On Wed, 2010-05-05 at 18:49 +0530, Chaitra Sharma wrote:
> Hi All,
>
> The following was observed while trying out -ve tests for the
> certificates exchanged for TLS connection between 2 SCS sites.
>
> Setup:
> SiteA - jupiter.qantom.int having SCS installed
> SiteB - moon.qantom.int having SCS installed

First and most important: I can tell because of which components are doing the logging here that this configuration is using sipXbridge at both ends. This is _NOT_ the right way to do this! The purpose of sipXbridge is to do the 'special' things that must be done to interface with ITSPs. sipXecs does not need this for proxy-to-proxy communications, and using it that way is not correct - don't do it!

We did not quite get proxy-to-proxy TLS peering done for 4.2.0, but it's on the near term roadmap (whether it will get into a 4.2 update is tbd).

Now on to why the TLS handshakes failed (since there are good certificate lessons to be learned despite the fact that this configuration is not correct)...

> 1. The certificates of both the sites were first exchanged and TLS
>    connection was established between the 2 sites
> 2. Basic calls over TLS were tested between the 2 sites.
> 3. Next delete the certificate of SiteB from the 'certificates
>    authorities' screen of SiteA (restart the services prompted for
>    restart in SiteA)
> 4. From SiteA make a call to SiteB
>
> Observation:
> The call fails (correct behavior) with the exception
> "Exception Info com.ibm.jsse2.util.g: PKIX path building failed:
> java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl
> could not build a valid CertPath.; internal cause is:
> java.security.cert.CertPathValidatorException: The certificate
> issued by [email protected], CN=ca.moon.qantom.int,
> OU=scs, O=qantom.int, L=AnyTown, ST=AnyState, C=US is
> not trusted; internal cause is:
> java.security.cert.CertPathValidatorException: Certificate
> chaining error at SIPClientTransaction.java:972==========="

The problem is that in order to validate the certificate presented by a peer, you must have the CA certificate that signed it - not just the certificate itself. That's what CertPathValidation is about... it's trying to check the signature on the cert it's gotten, and can't because it doesn't have the CA cert from the other side.

_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
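The path-validation point made in the reply, replayed as an added example (not code from the thread or from sipXecs, and in Go rather than the Java stack in the log): SiteA (jupiter) validates the certificate presented by SiteB (moon) against a trust store that holds only jupiter's own CA, and then against one that also holds moon's CA. The site names follow the thread's setup; the CAs, keys and certificates are constructed in the example, and Go's `x509.UnknownAuthorityError` stands in for the Java "is not trusted / Certificate chaining error" that step 3 produced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed site CA ("ca.<site>", OU=scs, as in the quoted log).
// The key and certificate are constructed here for the example.
func newCA(site string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "ca." + site, OrganizationalUnit: []string{"scs"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newPeerCert issues the TLS server certificate a site presents, signed by its CA.
func newPeerCert(site string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: site},
		DNSNames:     []string{site},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validatePeer is the step the Java PKIX path builder performs in the quoted log:
// it succeeds only if a trusted CA in the pool signed the peer's certificate.
func validatePeer(peer *x509.Certificate, trusted *x509.CertPool) error {
	_, err := peer.Verify(x509.VerifyOptions{Roots: trusted, DNSName: peer.Subject.CommonName})
	return err
}

// RunScenario replays steps 1-4 of the thread from SiteA's point of view and
// returns the validation result with moon's CA deleted, then with it present.
func RunScenario() (withoutMoonCA error, withMoonCA error, setupErr error) {
	jupiterCA, _, e1 := newCA("jupiter.qantom.int", 1)
	moonCA, moonKey, e2 := newCA("moon.qantom.int", 2)
	if e1 != nil || e2 != nil {
		return nil, nil, errors.Join(e1, e2)
	}
	moonPeer, err := newPeerCert("moon.qantom.int", moonCA, moonKey)
	if err != nil {
		return nil, nil, err
	}
	// Step 3: SiteA's 'certificate authorities' list holds only its own CA.
	afterDelete := x509.NewCertPool()
	afterDelete.AddCert(jupiterCA)
	withoutMoonCA = validatePeer(moonPeer, afterDelete)
	// Working configuration: SiteA also trusts the CA that signed moon's certificate.
	restored := x509.NewCertPool()
	restored.AddCert(jupiterCA)
	restored.AddCert(moonCA)
	withMoonCA = validatePeer(moonPeer, restored)
	return withoutMoonCA, withMoonCA, nil
}

// IsUnknownAuthority reports whether err is Go's counterpart of the
// "certificate ... is not trusted" chaining error in the thread.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	noCA, withCA, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("without SiteB's CA trusted:", noCA)
	fmt.Println("with SiteB's CA trusted:", withCA)
}
```

Note that the trust store in the failing case is not empty: it contains a perfectly good CA, just not the one that issued the peer's certificate. That is exactly the situation after step 3, and it is why exchanging only the leaf certificates is never enough for mutual TLS between two sites; each side needs the other's CA certificate in its trust store.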
