linphone-users

[Linphone-users] LinPhone, Mac OS X and TLS


From: Mark Fawcett
Subject: [Linphone-users] LinPhone, Mac OS X and TLS
Date: Fri, 8 Jun 2012 17:37:00 +0100

Dear mailing lists,

I'm setting up a system to provide SIPS/SRTP connectivity between various SIP 
endpoints and an asterisk 1.8 platform. I've been looking at LinPhone due to 
its cross-platform support and on most systems it's worked like a charm. 
However, I'm having some difficulties in working TLS mode on Mac OS X 10.6.8 
with LinPhone 3.5.2 (SRTP and normal SIP works fine).

I've created both a self-signed server cert and also one signed using a Thawte 
evaluation intermediate / root. The server certs reside on asterisk and work 
with LinPhone on Windows etc. and with other sip endpoints on Windows and Mac.

I've imported the Thawte intermediate & root certs into Mac OS X's KeyChain 
Assistant and it seems happy with them (I've told it to trust the certs for all 
cases).

If I connect to asterisk's TLS port using Safari I see a successful TLSv1 
exchange (to the point at which encrypted app traffic flows - naturally asterisk 
doesn't know about http so it gets no further).

When running LinPhone I see an unsuccessful TLSv1 trace as follows (from 
w/shark):

From asterisk
43      17:23:44.021735 192.168.0.202   5061    192.168.0.212   61579   TLSv1   
1260    Server Hello, Certificate, Server Hello Done

Response from Mac
45      17:23:44.022089 192.168.0.212   61579   192.168.0.202   5061    TLSv1   
75      Alert (Level: Fatal, Description: Unknown CA)

So something's not happy on the Mac side.


If I run an openssl s_client test, I get the following:

bash-3.2# openssl s_client -connect 192.168.0.202:5061
CONNECTED(00000003)
depth=0 /C=GB/ST=Northamptonshire/L=Northampton/O=noakesltd/OU=noakesltd/OU=For 
Test Purposes Only.  No assurances./CN=noakesltd.co.uk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=GB/ST=Northamptonshire/L=Northampton/O=noakesltd/OU=noakesltd/OU=For 
Test Purposes Only.  No assurances./CN=noakesltd.co.uk
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=GB/ST=Northamptonshire/L=Northampton/O=noakesltd/OU=noakesltd/OU=For 
Test Purposes Only.  No assurances./CN=noakesltd.co.uk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=GB/ST=Northamptonshire/L=Northampton/O=noakesltd/OU=noakesltd/OU=For 
Test Purposes Only.  No assurances./CN=noakesltd.co.uk
   i:/C=US/O=Thawte, Inc./OU=Certification Services Division/OU=For Test 
Purposes Only.  No assurances./CN=Thawte Trial Secure Server CA
---
Server certificate
subject=/C=GB/ST=Northamptonshire/L=Northampton/O=noakesltd/OU=noakesltd/OU=For 
Test Purposes Only.  No assurances./CN=noakesltd.co.uk
issuer=/C=US/O=Thawte, Inc./OU=Certification Services Division/OU=For Test 
Purposes Only.  No assurances./CN=Thawte Trial Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1279 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: C8F05E0ABF79055B60C826866F3170A8F76B5332A2E78AC4BFACFA408C882F6E
    Session-ID-ctx: 
    Master-Key: 
A4E02BE74CAAAD951CF3090B889164E178266462514A2C268A8BEF13632F66B89637E3B5AB1525F7C8EBAB3F3286B4B0
    Key-Arg   : None
    Start Time: 1339173103
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---



I've tried manually adding the server cert, intermediate cert and CA root cert 
using c_rehash (it seems happy with them) into /System/Library/OpenSSL/certs, 
also to no avail. I'm starting to run out of ideas.



Does anybody have any thoughts / hints / views on what I need to do to get TLS 
working on the Mac?

Many thanks

Mark
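
An added example, not part of the original post and not Linphone or OpenSSL code: it parses `openssl s_client` output of the kind quoted above and reports, from the chain the server actually sent, which issuer the client failed to find. The function names are hypothetical and the sample input is abridged from the post's output (DNs shortened, mail line-wrapping undone).

```python
import re

# Added example, hypothetical names; SAMPLE abridged from the post (DNs shortened).
SAMPLE = """\
depth=0 /C=GB/O=noakesltd/CN=noakesltd.co.uk
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/C=GB/O=noakesltd/CN=noakesltd.co.uk
   i:/C=US/O=Thawte, Inc./CN=Thawte Trial Secure Server CA
---
"""

def parse_s_client(text):
    """Return (chain, errors): chain = [(subject, issuer)], errors = [(depth, num)]."""
    chain, errors, depth, in_chain = [], [], None, False
    for line in text.splitlines():
        if m := re.match(r"depth=(\d+)", line):
            depth = int(m.group(1))
        elif m := re.match(r"verify error:num=(\d+):", line):
            errors.append((depth, int(m.group(1))))
        elif line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---"):
            in_chain = False
        elif in_chain and (m := re.match(r"\s*\d+ s:(.*)", line)):
            chain.append((m.group(1).strip(), None))
        elif in_chain and chain and (m := re.match(r"\s+i:(.*)", line)):
            chain[-1] = (chain[-1][0], m.group(1).strip())
    return chain, errors

def diagnose(chain, errors):
    """Explain a failed verification in terms of what the server actually sent."""
    if not errors:
        return "verified"
    if not chain:
        return "no certificate chain in output"
    for (_, issuer), (subject, _) in zip(chain, chain[1:]):  # each cert must be issued by the next one sent
        if issuer != subject:
            return f"broken chain: nothing sent matches issuer {issuer}"
    top_subject, top_issuer = chain[-1]
    if top_subject == top_issuer:  # codes 18/19: self-signed cert not in the trust store
        return f"untrusted self-signed certificate: {top_subject}"
    if any(num == 20 for _, num in errors):  # unable to get local issuer certificate
        return f"{len(chain)} certificate(s) sent; issuer missing locally: {top_issuer}"
    return f"failed with codes {sorted({num for _, num in errors})}"

print(diagnose(*parse_s_client(SAMPLE)))
```

A result of one certificate sent with a non-self-signed top means the peer did not include its intermediate in the handshake, so the verifying client needs that issuer in the trust store it actually consults.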



