Hi Didier,
Thank you for the details. Please find the information below and the attached CA
certificates (client and server), and advise me further. The CA password is
test.
I created the certificates as suggested at:
https://rohc-lib.org/wiki/doku.php?id=iprohc-run#create_a_certification_authority_ca
*iprohc_server --help*
IP/ROHC server, version 0.7.1
Usage: iprohc_server [opts]
Options:
-c --conf Path to configuration file
(default: /etc/iprohc_server.conf)
-b --basedev Name of the underlying interface
-d --debug Enable debuging
-h --help Print this help message
*iprohc_client --help*
IP/ROHC client, version 0.7.1
Usage: iprohc_client --remote addr --dev itf_name [opts]
Options :
--remote : Address of the remote server
--port : Port of the remote server
--dev : Name of the TUN interface that will be created
--basedev : Name of the underlying interface
--debug : Enable debuging
--up : Path to a shell script that will be executed when network is up
--p12 : Path to the pkcs12 file containing server CA, client key and client crt
--packing : Override packing
*pkg-config --modversion rohc*
Package rohc was not found in the pkg-config search path.
Perhaps you should add the directory containing `rohc.pc'
to the PKG_CONFIG_PATH environment variable
No package 'rohc' found
*ROHC version is rohc-1.7.0*
*pkg-config --modversion gnutls*
3.3.8
*pkg-config --modversion gnutls*
3.3.8
The issue still persists, as shown below.
Oct 28 10:10:00 iprohc_server[2012]: listen on TCP 0.0.0.0:3126
Oct 28 10:10:00 iprohc_server[2012]: create TUN interface
Oct 28 10:10:00 iprohc_server[2012]: MTU of underlying interface 'eth0' set to 1500 bytes
Oct 28 10:10:00 iprohc_server[2012]: MTU of tunnel interface 'tun_ipip' set to 1458 bytes
Oct 28 10:10:00 iprohc_server[2012]: start TUN routing thread
Oct 28 10:10:00 iprohc_server[2012]: create RAW socket
Oct 28 10:10:00 iprohc_server[2012]: start RAW routing thread
Oct 28 10:10:00 iprohc_server[2012]: server is now ready to accept requests from clients
Oct 28 10:10:00 iprohc_server[2012]: Initializing routing thread
Oct 28 10:10:00 iprohc_server[2012]: Initializing routing thread
Oct 28 10:14:06 iprohc_server[2012]: new connection from 162.243.143.112:59836
Oct 28 10:14:06 iprohc_server[2012]: TLS handshake succeeded
Oct 28 10:14:06 iprohc_server[2012]: certificate cannot be verified (status 66)
Oct 28 10:14:06 iprohc_server[2012]: - Unable to trust certificate issuer
Oct 28 10:14:06 iprohc_server[2012]: new_client returned -3
Thanks,
Kimo
On Tue, Oct 27, 2015 at 11:58 AM, Didier Barvaux <didier@xxxxxxxxxxx> wrote:
> Hi Kimo,
>
>
> > Can you suggest me further? One more difference is that I am testing
> > in between public IP addresses.
>
> Public IP addresses should not be a problem for TLS negotiation.
>
>
> > I followed same steps and displayed the content of pkcs#12. They
> > contained two certificates and one encrypted private key.
>
> Good.
>
>
> > Please provide more details about as you mentioned "If yes, then
> > please ensure that you used the same CA for both client and server".
>
> The Certificate Authority (CA) is the entity that signs both client and
> server certificates. The server allows all clients that send a
> certificate that is signed by the same CA as itself.
>
> The CA is created during the howto:
>
> https://rohc-lib.org/wiki/doku.php?id=iprohc-run#create_a_certification_authority_ca
>
> You should create only one CA, not two. That was the purpose of my
> question.
>
>
> > I have used same password for both server and client and did not use
> > export passwords. Gave every value as same for both client and server
> > except below
>
> That's fine.
>
>
> What are the software versions you use?
> * for IP/ROHC
> $ iprohc_server --version
> $ iprohc_client --version
> * for ROHC library
> $ pkg-config --modversion rohc
> * for GnuTLS
> $ pkg-config --modversion gnutls
> $ pkg-config --modversion nettle
>
> If your CA and client/server certificates do not contain personal
> information (eg. names/emails), please send them. It would help me
> reproduce the problem.
>
> Regards,
> Didier
Attachment:
client1.p12
Description: application/pkcs12
Attachment:
server_voip.p12
Description: application/pkcs12
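
The "same CA for both client and server" condition discussed in this thread can be checked offline on the two PKCS#12 bundles before starting the tunnel. The script below is an added example, not part of the original messages or of the IP/ROHC project; it uses OpenSSL rather than the tooling of the howto, and the function names, the `P12_PASS` variable and the sample bundles are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL; the bundle password is
# read from the environment variable P12_PASS (hypothetical name).

# Print the SHA-256 fingerprint of the first CA certificate in bundle $1.
p12_ca_fpr() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -cacerts -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Succeed only if the end-entity certificate in bundle $1 verifies against the
# CA certificate(s) embedded in bundle $2 (the peer's trust anchor).
p12_leaf_trusted_by() {
    t=$(mktemp -d) || return 2
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys >"$t/leaf" 2>/dev/null
    openssl pkcs12 -in "$2" -passin env:P12_PASS -cacerts -nokeys >"$t/ca" 2>/dev/null
    openssl verify -CAfile "$t/ca" "$t/leaf" >/dev/null 2>&1; rc=$?
    rm -rf "$t"
    return "$rc"
}

# Constructed sample input: write bundle $1.p12 whose certificate is signed by
# the CA kept in $2.pem/$2.key (created on first use). All names are made up.
make_bundle() {
    [ -f "$2.pem" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo CA ${2##*/}" -keyout "$2.key" -out "$2.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=${1##*/}" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 2 -out "$1.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -certfile "$2.pem" \
        -passout env:P12_PASS -out "$1.p12"
}

# Demo: the server and client2 share CA "A"; client1 comes from a second CA "B".
demo() {
    d=$(mktemp -d) || return 2
    export P12_PASS=demo    # constructed password for the sample bundles
    make_bundle "$d/server" "$d/caA"
    make_bundle "$d/client1" "$d/caB"
    make_bundle "$d/client2" "$d/caA"
    for c in client1 client2; do
        if p12_leaf_trusted_by "$d/$c.p12" "$d/server.p12"
        then echo "$c: issuer trusted by server bundle"
        else echo "$c: issuer NOT trusted by server bundle"; fi
    done
    rm -rf "$d"
}
```

For real bundles, export `P12_PASS` and call `p12_leaf_trusted_by client.p12 server.p12`; matching `p12_ca_fpr` output for both files shows they embed the same CA certificate.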