[OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation
Bogdan-Andrei Iancu
bogdan at opensips.org
Tue Jul 25 11:27:22 EDT 2017
I have to admit that you have to "know how to read the SSL errors" in
order to really understand the root problem :) . Now that you have found
the issue, if we look back at the error description "verify
error:num=20:unable to get local issuer certificate", it makes sense:
SSL complains that it did not find the Comodo CA it needs to validate the
certificate presented by the TLS client (which was probably signed by
Comodo).
Best regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
OpenSIPS Bootcamp 2017, Houston, US
http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
On 07/25/2017 05:27 PM, Callum Guy wrote:
> Hi Bogdan,
>
> Thanks for your response, based on your advice I performed a full
> packet capture on the handshake and established that a certificate was
> indeed being presented.
>
> Following up on this I managed to establish that the problem was a
> missing intermediary CA in the certificate chain, specifically:
>
> https://support.comodo.com/index.php?/Knowledgebase/Article/View/975/108/intermediate-2-sha-2-comodo-rsa-extended-validation-secure-server-ca
>
> The error message presented by OpenSIPS was certainly misleading in
> this case. For others' benefit, the approach for installing a new CA is
> super simple:
>
> 1. create the file in /etc/pki/ca-trust/source/anchors
> (i.e. comodo-ca-rsa-ev-secure-server.pem)
> 2. run "update-ca-trust" with root privs
>
> Problem solved.
>
> Have a good day all!
>
> Callum
>
> On Tue, Jul 25, 2017 at 2:48 PM Bogdan-Andrei Iancu
> <bogdan at opensips.org> wrote:
>
> Hi Callum,
>
> The error may indicate that the TLS client does not present a TLS
> certificate while connecting to your OpenSIPS. This has nothing to do
> with TLS multi-domain, which is supported anyhow. As a test, you can
> create a separate (server) TLS domain bound to the IP of that TLS
> client, with the require_certificate option turned off.
>
> Best Regards,
>
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> http://www.opensips-solutions.com
>
> OpenSIPS Bootcamp 2017, Houston, US
> http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
>
> On 07/25/2017 03:26 PM, Callum Guy wrote:
>> Hi All,
>>
>> Running: opensips-2.3.1-1.el7.x86_64 / CentOS 7
>>
>> I have been working with a new TLS connection and have been having
>> problems validating their client certificate. My OpenSIPS
>> configuration works fine for other providers (e.g. Twilio); however,
>> I am seeing the following error messages reported while verify_cert
>> is enabled:
>>
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: depth = 0
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: subject = /serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local issuer certificate
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error code is 20 (check x509_vfy.h)
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify return:0
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept: New TLS connection from 178.22.140.34:34281 failed to accept
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
>>
>> Part of my reason for resorting to the mailing list is old mailing
>> list emails discussing that multi-domain certificates are not
>> supported by OpenSIPS - is anyone able to confirm whether this
>> remains a problem?
>>
>> The openssl error code 20 is translated as
>> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>>
>> I have seen other reports that this issue may be related to an
>> improperly chained certificate - does this sound at all likely?
>>
>> Any tips on debugging would be greatly appreciated, thanks.
>>
>> Callum
>> --
>> Callum Guy
>> Head of Information Security
>> X-on
>>
>>
>> 0333 332 0000 | www.x-on.co.uk | https://www.linkedin.com/company/x-on |
>> https://www.facebook.com/XonTel | https://twitter.com/xonuk
>> X-on is a trading name of Storacall Technology Ltd a limited
>> company registered in England and Wales.
>> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
>> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
>> The information in this e-mail is confidential and for use by the
>> addressee(s) only. If you are not the intended recipient, please
>> notify X-on immediately on +44(0)333 332 0000 and delete the
>> message from your computer. If you are not a named addressee you
>> must not use, disclose, disseminate, distribute, copy, print or
>> reply to this email. Views or opinions expressed by an individual
>> within this email may not necessarily reflect the views of X-on
>> or its associated companies. Although X-on routinely screens for
>> viruses, addressees should scan this email and any attachments
>> for viruses. X-on makes no representation or warranty as to the
>> absence of viruses in this email or any attachments.
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> --
> Callum Guy
> Head of Information Security
> X-on
>
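The chain failure discussed in this thread, reproduced as an added example in Go using only the standard library (this is not OpenSIPS code and not anything the participants posted). It builds a throwaway root -> intermediate -> client-leaf PKI in memory and verifies the leaf the way OpenSSL does behind tls_mgm's verify_callback, under the three conditions the thread touches: the store holds only the root and the client sends just its leaf (Go returns UnknownAuthorityError, the counterpart of error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY); the client also presents the intermediate; and the operator places the intermediate next to the root in the trust anchors, which is what the update-ca-trust step above does. The CA names, client.example.net and every function name are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key and a certificate for cn; parent == nil gives a self-signed root,
// otherwise the certificate is signed by parent/parentKey. Constructed throwaway PKI: an
// error here would mean a broken crypto/rand, so the example just panics on it.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // only needs to differ per cert
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // a TLS client cert
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyClient does what OpenSSL does behind tls_mgm's verify_callback: build a path from the
// client's leaf to the local trust store (anchors). presented holds whatever else the client
// sent in its TLS Certificate message; nil means it sent the leaf alone.
func verifyClient(leaf *x509.Certificate, anchors, presented []*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsMissingIssuer reports whether err is Go's counterpart of OpenSSL error 20,
// X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: no path to a trust anchor could be built.
func IsMissingIssuer(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// RunScenarios builds root -> intermediate -> client leaf and verifies the leaf under the
// three conditions from the thread; the map records whether each verification passed.
func RunScenarios() map[string]bool {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example EV Intermediate CA", true, root, rootKey)
	leaf, _ := issue("client.example.net", false, inter, interKey)
	res := map[string]bool{}
	// 1. Store holds the root only and the client sends just its leaf: the issuer cannot be
	//    found locally. This is the thread's "unable to get local issuer certificate".
	err := verifyClient(leaf, []*x509.Certificate{root}, nil)
	res["leaf-only"] = err == nil
	res["leaf-only-is-missing-issuer"] = IsMissingIssuer(err)
	// 2. Same store, but the client sends the intermediate along with its leaf.
	res["client-sends-chain"] = verifyClient(leaf, []*x509.Certificate{root}, []*x509.Certificate{inter}) == nil
	// 3. Client still sends only its leaf; the operator has dropped the intermediate next to
	//    the root in the anchors, which is the update-ca-trust fix from the thread.
	res["intermediate-in-anchors"] = verifyClient(leaf, []*x509.Certificate{root, inter}, nil) == nil
	return res
}

func main() {
	fmt.Println(RunScenarios()) // map keys print sorted
}
```

Scenario 2 is the fix that belongs on the peer: a TLS client is supposed to send its intermediates in the Certificate message, and a peer that omits them breaks every verifier that does not happen to hold that intermediate locally. Scenario 3 is the operator-side workaround from the thread, and it works in OpenSSL only because the self-signed root is also present: by default (without X509_V_FLAG_PARTIAL_CHAIN) OpenSSL keeps walking the store until it reaches a self-signed certificate, whereas Go's Verify accepts any member of the Roots pool as an anchor, so the two would disagree if only the intermediate were installed.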