
rohc team mailing list archive

Re: IPROHC certificate cannot be verified


Hi Didier,
Thank you for the details. Please find the information below and the attached CA
certificates (client and server), and suggest further steps. The CA password is
test.

Created the certificates as suggested
https://rohc-lib.org/wiki/doku.php?id=iprohc-run#create_a_certification_authority_ca

*iprohc_server --help*

IP/ROHC server, version 0.7.1

Usage: iprohc_server [opts]

Options:
 -c --conf     Path to configuration file
               (default: /etc/iprohc_server.conf)
 -b --basedev  Name of the underlying interface
 -d --debug    Enable debuging
 -h --help     Print this help message
*iprohc_client --help*

IP/ROHC client, version 0.7.1

Usage: iprohc_client --remote addr --dev itf_name [opts]

Options :
 --remote : Address of the remote server
 --port : Port of the remote server
 --dev : Name of the TUN interface that will be created
 --basedev : Name of the underlying interface
 --debug : Enable debuging
 --up : Path to a shell script that will be executed when network is up
 --p12 : Path to the pkcs12 file containing server CA, client key and
client crt
 --packing : Override packing

*pkg-config --modversion rohc*

Package rohc was not found in the pkg-config search path.
Perhaps you should add the directory containing `rohc.pc'
to the PKG_CONFIG_PATH environment variable
No package 'rohc' found

*ROHC version is rohc-1.7.0*

*pkg-config --modversion gnutls*
3.3.8
*pkg-config --modversion gnutls*
3.3.8

Issue still persists as below.

Oct 28 10:10:00  iprohc_server[2012]: listen on TCP 0.0.0.0:3126
Oct 28 10:10:00  iprohc_server[2012]: create TUN interface
Oct 28 10:10:00  iprohc_server[2012]: MTU of underlying interface 'eth0'
set to 1500 bytes
Oct 28 10:10:00  iprohc_server[2012]: MTU of tunnel interface 'tun_ipip'
set to 1458 bytes
Oct 28 10:10:00  iprohc_server[2012]: start TUN routing thread
Oct 28 10:10:00  iprohc_server[2012]: create RAW socket
Oct 28 10:10:00  iprohc_server[2012]: start RAW routing thread
Oct 28 10:10:00  iprohc_server[2012]: server is now ready to accept
requests from clients
Oct 28 10:10:00  iprohc_server[2012]: Initializing routing thread
Oct 28 10:10:00  iprohc_server[2012]: Initializing routing thread
Oct 28 10:14:06  iprohc_server[2012]: new connection from
162.243.143.112:59836
Oct 28 10:14:06  iprohc_server[2012]: TLS handshake succeeded
Oct 28 10:14:06  iprohc_server[2012]: certificate cannot be verified
(status 66)
Oct 28 10:14:06  iprohc_server[2012]: - Unable to trust certificate issuer
Oct 28 10:14:06  iprohc_server[2012]: new_client returned -3

Thanks,
Kimo

On Tue, Oct 27, 2015 at 11:58 AM, Didier Barvaux <didier@xxxxxxxxxxx> wrote:

> Hi Kimo,
>
>
> > Can you suggest me further? One more difference is that I am testing
> > in between public IP addresses.
>
> Public IP addresses should not be a problem for TLS negotiation.
>
>
> > I followed same steps and displayed the content of pkcs#12. They
> > contained two certificates and one encrypted private key.
>
> Good.
>
>
> > Please provide more details about as you mentioned "If yes, then
> > please ensure that you used the same CA for both client and server".
>
> The Certificate Authority (CA) is the entity that signs both client and
> server certificates. The server allows all clients that send a
> certificate that is signed by the same CA as itself.
>
> The CA is created during the howto:
>
> https://rohc-lib.org/wiki/doku.php?id=iprohc-run#create_a_certification_authority_ca
>
> You should create only one CA, not two. That was the purpose of my
> question.
>
>
> > I have used same password for both server and client and did not use
> > export passwords. Gave every value as same for both client and server
> > except below
>
> That's fine.
>
>
> What are the software versions you use?
> * for IP/ROHC
>   $ iprohc_server --version
>   $ iprohc_client --version
> * for ROHC library
>   $ pkg-config --modversion rohc
> * for GnuTLS
>   $ pkg-config --modversion gnutls
>   $ pkg-config --modversion nettle
>
> If your CA and client/server certificates do not contain personal
> information (e.g. names/emails), please send them. It would help me
> reproduce the problem.
>
> Regards,
> Didier
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~rohc
> Post to     : rohc@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~rohc
> More help   : https://help.launchpad.net/ListHelp
>
>

Attachment: client1.p12
Description: application/pkcs12

Attachment: server_voip.p12
Description: application/pkcs12


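The check Didier describes (both bundles must carry the same CA, and the client certificate must chain to it) can be run against the two PKCS#12 files with openssl before starting iprohc at all. The script below is an added example written for this thread; it is not part of IP/ROHC or the rohc-lib.org howto. It assumes openssl is installed, the password "test" and the bundle names come from the thread, and the demo CA and certificate names are made up. It also builds a second CA to show what the server sees when client and server were issued by different CAs: `openssl verify` fails with "unable to get local issuer certificate", the same condition the server log reports as "Unable to trust certificate issuer".

```shell
#!/bin/sh
# Added example for the IP/ROHC "certificate cannot be verified" thread.
# Not project code. Requires openssl (1.1 or 3.x). The bundle names and the
# password "test" follow the thread; the CA and certificate names are made up.

set -eu

# make_ca DIR NAME: self-signed CA with key DIR/NAME.key and cert DIR/NAME.crt
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.crt" -days 1 -subj "/CN=$2" 2>/dev/null
}

# make_p12 DIR CA NAME PASS: leaf cert NAME signed by CA, bundled with its key
# and the CA cert into DIR/NAME.p12 (the layout iprohc_client --p12 expects:
# two certificates plus one private key)
make_p12() {
    dir="$1"; ca="$2"; name="$3"; pass="$4"
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" \
        -CAcreateserial -out "$dir/$name.crt" -days 1 2>/dev/null
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -certfile "$dir/$ca.crt" -out "$dir/$name.p12" -passout "pass:$pass"
}

# p12_ca_fingerprint P12 PASS: SHA-256 fingerprint of the CA certificate
# carried in the bundle (the non-leaf cert). Two bundles issued by the same
# CA print the same value.
p12_ca_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# p12_client_verifies_against CLIENT_P12 SERVER_P12 PASS: does the client's
# leaf certificate chain to the CA the server bundle trusts? Prints openssl's
# verdict; returns 0 on success, non-zero when the issuer is not trusted.
p12_client_verifies_against() {
    tmp=$(mktemp -d)
    openssl pkcs12 -in "$2" -passin "pass:$3" -nokeys -cacerts -out "$tmp/ca.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$3" -nokeys -clcerts -out "$tmp/client.pem" 2>/dev/null
    rc=0
    openssl verify -CAfile "$tmp/ca.pem" "$tmp/client.pem" || rc=$?
    rm -rf "$tmp"
    return $rc
}

# Demo: one shared CA (what the howto intends) versus two CAs (the failure mode)
demo() {
    work=$(mktemp -d)
    make_ca "$work" rohc-ca
    make_ca "$work" other-ca
    make_p12 "$work" rohc-ca server_voip test
    make_p12 "$work" rohc-ca client1 test     # same CA as the server
    make_p12 "$work" other-ca client2 test    # issued by a second CA
    echo "server CA : $(p12_ca_fingerprint "$work/server_voip.p12" test)"
    echo "client1 CA: $(p12_ca_fingerprint "$work/client1.p12" test)"
    echo "client2 CA: $(p12_ca_fingerprint "$work/client2.p12" test)"
    if p12_client_verifies_against "$work/client1.p12" "$work/server_voip.p12" test; then
        echo "client1: issuer trusted by server"
    fi
    if ! p12_client_verifies_against "$work/client2.p12" "$work/server_voip.p12" test; then
        echo "client2: issuer NOT trusted by server (what the iprohc log shows)"
    fi
    rm -rf "$work"
}

# Run the demo only when executed directly, so the functions can be sourced.
case "${0##*/}" in *.sh) demo ;; esac
```

To check the real bundles from the thread, run `p12_ca_fingerprint client1.p12 test` and `p12_ca_fingerprint server_voip.p12 test`: if the two fingerprints differ, the bundles were issued by two CAs and the server will reject the client exactly as logged. Older PKCS#12 files made with RC2 encryption may need `-legacy` added to the `openssl pkcs12` reads on OpenSSL 3.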