
minisip TLS connect server cert problem



Pjothi wrote:

Sorry about the deluge of emails. I am happy at least to let people
know that all is not well with minisip-openser TLS interconnection,
at least for a beginner to get it running. So experts can get cautious
when trying to do it now or in the future.

I thank everyone for their time,

regards,
Pjothi



On 2/8/06, Cesc <cesc.santa (at) gmail.com> wrote:


I really don't mean to be rude, but you asked the same question over
and over, and no one replies for a reason: probably no one has the time
to figure it out ... at least I don't.

A suggestion, though. Read the code, find where it fails, try to
understand TLS and how it works ... you may have a conceptual error
... or not (minisip has bugs, as any other piece of software).

Regards,

Cesc

On 2/8/06, Pjothi <pjothi (at) gmail.com> wrote:


Hello all,

I am trying to connect minisip with OpenSER in TLS mode. I created my own
rootCA and created certificates for OpenSER signed by rootCA-certificate.

Now, I have the following

rootCA-certificate

the following certificates signed by rootCA-certificate:

server-certificate
server-ca list
and also server private key.

I added in the CA database - rootCA-cert.pem and try registering with
OpenSER, I get the following error:
___________________________________________________________________
Registering user user4 (at) 192.168.0.4 to proxy 192.168.0.4, requesting domain 192.168.0.4

SipMessageTransport: sendMessage: creating new socket
Creating new SSL_CTX
SSL connect: Protocol Error.
7875:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:844:
Could not get server certificate
SipMessageTransport: sendMessage: exception thrown!
SipMessageTransport: sendMessage: exception thrown!
SipMessageTransport: sendMessage: exception thrown!
____________________________________________________________________

Does this mean the client is not able to get the server certificate
or it's not able to verify the server certificate, because I see both?

How to properly configure the certificate settings in minisip client
side? I do not need any client authentication to be done, so I don't
worry about client certificates here.

Any small suggestion/help would go a long way and I am trying with
this for a very long time. I appreciate all your time and help.

thanks and regards,
Pjothi
_______________________________________________
Minisip-users mailing list
Minisip-users (at) minisip.org
http://lists.minisip.org/mailman/listinfo/minisip-users




_______________________________________________
Voipsec mailing list
Voipsec (at) voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org




Also, in addition to what I sent earlier, you shouldn't use the root CA cert for the ser server cert; rather, it should be imported as a trusted root cert (into the same area where you find the VeriSign, Thawte, etc., certificates), and the server certificate to import should be the signed certificate created by the root CA (the certificate request that you signed with the root CA certificate is the one that should be installed on the ser server).

If you are doing client-side certificates then you should generate a certificate request on behalf of the Microsoft client. Then sign the request and import newkey.pem (created in the request process, which contains the private key) on the client and import the signed certificate into the Microsoft store as well.

All of this latter can be imported by using the browser and selected by the client.

Let me know if this helps.

Giving the root CA cert up to the server essentially compromises the root CA that you created; delete it.
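The certificate layout described in the replies above, as an added example that is not part of the original thread: the client trusts only the root CA certificate, the server holds its own key plus a certificate signed by that root, and the root's private key never goes to the server. It assumes the openssl command-line tool is installed; rootCA-key.pem, server-key.pem, server.csr, server-cert.pem, the subject names and the helper names make_pki, client_trusts and demo are constructed for illustration.

```shell
#!/bin/sh
# Added example; key and certificate names are constructed for illustration.

# make_pki DIR: create a throwaway root CA and one server certificate in DIR.
make_pki() {
    dir=$1
    # Minimal config so the root is marked CA:TRUE whatever the system default is.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # 1. Root CA (self-signed). rootCA-key.pem stays on the CA machine only.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/ca.cnf" -keyout "$dir/rootCA-key.pem" \
        -out "$dir/rootCA-cert.pem" 2>/dev/null || return 1
    # 2. Server generates its own key and a certificate request.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=192.168.0.4" -keyout "$dir/server-key.pem" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. CA signs the request; server-cert.pem and server-key.pem go on the proxy.
    openssl x509 -req -in "$dir/server.csr" -days 1 -CA "$dir/rootCA-cert.pem" \
        -CAkey "$dir/rootCA-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" 2>/dev/null || return 1
}

# client_trusts CAFILE CERT: true only if CERT chains to a root in CAFILE,
# the same check that fails with "certificate verify failed" in the log above.
client_trusts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Demo: the right root verifies the server; an unrelated root does not.
demo() {
    a=$(mktemp -d) && b=$(mktemp -d) && make_pki "$a" && make_pki "$b" || return 1
    client_trusts "$a/rootCA-cert.pem" "$a/server-cert.pem" && echo "own root: OK"
    client_trusts "$b/rootCA-cert.pem" "$a/server-cert.pem" || echo "other root: verify failed"
    rm -rf "$a" "$b"
}
demo
```

Running the same `openssl verify -CAfile` check against the real rootCA-cert.pem and the certificate the proxy presents tells you whether the client-side failure is a trust-anchor problem before touching the SIP client.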