Linphone Android: TLS Handshake Error with Self Signed Certificate
I'm trying to use a self-signed certificate to configure TLS in Linphone Android to be able to communicate with a FreeSWITCH SIP server. But the SSL handshake fails with the following errors:
Channel [0x9ec3c000]: SSL handshake failed : X509 - Certificate verification failed, eg CRL, CA or signature check failed
Cannot connect to [TLS://52.3.207.224:5061]
Can anyone please suggest what's the way forward to debug this issue? Or how can we configure a self-signed certificate in Linphone Android?
NOTE: I don't want to disable TLS server certificate verification as suggested below
[sip]
verify_server_certs=0
This is because a self-signed cert cannot be recognized by the third-party CAs that the official linphone app has pre-configured.
linphone uses its own root CA store list, against which the server cert is verified when linphone receives the cert from your SIP server.
If you don't want to disable server cert verification (it's good to avoid man-in-the-middle attacks), and since none of the CAs that linphone has pre-configured can verify your cert, you must create your own CA and add it to linphone's CA list.
You can find the CA list in the linphone android source: res/raw/rootca.pem
Just add your CA to it and recompile.
I'm not familiar with linphone, but I think it is the way to go.
Some useful links:
Creating Your Own SSL Certificate Authority (and Dumping Self Signed Certs)
Using Self-Signed Certs With Android Linphone
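
The approach in the answer above (create your own CA, sign the server certificate with it, append the CA certificate to the client's CA list), as an added example that is not part of the original answers. It assumes the openssl CLI (1.1.0 or later); `sip.example.test` and both CA names are constructed placeholders, and the "stock" CA stands in for the pre-configured list in res/raw/rootca.pem.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes the openssl CLI;
# all names (sip.example.test, the "stock" CA) are constructed placeholders.
set -eu
W=$(mktemp -d)

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:sip.example.test\n' > "$W/srv.ext"

make_ca() {   # $1 = file prefix, $2 = CA common name
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$W/ca.cnf" \
    -subj "/CN=$2" -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}

issue_server_cert() {   # $1 = prefix of the CA that signs the server certificate
  openssl req -new -newkey rsa:2048 -nodes -config "$W/ca.cnf" \
    -subj "/CN=sip.example.test" -keyout "$W/srv.key" -out "$W/srv.csr" 2>/dev/null
  openssl x509 -req -in "$W/srv.csr" -CA "$W/$1.pem" -CAkey "$W/$1.key" \
    -CAcreateserial -days 365 -extfile "$W/srv.ext" -out "$W/srv.pem" 2>/dev/null
}

trusted() {   # $1 = CA bundle, $2 = expected host name; status 0 if the cert verifies
  openssl verify -CAfile "$1" -verify_hostname "$2" "$W/srv.pem" >/dev/null 2>&1
}

make_ca stock "Constructed Stock CA"      # stands in for the pre-configured CA list
make_ca own   "Constructed Private SIP CA"
issue_server_cert own
cp "$W/stock.pem" "$W/rootca.pem"         # the bundle before the change

trusted "$W/rootca.pem" sip.example.test && BEFORE=ok || BEFORE=rejected
cat "$W/own.pem" >> "$W/rootca.pem"       # append only the CA certificate, never own.key
trusted "$W/rootca.pem" sip.example.test && AFTER=ok || AFTER=rejected
trusted "$W/rootca.pem" other.example.test && WRONGHOST=ok || WRONGHOST=rejected
echo "before=$BEFORE after=$AFTER wrong-host=$WRONGHOST"
```
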
There are different solutions to this problem:
If you have shell access to your Linphone server, you can install a proper certificate: either buy one or (which I recommend) use a free one from Let's Encrypt.
If that is not possible, install the self-signed certificate into your Android keystore: download the certificate (if Linphone offers a web GUI, you can download it with Chrome in PEM format by clicking on the lock symbol in the address bar) and put it on your SD card. Then go to Android Settings / Security / Certificate Management / Install from storage and select your file. You will probably have a permanent notification, however, that your network might be monitored.
If you don't want that notification and have root access, follow the previous step and move the newly added file from /data/misc/keychain/cacerts-added/ to /system/etc/security/cacerts/. Then reboot your device and the message should be gone.