After some Wireshark analysis, I found that:
- Client packet Secure Socket Layer "Client Hello": Version TLS 1.2
- Server packet Secure Socket Layer "Server Hello": Version TLS 1.0

Shouldn't the client adapt its version to the "Server Hello" response? If not, can we force Linphone to use TLS 1.0?

The best solution would be to force the Kamailio server to use TLS 1.2, I'm currently working on that but my question still makes sense as this scenario should happen.

The certificate is ok as I could connect with the "openssl s_client ..." command while forcing TLS 1.0.

Regards,
Frederic

From: [email protected] [mailto:[email protected]] On Behalf Of Guillaume Bienkowski
Sent: Thursday 30 April 2015 15:53
To: [email protected]
Subject: Re: [Linphone-users] TLS failed on windows host and self-signed certificate

Can you check that openssl can connect using your RootCa.pem file? I don't remember the CLI correctly, it should be something along 'openssl -client something something'

Otherwise it should be OK to append your rootCa public key, we do that all the time for people that need their own self-signed certificates.

Guillaume Bienkowski
[email protected]

On 30 Apr 2015, at 15:11, Mathys Frédéric <[email protected]> wrote:

Hello,

Using Linphone 3.8.1 for Windows, I've set a user to connect with TLS to a Kamailio server; this server has a self-signed certificate. When connecting with the client, I have the following error:

error: 2015-04-30 14:58:33:040 Channel [06B887E8]: SSL handshake failed : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
error: 2015-04-30 14:58:33:040 Cannot connect to [TLS://10.3.3.19:5061]

I understand (and at ease) that Linphone doesn't want to connect to a server with an unknown certificate, but even after adding it at the end of the .../Linphone/share/linphone/rootca.pem file of the user hosts the connection is refused.

How should I proceed to allow my client to connect to this server?
I also tried with the Linux client (linphone 3.7.0) with the same result. I am confident my server is well configured as I could connect with another client which is accepting all certificates.

Thank you

Frederic Mathys
System Integration & Validation Engineer

_______________________________________________
Linphone-users mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/linphone-users
