I even used the openssl command line tool to verify my CA certificate against the?two certificates I created using ?? - openssl verify -CAfile Testing\CA.pem Testing\cert.pem? --------------------------------------------------------------------------------------------- Original Message ----------------------------------------------------------------------------------------- From: Hemsley Bien-aise <impaq_2@xxxxxxxxx> To: "pjsip at lists.pjsip.org" <pjsip at lists.pjsip.org> Cc: Sent: Thursday, May 30, 2013 1:14 PM Subject: TLS/SSL Hello All, I have PJSIP built with the OPENSSL library and?everything seems to be fine, but I am having trouble figuring out the certificate portion. I am testing out the server verify portion flag on. Everything below was done programmatically. 1. I generated a self-signed certificate (CA.pem) using an RSA key (CAkey.pem) 2. I generated a Certificate Signing Request (CSR) with another RSA key (VoipPrivKey.pem) and signed it with the CAkey.pem to become my certificate (cert.pem) 3. I repeated step two twice so App#1 and App#2 both had the same CA.pem file but their respective VoipPrivkey.pem and cert.pem When generating the CSR, ?I call X509_REQ_verify(req, privatekey) and it passes. When I sign the CSR, I call X509_verify(cert, CAkey) and it passes. ? When I make a VOIP call and it tries to verify the server certificate I created. I believe it call X509_verify() from inside internal_verify() and it returns to PJSIP?(X509_V_ERR_CERT_SIGNATURE_FAILURE). Does anyone have experience with this that could help me see what I may be doing wrong? When?verify_server is PJ_FALSE, everything is all dandy. ///////////////////////////////////////////////////////////// //Certificate of Authority Private Key ///////////////////////////////////////////////////////////// #defineCAKEY_FILE "CAkey.pem" ///////////////////////////////////////////////////////////// //Certificate of Authority ///////////////////////////////////////////////////////////// #define CA_FILE CA.pem ///////////////////////////////////////////////////////////// //Certificate ///////////////////////////////////////////////////////////// #define CERTIFICATE_FILE cert.pem ///////////////////////////////////////////////////////////// //Private Key ///////////////////////////////////////////////////////////// #define PRIVKEY_FILE VoipPrivKey.pem udp_cfg.tls_setting.ca_list_file = pj_str(CA_FILE); udp_cfg.tls_setting.cert_file = pj_str(CERTIFICATE_FILE); udp_cfg.tls_setting.privkey_file = pj_str(PRIVKEY_FILE); udp_cfg.tls_setting.verify_client = PJ_FALSE; udp_cfg.tls_setting.verify_server = PJ_TRUE;????????????? _______________________________________________ Visit our blog: http://blog.pjsip.org/ pjsip mailing list pjsip at lists.pjsip.org http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
