hw
2019-Jul-05 20:02 UTC
[asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?
On 7/5/19 9:32 PM, John Runyon wrote:
> On Fri, 5 Jul 2019 at 14:28, hw <hw at gc-24.de> wrote:
>
>     I thought about that and checked the configuration I've been using to
>     create the certificate, and I can't see anywhere that it would expire
>     earlier than after 3650 days. Is there another way to check this?
>
> openssl verify -CAfile ca.crt server.crt

openssl verify -CAfile ca.pem asterisk.pem
asterisk.pem: OK

When I set tlsdontverifyserver=yes, it works (i.e. asterisk registers to the SIP provider and there is no error message). Otherwise I'm getting the error message and asterisk does not register.

Reading the comments in sip.conf.sample, I would assume that asterisk can not verify the certificate of the SIP provider. Yet

openssl s_client -connect secure.sip.easybell.de:5061

seems to verify the certificate just fine.

Previous tests seemed to show that asterisk is trying to verify its own certificate instead, or as well. What exactly is asterisk trying to verify, and what fails the verification?

Suspicious is this:

[Jul 5 12:48:00] NOTICE[7015]: chan_sip.c:30416 sip_poke_noanswer: Peer 'aaa' is now UNREACHABLE!  Last qualify: 55
  == TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled
  == TLS/SSL certificate ok
[Jul 5 12:48:08] ERROR[1482]: tcptls.c:173 handle_tcptls_connection: Certificate did not verify: unable to get local issuer certificate

That's the point at which the certificate suddenly stopped working after the SIP provider became unreachable. Why?
Michael Maier
2019-Jul-06 08:40 UTC
[asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?
On 05.07.19 at 22:02 hw wrote:
>
> openssl verify -CAfile ca.pem asterisk.pem
> asterisk.pem: OK
>
> When I set tlsdontverifyserver=yes, it works (i.e. asterisk registers
> to the SIP provider and there is no error message). Otherwise I'm
> getting the error message and asterisk does not register.
>
> Reading the comments in sip.conf.sample, I would assume that asterisk
> can not verify the certificate of the SIP provider. Yet
>
> openssl s_client -connect secure.sip.easybell.de:5061

You know that you don't need an own certificate to connect via TLS to the ISP?

To be able to verify the certificate of the ISP, asterisk has to know the local CA database. For CentOS 7, this is /etc/pki/tls/certs/ca-bundle.crt.

Regards
Michael
hwilmer
2019-Jul-06 10:16 UTC
[asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?
On 7/6/19 10:40 AM, Michael Maier wrote:
> On 05.07.19 at 22:02 hw wrote:
>>
>> openssl verify -CAfile ca.pem asterisk.pem
>> asterisk.pem: OK
>>
>> When I set tlsdontverifyserver=yes, it works (i.e. asterisk registers
>> to the SIP provider and there is no error message). Otherwise I'm
>> getting the error message and asterisk does not register.
>>
>> Reading the comments in sip.conf.sample, I would assume that asterisk
>> can not verify the certificate of the SIP provider. Yet
>>
>> openssl s_client -connect secure.sip.easybell.de:5061
>
> You know that you don't need an own certificate to connect via TLS to the ISP?

No, I didn't know that. However, there are local clients connecting to asterisk using encryption, so I suppose my own certificate is required.

> To be able to verify the certificate of the ISP, asterisk has to know the local CA database. For CentOS 7, this is /etc/pki/tls/certs/ca-bundle.crt.

How did you know I'm doing this on CentOS? :)

Setting 'tlscapath' to /etc/pki or to /etc/pki/ca-trust/source/ didn't seem to make a difference, so I figured that this might be figured out automatically since 'openssl s_client ...' apparently does figure it out automatically. There is much figuring involved for the wanting of clear documentation ...

Now I've set 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' on the asterisk at work, but that one didn't have issues with certificates after I made a new one. I'll try the same at home when I get back to see if it makes a difference.

Is 'tlscafile' the correct option for this?
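The two replies above turn on one distinction: a CA bundle file (what tlscafile= takes) versus a CA directory (what tlscapath= takes), and why pointing tlscapath at /etc/pki or /etc/pki/ca-trust/source/ changes nothing. The script below is an added example, not code from anyone in the thread. It builds a throw-away PKI with the openssl CLI and reproduces, offline, the exact "unable to get local issuer certificate" failure from hw's log when the trust store lacks the issuer, shows that a directory of plain PEM files is useless as a CApath until it is hashed, and adds an expiry check that answers hw's earlier "is there another way to check this?" without reading the signing config. The CA and host names (demo-ca, demo-other, sip.example.invalid) are constructed for the demo; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: a throw-away PKI used to show
# (1) verification against a bundle file (tlscafile=) versus a hashed CA
# directory (tlscapath=), (2) the "unable to get local issuer certificate"
# error from the log when the issuer is missing from the store, and
# (3) an expiry check. All names below are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA, a server cert it signs, and an unrelated CA that
# stands in for a trust store which does not contain the real issuer.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  for name in ca other; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/$name.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sip.example.invalid" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 825 \
    -out "$WORK/server.pem" 2>/dev/null
}

# Classify an "openssl verify" run: OK, NO_ISSUER (the error seen in the
# thread's Asterisk log) or FAIL for anything else. $@ = verify arguments.
classify_verify() {
  if out=$(openssl verify "$@" 2>&1); then
    echo OK
    return 0
  fi
  case "$out" in
    *"unable to get local issuer certificate"*) echo NO_ISSUER ;;
    *) echo FAIL ;;
  esac
}

# Verify against a bundle file, which is what tlscafile= points at.
verify_with_file() { classify_verify -CAfile "$1" "$2"; }

# Verify against a directory, which is what tlscapath= points at. OpenSSL
# only finds a CA in a directory through a <subject-hash>.N filename, so a
# directory of plain PEM files does nothing until it is hashed.
verify_with_dir() { classify_verify -CApath "$1" "$2"; }

# Create the <hash>.0 links that make a PEM directory usable as a CApath
# (the job c_rehash / "openssl rehash" do on a real system).
rehash_dir() {
  for f in "$1"/*.pem; do
    h=$(openssl x509 -hash -noout -in "$f")
    ln -sf "$(basename "$f")" "$1/$h.0"
  done
}

# Expiry check that does not depend on the signing config: "yes" if the
# certificate is still valid right now.
not_expired() {
  if openssl x509 -checkend 0 -noout -in "$1" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

make_pki
echo "bundle contains issuer:  $(verify_with_file "$WORK/ca.pem" "$WORK/server.pem")"
echo "bundle lacks issuer:     $(verify_with_file "$WORK/other.pem" "$WORK/server.pem")"
mkdir -p "$WORK/capath" && cp "$WORK/ca.pem" "$WORK/capath/"
echo "dir before rehash:       $(verify_with_dir "$WORK/capath" "$WORK/server.pem")"
rehash_dir "$WORK/capath"
echo "dir after rehash:        $(verify_with_dir "$WORK/capath" "$WORK/server.pem")"
echo "server cert not expired: $(not_expired "$WORK/server.pem")"
```

The first two lines of output are the thread's situation in miniature: the same server certificate is OK against a store that holds its issuer and fails with "unable to get local issuer certificate" against one that does not. The CApath lines explain the tlscapath experiments: Asterisk passes tlscafile and tlscapath to OpenSSL's verify-location loader, so the directory form needs hash-named entries just as openssl verify -CApath does, which is why a bundle file such as /etc/pki/tls/certs/ca-bundle.crt in tlscafile= is the simpler choice. Running the same openssl verify -CAfile <bundle> <provider-chain.pem> against a chain saved from openssl s_client is a quick way to confirm the bundle is the right one before touching sip.conf.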