This article continue on series of articles about the Kamailio 3.1.x SIP proxy deployed on debian lenny and its features. In previous articles we have:<\/p>\n
1) installed clear Kamailio 3.1.x server <\/a><\/p>\n 2) added Mysql support <\/a>for persistance location storage<\/p>\n 3) SIREMIS web management interface for our kamailio server<\/a>.<\/p>\n 4) configured IM and presence service on Kamailio 3.1 – Howto<\/a><\/p>\n 5) configured XCAP support for SIMPLE<\/a>.<\/p>\n and now we will configure TLS support.<\/p>\n On the Kamailio site there is a mention, that <\/span><\/p>\n TLS is an optional part of the kamailio core and does not require special module installing.<\/em><\/p>\n<\/blockquote>\n But we have to install kamailio tls module with<\/p>\n Next, we have to add to your dns server correct SRV record for your SIPS TLS (SIP Secure) server. In my case it is<\/p>\n The dig dns utility have to return correct IP address pointing to your server<\/p>\n As a first step we have to generate certificates by which the SIP proxy will be identified during TLS connection setup. We will use the guide Create Certificates to be used with Kamailio<\/a>.<\/p>\n From the guide:<\/p>\n Creating suitable certificates for Kamailio is just as simple as configuring Apache with SSL<\/acronym>\/TLS. If you do not have certificates you can use the “openssl” tool to generate the certificate.<\/em><\/p>\n<\/blockquote>\n Open \/etc\/ssl\/openssl.cnf and change<\/p>\n to more flexible<\/p>\n The openssl req -new<\/strong><\/em> … will generate self-signed CA (cartificate authority) certificate valid for 10 years.<\/p>\n Then generating start, during the processing the system will ask you for certificates protection (put your password there) and will ask for some questions (country, city and etc.)<\/p>\n We may verify the content of the new CA certificates:<\/p>\n the command writes the cert.<\/p>\n writes the dates.<\/p>\n writes the purpose of the certs.<\/p>\n Now make a certificate for your SIP proxy (for example sip.mydomain.com), my domain is ps.sip.uniza.sk (create keys and a certificate signing request (CSR), then sign the CSR with your CA’s certificate).<\/p>\n It start the certificate creation<\/p>\n Go two directories up<\/p>\n or be carefull to write correct paths in next command (CA signing)<\/p>\n done! Yyou may verify if the cert is correct<\/p>\n We have to install our certificates, so our client will trust to our self signed SIP Kamailio certificates. To do that we have to download cert from \/etc\/certs\/demoCA\/cert.pem to the PC (with windows 7 in my case) and then we may either:<\/p>\n 1) Start→Control Panel→Internet import it<\/p>\n 2) or rename extension of the cert.pem to the cert.crt (cert.crt) and install with doubleclick (win). <\/p>\n 3) go with firefox to the https:\/\/<your_sip_server>:5061 and install cert<\/p>\n 4) ….<\/p>\n If we do not import certificate, we may see (using wireshark), that TLS establishment is dropped with reason Unknown CA.<\/p>\n and, maybe it is client dependent, eyabeam is displaying 503 Certificate validation failure <\/span><\/strong><\/em>message.<\/span><\/p>\n Be aware of client support for TLS and how it is implemented. From the guide<\/a> <\/span>eyeBeam should read CA authority from the local user or PC storage, but under Win7 32\/64bit eyeBeam does not work, it is returning unknown CA. The same for Bria 2.4. At least SIP Communicator work nice and fast.<\/p>\n Open \/etc\/kamailio.kamailio.cfg and<\/p>\n setup the server to listen on tls 5061 port, required for secure communication<\/p>\n then define (manualy write) zone directive for TLS<\/p>\n For this zone directive there is already preconfigured zone blocks (nothing need to be changed)<\/p>\n which will turn on TLS support.<\/p>\n Next, there are another already preconfigured zone block, which load required tls.so module (nothing need to be changed)<\/p>\n In module parameter section of the cfg file there is other zone block<\/p>\n It is pointing to the tls.cfg file of the kamailio server. During TLS module installation installer may ask you if you like to install tls.cfg file , if yes, then it install default tls.cfg. This file we will modify as next step. For more info look at Kamailio TLS module description<\/a>.<\/p>\n We have to add or modify lines, that they will pointing to correct certification files:<\/p>\n and we will add setting for 5061 port of our server<\/p>\n Be aware, as a default setting of the tls.cfg there is also a client section, which require correct certificates for clients. It look<\/p>\n Change it to "no<\/strong><\/em>", becasue this require client certificate validation<\/p>\n 1) We may use openssl tool connecting to our server. If everything is OK, we should see some output with cert listed. If there is not such output, check previous steps, something made wrong.<\/p>\n 2) Using your peferred SIP client with TLS support.<\/p>\n Some results are following. TLS suport for eyebeam 1.5 and Bria 2.4 under windows 7 32 or 64bit does not work. SIP communicator work well<\/strong><\/em>.<\/p>\n Tre log file of the Bria 2.4 is containing following messages:<\/p>\n 1) Check if there is correct DNS SRV record for SIPS (TLS), port 5061, tls transport<\/p>\n 2) Check if certificates are correctly created with proper values.<\/p>\n 3) Check if your server is listening on correct port (using command openssl s_client -connect 158.193.139.51:5061 -tls1)<\/p>\n 4) check tls.cfg file<\/p>\n 5) Look into syslog. To find some error reporting look into syslog -> \/var\/log\/syslog it should provide error message such as<\/p>\n "Nov 30 14:17:11 pstest \/usr\/sbin\/kamailio[27615]: ERROR: <core> [tcp_read.c:882]: ERROR: tcp_read_req: error reading This error is regarding of SIP Client, that do not accept CA certificates of the Kamailio server.<\/p>\n 6) use ssldump utility. For example in my case, ssldump provdides following info<\/p>\n In this case the SIP client resets connection due to SSL Alert, unknown CA authority. This lead you to check that your SIP client do not load CA certificate from trusted CA storage, of course if you import it.<\/p>","protected":false},"excerpt":{"rendered":" This article continue on series of articles about the Kamailio 3.1.x SIP proxy deployed on debian lenny and its features. In previous articles we have:<\/p>\nPrerequisities<\/strong><\/h2>\n
\n
Preparation<\/h2>\n
\n
\r\napt-get install kamailio-tls-modules\r\n<\/pre>\n
\r\n_sips._tcp IN SRV 200 1 5061 pstest\r\npstest IN A 158.193.139.51\r\n<\/pre>\n
\r\ndig SRV _sips._tcp<\/strong><\/span>.ps.sip.uniza.sk\r\n<\/pre>\nCreating certificates with OpenSSL<\/h2>\n
\n
Step 1 – editing openssl.cnf<\/h3>\n
\r\npolicy = policy_match\r\n<\/pre>\n
\r\npolicy = policy_anything\r\n<\/pre>\n
Step 2 – Preparing folders<\/h3>\n
\r\nmkdir \/etc\/certs\r\nchmod 0700 \/etc\/certs\r\ncd \/etc\/certs<\/pre>\n
Step 3 – generating certificates<\/h3>\n
\r\nmkdir demoCA\r\ncd demoCA\r\nmkdir newcerts\r\necho '01' > serial\r\ntouch index.txt\r\nopenssl req -new -x509 -extensions v3_ca -keyout key.pem -out cert.pem -days 3650<\/pre>\n<\/div>\n
\r\nGenerating a 1024 bit RSA private key\r\n...............++++++\r\n................++++++\r\nwriting new private key to 'key.pem'\r\nEnter PEM pass phrase:\r\nVerifying - Enter PEM pass phrase:\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [AU]:SK\r\nState or Province Name (full name) [Some-State]:Slovakia\r\nLocality Name (eg, city) []:Zilina\r\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:My private CA\r\nOrganizational Unit Name (eg, section) []:\r\nCommon Name (eg, YOUR name) []:My private CA\r\nEmail Address []:\r\n<\/pre>\n
\r\nopenssl x509 -in cert.pem -noout -text\r\n<\/pre>\n
\r\nopenssl x509 -in cert.pem -noout -dates\r\n<\/pre>\n
\r\nopenssl x509 -in cert.pem -noout -purpose\r\n<\/pre>\n
Step 4 – generating certificates for your sip proxy<\/h3>\n
\r\nmkdir ps.sip.uniza.sk\r\ncd ps.sip.uniza.sk\/\r\nopenssl req -new -nodes -keyout key.pem -out req.pem\r\n<\/pre>\n
\r\nGenerating a 1024 bit RSA private key\r\n......++++++\r\n..........++++++\r\nwriting new private key to 'key.pem'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [AU]:SK\r\nState or Province Name (full name) [Some-State]:SLOVAKIA\r\nLocality Name (eg, city) []:Zilina\r\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:ZU\r\nOrganizational Unit Name (eg, section) []:KIS\r\nCommon Name (eg, YOUR name) []:Have to be FQD<\/strong><\/span>N<\/strong> of your server<\/span>\r\nEmail Address []:\r\n\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []:\r\nAn optional company name []:\r\n<\/pre>\n\r\ncd ..\/..<\/pre>\n
\r\nopenssl ca -days 730 -out demoCA\/ps.sip.uniza.sk\/cert.pem -keyfile demoCA\/key.pem -cert demoCA\/cert.pem -infiles demoCA\/ps.sip.uniza.sk\/req.pem\r\n<\/pre>\n
\r\nopenssl x509 -in ps.sip.uniza.sk\/cert.pem -noout -text\r\n<\/pre>\n
Importing certificate to the PC (SIP Client)<\/h2>\n
\r\n414 75.589466 192.168.1.101 158.193.139.51 TLSv1 Alert (Level: Fatal, Description: Unknown CA)\r\n<\/pre>\n
Configuring the Kamailio<\/h2>\n
\r\nlisten=tls:158.193.139.51:5061\r\n<\/pre>\n
\r\n#!define WITH_TLS\r\n<\/pre>\n
\r\n#!ifdef WITH_TLS\r\nenable_tls=yes\r\n#!endif<\/pre>\n
\r\n#!ifdef WITH_TLS\r\nloadmodule "tls.so"\r\n#!endif\r\n<\/pre>\n
\r\n#!ifdef WITH_TLS\r\n# ----- tls params -----\r\nmodparam("tls", "config", "\/etc\/kamailio\/tls.cfg")\r\n#!endif\r\n<\/pre>\n\r\n[server:default]\r\nmethod = TLSv1\r\nverify_certificate = yes\r\nrequire_certificate = no\r\nprivate_key = \/etc\/certs\/demoCA\/ps.sip.uniza.sk\/key.pem\r\ncertificate = \/etc\/certs\/demoCA\/ps.sip.uniza.sk\/cert.pem\r\n#ca_list = \/etc\/certs\/demoCA\/cert.pem\r\n<\/pre>\n
\r\n[server:158.193.139.51:5061]\r\nmethod = SSLv23\r\nverify_certificate = no\r\nrequire_certificate = no\r\nprivate_key = \/etc\/certs\/demoCA\/ps.sip.uniza.sk\/key.pem\r\ncertificate = \/etc\/certs\/demoCA\/ps.sip.uniza.sk\/cert.pem\r\n<\/pre>\n
\r\n[client:default]\r\nverify_certificate = yes\r\nrequire_certificate = yes\r\n<\/pre>\n
\r\n[client:default]\r\nverify_certificate = no\r\nrequire_certificate = no<\/pre>\n
Testing<\/h2>\n
openssl s_client -connect 158.193.139.51:5061 -tls1
CONNECTED(00000003)<\/strong>\r\ndepth=0 \/C=SK\/ST=Slovakia\/L=Zilina\/O=ZU\/OU=KIS\/CN=pstest.ps.sip.uniza.sk\r\nverify error:num=20:unable to get local issuer certificate\r\nverify return:1\r\ndepth=0 \/C=SK\/ST=Slovakia\/L=Zilina\/O=ZU\/OU=KIS\/CN=pstest.ps.sip.uniza.sk\r\nverify error:num=27:certificate not trusted\r\nverify return:1\r\ndepth=0 \/C=SK\/ST=Slovakia\/L=Zilina\/O=ZU\/OU=KIS\/CN=pstest.ps.sip.uniza.sk\r\nverify error:num=21:unable to verify the first certificate\r\nverify return:1\r\n---\r\nCertificate chain\r\n 0 s:\/C=SK\/ST=Slovakia\/L=Zilina\/O=ZU\/OU=KIS\/CN=pstest.ps.sip.uniza.sk\r\n i:\/C=SK\/ST=Slovakia\/L=Zilina\/O=My private CA\/CN=My private CA\r\n---\r\nServer certificate\r\n-----BEGIN CERTIFICATE-----\r\nMIICvzCCAiigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJTSzER\r\nMA8GA1UECBMIU2xvdmFraWExDzANBgNVBAcTBlppbGluYTEWMBQGA1UEChMNTXkg\r\ncHJpdmF0ZSBDQTEWMBQGA1UEAxMNTXkgcHJpdmF0ZSBDQTAeFw0xMDExMjkyMDQ1\r\nNDhaFw0xMjExMjgyMDQ1NDhaMG0xCzAJBgNVBAYTAlNLMREwDwYDVQQIEwhTbG92\r\nYWtpYTEPMA0GA1UEBxMGWmlsaW5hMQswCQYDVQQKEwJaVTEMMAoGA1UECxMDS0lT\r\nMR8wHQYDVQQDExZwc3Rlc3QucHMuc2lwLnVuaXphLnNrMIGfMA0GCSqGSIb3DQEB\r\nAQUAA4GNADCBiQKBgQC\/zrOZSEwpF6SfiOSBm6epmHStIdPLslxVLUAUbP1ga2KD\r\nYahZv43gC8\/D9LbL5cbwWoMJ3bU9Nxj2Y9u0tFq8OyyEYQyvbk3n7Dnx\/ddMX7wL\r\nhTpWUSdeKN2ObUtxQnBO4\/jlRQw3rlGtA9pOSpTLJnp4sAAJs096tr4KhtAchwID\r\nAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy\r\nYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU6MAimP6egglzK2iZ4a9t2\/cnRnkw\r\nHwYDVR0jBBgwFoAUWWHct7bIIBwHLD2313b\/+0\/vE8UwDQYJKoZIhvcNAQEFBQAD\r\ngYEAPyj3JA5\/eSJPZytMIUMUaWhGM0Y53D7CnFeqOe9LLgXg2LqaFivNapoTrXFr\r\nDlo9sKASSHMHUE3f51ApNjXRBQw0eOROXO8R+MYyMndfnvZieLAwOu4M6axh5NpF\r\nJhH9PiLqgyEn+pWq6JYmCJY1YVPyK51mucdudrSl8h9G4JM=\r\n-----END CERTIFICATE-----\r\nsubject=\/C=SK\/ST=Slovakia\/L=Zilina\/O=ZU\/OU=KIS\/CN=pstest.ps.sip.uniza.sk\r\nissuer=\/C=SK\/ST=Slovakia\/L=Zilina\/O=My private CA\/CN=My private CA\r\n---\r\nNo client certificate CA names sent\r\n---\r\nSSL handshake has read 1034 bytes and written 291 bytes\r\n---\r\nNew, TLSv1\/SSLv3, Cipher is AES256-SHA\r\nServer public key is 1024 bit\r\nCompression: NONE\r\nExpansion: NONE\r\nSSL-Session:\r\n Protocol : TLSv1\r\n Cipher : AES256-SHA\r\n Session-ID:\r\n Session-ID-ctx:\r\n Master-Key: CB95C02821211D87AF96CB57DD68E865C6061F9125D95B1B55EC57E92ADDB06E1D7DE39703C32E8F9A0BA56BDE9BC8D6\r\n Key-Arg : None\r\n TLS session ticket:\r\n 0000 - 5a 51 10 16 54 13 fc e8-3d f0 f6 76 0b 00 89 b6 ZQ..T...=..v....\r\n 0010 - 24 ee 31 9a f3 e7 cd 3d-0a 8e 42 8b 69 b4 a4 09 $.1....=..B.i...\r\n 0020 - 6a b3 87 1e 72 71 c0 4e-51 90 8f 27 b4 59 6b 46 j...rq.NQ..'.YkF\r\n 0030 - 57 28 68 73 2d 3f 75 4a-b0 67 3e 2e 2b 6a 95 72 W(hs-?uJ.g>.+j.r\r\n 0040 - 3e b6 44 f8 aa 49 76 dd-42 b4 65 a5 18 36 79 e7 >.D..Iv.B.e..6y.\r\n 0050 - 0a 09 a7 8c 8b 0c db a9-89 a4 b1 d5 f9 d4 fa 45 ...............E\r\n 0060 - 09 52 9a 6d ae 0e d4 51-12 8b b4 31 06 a7 5a 9e .R.m...Q...1..Z.\r\n 0070 - bc 98 c4 16 66 50 84 95-b9 75 cd 31 2f 84 5e 84 ....fP...u.1\/.^.\r\n 0080 - 0f 67 5f d9 7c 09 54 da-7e a7 d0 24 bf 30 26 f0 .g_.|.T.~..$.0&.\r\n 0090 - 39 aa 17 5b 21 6c 43 d6-f7 c6 31 d4 d2 b1 57 c9 9..[!lC...1...W.\r\n 00a0 - 2e ed 9c 53 9b 86 2a 24-69 f1 b6 ed ca 9a 94 7b ...S..*$i......{\r\n\r\n Start Time: 1291122977\r\n Timeout : 7200 (sec)\r\n Verify return code: 21 (unable to verify the first certificate)\r\n---\r\n\r\n<\/pre>\n\r\nRESIP:DUM | "Got a DumFeatureMessage099BD7C8" |\r\n[10-12-16]09:40:39.896 | Info | RESIP:TRANSPORT | "Creating TLS connection for domain [ V4 158.193.139.51:5061 TLS target domain=ps.sip.uniza.sk received on: Transport: [ V4 0.0.0.0:28829 TLS target domain=unspecified connectionId=0 ] connectionId=0 ] on 2232" |\r\n[10-12-16]09:40:39.897 | Info | RESIP:TRANSPORT | "TLS handshake starting (client mode)" |\r\n[10-12-16]09:40:39.902 | Info | RESIP:TRANSPORT | "TLS connected" |\r\n[10-12-16]09:40:39.902 | Info | RESIP:TRANSPORT | "TLS sessions set up with TLSv1 TLSv1\/SSLv3 AES256-SHA " |\r\n[10-12-16]09:40:39.903 | Error | RESIP:TRANSPORT | "Certificate name mismatch: trying to connect to <ps.sip.uniza.sk> remote cert domain(s) are <pstest.ps.sip.uniza.sk>" |\r\n[10-12-16]09:40:39.903 | Info | RESIP:TRANSACTION | "Sending ConnectionTerminated 17 to TUs" |\r\n[10-12-16]09:40:39.903 | Info | RESIP:TRANSACTION | "Try sending request to a different dns result" |\r\n[10-12-16]09:40:39.903 | Info | RESIP:TRANSACTION | "Ran out of dns entries for ps.sip.uniza.sk. Send 503" |\r\n[10-12-16]09:40:39.904 | Info | RESIP:DNS | "local hostname does not contain a domain part PC-T2" |\r\n[10-12-16]09:40:39.904 | Info | RESIP:DUM | "Got: SipResp: 503 tid=476c5d721d161a34 cseq=REGISTER \/ 1 from(wire)" |\r\n[10-12-16]09:40:39.904 | Warning | AbstractPhone | "SIP registration failed; reason: 'SipError'; SIP error-code: 503; error-phrase: 'Certificate Name Mismatch'" | cpsi::AccountImpl::OnRegistrationStatusChanged\r\n<\/pre>\n
Error solving<\/h2>\n
\nNov 30 14:20:11 pstest \/usr\/sbin\/kamailio[27613]: ERROR: tls [tls_server.c:1174]: TLS accept:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<\/em>"<\/p>\n\r\n18 2 0.0021 (0.0014) S>C Handshake\r\n ServerHello\r\n Version 3.1\r\n session_id[0]=\r\n\r\n cipherSuite Unknown value 0x35\r\n compressionMethod NULL\r\n18 3 0.0022 (0.0001) S>C Handshake\r\n Certificate\r\n18 4 0.0022 (0.0000) S>C Handshake\r\n ServerHelloDone\r\n18 5 0.0037 (0.0014) C>S Alert\r\n level fatal\r\n value unknown_ca\r\n18 0.0040 (0.0003) C>S TCP RST\r\n\r\n<\/pre>\n