New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add ca_path param to tls module #2682
Comments
Good idea. |
- used to provide path to directory with CA files in pem format, to be given as parameter to SSL_CTX_load_verify_locations() - GH #2682
Being Kamailio specific coding, I added the config option and set it value as parameter to SSL_CTX_load_verify_locations() based on the feature request description, but it might not be complete implementation because its manual specifies that the folder content is not send to client via SSL_CTX_set_client_CA_list(): I haven't tested at all, not having a system that I could easily simulate the scenario. If not complete, feel free to add the missing part related, otherwise, if not useful at all, it can be reverted. |
Thanks for your work on ca_path. It is so that currently ca_path can
only be given as tls module config parameter and not in tls config
file. I tried like this:
modparam("tls", "config", "/etc/sip-proxy/tls.cfg")
tls.cfg:
[server:default]
verify_certificate = yes
require_certificate = no
server_name = lohi.tutpro.com
tls_method = TLSv1.1+
private_key = /etc/sip-proxy/certs/key.pem
certificate = /etc/sip-proxy/certs/cert.pem
ca_path = /etc/sip-proxy/certs/ca_list
and got error at start:
Mar 23 11:47:18 lohi /usr/bin/sip-proxy[25175]: ERROR: <core> [core/cfg_parser.c:731]: sr_cfg_parse(): tls.cfg:7:1: Unsupported option 'ca_path'
|
Looks like installation of new version of kamailio had failed and tls
module was not updated. Trying again ...
|
I got latest master properly installed and gave ca_path a try.
I placed four ca certs in directory /etc/sip-proxy/certs/ca_list:
# ls /etc/sip-proxy/certs/ca_list
class3_X0E.crt dst_root_ca_x3.pem lets-encrypt-x3-cross-signed.pem root_X0F.crt
Then I created file ca_list.pem that contained all of them:
# cat /etc/sip-proxy/certs/ca_list/* > /etc/sip-proxy/certs/ca_list.pem
In tls config file I had:
[client:default]
...
ca_list = /etc/sip-proxy/certs/ca_list.pem
[server:default]
...
ca_list = /etc/sip-proxy/certs/ca_list.pem
Result was that kamailio started OK.
Then in tls config file I replaced ca_list with ca_path:
ca_path = /etc/sip-proxy/certs/ca_list
and kamailio failed to start:
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: INFO: tls [tls_domain.c:336]: ksr_tls_fill_missing(): TLSs<default>: ca_path='/etc/sip-proxy/certs/ca_list'
...
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_domain.c:601]: load_ca_list(): TLSs<default>: Error while setting client CA list
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0200100E:system library:fopen:Bad address
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:20074002:BIO routines:file_ctrl:system lib
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: <core> [core/sr_module.c:865]: init_mod_child(): error while initializing module tls (/usr/lib/x86_64-linux-gnu/sip-proxy/modules/tls.so) (idx: 0 rank: -127 desc: [main])
|
The error message seems to be related to failure to open |
Daniel-Constantin Mierla writes:
The error message seems to be related to failure to open `ca_list`
file, not to `ca_path` -- can you check if `ca_list` is still set
somewhere there to an invalid file path?
I checked and config file has only this:
modparam("tls", "config", "/etc/sip-proxy/tls.cfg")
and tls.cfg contains:
# more tls.cfg
[client:default]
verify_certificate = yes
require_certificate = yes
tls_method = TLSv1.2+
private_key = /etc/sip-proxy/certs/key.pem
certificate = /etc/sip-proxy/certs/cert.pem
ca_path = /etc/sip-proxy/certs/ca_list
[server:default]
verify_certificate = yes
require_certificate = no
server_name = lohi.tutpro.com
tls_method = TLSv1.1+
private_key = /etc/sip-proxy/certs/key.pem
certificate = /etc/sip-proxy/certs/cert.pem
ca_path = /etc/sip-proxy/certs/ca_list
There is no trace of ca_list anywhere. Also syslog shows that ca_list
is null:
Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/sip-proxy/certs/cert.pem'
Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'
Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:336]: ksr_tls_fill_missing(): TLSs<default>: ca_path='/etc/sip-proxy/certs/ca_list'
|
I pushed a commit to make that error message print the file name. Try again with latest master and paste here again the new error message to see what's there. |
Daniel-Constantin Mierla writes:
I pushed a commit to make that error message print the file name. Try
again with latest master and paste here again the new error message to
see what's there.
Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_domain.c:604]: load_ca_list(): TLSs<default>: Error while setting client CA list file [/3]
Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0200100E:system library:fopen:Bad address
Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:20074002:BIO routines:file_ctrl:system lib
…-- Juha
|
Daniel-Constantin Mierla writes:
Being Kamailio specific coding, I added the config option and set it
value as parameter to SSL_CTX_load_verify_locations() based on the
feature request description, but it might not be complete
implementation because its manual specify that the folder content is
not send to client via SSL_CTX_set_client_CA_list():
* https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.html
Neither is contents of CAfile sent to client:
In server mode, when requesting a client certificate, the server must
send the list of CAs of which it will accept client certificates. This
list is not influenced by the contents of CAfile or CApath and must
explicitly be set using the SSL_CTX_set_client_CA_list(3) family of
functions.
…-- Juha
|
Pushed a commit to fix the error message. The SSL_CTX_set_client_CA_list() is used with the ca_list file, the error message above is actually when that is done. |
Daniel-Constantin Mierla writes:
Pushed a commit to fix the error message.
Now kamailio starts, but when baresip sip client tries to connect over
TLS, I get these errors:
Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 192.168.43.253
Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 192.168.43.160
If I in tls.cfg replace ca_path with ca_list, the same client connects
without errors.
…-- Juha
|
As I said, I added the parameter based on the description of the feature request, but the manual suggested it might not be enough when acting as a tls server, see my first comment above. Probably works when it acts as a client (when opens the connection). You can dig further in the libssl docs to see what has to be done for server case and you can update the load_ca_list() function from tls_domain.c. |
Daniel-Constantin Mierla writes:
As I said, I added the parameter based on the description of the
feature request, but the manual suggested it might not be enough when
acting as a tls server, see my first comment above.
Probably works when it acts as a client (when opens the connection).
Yes, it does work as client. I have two kamailios A - B using TLS between
them. When A uses ca_path and B uses ca_list, A can connect to B without
errors. But when I change also B to use ca_path, I get errors on both.
On A:
Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS read:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 192.26.134.10
Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 192.168.43.160
On B:
Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 192.168.43.160
Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 192.26.134.10
…-- Juha
|
Both as client and as server work after command
Text on page https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html is not very clear about the links:
|
- used to provide path to directory with CA files in pem format, to be given as parameter to SSL_CTX_load_verify_locations() - GH kamailio#2682
- used to provide path to directory with CA files in pem format, to be given as parameter to SSL_CTX_load_verify_locations() - GH kamailio#2682
Currently tls module has
ca_list
param thatSets the CA list file name. This file contains a list of all the trusted CAs certificates used when connecting to other SIP implementations. If a signature in a certificate chain belongs to one of the listed CAs, the verification of that certificate will succeed.
This issue proposes adding a new tls param
ca_path
. Its value would be a directory that contains any number of CA certificate files thus making it unnecessary to cat these files to a singleca_list
file.Implementation could be based on the same
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath)
OpenSSL API function as now.The text was updated successfully, but these errors were encountered: