problem with TLS' ca_list_file

JC
Joel Centelles
Tue, Jun 3, 2014 2:31 PM

Hi everybody,

Currently I've a TLS connection properly configured and running with a
Kamailio server but, in order to verify my server's identity, I planned to
use tls_setting.ca_list_file option.

I configured it and everything was OK but, the strange behaviour came when,
just for checking that non valid certificates were properly rejected,  I
changed some bytes in cert file and the connection was still established.

I was expecting some kind of certification verification failure. May I be
misunderstanding something?

Thank you very much.

Regards,
Joel.

Hi everybody, Currently I've a TLS connection properly configured and running with a Kamailio server but, in order to verify my server's identity, I planned to use tls_setting.ca_list_file option. I configured it and everything was OK but, the strange behaviour came when, just for checking that non valid certificates were properly rejected, I changed some bytes in cert file and the connection was still established. I was expecting some kind of certification verification failure. May I be misunderstanding something? Thank you very much. Regards, Joel.
BG
Bill Gardner
Tue, Jun 3, 2014 6:29 PM

Did you also set --tls-verify-server option? - Bill

On 6/3/2014 10:31 AM, Joel Centelles wrote:

Hi everybody,

Currently I've a TLS connection properly configured and running with a
Kamailio server but, in order to verify my server's identity, I
planned to use tls_setting.ca_list_file option.

I configured it and everything was OK but, the strange behaviour came
when, just for checking that non valid certificates were properly
rejected,  I changed some bytes in cert file and the connection was
still established.

I was expecting some kind of certification verification failure. May I
be misunderstanding something?

Thank you very much.

Regards,
Joel.


Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@lists.pjsip.org
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org

Did you also set --tls-verify-server option? - Bill On 6/3/2014 10:31 AM, Joel Centelles wrote: > Hi everybody, > > Currently I've a TLS connection properly configured and running with a > Kamailio server but, in order to verify my server's identity, I > planned to use tls_setting.ca_list_file option. > > I configured it and everything was OK but, the strange behaviour came > when, just for checking that non valid certificates were properly > rejected, I changed some bytes in cert file and the connection was > still established. > > I was expecting some kind of certification verification failure. May I > be misunderstanding something? > > Thank you very much. > > Regards, > Joel. > > > _______________________________________________ > Visit our blog: http://blog.pjsip.org > > pjsip mailing list > pjsip@lists.pjsip.org > http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
JC
Joel Centelles
Thu, Jun 5, 2014 11:35 AM

Hi Bill,

thank for the answer and you're are right, I noticed, just after sending
the this mail, that the problem was that I missed enabling verify_server
flag.

Now certification verification is working properly.

Once again, thank you very much.

Best,
Joel.

2014-06-03 20:29 GMT+02:00 Bill Gardner billg@wavearts.com:

Did you also set --tls-verify-server option? - Bill

On 6/3/2014 10:31 AM, Joel Centelles wrote:

Hi everybody,

Currently I've a TLS connection properly configured and running with a
Kamailio server but, in order to verify my server's identity, I planned to
use tls_setting.ca_list_file option.

I configured it and everything was OK but, the strange behaviour came
when, just for checking that non valid certificates were properly
rejected,  I changed some bytes in cert file and the connection was still
established.

I was expecting some kind of certification verification failure. May I
be misunderstanding something?

Thank you very much.

Regards,
Joel.


Visit our blog: http://blog.pjsip.org

pjsip mailing listpjsip@lists.pjsip.orghttp://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org


Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@lists.pjsip.org
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org

Hi Bill, thank for the answer and you're are right, I noticed, just after sending the this mail, that the problem was that I missed enabling verify_server flag. Now certification verification is working properly. Once again, thank you very much. Best, Joel. 2014-06-03 20:29 GMT+02:00 Bill Gardner <billg@wavearts.com>: > Did you also set --tls-verify-server option? - Bill > > > On 6/3/2014 10:31 AM, Joel Centelles wrote: > > Hi everybody, > > Currently I've a TLS connection properly configured and running with a > Kamailio server but, in order to verify my server's identity, I planned to > use tls_setting.ca_list_file option. > > I configured it and everything was OK but, the strange behaviour came > when, just for checking that non valid certificates were properly > rejected, I changed some bytes in cert file and the connection was still > established. > > I was expecting some kind of certification verification failure. May I > be misunderstanding something? > > Thank you very much. > > Regards, > Joel. > > > _______________________________________________ > Visit our blog: http://blog.pjsip.org > > pjsip mailing listpjsip@lists.pjsip.orghttp://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org > > > > _______________________________________________ > Visit our blog: http://blog.pjsip.org > > pjsip mailing list > pjsip@lists.pjsip.org > http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org > >