Howto:Debugging SRTP/SIPS connections: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
What to do if no connection via SIP / TLS come about? | What to do if no connection via SIP/TLS come about? | ||
Error message in the trace: | Error message in the trace: | ||
| Line 5: | Line 5: | ||
Remote server certificate mismatch: IP0010-2b-00-a3 (194.204.29.9) | Remote server certificate mismatch: IP0010-2b-00-a3 (194.204.29.9) | ||
If the above error message can be found in the trace, the TLS | If the above error message can be found in the trace, the TLS layer of the client has already accepted the Server-Zertifikat. | ||
Here it is the SIP | Here it is the SIP stack that does not agree with the server certificate. | ||
The SIP stack opens a connection towards "194.204.29.9" and received certificate "IP0010-2b-00-a3" from the server. | The SIP stack opens a connection towards "194.204.29.9" and received certificate "IP0010-2b-00-a3" from the server. | ||
The mismatch irritates the SIP stack. | The mismatch irritates the SIP stack. | ||
It would also irritate a web browser | It would also irritate a web browser, if you're trying to connect with "banking.postbank.de" and the connected server presents a certificate for "blabla.nonsense.de". | ||
Even if the TLS layer has accepted certificate "blabla.nonsense.de" since it is an officially signed certificate. | Even if the TLS layer has accepted certificate "blabla.nonsense.de" since it is an officially signed certificate. | ||
The web browser won't accept. | The web browser won't accept. | ||
Certificate and connection destination must match | Certificate and connection destination must match! | ||
Either you update the server certificate and add "194.204.29.9" as alternative name or | Either you update the server certificate and add "194.204.29.9" as alternative name or | ||
Revision as of 12:30, 19 November 2012
What to do if no connection via SIP/TLS come about?
Error message in the trace:
Remote server certificate mismatch: IP0010-2b-00-a3 (194.204.29.9)
If the above error message can be found in the trace, the TLS layer of the client has already accepted the Server-Zertifikat. Here it is the SIP stack that does not agree with the server certificate. The SIP stack opens a connection towards "194.204.29.9" and received certificate "IP0010-2b-00-a3" from the server. The mismatch irritates the SIP stack.
It would also irritate a web browser, if you're trying to connect with "banking.postbank.de" and the connected server presents a certificate for "blabla.nonsense.de". Even if the TLS layer has accepted certificate "blabla.nonsense.de" since it is an officially signed certificate. The web browser won't accept.
Certificate and connection destination must match!
Either you update the server certificate and add "194.204.29.9" as alternative name or you make the client open the connection towards "IP0010-2b-00-a3". In the seconds case you must make the client resolve "IP0010-2b-00-a3" into an ip address. You can add a local DNS entry for "IP0010-2b-00-a3" on the client box (Services/DNS/Hosts).