TLS Question

Discuss any topic about Brekeke SIP Server.

Moderator: Brekeke Support Team

anodin
Posts: 14
Joined: Mon Jul 09, 2012 1:10 am
Location: PARIS

TLS Question

Post by anodin »

1. Brekeke Product Name and version:
Brekeke SIP Server , Version 3.0.6.3 Evaluation

2. Java version:
1.7.0

3. OS type and the version:
Windows Server 2008 Standard Edition

4. UA (phone), gateway or other hardware/software involved:
OpenSSL

5. Network pattern:
1

6. Your problem:
Hi! I'm trying to configure TLS handling on Brekeke's SIP Server with OpenSSL following this :
http://wiki.brekeke.com/wiki/Key-and-Certificate

I've tried several keys and certificates I've generated with OpenSSL but I've never got "TLS" to be shown at the "Transport" field in the "Server Status"

Anybody succeeded ? What kind of certificate and key are needed : CA, server, user, self-signed ?
lakeview
Posts: 319
Joined: Thu Nov 15, 2007 11:54 am
Location: Florida

Post by lakeview »

Are you using Advanced Edition of Brekeke SIP Server v3?
The TLS handling is available in the Advanced Edition only.
anodin
Posts: 14
Joined: Mon Jul 09, 2012 1:10 am
Location: PARIS

Post by anodin »

Well I'm actually using an evaluation version that, as you said, states that only advanced version handles TLS.

But as I was able to activate TLS, upload certificate /key... I guessed that it was allowed for evaluation :

http://i45.tinypic.com/2uojvr8.png
lakeview
Posts: 319
Joined: Thu Nov 15, 2007 11:54 am
Location: Florida

Post by lakeview »

Did you follow the wiki?
http://wiki.brekeke.com/wiki/Key-and-Certificate

Did you set the server's IP address as the CN (Common Name) when you made the server certificate?

Are you using any CA service?
Harold
Posts: 289
Joined: Sun Sep 21, 2008 10:31 pm
Location: Japan

Post by Harold »

It might help you.
CREATE THE CERTIFICATION AUTHORITY (CA) CERTIFICATE

1) Generate the key for the CA certificate
> openssl genrsa -des3 -out ca.key 2048
- Enter an appropriate pass phrase.

2) Show the key
> openssl rsa -noout -text -in ca.key

3) Compose the CA certificate from the key
> openssl req -new -x509 -days 2555 -key ca.key -out ca.crt
- Enter a certification authority name in [Common Name] (CN) field.
For example: TEST-CA

4) Show the CA certificate
> openssl x509 -noout -text -in ca.crt



CREATE THE SERVER CERTIFICATE


1) Generate the key for the server certificate
> openssl genrsa -out server.key 2048

2) Show the key
> openssl rsa -noout -text -in server.key

3) Compose the server certificate from the key
> openssl req -new -key server.key -out server.csr
- Enter a SIP server's IP address in [Common Name] (CN) field.
For example: 172.16.14.11

4) Sign the server certificate with the CA certificate
> openssl x509 -days 365 -CA ca.crt -CAkey ca.key -req -CAcreateserial -CAserial ca.srl -in server.csr -out server.crt

5) Show the server certificate
> openssl x509 -noout -text -in server.crt

6) Convert to DER file
> openssl x509 -in server.crt -out cert.der -outform der
> openssl pkcs8 -topk8 -nocrypt -in server.key -out server.der -outform der
- cert.der: server's certificate in DER format
- server.der: server's key in DER format



UPLOAD THE DER FILES

Upload DER files "server.der" and "cert.der" in the [Configuration] -> [SIP] page -> [TLS].
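
A pre-upload sanity check for the files produced by the steps above, as an added example that is not part of the original post and is not Brekeke's tooling. It assumes the file names from the post (the key file as server.der, the name the upload step uses); the function names check_tls_material and make_sample are hypothetical.

```shell
#!/bin/sh
# check_tls_material DIR EXPECTED_CN
# Prints "ok" and returns 0, or prints the name of the first failed check.
check_tls_material() {
    d=$1; cn=$2
    # 1. server.crt must verify against ca.crt
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 \
        || { echo "chain"; return 1; }
    # 2. The subject CN must be exactly the address entered in step 3
    subj=$(openssl x509 -in "$d/server.crt" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=$cn"|*"CN=$cn,"*) ;;
        *) echo "cn"; return 1 ;;
    esac
    # 3. cert.der must be the same certificate as server.crt
    a=$(openssl x509 -in "$d/server.crt" -noout -fingerprint -sha256)
    b=$(openssl x509 -inform der -in "$d/cert.der" -noout -fingerprint -sha256 2>/dev/null) \
        || { echo "cert.der"; return 1; }
    [ "$a" = "$b" ] || { echo "cert.der"; return 1; }
    # 4. server.der must parse as an unencrypted DER key ...
    kp=$(openssl pkey -inform der -in "$d/server.der" -pubout 2>/dev/null) \
        || { echo "server.der"; return 1; }
    # ... and its public half must equal the public key inside the certificate
    cp=$(openssl x509 -in "$d/server.crt" -noout -pubkey)
    [ "$kp" = "$cp" ] || { echo "keypair"; return 1; }
    echo "ok"
}

# Constructed throwaway material that mirrors the steps non-interactively
# (-subj replaces the prompts; the sample CA key has no pass phrase).
make_sample() {
    d=$1; cn=$2
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 2555 -key "$d/ca.key" -subj "/CN=TEST-CA" -out "$d/ca.crt"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=$cn" -out "$d/server.csr"
    openssl x509 -days 365 -CA "$d/ca.crt" -CAkey "$d/ca.key" -req -CAcreateserial \
        -CAserial "$d/ca.srl" -in "$d/server.csr" -out "$d/server.crt" 2>/dev/null
    openssl x509 -in "$d/server.crt" -out "$d/cert.der" -outform der
    openssl pkcs8 -topk8 -nocrypt -in "$d/server.key" -out "$d/server.der" -outform der
}
```

Run `check_tls_material . 172.16.14.11` in the directory holding the generated files; a "keypair" result means the uploaded key does not belong to the uploaded certificate.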
anodin
Posts: 14
Joined: Mon Jul 09, 2012 1:10 am
Location: PARIS

Post by anodin »

Thank you both, yeah I had pretty much the same settings but with the hostname instead of the IP.

Harold, I've followed your OpenSSL commands, but I still can't see TLS appear. Maybe the evaluation version doesn't handle TLS after all.

I'm trying the diagnostic commands to see if it is working anyway.
Harold
Posts: 289
Joined: Sun Sep 21, 2008 10:31 pm
Location: Japan

Post by Harold »

Have you restarted the server after you uploaded the DER files?

I could use TLS with the Evaluation of Advanced Edition.
If you configure TLS logs, are there any error messages?
http://wiki.brekeke.com/wiki/Monitoring-and-Diagnostic
anodin
Posts: 14
Joined: Mon Jul 09, 2012 1:10 am
Location: PARIS

Post by anodin »

Well, I had some tricky moves when I uploaded several certs / keys before trying your solution. So I'm reinstalling the server to see what I can get from that.

Glad to know it works under evaluation.

To be very clear, when you uploaded the key & cert and restarted your server, did TLS show up in the transport field?
Harold
Posts: 289
Joined: Sun Sep 21, 2008 10:31 pm
Location: Japan

Post by Harold »

I can see "TLS" in the [transport] field at the [Server Status] page.

If there is no "TLS", there is something wrong.
Are there any error messages in the log?
hope
Posts: 862
Joined: Tue Jan 15, 2008 4:08 pm

Post by hope »

TLS key and cert can be uploaded even with an eval license,
but cannot be used if not in Advanced Edition.
janP
Posts: 336
Joined: Sun Nov 25, 2007 2:55 pm

Post by janP »

There are two types of evaluation versions.
Evaluation and Advanced Edition's Evaluation.

It seems you are using an Evaluation and Harold is using Advanced Edition's Evaluation.

An Evaluation version doesn't have TLS handling function as hope said.

If you want to try Advanced Edition's Evaluation, fill the request form.
http://www.brekeke.com/company/company_ ... ss-adv.php
anodin
Posts: 14
Joined: Mon Jul 09, 2012 1:10 am
Location: PARIS

Post by anodin »

Alright ok, it's clear now. I was confused by the fact that you can select advanced version and download on Brekeke's site.

Anyway, I've asked for an advanced evaluation version.
I had asked for an academic version at the very beginning and never had an answer; I hope it won't be the same this time.
anodin
Posts: 14
Joined: Mon Jul 09, 2012 1:10 am
Location: PARIS

Post by anodin »

Great!!! Just got a license! I'll try it & let you know
Mike
Posts: 733
Joined: Mon Mar 07, 2005 2:25 pm
Location: Sunny San Mateo

Post by Mike »

Hi anodin,

Thank you for using Brekeke SIP Server.
I've asked our licensing team to send an Academic license to you.

Have fun.