Brekeke Forum Index » Brekeke SIP Server Forum

TLS client verification without IP in the name fields
Author Message
John123
Brekeke Newbie


Joined: 03 Jan 2022
Posts: 3

Posted: Mon Jan 03, 2022 9:19 am    Post subject: TLS client verification without IP in the name fields

1. Brekeke Product Name and Version: Brekeke SIP Server, Version 3.9.1.3

2. Java version: 1.8.0_201

3. OS type and the version: Windows 10 Pro, 64bit OS

4. UA (phone), gateway or other hardware/software involved: -

5. Your problem:

First of all, if this problem is not related to Brekeke, I am sorry for taking your time. I am new to both SIP and TLS.

I am trying to use self-signed certificates with both sides verifying each other.

When "Request Client certificate = on", client certificates with "common name = IP" are able to get to the "200 OK" message. However, if the common name of a client signed by the same root is different, I get "alert certificate unknown".

My question is: is this problem related to me not being able to configure Brekeke properly? If so, could you point me in the right direction?

I have read that it is highly recommended not to skip name verification (if it is possible to skip at all). However, I would like to be able to verify certificates through only the signature verification process, without a need for IP or domain information in the certificate subject name fields (CN, SAN).

Thank you for your time.
Tata
Brekeke Master Guru


Joined: 27 Jan 2008
Posts: 223

Posted: Mon Jan 03, 2022 11:19 am

Set [Peer Certification Validation] = "off" in the [Configuration]->[SIP] page.
John123
Brekeke Newbie


Joined: 03 Jan 2022
Posts: 3

Posted: Tue Jan 04, 2022 12:57 am

Thank you for the reply, Tata.

I currently have [Peer Certification Validation] = "off".

My other TLS-related configuration settings on the same page are as follows:

[TLS-handling] = "on"
[Queue Size] = "50"
[Maximum Active Connections] = "0", which is unlimited
[Enable TLS 1.0 or older] = "disable"
[Request Client Certificate] = "on"

Also, on the client side I am using PJSIP through the higher-layer PJSUA API, if that is relevant.
Tata
Brekeke Master Guru


Joined: 27 Jan 2008
Posts: 223

Posted: Tue Jan 04, 2022 2:43 pm

Have you restarted the SIP Server after you changed the configuration?
Do you still have the issue?
John123
Brekeke Newbie


Joined: 03 Jan 2022
Posts: 3

Posted: Wed Jan 05, 2022 3:40 am

Well... It is working now.

I guess I was trying too many "fixes" and missed the case where my base test (CN=IP certificate and CN=non-IP certificate) with [Peer Certification Validation] = "off" would pass, and continued looking elsewhere...

Thank you again, Tata, for the help; much appreciated.
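
The difference raised in the first post, between accepting a client certificate on its signature chain alone and additionally requiring a name in it, shown with the OpenSSL command line as an added example that is not part of the thread and does not reproduce Brekeke's or PJSIP's own validation logic. The names root, other and client-7 and the address 192.0.2.10 are constructed sample values.

```shell
# Added example: chain-only validation versus chain-plus-name validation.
# All certificate names and the address 192.0.2.10 are constructed sample values.

make_ca() {   # make_ca DIR NAME -> DIR/NAME.key and DIR/NAME.pem (self-signed root)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue() {     # issue DIR CA_NAME CERT_NAME CN -> DIR/CERT_NAME.pem signed by CA_NAME
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# Chain-only check: is CERT ($2) signed by the trusted root ($1)? The subject is ignored.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Chain check plus name check: CERT must also carry IP ($3) as an iPAddress SAN.
chain_and_ip_ok() { openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1; }

demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" root && make_ca "$d" other || return 1
  issue "$d" root  client  "client-7" || return 1   # CN is not an IP address
  issue "$d" other foreign "client-7" || return 1   # same CN, but from an untrusted root
  chain_ok "$d/root.pem" "$d/client.pem" &&
    echo "trusted root, chain only  : accepted"
  chain_and_ip_ok "$d/root.pem" "$d/client.pem" 192.0.2.10 ||
    echo "trusted root, IP required : rejected"
  chain_ok "$d/root.pem" "$d/foreign.pem" ||
    echo "other root, chain only    : rejected"
  rm -rf "$d"
}
demo
```

With the name check dropped, every certificate issued by the trusted root is accepted regardless of its CN or SAN, so control over what that root signs is the entire access decision.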
All times are GMT - 7 Hours