Re: [SR-Users] Create Certificates to be used with Kamailio changes
On 30.09.2010 17:27, Juha Heinanen wrote:
> now that 3.1 has async tls support, i decided (first time ever) to try to test tls. things went quite smoothly when i followed Create Certificates to be used with Kamailio document
> http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_certificates_with_tls
> during the process, i fixed a typo in the doc, added two comments to cfg part:
>
> enable_tls=1
> tcp_async=no # do not include in 3.1
> listen=udp:0.0.0.0:5060
> listen=tcp:0.0.0.0:5060
> listen=tls:0.0.0.0:5061 # not needed in 3.1

I wonder which IP address is used as the TLS socket if you do not specify it in the config file? I always specify it explicitly as I do not want any kind of automatism.

regards
Klaus

___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Re: [SR-Users] Create Certificates to be used with Kamailio changes
I added a note about configuring Snom phones to connect over TLS and created a section from that part:
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_tls_and_the_certificates_with_sip_phones

Also, in my configs I set:

tcp_connection_lifetime=3610

Which is slightly higher than the max allowed registration time. Some clients do not reconnect if the tcp/tls connection is closed by the server. Maybe we should add this one in the wiki as well.

Cheers,
Daniel

On 9/30/10 5:27 PM, Juha Heinanen wrote:
> now that 3.1 has async tls support, i decided (first time ever) to try to test tls. things went quite smoothly when i followed Create Certificates to be used with Kamailio document
> http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_certificates_with_tls
> during the process, i fixed a typo in the doc, added two comments to cfg part:
>
> enable_tls=1
> tcp_async=no # do not include in 3.1
> listen=udp:0.0.0.0:5060
> listen=tcp:0.0.0.0:5060
> listen=tls:0.0.0.0:5061 # not needed in 3.1
>
> and fixed wrong file references in client configurations:
>
> eyebeam: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the Windows PC and add it to the Windows certificate store (Start→Control Panel→Internet)
>
> QjSimple: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the client PC and configure QjSimple to use this CA ("TLS CA file" and "verify TLS server certificate")
>
> earlier the paths pointed to certs/sip.mydomain.com files, which i think were wrong. at least i was not able to get them working.
>
> perhaps someone who is more familiar with tls stuff could verify the above changes.
>
> -- juha

--
Daniel-Constantin Mierla
http://www.asipto.com
Re: [SR-Users] Create Certificates to be used with Kamailio changes
one question about the certificate tutorial: is something else needed in the config or certificate business, when sr talks over tls with another sip proxy, e.g. another sr? namely in that case sr may be in client role when the tls session is established.

-- juha
Re: [SR-Users] Create Certificates to be used with Kamailio changes
You are right. Thanks for fixing my bugs :-)

Klaus

On 30.09.2010 17:27, Juha Heinanen wrote:
> now that 3.1 has async tls support, i decided (first time ever) to try to test tls. things went quite smoothly when i followed Create Certificates to be used with Kamailio document
> http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_certificates_with_tls
> during the process, i fixed a typo in the doc, added two comments to cfg part:
>
> enable_tls=1
> tcp_async=no # do not include in 3.1
> listen=udp:0.0.0.0:5060
> listen=tcp:0.0.0.0:5060
> listen=tls:0.0.0.0:5061 # not needed in 3.1
>
> and fixed wrong file references in client configurations:
>
> eyebeam: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the Windows PC and add it to the Windows certificate store (Start→Control Panel→Internet)
>
> QjSimple: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the client PC and configure QjSimple to use this CA ("TLS CA file" and "verify TLS server certificate")
>
> earlier the paths pointed to certs/sip.mydomain.com files, which i think were wrong. at least i was not able to get them working.
>
> perhaps someone who is more familiar with tls stuff could verify the above changes.
>
> -- juha
Re: [SR-Users] Create Certificates to be used with Kamailio changes
On Sep 30, 2010 at 18:27, Juha Heinanen j...@tutpro.com wrote:
> now that 3.1 has async tls support, i decided (first time ever) to try to test tls. things went quite smoothly when i followed Create Certificates to be used with Kamailio document
> http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_certificates_with_tls
> during the process, i fixed a typo in the doc, added two comments to cfg part:
>
> enable_tls=1
> tcp_async=no # do not include in 3.1
> listen=udp:0.0.0.0:5060
> listen=tcp:0.0.0.0:5060

It should not be 0.0.0.0 but an actual IP. If you use 0.0.0.0 you _must_ set advertised_address or you will have some strange Vias/RRs.

> listen=tls:0.0.0.0:5061 # not needed in 3.1

- it's optional only if you have another listen which does not specify the protocol (e.g. listen=10.0.0.2:5060 or listen=10.0.0.2). In this case ser will listen on all protocols on the default port. This is true also for 3.0 and at least for all ser versions.

In general I use http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#tls.certs_howto as a quick setup reminder.

Andrei
Re: [SR-Users] Create Certificates to be used with Kamailio changes
Daniel-Constantin Mierla writes:
> Also, in my configs I set:
>
> tcp_connection_lifetime=3610

so do i. i added that line to the wiki doc.

-- juha
Re: [SR-Users] Create Certificates to be used with Kamailio changes
On Sep 30, 2010 at 18:44, Juha Heinanen j...@tutpro.com wrote:
> one question about the certificate tutorial: is something else needed in the config or certificate business, when sr talks over tls with another sip proxy, e.g. another sr? namely in that case sr may be in client role when the tls session is established.

Nothing special is needed. However, if you want to have different certificates as a function of the role, or of who you are talking with, you need to use a separate tls config file (http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#config).

Andrei
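As an added illustration of the separate tls config file Andrei refers to (this is an example written for this page, not code from the thread or from the Kamailio documentation), a tls.cfg that keeps one profile for the server role, where phones connect to sr, and a stricter one for the client role, where sr opens the TLS connection to another proxy. The file path, the certificate paths (taken from this thread) and the peer proxy address are assumptions.

```ini
# Assumed location: /etc/sip-proxy/tls.cfg, selected in kamailio.cfg with
#   modparam("tls", "config", "/etc/sip-proxy/tls.cfg")
# Certificate/key paths follow the ones used in this thread; adjust to your setup.

# Server role: what sr presents when a phone or another proxy connects to it.
[server:default]
method = TLSv1
verify_certificate = no        # phones normally have no client certificate
require_certificate = no
certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
ca_list = /etc/certs/demoCA/cert.pem

# Client role: what sr presents and checks when it opens a TLS connection
# itself, e.g. to the other sr asked about above. Here the peer's certificate
# must chain to our CA, otherwise the connection is refused.
[client:default]
method = TLSv1
verify_certificate = yes
require_certificate = yes
certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
ca_list = /etc/certs/demoCA/cert.pem

# Per-peer override (assumed address of the remote proxy): the same checks,
# but trusting a different CA that signed that peer's certificate.
[client:10.0.0.3:5061]
verify_certificate = yes
require_certificate = yes
ca_list = /etc/certs/peerCA/cert.pem
```

Sections are matched most-specific first, so the [client:10.0.0.3:5061] profile applies only to connections to that address and [client:default] to all other outgoing TLS connections.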
Re: [SR-Users] Create Certificates to be used with Kamailio changes
Andrei Pelinescu-Onciul writes:
>> enable_tls=1
>> tcp_async=no # do not include in 3.1
>> listen=udp:0.0.0.0:5060
>> listen=tcp:0.0.0.0:5060
>
> It should not be 0.0.0.0 but an actual IP. If you use 0.0.0.0 you _must_ set advertised_address or you will have some strange Vias/RRs.
>
>> listen=tls:0.0.0.0:5061 # not needed in 3.1
>
> - it's optional only if you have another listen which does not specify the protocol (e.g. listen=10.0.0.2:5060 or listen=10.0.0.2). In this case ser will listen on all protocols on the default port. This is true also for 3.0 and at least for all ser versions.

ok, fixed.

> In general I use http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#tls.certs_howto as a quick setup reminder.

i read that too, but it was not as easy to follow as the tuto.

-- juha
Re: [SR-Users] Create Certificates to be used with Kamailio changes
Andrei Pelinescu-Onciul writes:
> However, if you want to have different certificates as a function of the role (server or client), or of who you are talking with, you need to use a separate tls config file (http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#config).

ok thanks. i added a note about that to the tuto.

one more thing i would like to add to the tuto if someone knows the answer: how to capture/see sip over ssl packets on the proxy host using wireshark, ngrep, or something?

-- juha
Re: [SR-Users] Create Certificates to be used with Kamailio changes
On Sep 30, 2010 at 19:56, Juha Heinanen j...@tutpro.com wrote:
> Andrei Pelinescu-Onciul writes:
>> However, if you want to have different certificates as a function of the role (server or client), or of who you are talking with, you need to use a separate tls config file (http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#config).
>
> ok thanks. i added a note about that to the tuto.
>
> one more thing i would like to add to the tuto if someone knows the answer: how to capture/see sip over ssl packets on the proxy host using wireshark, ngrep, or something?

ssldump -k modules/tls/sip-router-selfsigned.key tcp and port 5061

Andrei
Re: [SR-Users] Create Certificates to be used with Kamailio changes
Juha Heinanen writes:
> i tried with command
>
> ssldump -i any -k /etc/sip-proxy/certs/sip-proxy/key.pem tcp and port 5061
>
> where /etc/sip-proxy/certs/sip-proxy/key.pem is the same file as specified as the tls module private key:
>
> modparam("tls", "private_key", "/etc/sip-proxy/certs/sip-proxy/key.pem")
>
> nothing comes to the console. i must have misunderstood the command. i also tried with -i eth0, but it didn't help.

i was able to figure out how to do it using wireshark. one needs to go to Preferences/Protocols/SSL and there add to the RSA keys list:

ip-of-sip-proxy,5061,sip,/etc/certs/sip.mydomain.com/key.pem

then in Options specify 'port 5061'. after that, new ssl connections will be shown in clear.

i don't know why ssldump didn't work with the same key.pem file.

-- juha