
Configuring TLS support in Kamailio 3.1 - Howto

This article continues our series about the Kamailio 3.1.x SIP proxy deployed on Debian lenny and its features. In the previous articles we have:

1) installed a clean Kamailio 3.1.x server,

2) added MySQL support for persistent location storage,

3) installed the SIREMIS web management interface for our Kamailio server,

4) configured the IM and presence service on Kamailio 3.1,

5) configured XCAP support for SIMPLE,

and now we will configure TLS support.

Prerequisites

  1. An installed and working Kamailio (OpenSER) 3.1.0 server.

Preparation

On the Kamailio site there is a note that

TLS is an optional part of the kamailio core and does not require installing a special module.

But on Debian we still have to install the Kamailio TLS module package with

apt-get install kamailio-tls-modules

Next, we have to add a correct SRV record for our SIPS (SIP Secure, TLS) server to the DNS server. In my case it is

_sips._tcp      IN      SRV     200 1 5061        pstest
pstest          IN      A       158.193.139.51

The dig DNS utility has to return the record with the correct IP address of your server:

dig SRV _sips._tcp.ps.sip.uniza.sk

Creating certificates with OpenSSL

As a first step we have to generate the certificates by which the SIP proxy will identify itself during the TLS connection setup. We will follow the guide Create Certificates to be used with Kamailio.

From the guide:

Creating suitable certificates for Kamailio is just as simple as configuring Apache with SSL/TLS. If you do not have certificates you can use the “openssl” tool to generate the certificate.

Step 1 - editing openssl.cnf

Open /etc/ssl/openssl.cnf and change

policy          = policy_match

to the more flexible

policy          = policy_anything

Step 2 - Preparing folders

mkdir /etc/certs
chmod 0700 /etc/certs
cd /etc/certs

Step 3 - generating certificates

mkdir demoCA
cd demoCA
mkdir newcerts
echo '01' > serial
touch index.txt
openssl req -new -x509 -extensions v3_ca -keyout key.pem -out cert.pem -days 3650

The openssl req -new ... command generates a self-signed CA (certificate authority) certificate valid for 10 years.

Then the generation starts; during processing the system will ask you for a pass phrase protecting the key (put your password there) and for some information (country, city, etc.):

Generating a 1024 bit RSA private key
...............++++++
................++++++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:Slovakia
Locality Name (eg, city) []:Zilina
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My private CA
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:My private CA
Email Address []:

We may verify the content of the new CA certificate:

openssl x509 -in cert.pem -noout -text

prints the whole certificate,

openssl x509 -in cert.pem -noout -dates

prints its validity dates, and

openssl x509 -in cert.pem -noout -purpose

prints the purposes the certificate may be used for.

Step 4 - generating certificates for your SIP proxy

Now make a certificate for your SIP proxy (for example sip.mydomain.com; my domain is ps.sip.uniza.sk): create a key and a certificate signing request (CSR), then sign the CSR with your CA's certificate.

mkdir ps.sip.uniza.sk
cd ps.sip.uniza.sk/
openssl req -new -nodes -keyout key.pem -out req.pem

This starts the certificate creation:

Generating a 1024 bit RSA private key
......++++++
..........++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:SLOVAKIA
Locality Name (eg, city) []:Zilina
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ZU
Organizational Unit Name (eg, section) []:KIS
Common Name (eg, YOUR name) []:Have to be FQDN of your server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Go two directories up

cd ../..

or be careful to write the correct paths in the next command (CA signing):

openssl ca -days 730 -out demoCA/ps.sip.uniza.sk/cert.pem -keyfile demoCA/key.pem -cert demoCA/cert.pem -infiles demoCA/ps.sip.uniza.sk/req.pem

Done! You may verify that the cert is correct:

openssl x509 -in ps.sip.uniza.sk/cert.pem -noout -text

Importing certificate to the PC (SIP Client)

We have to install our CA certificate on the client, so that the client trusts our self-signed Kamailio SIP certificate. To do that we download the cert from /etc/certs/demoCA/cert.pem to the PC (Windows 7 in my case) and then we may either:

1) go to Start→Control Panel→Internet Options and import it there,

2) rename the extension of cert.pem to cert.crt and install it with a double-click (Windows),

3) go with Firefox to https://<your_sip_server>:5061 and install the cert,

4) ....

If we do not import the certificate, we may see (using Wireshark) that the TLS establishment is dropped with the reason Unknown CA:

414    75.589466    192.168.1.101    158.193.139.51    TLSv1    Alert (Level: Fatal, Description: Unknown CA)

and, maybe client dependent, eyeBeam displays a 503 Certificate validation failure message.

Be aware of your client's support for TLS and how it is implemented. According to the guide eyeBeam should read the CA from the local user or PC certificate store, but under Win7 32/64bit eyeBeam does not work; it returns unknown CA. The same goes for Bria 2.4. At least SIP Communicator works nicely and fast.

Configuring Kamailio

Open /etc/kamailio/kamailio.cfg and set up the server to listen on TLS port 5061, required for secure communication:

listen=tls:158.193.139.51:5061

then define (write manually) the zone directive for TLS:

#!define WITH_TLS

For this directive there is already a preconfigured block (nothing needs to be changed):

#!ifdef WITH_TLS
enable_tls=yes
#!endif

which will turn on TLS support.

Next, there is another already preconfigured block, which loads the required tls.so module (nothing needs to be changed):

#!ifdef WITH_TLS
loadmodule "tls.so"
#!endif

In the module parameter section of the cfg file there is another block:

#!ifdef WITH_TLS
# ----- tls params -----
modparam("tls", "config", "/etc/kamailio/tls.cfg")
#!endif

It points to the tls.cfg file of the Kamailio server. During installation of the TLS module the installer may ask you whether you would like to install a tls.cfg file; if yes, it installs a default tls.cfg. We will modify this file in the next step. For more info look at the Kamailio TLS module description.

We have to add or modify lines so that they point to the correct certificate files:

[server:default]
method = TLSv1
verify_certificate = yes
require_certificate = no
private_key = /etc/certs/demoCA/ps.sip.uniza.sk/key.pem
certificate = /etc/certs/demoCA/ps.sip.uniza.sk/cert.pem
#ca_list = /etc/certs/demoCA/cert.pem

and we will add settings for port 5061 of our server:

[server:158.193.139.51:5061]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/certs/demoCA/ps.sip.uniza.sk/key.pem
certificate = /etc/certs/demoCA/ps.sip.uniza.sk/cert.pem

Be aware that the default tls.cfg also contains a client section, which requires correct certificates from clients. It looks like

[client:default]
verify_certificate = yes
require_certificate = yes

Change it to "no", because it requires client certificate validation:

[client:default]
verify_certificate = no
require_certificate = no

Testing

1) We may use the openssl tool to connect to our server. If everything is OK, we should see output with the certificate listed. If there is no such output, check the previous steps; something went wrong.

openssl s_client -connect 158.193.139.51:5061 -tls1
CONNECTED(00000003)
depth=0 /C=SK/ST=Slovakia/L=Zilina/O=ZU/OU=KIS/CN=pstest.ps.sip.uniza.sk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=SK/ST=Slovakia/L=Zilina/O=ZU/OU=KIS/CN=pstest.ps.sip.uniza.sk
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=SK/ST=Slovakia/L=Zilina/O=ZU/OU=KIS/CN=pstest.ps.sip.uniza.sk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=SK/ST=Slovakia/L=Zilina/O=ZU/OU=KIS/CN=pstest.ps.sip.uniza.sk
   i:/C=SK/ST=Slovakia/L=Zilina/O=My private CA/CN=My private CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=SK/ST=Slovakia/L=Zilina/O=ZU/OU=KIS/CN=pstest.ps.sip.uniza.sk
issuer=/C=SK/ST=Slovakia/L=Zilina/O=My private CA/CN=My private CA
---
No client certificate CA names sent
---
SSL handshake has read 1034 bytes and written 291 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: CB95C02821211D87AF96CB57DD68E865C6061F9125D95B1B55EC57E92ADDB06E1D7DE39703C32E8F9A0BA56BDE9BC8D6
    Key-Arg   : None
    TLS session ticket:
    [hex dump of the session ticket omitted]
    Start Time: 1291122977
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

2) Use your preferred SIP client with TLS support.

Some results follow. TLS support in eyeBeam 1.5 and Bria 2.4 under Windows 7 32 or 64bit does not work. SIP Communicator works well.

The log file of Bria 2.4 contains the following messages:

RESIP:DUM | "Got a DumFeatureMessage099BD7C8" |
[10-12-16]09:40:39.896 | Info    | RESIP:TRANSPORT | "Creating TLS connection for domain  [ V4 158.193.139.51:5061 TLS target domain=ps.sip.uniza.sk received on: Transport: [ V4 0.0.0.0:28829 TLS target domain=unspecified connectionId=0 ] connectionId=0 ] on 2232" |
[10-12-16]09:40:39.897 | Info    | RESIP:TRANSPORT | "TLS handshake starting (client mode)" |
[10-12-16]09:40:39.902 | Info    | RESIP:TRANSPORT | "TLS connected" |
[10-12-16]09:40:39.902 | Info    | RESIP:TRANSPORT | "TLS sessions set up with TLSv1 TLSv1/SSLv3 AES256-SHA " |
[10-12-16]09:40:39.903 | Error   | RESIP:TRANSPORT | "Certificate name mismatch: trying to connect to <ps.sip.uniza.sk> remote cert domain(s) are <pstest.ps.sip.uniza.sk>" |
[10-12-16]09:40:39.903 | Info    | RESIP:TRANSACTION | "Sending ConnectionTerminated 17 to TUs" |
[10-12-16]09:40:39.903 | Info    | RESIP:TRANSACTION | "Try sending request to a different dns result" |
[10-12-16]09:40:39.903 | Info    | RESIP:TRANSACTION | "Ran out of dns entries for ps.sip.uniza.sk. Send 503" |
[10-12-16]09:40:39.904 | Info    | RESIP:DNS | "local hostname does not contain a domain part PC-T2" |
[10-12-16]09:40:39.904 | Info    | RESIP:DUM | "Got: SipResp: 503 tid=476c5d721d161a34 cseq=REGISTER / 1 from(wire)" |
[10-12-16]09:40:39.904 | Warning | AbstractPhone | "SIP registration failed; reason: 'SipError'; SIP error-code: 503; error-phrase: 'Certificate Name Mismatch'" | cpsi::AccountImpl::OnRegistrationStatusChanged
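The Bria log above shows why the registration ends with a 503: the client compares the domain of the SIP URI (ps.sip.uniza.sk) with the names in the server certificate, not with the host the SRV record sent it to (pstest.ps.sip.uniza.sk). The following Python script is an added example, not part of this howto, Bria or Kamailio; it reproduces that check on the subject line printed by openssl s_client earlier on this page (a constructed input) and shows that a certificate carrying the SIP domain as a dNSName SAN, next to the server FQDN, passes.

```python
"""Reproduce the SIP-over-TLS certificate name check that Bria logged above.

Added example (not from the howto, Bria or Kamailio). A SIP client compares
the domain of the SIP URI (ps.sip.uniza.sk) with the names in the server
certificate; the SRV target it connected to (pstest.ps.sip.uniza.sk) is not
what it checks, so a cert issued to the server FQDN alone is rejected.
"""
import re

# Constructed input: the subject line as printed by `openssl s_client` above.
S_CLIENT_SUBJECT = "subject=/C=SK/ST=Slovakia/L=Zilina/O=ZU/OU=KIS/CN=pstest.ps.sip.uniza.sk"


def subject_cn(subject_line):
    """Extract the CN from an OpenSSL one-line subject ("/C=SK/.../CN=host")."""
    m = re.search(r"/CN=([^/]+)", subject_line)
    if not m:
        raise ValueError("no CN in subject line")
    return m.group(1).strip()


def cert_names(cn, san_dns=()):
    """Names a client may match (RFC 5922): dNSName SANs if present, else the CN."""
    return [n.lower() for n in san_dns] if san_dns else [cn.lower()]


def matches_sip_domain(sip_domain, cn, san_dns=()):
    """Exact, case-insensitive comparison; RFC 5922 allows no wildcards for SIP."""
    return sip_domain.lower() in cert_names(cn, san_dns)


def registration_outcome(sip_domain, srv_target, cn, san_dns=()):
    """Client decision: a matching cert lets REGISTER proceed; otherwise the
    client reports the 503 seen in the Bria log and never sends the request."""
    if matches_sip_domain(sip_domain, cn, san_dns):
        return "OK"
    return ("503 Certificate Name Mismatch: trying to connect to <%s>, remote cert "
            "domain(s) are <%s> (SRV target %s is not what the client checks)"
            % (sip_domain, ", ".join(cert_names(cn, san_dns)), srv_target))


if __name__ == "__main__":
    cn = subject_cn(S_CLIENT_SUBJECT)          # 'pstest.ps.sip.uniza.sk'
    # Certificate as issued in the howto (CN = server FQDN): rejected.
    print(registration_outcome("ps.sip.uniza.sk", "pstest.ps.sip.uniza.sk", cn))
    # Re-issued with the SIP domain and the FQDN as dNSName SANs: accepted.
    print(registration_outcome("ps.sip.uniza.sk", "pstest.ps.sip.uniza.sk", cn,
                               ["ps.sip.uniza.sk", "pstest.ps.sip.uniza.sk"]))
```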

Troubleshooting

1) Check that there is a correct DNS SRV record for SIPS (TLS): port 5061, TLS transport.

2) Check that the certificates are correctly created with proper values.

3) Check that your server is listening on the correct port (using the command openssl s_client -connect 158.193.139.51:5061 -tls1).

4) Check the tls.cfg file.

5) Look into the syslog (/var/log/syslog). It should provide error messages such as

Nov 30 14:17:11 pstest /usr/sbin/kamailio[27615]: ERROR: <core> [tcp_read.c:882]: ERROR: tcp_read_req: error reading
Nov 30 14:20:11 pstest /usr/sbin/kamailio[27613]: ERROR: tls [tls_server.c:1174]: TLS accept:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

This error concerns a SIP client that does not accept the CA certificate of the Kamailio server.

6) Use the ssldump utility. For example, in my case ssldump provides the following info:

18 2  0.0021 (0.0014)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[0]=

        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
18 3  0.0022 (0.0001)  S>C  Handshake
      Certificate
18 4  0.0022 (0.0000)  S>C  Handshake
      ServerHelloDone
18 5  0.0037 (0.0014)  C>S  Alert
    level           fatal
    value           unknown_ca
18    0.0040 (0.0003)  C>S  TCP RST

In this case the SIP client resets the connection due to the SSL alert unknown CA. This leads you to check whether your SIP client loads the CA certificate from the trusted CA store (assuming you imported it).
