Quick look at the logs "tlsv1 alert unknown ca"
This means your CA list does not include Let's Encrypt; download it from https://letsencrypt.org/certificates/

Not sure how you generate your ca_list.pem. Let's Encrypt became trusted by default at one point on Debian, not sure about the exact details.

Regards,
Julien

On Tue, Feb 5, 2019 at 2:33 AM Gertjan Wolzak <[email protected]> wrote:

> Hello Kamailions,
>
> I've been trying to configure a TLS connection between Kamailio servers,
> but it looks like I'm missing some knowledge.
>
> The situation:
>
> phone1 <> internet <> kamailio1 <internet> kamailio2 <> internet <> phone2
>
> The phones are Yealink phones; they are connected using TLS v1.2. phone1
> registers at kamailio1 and phone2 registers at kamailio2.
>
> Both Kamailio servers have a Let's Encrypt certificate.
>
> When the connection between the two Kamailio servers is set as SIP, on a
> call from phone1 to phone2 the signaling is forwarded and RTP flows.
>
> When I set the connection between the two Kamailio servers to TLS, things
> go wrong.. or better said, I go wrong.
>
> The Kamailio log on the receiving Kamailio (kamailio2) shows that things go
> wrong and where, but I just can't figure out how to solve it.
>
> The log shows that the TLS connection will be handled by the TLS default
> configuration, and the CA certificate is missing, well, unknown.
>
> 15(7209) DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 116.203.53.212
> 15(7209) DEBUG: <core> [core/tcp_main.c:999]: tcpconn_new(): on port 44153, type 3
> 15(7209) DEBUG: <core> [core/tcp_main.c:1309]: tcpconn_add(): hashes: 1805:3331:3809, 3
> 15(7209) DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xa77de0, 32, 2, 0x7ff9596d4b10), fd_no=23
> 15(7209) DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: io_watch_del (0xa77de0, 32, -1, 0x0) fd_no=24 called
> 15(7209) DEBUG: <core> [core/tcp_main.c:4196]: handle_tcpconn_ev(): sending to child, events 1
> 15(7209) DEBUG: <core> [core/tcp_main.c:3878]: send2child(): selected tcp worker 1 8(7202) for activity on [tls:kamailio2:5061], 0x7ff9596d4b10
> 8(7202) DEBUG: <core> [core/tcp_read.c:1759]: handle_io(): received n=8 con=0x7ff9596d4b10, fd=9
> 8(7202) DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
> 8(7202) DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7ff959498600 ctx 0x7ff9594b6430 sn [])
> 8(7202) DEBUG: tls [tls_domain.c:724]: sr_ssl_ctx_info_callback(): SSL handshake started
> 8(7202) DEBUG: <core> [core/tcp_main.c:2460]: tcpconn_do_send(): sending...
> 8(7202) DEBUG: <core> [core/tcp_main.c:2494]: tcpconn_do_send(): after real write: c= 0x7ff9596d4b10 n=2637 fd=9
> 8(7202) DEBUG: <core> [core/tcp_main.c:2495]: tcpconn_do_send(): buf=
>
> 8(7202) DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xac78a0, 9, 2, 0x7ff9596d4b10), fd_no=1
> 8(7202) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
> 8(7202) ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7ff9596d4b10 r: 0x7ff9596d4b90 (-1)
> 8(7202) DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: io_watch_del (0xac78a0, 9, -1, 0x10) fd_no=2 called
> 8(7202) DEBUG: <core> [core/tcp_read.c:1683]: release_tcpconn(): releasing con 0x7ff9596d4b10, state -2, fd=9, id=3 (kamailio1]:44153 -> [kamailio1]:5061)
> 8(7202) DEBUG: <core> [core/tcp_read.c:1684]: release_tcpconn(): extra_data 0x7ff9596d2ab0
> 15(7209) DEBUG: <core> [core/tcp_main.c:3308]: handle_tcp_child(): reader response= 7ff9596d4b10, -2 from 1
> 15(7209) DEBUG: tls [tls_server.c:667]: tls_h_close(): Closing SSL connection 0x7ff9596d2ab0
>
> I assume I have configured tls.cfg partially correctly, as the phones
> register and can make TLS calls.
>
> What I find strange is this line:
>
> 8(7202) DEBUG: <core> [core/tcp_read.c:1683]: release_tcpconn(): releasing con 0x7ff9596d4b10, state -2, fd=9, id=3 (kamailio1]:44153 -> [kamailio1]:5061)
>
> Would the "[kamailio1]:5061" be the client configuration?
>
> So, what do I need to configure within the tls.cfg file so that when a TLS
> connection is initiated from the other server it will work?
>
> I have tried adding the other server as a server within the tls.cfg, which
> does not work as Kamailio is not listening on the IP address configured.
>
> When I add the server as a client in the tls.cfg as follows, the
> connection is handled by the default TLS configuration.
>
> [server:default]
> method = TLSv1.2
> verify_certificate = no
> require_certificate = no
> private_key = /etc/letsencrypt/live/kamailio.kazlow.nl/privkey.pem
> certificate = /etc/letsencrypt/live/kamailio.kazlow.nl/fullchain.pem
> #ca_list = /etc/kamailio/tls/cacert.pem
> #crl = /etc/kamailio/tls/crl.pem
>
> [client:kamailio1:5061]
> method = TLSv1.2
> verify_certificate = no
> require_certificate = yes
> certificate = /etc/kamailio/tls/fullchain.pem
> ca_list = /etc/kamailio/tls/cacert.pem
>
>
> # This is the default client domain, settings
> # in this domain will be used for all outgoing
> # TLS connections that do not match any other
> # client domain in this configuration file.
> # We require that servers present valid certificate.
> #
> [client:default]
> method = TLSv1.2
> verify_certificate = no
> require_certificate = no
> ca_list = /etc/kamailio/tls/cacert.pem
>
> I have tried forcing the socket on the sending Kamailio, but that does not
> work.
>
> Any feedback on what I am doing wrong or where I can find information to
> extend my knowledge would be appreciated.
>
> Rgds,
>
> Gertjan Wolzak
>
>
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> [email protected]
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
_______________________________________________
Kamailio (SER) - Users Mailing List
[email protected]
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
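As an added example (not part of this thread and not Kamailio's own code), the following Go program reproduces both halves of the diagnosis above offline: it verifies a fullchain.pem against a ca_list the way the accepting side does, so a root that is absent from ca_list shows up as x509.UnknownAuthorityError (the verification failure behind "tlsv1 alert unknown ca"), and it merges a downloaded root bundle into ca_list without creating duplicates. The certificate chain is constructed in memory with throwaway names (kamailio1.example and two "Constructed" CAs) rather than Let's Encrypt's real certificates; on a live system you would read fullchain.pem and ca_list.pem from the paths in tls.cfg instead of calling MakeConstructedPKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyFullchain checks a fullchain.pem (end entity first, intermediates after
// it) against the roots loaded from ca_list. A root missing from ca_list comes
// back as x509.UnknownAuthorityError, the failure the accepting side reports
// on the wire as the "tlsv1 alert unknown ca" seen in the log.
func VerifyFullchain(fullchain []byte, roots *x509.CertPool) error {
	block, rest := pem.Decode(fullchain)
	if block == nil {
		return errors.New("fullchain contains no PEM block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	inter := x509.NewCertPool()
	inter.AppendCertsFromPEM(rest) // whatever follows the leaf is an intermediate
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

// MergeCAList returns the certificates of existing plus those of extra (for
// instance the roots downloaded from letsencrypt.org), dropping duplicates by
// SHA-256 of the DER so that repeated runs do not grow ca_list.
func MergeCAList(existing, extra []byte) []byte {
	seen := map[[32]byte]bool{}
	var out []byte
	for _, bundle := range [][]byte{existing, extra} {
		for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
			if fp := sha256.Sum256(block.Bytes); block.Type == "CERTIFICATE" && !seen[fp] {
				seen[fp] = true
				out = append(out, pem.EncodeToMemory(block)...)
			}
		}
	}
	return out
}

// MakeConstructedPKI signs root -> intermediate -> leaf in memory; every name
// and key is constructed for this example, none of it is Let's Encrypt's. It
// returns the root PEM (what ca_list needs) and a leaf+intermediate fullchain.
func MakeConstructedPKI() (rootPEM, fullchainPEM []byte) {
	tiers := []struct{ cn string; ca bool }{{"Constructed Root CA", true}, {"Constructed Intermediate CA", true}, {"kamailio1.example", false}}
	var certs []*x509.Certificate
	var pems [][]byte
	var signer *ecdsa.PrivateKey
	for i, t := range tiers {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: t.cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: t.ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
		parent := tmpl // the root signs itself with its own fresh key
		if i == 0 {
			signer = key
		} else {
			parent = certs[i-1]
		}
		if !t.ca { // end entity: a TLS server identity, not signing rights
			tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{t.cn}
			tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
		if err != nil {
			panic(err) // generating the fixture cannot legitimately fail
		}
		c, _ := x509.ParseCertificate(der)
		certs, signer = append(certs, c), key
		pems = append(pems, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	}
	return pems[0], append(pems[2], pems[1]...) // fullchain order: leaf, then intermediate
}

func main() {
	rootPEM, fullchain := MakeConstructedPKI()
	// A ca_list without the root reproduces the failure kamailio2 logged on accept.
	fmt.Println("without root:", VerifyFullchain(fullchain, x509.NewCertPool()))
	// After merging the root in (twice, to show the merge is idempotent) it passes.
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(MergeCAList(MergeCAList(nil, rootPEM), rootPEM))
	fmt.Println("with root:", VerifyFullchain(fullchain, pool))
}
```

Run it with `go run` and the first line reports an unknown-authority error while the second reports `<nil>`. Two points carry over to the real setup: the accepting side only ever trusts what is in ca_list, so the peer's intermediate must travel in its fullchain (hence the Intermediates pool built from everything after the leaf), and a merged ca_list should be checked for duplicates after each refresh. Kamailio itself verifies with OpenSSL, so treat this as a pre-flight check on the files; the equivalent one-off CLI check is `openssl verify -CAfile <ca_list> -untrusted <intermediate> <leaf>`.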
