This article continues the series of articles about the Kamailio 3.1.x SIP proxy deployed on Debian Lenny and its features. In previous articles we have:
1) installed a clean Kamailio 3.1.x server
2) added MySQL support for persistent location storage
3) installed the SIREMIS web management interface for our Kamailio server
4) configured IM and presence service on Kamailio 3.1 – Howto
5) configured XCAP support for SIMPLE
and now we will configure TLS support.
Prerequisites
- Installed and working Kamailio (OpenSER) 3.1.0 server.
Preparation
On the Kamailio site there is a mention that
TLS is an optional part of the Kamailio core and does not require installing a special module.
But we still have to install the Kamailio TLS module package with
apt-get install kamailio-tls-modules
Next, we have to add the correct SRV record for our SIPS (SIP Secure, i.e. SIP over TLS) server to the DNS server. In my case it is
_sips._tcp IN SRV 200 1 5061 pstest
pstest IN A 158.193.139.51
The dig DNS utility has to return the SRV record (and the IP address of its target) pointing to your server:
dig SRV _sips._tcp.ps.sip.uniza.sk
Creating certificates with OpenSSL
As a first step we have to generate the certificates by which the SIP proxy identifies itself during TLS connection setup. We will follow the guide Create Certificates to be used with Kamailio.
From the guide:
Creating suitable certificates for Kamailio is just as simple as configuring Apache with SSL/TLS. If you do not have certificates you can use the “openssl” tool to generate the certificate.
Step 1 – editing openssl.cnf
Open /etc/ssl/openssl.cnf and change
policy = policy_match
to the more flexible
policy = policy_anything
Step 2 – Preparing folders
mkdir /etc/certs
chmod 0700 /etc/certs
cd /etc/certs
Step 3 – generating certificates
mkdir demoCA
cd demoCA
mkdir newcerts
echo '01' > serial
touch index.txt
openssl req -new -x509 -extensions v3_ca -keyout key.pem -out cert.pem -days 3650
The openssl req -new … command generates a self-signed CA (certificate authority) certificate valid for 10 years.
During generation the system asks for a pass phrase protecting the CA key (put your password there) and for some details (country, city, etc.):
Generating a 1024 bit RSA private key
...............++++++
................++++++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:Slovakia
Locality Name (eg, city) []:Zilina
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My private CA
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:My private CA
Email Address []:
We may verify the content of the new CA certificate:
openssl x509 -in cert.pem -noout -text
prints the whole certificate,
openssl x509 -in cert.pem -noout -dates
prints its validity dates, and
openssl x509 -in cert.pem -noout -purpose
prints the purposes the certificate may be used for.
Step 4 – generating certificates for your SIP proxy
Now make a certificate for your SIP proxy (for example sip.mydomain.com); my domain is ps.sip.uniza.sk. Create a key and a certificate signing request (CSR), then sign the CSR with your CA's certificate.
mkdir ps.sip.uniza.sk
cd ps.sip.uniza.sk/
openssl req -new -nodes -keyout key.pem -out req.pem
This starts the certificate creation:
Generating a 1024 bit RSA private key
......++++++
..........++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:SLOVAKIA
Locality Name (eg, city) []:Zilina
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ZU
Organizational Unit Name (eg, section) []:KIS
Common Name (eg, YOUR name) []:Have to be FQDN of your server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Go two directories up
cd ../..
or be careful to write the correct paths in the next command (CA signing):
openssl ca -days 730 -out demoCA/ps.sip.uniza.sk/cert.pem -keyfile demoCA/key.pem -cert demoCA/cert.pem -infiles demoCA/ps.sip.uniza.sk/req.pem
Done! You may verify that the certificate is correct:
openssl x509 -in demoCA/ps.sip.uniza.sk/cert.pem -noout -text
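The interactive steps 3 and 4 above produce a certificate whose Common Name is one host name. The Bria log in the Testing section further down shows that a strict client compares the certificate against the SIP domain it was asked to reach (ps.sip.uniza.sk), not against the SRV target host (pstest.ps.sip.uniza.sk), and refuses the connection on a name mismatch. The script below is an added example, not part of the article or of the Kamailio project: it builds the same two-level PKI non-interactively (keys unencrypted, so no pass phrase prompts), puts both names into a subjectAltName extension, and then checks that the result chains to the CA and carries each expected name. The two host names and the DN fields are assumptions taken from the article's setup.

```shell
#!/bin/sh
# Added example, not from the original article: non-interactive version of the
# article's CA + proxy certificate steps, with a subjectAltName that names both
# the SIP domain and the SRV target host, plus a verification helper.
# Assumed names: ps.sip.uniza.sk (SIP domain), pstest.ps.sip.uniza.sk (SRV target).
set -e

# make_sip_pki DIR SIP_DOMAIN SRV_HOST
# Writes ca-key.pem, ca-cert.pem, key.pem, req.pem and cert.pem into DIR.
make_sip_pki() {
    dir="$1"; sip_domain="$2"; srv_host="$3"
    mkdir -p "$dir"
    (
        cd "$dir" || exit 1
        # Minimal req config with an explicit CA:TRUE so that openssl verify
        # accepts the self-signed root as an issuer.
        printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
            '[dn]' '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
            'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > pki.cnf
        # 1. Self-signed CA valid 10 years (same lifetime as the article).
        openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/C=SK/O=My private CA/CN=My private CA" \
            -keyout ca-key.pem -out ca-cert.pem 2>/dev/null
        # 2. Proxy key and CSR; the CN is the FQDN, as the article requires.
        openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/C=SK/O=ZU/OU=KIS/CN=$sip_domain" \
            -keyout key.pem -out req.pem 2>/dev/null
        # 3. Sign for 2 years; subjectAltName lists every name a client may
        #    compare against, so SIP domain and SRV target both validate.
        printf 'subjectAltName=DNS:%s,DNS:%s\nextendedKeyUsage=serverAuth\n' \
            "$sip_domain" "$srv_host" > ext.cnf
        openssl x509 -req -days 730 -sha256 -in req.pem \
            -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
            -extfile ext.cnf -out cert.pem 2>/dev/null
    )
}

# check_sip_cert DIR NAME
# exit 0: cert.pem chains to ca-cert.pem and carries NAME as a DNS SAN
# exit 1: the chain does not verify     exit 2: NAME is not in the certificate
check_sip_cert() {
    dir="$1"; name="$2"
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/cert.pem" -noout -text \
        | grep -Eq "DNS:$name(,|[[:space:]]|$)" || return 2
    return 0
}

# Stand-alone run: build the PKI in a scratch directory and report the checks.
work=$(mktemp -d)
make_sip_pki "$work" ps.sip.uniza.sk pstest.ps.sip.uniza.sk
for n in ps.sip.uniza.sk pstest.ps.sip.uniza.sk sip.example.invalid; do
    if check_sip_cert "$work" "$n"; then echo "$n: OK"; else echo "$n: FAIL (code $?)"; fi
done
rm -rf "$work"
```

The third name in the stand-alone run is deliberately absent from the certificate, so the run shows both the accepted and the rejected case. The generated files map onto the article's paths as ca-cert.pem = demoCA/cert.pem and key.pem / cert.pem = the pair referenced later from tls.cfg.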
Importing the certificate to the PC (SIP client)
We have to install our CA certificate so that the client trusts our self-signed Kamailio certificate. Download the certificate /etc/certs/demoCA/cert.pem to the PC (Windows 7 in my case) and then either:
1) Start → Control Panel → Internet and import it there
2) or rename cert.pem to cert.crt and install it with a double-click (Windows)
3) or go with Firefox to https://<your_sip_server>:5061 and install the certificate
4) ….
If we do not import the certificate, we can see (using Wireshark) that the TLS handshake is aborted with the reason Unknown CA:
414 75.589466 192.168.1.101 158.193.139.51 TLSv1 Alert (Level: Fatal, Description: Unknown CA)
and (maybe it is client dependent) eyeBeam displays a "503 Certificate validation failure" message.
Be aware of the client's support for TLS and how it is implemented. According to the guide, eyeBeam should read the CA certificate from the local user or machine store, but under Windows 7 32/64-bit eyeBeam does not work; it returns unknown CA. The same goes for Bria 2.4. At least SIP Communicator works nicely and fast.
Configuring Kamailio
Open /etc/kamailio/kamailio.cfg and
set up the server to listen on TLS port 5061, required for secure communication:
listen=tls:158.193.139.51:5061
then add (write it manually) the preprocessor define for TLS:
#!define WITH_TLS
For this define there are already preconfigured conditional blocks (nothing needs to be changed):
#!ifdef WITH_TLS
enable_tls=yes
#!endif
which turn on TLS support.
Next, there is another preconfigured block which loads the required tls.so module (nothing needs to be changed):
#!ifdef WITH_TLS
loadmodule "tls.so"
#!endif
In the module parameter section of the cfg file there is another block:
#!ifdef WITH_TLS
# ----- tls params -----
modparam("tls", "config", "/etc/kamailio/tls.cfg")
#!endif
It points to the tls.cfg file of the Kamailio server. During installation of the TLS module the installer may ask whether you want to install a tls.cfg file; if yes, it installs a default tls.cfg. We modify this file in the next step. For more info see the Kamailio TLS module description.
We have to add or modify these lines so that they point to the correct certificate files:
[server:default]
method = TLSv1
verify_certificate = yes
require_certificate = no
private_key = /etc/certs/demoCA/ps.sip.uniza.sk/key.pem
certificate = /etc/certs/demoCA/ps.sip.uniza.sk/cert.pem
#ca_list = /etc/certs/demoCA/cert.pem
and we add settings for port 5061 of our server:
[server:158.193.139.51:5061]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/certs/demoCA/ps.sip.uniza.sk/key.pem
certificate = /etc/certs/demoCA/ps.sip.uniza.sk/cert.pem
Be aware that the default tls.cfg also contains a client section which requires correct certificates from clients. It looks like:
[client:default]
verify_certificate = yes
require_certificate = yes
Change both values to "no", because "yes" requires client certificate validation:
[client:default]
verify_certificate = no
require_certificate = no
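The tls.cfg that results from the steps above has three settings worth a second look before the proxy serves real users: the 5061 listener uses method = SSLv23, the [client:default] section no longer verifies the certificates of servers the proxy itself connects to, and [server:default] keeps verify_certificate = yes while its ca_list stays commented out. The script below is an added example, not from the article or the Kamailio project: a small awk-based audit that reads a tls.cfg and reports exactly those findings. The semantics it assumes are that verify_certificate controls whether the peer's certificate is checked, ca_list names the trusted CA file, and method selects the protocol version; the sample configuration it writes is constructed from the article's final tls.cfg.

```shell
#!/bin/sh
# Added example, not from the original article: audit a Kamailio tls.cfg for
# settings a defender would revisit. Assumed semantics: verify_certificate
# checks the peer certificate, ca_list is the trusted CA file, method picks the
# protocol version. The sample config is constructed from the article's values.
set -e

# audit_tls_cfg FILE: prints one finding per line (nothing when all is well).
audit_tls_cfg() {
    awk '
    function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments and blank lines
    /^[[:space:]]*\[/ {                                  # [server:default], [client:...]
        sec = trim($0); sec = substr(sec, 2, length(sec) - 2); next
    }
    /=/ {
        split($0, kv, "="); key = trim(kv[1]); val = tolower(trim(kv[2]))
        if (key == "method" && (val == "sslv23" || val == "sslv2" || val == "sslv3"))
            print sec ": method=" val " allows protocol versions older than TLSv1"
        if (sec ~ /^client/ && key == "verify_certificate" && val == "no")
            print sec ": outbound connections will not verify the remote certificate"
        if (key == "verify_certificate" && val == "yes") wants_ca[sec] = 1
        if (key == "ca_list") has_ca[sec] = 1
    }
    END {
        for (s in wants_ca) if (!(s in has_ca))
            print s ": verify_certificate=yes but ca_list is not set, so a presented certificate cannot be validated"
    }' "$1"
}

# count_tls_findings FILE: number of findings, for use in scripts.
count_tls_findings() { audit_tls_cfg "$1" | awk 'END { print NR }'; }

# write_sample_cfg FILE: constructed sample mirroring the article's final tls.cfg.
write_sample_cfg() {
    cat > "$1" <<'EOF'
[server:default]
method = TLSv1
verify_certificate = yes
require_certificate = no
private_key = /etc/certs/demoCA/ps.sip.uniza.sk/key.pem
certificate = /etc/certs/demoCA/ps.sip.uniza.sk/cert.pem
#ca_list = /etc/certs/demoCA/cert.pem

[server:158.193.139.51:5061]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/certs/demoCA/ps.sip.uniza.sk/key.pem
certificate = /etc/certs/demoCA/ps.sip.uniza.sk/cert.pem

[client:default]
verify_certificate = no
require_certificate = no
EOF
}

# Stand-alone run: audit the constructed sample and print the findings.
sample=$(mktemp)
write_sample_cfg "$sample"
audit_tls_cfg "$sample"
echo "findings: $(count_tls_findings "$sample")"
rm -f "$sample"
```

Run it against the real file with audit_tls_cfg /etc/kamailio/tls.cfg after sourcing the script. Each finding names the section it belongs to, so the fix is local: set method = TLSv1 on the listener as in [server:default], and in any section that keeps verify_certificate = yes, uncomment ca_list so that the CA file is actually loaded.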
Testing
1) We may use the openssl tool to connect to our server. If everything is OK, we should see output with the certificate listed. If there is no such output, check the previous steps; something went wrong.
openssl s_client -connect 158.193.139.51:5061 -tls1
CONNECTED(00000003)
depth=0 /C=SK/ST=Slovakia/L=Zilina/O=ZU/OU=KIS/CN=pstest.ps.sip.uniza.sk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=SK/ST=Slovakia/L=Zilina/O=ZU/OU=KIS/CN=pstest.ps.sip.uniza.sk
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=SK/ST=Slovakia/L=Zilina/O=ZU/OU=KIS/CN=pstest.ps.sip.uniza.sk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=SK/ST=Slovakia/L=Zilina/O=ZU/OU=KIS/CN=pstest.ps.sip.uniza.sk
   i:/C=SK/ST=Slovakia/L=Zilina/O=My private CA/CN=My private CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICvzCCAiigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJTSzER
MA8GA1UECBMIU2xvdmFraWExDzANBgNVBAcTBlppbGluYTEWMBQGA1UEChMNTXkg
cHJpdmF0ZSBDQTEWMBQGA1UEAxMNTXkgcHJpdmF0ZSBDQTAeFw0xMDExMjkyMDQ1
NDhaFw0xMjExMjgyMDQ1NDhaMG0xCzAJBgNVBAYTAlNLMREwDwYDVQQIEwhTbG92
YWtpYTEPMA0GA1UEBxMGWmlsaW5hMQswCQYDVQQKEwJaVTEMMAoGA1UECxMDS0lT
MR8wHQYDVQQDExZwc3Rlc3QucHMuc2lwLnVuaXphLnNrMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQC/zrOZSEwpF6SfiOSBm6epmHStIdPLslxVLUAUbP1ga2KD
YahZv43gC8/D9LbL5cbwWoMJ3bU9Nxj2Y9u0tFq8OyyEYQyvbk3n7Dnx/ddMX7wL
hTpWUSdeKN2ObUtxQnBO4/jlRQw3rlGtA9pOSpTLJnp4sAAJs096tr4KhtAchwID
AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU6MAimP6egglzK2iZ4a9t2/cnRnkw
HwYDVR0jBBgwFoAUWWHct7bIIBwHLD2313b/+0/vE8UwDQYJKoZIhvcNAQEFBQAD
gYEAPyj3JA5/eSJPZytMIUMUaWhGM0Y53D7CnFeqOe9LLgXg2LqaFivNapoTrXFr
Dlo9sKASSHMHUE3f51ApNjXRBQw0eOROXO8R+MYyMndfnvZieLAwOu4M6axh5NpF
JhH9PiLqgyEn+pWq6JYmCJY1YVPyK51mucdudrSl8h9G4JM=
-----END CERTIFICATE-----
subject=/C=SK/ST=Slovakia/L=Zilina/O=ZU/OU=KIS/CN=pstest.ps.sip.uniza.sk
issuer=/C=SK/ST=Slovakia/L=Zilina/O=My private CA/CN=My private CA
---
No client certificate CA names sent
---
SSL handshake has read 1034 bytes and written 291 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: CB95C02821211D87AF96CB57DD68E865C6061F9125D95B1B55EC57E92ADDB06E1D7DE39703C32E8F9A0BA56BDE9BC8D6
    Key-Arg   : None
    TLS session ticket:
    0000 - 5a 51 10 16 54 13 fc e8-3d f0 f6 76 0b 00 89 b6   ZQ..T...=..v....
    0010 - 24 ee 31 9a f3 e7 cd 3d-0a 8e 42 8b 69 b4 a4 09   $.1....=..B.i...
    0020 - 6a b3 87 1e 72 71 c0 4e-51 90 8f 27 b4 59 6b 46   j...rq.NQ..'.YkF
    0030 - 57 28 68 73 2d 3f 75 4a-b0 67 3e 2e 2b 6a 95 72   W(hs-?uJ.g>.+j.r
    0040 - 3e b6 44 f8 aa 49 76 dd-42 b4 65 a5 18 36 79 e7   >.D..Iv.B.e..6y.
    0050 - 0a 09 a7 8c 8b 0c db a9-89 a4 b1 d5 f9 d4 fa 45   ...............E
    0060 - 09 52 9a 6d ae 0e d4 51-12 8b b4 31 06 a7 5a 9e   .R.m...Q...1..Z.
    0070 - bc 98 c4 16 66 50 84 95-b9 75 cd 31 2f 84 5e 84   ....fP...u.1/.^.
    0080 - 0f 67 5f d9 7c 09 54 da-7e a7 d0 24 bf 30 26 f0   .g_.|.T.~..$.0&.
    0090 - 39 aa 17 5b 21 6c 43 d6-f7 c6 31 d4 d2 b1 57 c9   9..[!lC...1...W.
    00a0 - 2e ed 9c 53 9b 86 2a 24-69 f1 b6 ed ca 9a 94 7b   ...S..*$i......{

    Start Time: 1291122977
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
2) Using your preferred SIP client with TLS support.
Some results follow. TLS support for eyeBeam 1.5 and Bria 2.4 under Windows 7 32- or 64-bit does not work. SIP Communicator works well.
The log file of Bria 2.4 contains the following messages:
RESIP:DUM | "Got a DumFeatureMessage099BD7C8" |
[10-12-16]09:40:39.896 | Info | RESIP:TRANSPORT | "Creating TLS connection for domain [ V4 158.193.139.51:5061 TLS target domain=ps.sip.uniza.sk received on: Transport: [ V4 0.0.0.0:28829 TLS target domain=unspecified connectionId=0 ] connectionId=0 ] on 2232" |
[10-12-16]09:40:39.897 | Info | RESIP:TRANSPORT | "TLS handshake starting (client mode)" |
[10-12-16]09:40:39.902 | Info | RESIP:TRANSPORT | "TLS connected" |
[10-12-16]09:40:39.902 | Info | RESIP:TRANSPORT | "TLS sessions set up with TLSv1 TLSv1/SSLv3 AES256-SHA " |
[10-12-16]09:40:39.903 | Error | RESIP:TRANSPORT | "Certificate name mismatch: trying to connect to <ps.sip.uniza.sk> remote cert domain(s) are <pstest.ps.sip.uniza.sk>" |
[10-12-16]09:40:39.903 | Info | RESIP:TRANSACTION | "Sending ConnectionTerminated 17 to TUs" |
[10-12-16]09:40:39.903 | Info | RESIP:TRANSACTION | "Try sending request to a different dns result" |
[10-12-16]09:40:39.903 | Info | RESIP:TRANSACTION | "Ran out of dns entries for ps.sip.uniza.sk. Send 503" |
[10-12-16]09:40:39.904 | Info | RESIP:DNS | "local hostname does not contain a domain part PC-T2" |
[10-12-16]09:40:39.904 | Info | RESIP:DUM | "Got: SipResp: 503 tid=476c5d721d161a34 cseq=REGISTER / 1 from(wire)" |
[10-12-16]09:40:39.904 | Warning | AbstractPhone | "SIP registration failed; reason: 'SipError'; SIP error-code: 503; error-phrase: 'Certificate Name Mismatch'" | cpsi::AccountImpl::OnRegistrationStatusChanged
Troubleshooting
1) Check that there is a correct DNS SRV record for SIPS (TLS), port 5061, TLS transport.
2) Check that the certificates were created correctly with proper values.
3) Check that your server is listening on the correct port (using the command openssl s_client -connect 158.193.139.51:5061 -tls1).
4) Check the tls.cfg file.
5) Look into the syslog (/var/log/syslog); it should provide error messages such as
"Nov 30 14:17:11 pstest /usr/sbin/kamailio[27615]: ERROR: <core> [tcp_read.c:882]: ERROR: tcp_read_req: error reading
Nov 30 14:20:11 pstest /usr/sbin/kamailio[27613]: ERROR: tls [tls_server.c:1174]: TLS accept:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"
This error concerns a SIP client that does not accept the CA certificate of the Kamailio server.
6) Use the ssldump utility. For example, in my case ssldump provides the following info:
18 2  0.0021 (0.0014)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[0]=
        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
18 3  0.0022 (0.0001)  S>C  Handshake
      Certificate
18 4  0.0022 (0.0000)  S>C  Handshake
      ServerHelloDone
18 5  0.0037 (0.0014)  C>S  Alert
    level           fatal
    value           unknown_ca
18    0.0040 (0.0003)  C>S  TCP RST
In this case the SIP client resets the connection because of the SSL alert unknown CA. This leads you to check whether your SIP client fails to load the CA certificate from the trusted CA store, even though you imported it.