[OpenSIPS-Users] TLS call failed

doolin wu doolinwu at gmail.com
Tue Feb 2 08:09:04 CET 2010


Hello,

I'm trying to use the TLS feature of OpenSIPS-1.5-tls. TLS was
configured and the server runs successfully.
I tried to make 2 SIP UAs work with my OpenSIPS-1.5-tls, but all of them
failed.
Here are my settings:
    >Server:
    tls_verify_server = 0
    tls_verify_client = 0
    tls_require_client_certificate = 0
    tls_method = TLSv1
    tls_certificate = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-cert.pem"
    tls_private_key = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-privkey.pem"
    tls_ca_list = "/usr/local/opensips.1.5.tls//etc/opensips/tls/user/user-calist.pem"

    >Client:
    The self-signed rootCA (tls\rootCA\cacert.pem) was imported into the
client successfully.

The first UA is the VoIP client on a NOKIA N97. The client registers to the SIP server with
TLS successfully, but when making a call from the N97 to others I got error code 477
Send failed (477/TM).
I traced opensips; it looks like opensips tried to forward the invite to the
callee, but the TLS socket failed to send the request.
Logs from opensips are here:

Feb  2 07:19:32 [5779] ERROR:core:tcp_send: failed to send
Feb  2 07:19:32 [5779] ERROR:tm:msg_send: tcp_send failed
Feb  2 07:19:32 [5779] ERROR:tm:t_forward_nonack: sending request failed
Feb  2 07:19:32 [5779] DBG:tm:t_relay_to: t_forward_nonack returned error
Feb  2 07:19:32 [5779] DBG:core:parse_headers: flags=ffffffffffffffff
Feb  2 07:19:32 [5779] DBG:core:check_via_address: params 10.57.52.186,
10.57.52.186, 0
Feb  2 07:19:32 [5779] DBG:tm:cleanup_uac_timers: RETR/FR timers reset
Feb  2 07:19:32 [5779] DBG:tm:set_timer: relative timeout is 30
Feb  2 07:19:32 [5779] DBG:tm:insert_timer_unsafe: [0]: 0xb61a180c (92)
Feb  2 07:19:32 [5779] DBG:core:tcp_send: tcp connection found (0xb61d7908),
acquiring fd
Feb  2 07:19:32 [5779] DBG:core:tcp_send: c= 0xb61d7908, n=8
Feb  2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48,
2, fd 41 from 16 (5779)
Feb  2 07:19:32 [5787] DBG:core:tcpconn_add: hashes: 719, 4
Feb  2 07:19:32 [5787] DBG:core:io_watch_add: io_watch_add(0x817bbc0, 41, 2,
0xb61f4b48), fd_no=31
Feb  2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48,
-2, fd -1 from 16 (5779)
Feb  2 07:19:32 [5787] DBG:core:io_watch_del: io_watch_del (0x817bbc0, 41,
-1, 0x10) fd_no=32 called
Feb  2 07:19:32 [5787] DBG:core:tcpconn_destroy: destroying connection
0xb61f4b48, flags 0002
Feb  2 07:19:32 [5787] DBG:core:tls_close: closing SSL connection
Feb  2 07:19:32 [5787] DBG:core:tls_update_fd: New fd is 41
Feb  2 07:19:32 [5787] DBG:core:tls_shutdown: shutdown successful
Feb  2 07:19:32 [5787] DBG:core:tls_tcpconn_clean: entered
Feb  2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61d7908,
1, fd -1 from 16 (5779)
Feb  2 07:19:32 [5779] DBG:core:tcp_send: after receive_fd: c= 0xb61d7908
n=4 fd=34
Feb  2 07:19:32 [5779] DBG:core:tcp_send: sending...
Feb  2 07:19:32 [5779] DBG:core:tls_update_fd: New fd is 34
Feb  2 07:19:32 [5779] DBG:core:tls_write: write was successful (374 bytes)
Feb  2 07:19:32 [5779] DBG:core:tcp_send: after write: c= 0xb61d7908 n=374
fd=34
Feb  2 07:19:32 [5779] DBG:core:tcp_send: buf=


Could someone help to have a look at the problem?



Meanwhile, I use eyebeam 1.5 as a client. Things are worse, as the register
failed.
I traced eyebeam and found that eyebeam failed when verifying the server's
certificate. Here I have something unclear about the use of certificates
between client and server.
To configure and run opensips with TLS (just talking about the self-signed case), we
should create two certificates. One is the self-signed rootCA
(tls\rootCA\cacert.pem), the other is a certificate signed by the rootCA
(tls\user\user-cert.pem). The server holds the rootCA via the tls_ca_list config and
sends the certificate (via the tls_certificate config) to the client during the handshake with
the client.
My question is how to configure the certificate on the client side. In these two cases
(using the N97 and eyebeam), I just imported the rootCA to my client.
Is that the right way to configure the certificate on the client? The N97 seems OK with the rootCA.
But eyebeam failed. The guideline of eyebeam says:

During the TLS handshake, *the TLS server has to send to the client the whole
chain of certificate excepting the root certificate*; the client must possess
the root certificate otherwise the authentication cannot happen.


Any idea how to configure opensips to send 'the whole chain of certificate excepting
the root certificate'?

Thanks for your kind support.
-- 
Steven.W.Doolin
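
A small triage helper for the debug log in this post, added here as an example and not part of the original message or of OpenSIPS: it rejoins the mail-wrapped log lines, parses each record, and groups events by connection pointer so the ERROR records can be read against the connection that was destroyed and the one that was written to. The function names and the record-layout regex are assumptions derived from the lines shown in the post.

```python
import re
from collections import defaultdict

# Excerpt of the log from the post, with the mail-wrapped lines left as posted.
LOG = """\
Feb  2 07:19:32 [5779] ERROR:core:tcp_send: failed to send
Feb  2 07:19:32 [5779] ERROR:tm:msg_send: tcp_send failed
Feb  2 07:19:32 [5779] DBG:core:tcp_send: tcp connection found (0xb61d7908),
acquiring fd
Feb  2 07:19:32 [5787] DBG:core:tcpconn_destroy: destroying connection
0xb61f4b48, flags 0002
Feb  2 07:19:32 [5787] DBG:core:tls_shutdown: shutdown successful
Feb  2 07:19:32 [5779] DBG:core:tcp_send: after receive_fd: c= 0xb61d7908
n=4 fd=34
Feb  2 07:19:32 [5779] DBG:core:tls_write: write was successful (374 bytes)
"""

# Assumed layout: "<date> <time> [pid] LEVEL:module:function: message"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \[(\d+)\] (\w+):(\w+):(\w+): (.*)$")
CONN = re.compile(r"0x[0-9a-f]+")  # connection pointers as printed in the log

def unwrap(text):
    """Rejoin continuation lines that the mail client wrapped."""
    out = []
    for raw in text.splitlines():
        if LINE.match(raw) or not out:
            out.append(raw)
        else:
            out[-1] += " " + raw.strip()
    return out

def parse(text):
    """Return one dict per log record, in log order."""
    keys = ("ts", "pid", "level", "module", "func", "msg")
    return [dict(zip(keys, m.groups())) for m in map(LINE.match, unwrap(text)) if m]

def summarize(records):
    """Return (ERROR records, {connection pointer: [(pid, function), ...]})."""
    errors = [r for r in records if r["level"] == "ERROR"]
    by_conn = defaultdict(list)
    for r in records:
        for ptr in CONN.findall(r["msg"]):
            by_conn[ptr].append((r["pid"], r["func"]))
    return errors, dict(by_conn)

if __name__ == "__main__":
    errs, conns = summarize(parse(LOG))
    for e in errs:
        print("ERROR", e["pid"], e["module"], e["func"], e["msg"])
    for ptr, events in conns.items():
        print(ptr, events)
```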