
>> ERROR: tls [tls_server.c:1190]: TLS accept:error:140890B2:SSL<br>
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned<br>
>> ERROR: <core> [tcp_read.c:1275]: ERROR: tcp_read_req: error reading<br>
>><br>
>> What's interesting is that FreeSWITCH reports a successful<br>
>> registration and seems to exchange OPTIONS pings (over UDP!) with the<br>
>> remote Kamailio instance. However, Kamailio does not show the<br>
>> endpoint as registered (verified with 'kamctl ul show'). That seems<br>
>> like a bug and worthy of a JIRA but my main concern at this point is<br>
>> getting TLS with certificate validation up and running.<br>
>><br>
>> Any ideas? Thanks!<br>
>><br>
>> --<br>
>> Kristian Kielhofner<br>
>><br>
>> _________________________________________________________________________<br>
>> Professional FreeSWITCH Consulting Services:<br>
>> <a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
>> <a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
>><br>
>> FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
>> <a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
>><br>
>> Official FreeSWITCH Sites<br>
>> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
>> <a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
>> <a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
>><br>
>> FreeSWITCH-users mailing list<br>
>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
>> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
>> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
><br>
><br>
><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Kristian Kielhofner<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>Kristian Kielhofner
</div>
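The post above reports that Sofia insists on a cert generated with the "server" extensions while a SIP UA may act as either side. The added example below, not from the thread nor from the FreeSWITCH or Kamailio projects, mints a demo CA and an agent.pem whose extendedKeyUsage carries both serverAuth and clientAuth, then uses openssl verify -purpose to check the cert for each role separately, so one key+cert per profile can be shown to serve whichever side the UA ends up on. It assumes an openssl CLI in PATH; the directory, file names, subjects and the sip.example.test name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: mint a demo CA and a SIP endpoint cert with the
# extendedKeyUsage given as an argument, then check it for both roles a SIP UA plays
# (TLS server and TLS client). All names, subjects and paths are constructed.
set -e
# make_sip_cert DIR EKU   e.g. make_sip_cert /tmp/t "serverAuth, clientAuth"
make_sip_cert() {
    dir="$1"; eku="$2"
    mkdir -p "$dir"
    # Self-contained config so the demo does not depend on the system openssl.cnf
    cat > "$dir/ssl.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sip_ua ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:sip.example.test
EOF
    # Demo CA (a real CA key stays offline)
    openssl req -config "$dir/ssl.cnf" -x509 -newkey rsa:2048 -nodes -days 365 -extensions v3_ca \
        -subj "/CN=Demo SIP CA" -keyout "$dir/cacert.key" -out "$dir/cacert.pem" 2>/dev/null
    # Endpoint key + CSR, signed with the sip_ua extension section
    openssl req -config "$dir/ssl.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
        -keyout "$dir/agent.key" -out "$dir/agent.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/agent.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cacert.key" \
        -CAcreateserial -extfile "$dir/ssl.cnf" -extensions sip_ua -out "$dir/agent.crt" 2>/dev/null
    # Sofia reads key and cert from a single agent.pem in tls-cert-dir
    cat "$dir/agent.key" "$dir/agent.crt" > "$dir/agent.pem"
}
# check_role DIR PURPOSE   PURPOSE is sslserver or sslclient; returns 0 only if the
# cert chains to cacert.pem AND its keyUsage/extendedKeyUsage permit that role
check_role() {
    openssl verify -purpose "$2" -CAfile "$1/cacert.pem" "$1/agent.crt" >/dev/null 2>&1
}
# check_keypair DIR   the modulus comparison mentioned in the thread
check_keypair() {
    k=$(openssl rsa -noout -modulus -in "$1/agent.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$1/agent.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

A cert minted with only "clientAuth" passes check_role for sslclient but fails it for sslserver, which is the kind of mismatch the post describes; the dual-EKU cert passes both.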