add ca_path param to tls module

[juha-h]

Currently tls module has ca_list param that

Sets the CA list file name. This file contains a list of all the trusted CAs certificates used when connecting to other SIP implementations. If a signature in a certificate chain belongs to one of the listed CAs, the verification of that certificate will succeed.

This issue proposes adding a new tls param ca_path. Its value would be a directory that contains any number of CA certificate files thus making it unnecessary to cat these files to a single ca_list file.

Implementation could be based on the same int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath) OpenSSL API function as now.

[oej]

Good idea.

[miconda]

Being Kamailio specific coding, I added the config option and set it value as parameter to SSL_CTX_load_verify_locations() based on the feature request description, but it might not be complete implementation because its manual specifies that the folder content is not send to client via SSL_CTX_set_client_CA_list():

• https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.html

I haven't tested at all, not having a system that I could easily simulate the scenario. If not complete, feel free to add the missing part related, otherwise, if not useful at all, it can be reverted.

[juha-h]

Thanks for your work on ca_path. It is so that currently ca_path can only be given as tls module config parameter and not in tls config file. I tried like this: modparam("tls", "config", "/etc/sip-proxy/tls.cfg") tls.cfg: [server:default] verify_certificate = yes require_certificate = no server_name = lohi.tutpro.com tls_method = TLSv1.1+ private_key = /etc/sip-proxy/certs/key.pem certificate = /etc/sip-proxy/certs/cert.pem ca_path = /etc/sip-proxy/certs/ca_list and got error at start: Mar 23 11:47:18 lohi /usr/bin/sip-proxy[25175]: ERROR: <core> [core/cfg_parser.c:731]: sr_cfg_parse(): tls.cfg:7:1: Unsupported option 'ca_path'

[juha-h]

Looks like installation of new version of kamailio had failed and tls module was not updated. Trying again ...

[kamailio-sync]

I got latest master properly installed and gave ca_path a try. I placed four ca certs in directory /etc/sip-proxy/certs/ca_list: # ls /etc/sip-proxy/certs/ca_list class3_X0E.crt dst_root_ca_x3.pem lets-encrypt-x3-cross-signed.pem root_X0F.crt Then I created file ca_list.pem that contained all of them: # cat /etc/sip-proxy/certs/ca_list/* > /etc/sip-proxy/certs/ca_list.pem In tls config file I had: [client:default] ... ca_list = /etc/sip-proxy/certs/ca_list.pem [server:default] ... ca_list = /etc/sip-proxy/certs/ca_list.pem Result was that kamailio started OK. Then in tls config file I replaced ca_list with ca_path: ca_path = /etc/sip-proxy/certs/ca_list and kamailio failed to start: Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)' Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: INFO: tls [tls_domain.c:336]: ksr_tls_fill_missing(): TLSs<default>: ca_path='/etc/sip-proxy/certs/ca_list' ... Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_domain.c:601]: load_ca_list(): TLSs<default>: Error while setting client CA list Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0200100E:system library:fopen:Bad address Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:20074002:BIO routines:file_ctrl:system lib Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: <core> [core/sr_module.c:865]: init_mod_child(): error while initializing module tls (/usr/lib/x86_64-linux-gnu/sip-proxy/modules/tls.so) (idx: 0 rank: -127 desc: [main])

[miconda]

The error message seems to be related to failure to open ca_list file, not to ca_path -- can you check if ca_list is still set somewhere there to an invalid file path?

[juha-h]

Daniel-Constantin Mierla writes:

The error message seems to be related to failure to open `ca_list` file, not to `ca_path` -- can you check if `ca_list` is still set somewhere there to an invalid file path?

I checked and config file has only this: modparam("tls", "config", "/etc/sip-proxy/tls.cfg") and tls.cfg contains: # more tls.cfg [client:default] verify_certificate = yes require_certificate = yes tls_method = TLSv1.2+ private_key = /etc/sip-proxy/certs/key.pem certificate = /etc/sip-proxy/certs/cert.pem ca_path = /etc/sip-proxy/certs/ca_list [server:default] verify_certificate = yes require_certificate = no server_name = lohi.tutpro.com tls_method = TLSv1.1+ private_key = /etc/sip-proxy/certs/key.pem certificate = /etc/sip-proxy/certs/cert.pem ca_path = /etc/sip-proxy/certs/ca_list There is no trace of ca_list anywhere. Also syslog shows that ca_list is null: Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/sip-proxy/certs/cert.pem' Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)' Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:336]: ksr_tls_fill_missing(): TLSs<default>: ca_path='/etc/sip-proxy/certs/ca_list'

[miconda]

I pushed a commit to make that error message print the file name. Try again with latest master and paste here again the new error message to see what's there.

[kamailio-sync]

Daniel-Constantin Mierla writes:

I pushed a commit to make that error message print the file name. Try again with latest master and paste here again the new error message to see what's there.

Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_domain.c:604]: load_ca_list(): TLSs<default>: Error while setting client CA list file [/3] Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0200100E:system library:fopen:Bad address Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:20074002:BIO routines:file_ctrl:system lib

…

-- Juha

[juha-h]

Daniel-Constantin Mierla writes:

Being Kamailio specific coding, I added the config option and set it value as parameter to SSL_CTX_load_verify_locations() based on the feature request description, but it might not be complete implementation because its manual specify that the folder content is not send to client via SSL_CTX_set_client_CA_list(): * https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.html

Neither is contents of CAfile sent to client: In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list is not influenced by the contents of CAfile or CApath and must explicitly be set using the SSL_CTX_set_client_CA_list(3) family of functions.

…

-- Juha

[miconda]

Pushed a commit to fix the error message.

The SSL_CTX_set_client_CA_list() is used with the ca_list file, the error message above is actually when that is done.

[kamailio-sync]

Daniel-Constantin Mierla writes:

Pushed a commit to fix the error message.

Now kamailio starts, but when baresip sip client tries to connect over TLS, I get these errors: Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 192.168.43.253 Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 192.168.43.160 If I in tls.cfg replace ca_path with ca_list, the same client connects without errors.

…

-- Juha

[miconda]

As I said, I added the parameter based on the description of the feature request, but the manual suggested it might not be enough when acting as a tls server, see my first comment above.

Probably works when it acts as a client (when opens the connection).

You can dig further in the libssl docs to see what has to be done for server case and you can update the load_ca_list() function from tls_domain.c.

[juha-h]

Daniel-Constantin Mierla writes:

As I said, I added the parameter based on the description of the feature request, but the manual suggested it might not be enough when acting as a tls server, see my first comment above. Probably works when it acts as a client (when opens the connection).

Yes, it does work as client. I have two kamailios A - B using TLS between them. When A uses ca_path and B uses ca_list, A can connect to B without errors. But when I change also B to use ca_path, I get errors on both. On A: Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS read:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 192.26.134.10 Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 192.168.43.160 On B: Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 192.168.43.160 Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 192.26.134.10

…

-- Juha

[juha-h]

Both as client and as server work after command c_rehash . is executed in ca_path directory. It creates two (why two?) links to each ca certificate file, for example:

$ ls -ls
total 16
0 lrwxrwxrwx 1 jh jh   18 Mar 24 07:58 12d55845.0 -> dst_root_ca_x3.pem
0 lrwxrwxrwx 1 jh jh   18 Mar 24 07:58 2e5ac55d.0 -> dst_root_ca_x3.pem
0 lrwxrwxrwx 1 jh jh   32 Mar 24 07:58 4a0a35c0.0 -> lets-encrypt-x3-cross-signed.pem
0 lrwxrwxrwx 1 jh jh   32 Mar 24 07:58 4f06f81d.0 -> lets-encrypt-x3-cross-signed.pem
0 lrwxrwxrwx 1 jh jh   14 Mar 24 07:58 590d426f.0 -> class3_X0E.crt
0 lrwxrwxrwx 1 jh jh   12 Mar 24 07:58 5ed36f99.0 -> root_X0F.crt
0 lrwxrwxrwx 1 jh jh   12 Mar 24 07:58 99d0fa06.0 -> root_X0F.crt
4 -rw-r--r-- 1 jh jh 2427 Mar 23 16:40 class3_X0E.crt
4 -rw-r--r-- 1 jh jh 1200 Mar 23 16:40 dst_root_ca_x3.pem
0 lrwxrwxrwx 1 jh jh   14 Mar 24 07:58 e5662767.0 -> class3_X0E.crt
4 -rw-r--r-- 1 jh jh 1647 Mar 23 16:40 lets-encrypt-x3-cross-signed.pem
4 -rw-r--r-- 1 jh jh 2464 Mar 23 16:40 root_X0F.crt

Text on page https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html is not very clear about the links:

If CApath is not NULL, it points to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available. If more than one CA certificate with the same name hash value exist, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash utility to create the necessary links.