TLS-issue: client certificate requested

Franz Edler-3
Hi TLS-experts,

I have just made a fresh installation of OpenSIPS 1.5.1 and also tried to
enable client access via TLS.

The relevant statements for TLS in my opensips.cfg are:

   ...
   disable_tls = no                                  
   listen = tls:sip.technikum-wien.at:5061            
   tls_verify_server = 1                              
   tls_verify_client = 0                              
   tls_require_client_certificate = 0                
   tls_method = TLSv1                                
   tls_certificate = "/etc/ssl/sipserver.crt"        
   tls_private_key = "/etc/ssl/private/privatekey.pem"
   tls_ca_list = "/etc/ssl/calist.pem"                
   ...

Despite the above statements the core does not accept a TLS connection of a
client due to the following log-message:
   INFO:core:tls_accept: client did not present a certificate

Please also have a look at the tracefile if required.

Why does OpenSIPS expect the client to present a certificate?
Maybe someone can help.

Regards
Franz

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Attachment: trace20.pcap (6K)

Re: TLS-issue: client certificate requested

Bogdan-Andrei Iancu
Hi Franz,

By disabling tls_verify_client  and tls_require_client_certificate any
connection from a client should be accepted without any problem.

It is useful to provide the logs (startup and INVITE processing) in
debug=6 - then we can see exactly what is going on.

Regards,
Bogdan

Franz Edler wrote:

> Hi TLS-experts,
>
> I have just made a fresh installation of OpenSIPS 1.5.1 and also tried to
> enable client access via TLS.
>
> The relevant statements for TLS in my opensips.cfg are:
>
>    ...
>    disable_tls = no                                  
>    listen = tls:sip.technikum-wien.at:5061            
>    tls_verify_server = 1                              
>    tls_verify_client = 0                              
>    tls_require_client_certificate = 0                
>    tls_method = TLSv1                                
>    tls_certificate = "/etc/ssl/sipserver.crt"        
>    tls_private_key = "/etc/ssl/private/privatekey.pem"
>    tls_ca_list = "/etc/ssl/calist.pem"                
>    ...
>
> Despite the above statements the core does not accept a TLS connection of a
> client due to the following log-message:
>    INFO:core:tls_accept: client did not present a certificate
>
> Please also have a look at the tracefile if required.
>
> Why does OpenSIPS expect the client to present a certificate?
> Maybe someone can help.
>
> Regards
> Franz
>  

Re: TLS-issue: client certificate requested

Franz Edler-3
Thanks Bogdan,

> By disabling tls_verify_client  and tls_require_client_certificate any
> connection from a client should be accepted without any problem.
>
> It is useful to provide the logs (startup and INVITE processing) in
> debug=6 - then we can see exactly what is going on.

I have re-generated and re-installed the rootCA and the domain-certificate
and now it works, but there is another issue: OpenSIPS does not reuse an
existing TLS-connection on outbound requests. I will create a different
thread on this.

Regards
Franz
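
The thread ends with regenerated certificates and no statement of what was wrong with the old ones. As an added example (not part of the original posts and not OpenSIPS code), this is one way to check that the files given as tls_certificate and tls_private_key belong together and that the certificate chains to the root CA that issued it. The function names, the demo subject names and the assumption of an unencrypted private key are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an unencrypted private key
# and an openssl binary on PATH.

# check_tls_material CERT KEY ROOT_CA
# returns 0 = consistent, 1 = file unreadable or unparsable,
#         2 = key does not belong to cert, 3 = cert does not chain to ROOT_CA
check_tls_material() {
    cert=$1 key=$2 ca=$3
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    # Public key inside the certificate vs. public key derived from the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2; return 2
    fi
    # The certificate must verify against the root CA file.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "certificate does not chain to a CA in $ca" >&2; return 3
    fi
    return 0
}

# make_demo_pki DIR: constructed throwaway material (a root CA, a server
# certificate it signed, an unrelated second root) to exercise the check offline.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root CA" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
}
```

Against the configuration quoted in the first post, the first two arguments would be the tls_certificate and tls_private_key paths; the third is the root CA certificate that signed the domain certificate.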

