[VOIPSEC] minisip TLS connect server cert problem
Christopher A. Martin
chris at InfraVAST.com
Wed Feb 8 20:11:18 CST 2006
Pjothi wrote:
>Sorry about the deluge of emails. I am happy at least to let people
>know that all is not well with minisip-openser tls interconnection,
>at least for a beginner to get it running. So experts can get cautious
>when trying to do it now or in the future.
>
>I thank everyone for their time,
>
>regards,
>Pjothi
>
>
>
>>On 2/8/06, Cesc <cesc.santa at gmail.com> wrote:
>>
>>
>>>I really don't mean to be rude, but you asked the same question over
>>>and over, and no one replies for a reason: probably no one has the time
>>>to figure it out ... at least I don't.
>>>
>>>A suggestion, though. Read the code, find where it fails, try to
>>>understand TLS and how it works ... you may have a conceptual error
>>>... or not (minisip has bugs, as any other piece of software).
>>>
>>>Regards,
>>>
>>>Cesc
>>>
>>>On 2/8/06, Pjothi <pjothi at gmail.com> wrote:
>>>
>>>
>>>>Hello all,
>>>>
>>>>I am trying to connect minisip with OpenSER in TLS mode. I created my own
>>>>rootCA and created certificates for OpenSER signed by rootCA-certificate.
>>>>
>>>>Now, I have the following
>>>>
>>>>rootCA-certificate
>>>>
>>>>the following certificates signed by rootCA-certificate:
>>>>
>>>>server-certificate
>>>>server-ca list
>>>>and also server private key.
>>>>
>>>>I added in the CA database - rootCA-cert.pem and try registering with
>>>>OpenSER, I get the following error:
>>>>___________________________________________________________________
>>>>Registering user user4 at 192.168.0.4 to proxy 192.168.0.4, requesting
>>>>domain 192.168.0.4
>>>>
>>>>SipMessageTransport: sendMessage: creating new socket
>>>>Creating new SSL_CTX
>>>>SSL connect: Protocol Error.
>>>>7875:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:844:
>>>>Could not get server certificate
>>>>SipMessageTransport: sendMessage: exception thrown!
>>>>SipMessageTransport: sendMessage: exception thrown!
>>>>SipMessageTransport: sendMessage: exception thrown!
>>>>____________________________________________________________________
>>>>
>>>>Does this mean the client is not able to get the server certificate,
>>>>or it's not able to verify the server certificate? Because I see both.
>>>>
>>>>How to properly configure the certificate settings in minisip client
>>>>side. I do not need any client authentication to be done, so I don't
>>>>worry about client certificates here.
>>>>
>>>>Any small suggestion/help would go a long way and I am trying with
>>>>this for a very long time. I appreciate all your time and help.
>>>>
>>>>thanks and regards,
>>>>Pjothi
>>>>_______________________________________________
>>>>Minisip-users mailing list
>>>>Minisip-users at minisip.org
>>>>http://lists.minisip.org/mailman/listinfo/minisip-users
>>>>
>>>>
>>>>
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
>
>
Also, in addition to what I sent earlier, you shouldn't use the root CA
cert for the ser server cert, rather it should be imported as a trusted
root cert (into the same area that you find the VeriSign, Thawte, etc.,
certificates), and the server certificate to import should be the signed
certificate created by the root ca (the certificate request that you
signed with the root ca certificate is the one that should be installed
on the ser server).

If you are doing client side certificates then you should generate a
certificate request on behalf of the Microsoft client. Then sign the
request and import newkey.pem (created in the request process, which
contains the private key) on the client and import the signed
certificate into the Microsoft store as well.

All of the latter can be imported by using the browser and selected by
the client.

Let me know if this helps.

Giving the root ca cert up to the server essentially compromises the
root CA that you created, delete it.
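
Added example, not part of the original message or of minisip/OpenSER: a shell sketch of the certificate layout described in this thread, using the openssl command line. The directory layout, file names and subject names are assumptions (192.168.0.4 is the proxy address from the quoted log), and the audit step assumes the material to keep off the server is the root CA's private key.

```shell
#!/bin/sh
# Added example; file names and subject names are assumptions, keys are throwaway.

# make_root DIR CN: create a self-signed root CA (private key + certificate) in DIR.
make_root() {
  mkdir -p "$1" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/rootCA-key.pem" -out "$1/rootCA-cert.pem" 2>/dev/null
}

# issue_server CADIR SRVDIR CN: the server creates its own key and request,
# the CA signs the request. Only the signed certificate goes to the server.
issue_server() {
  mkdir -p "$2" &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2/server-key.pem" -out "$2/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$2/server.csr" -days 30 -CAcreateserial \
    -CA "$1/rootCA-cert.pem" -CAkey "$1/rootCA-key.pem" \
    -out "$2/server-cert.pem" 2>/dev/null
}

# verify_server TRUSTED_ROOTS CERT: the chain check a client makes on connect.
verify_server() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: true only if KEY is the private key behind CERT.
key_matches_cert() {
  kmc_k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  kmc_c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$kmc_k" ] && [ "$kmc_k" = "$kmc_c" ]
}

# audit_server_dir SRVDIR ROOTCERT: fail if any PEM on the server is the root CA key.
audit_server_dir() {
  for f in "$1"/*.pem; do
    if key_matches_cert "$f" "$2"; then echo "root CA key found: $f"; return 1; fi
  done
  return 0
}

# Demo run in a scratch directory.
D=$(mktemp -d)
make_root "$D/ca" "Example Root CA" &&
  issue_server "$D/ca" "$D/server" "192.168.0.4" &&
  verify_server "$D/ca/rootCA-cert.pem" "$D/server/server-cert.pem" &&
  echo "server certificate verifies against the trusted root"
```

A client whose trusted-root list lacks rootCA-cert.pem fails verify_server in the same way as the "certificate verify failed" line in the quoted log.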