[OpenSIPS-Users] How to TLS ?

Nabeel nabeelshikder at gmail.com
Fri Feb 12 09:03:44 CET 2016


Hi,

That option is only required if you want to enable "Mutual (two-way) client
authentication" and is not normally necessary when using TLS. Most of these
clients don't seem to support two-way authentication. You can have this
option disabled:
modparam("proto_tls","require_cert", "0")

A 477 error, in my experience, is usually a temporary connection error related
to TLS, but not directly related to configuration.

Nabeel
On 12 Feb 2016 6:45 am, "Hamid Hashmi" <hamid2kviii at hotmail.com> wrote:

> Nabeel
>
> I don't know how to present a certificate from the client. I have tried using
> Zoiper (Android - Free), SFLphone (Ubuntu) and CSipSimple (Android) but
> there were no options to set a public key.
>
> Now I am using CA-signed certificates in OpenSIPS with the verify_cert and
> require_cert flags disabled, and I am getting an error of *477 Send failed
> (477/TM)*.
>
> *Hamid R. Hashmi*
> Software Engineer - VoIP
> Vopium A/S
>
>
> ------------------------------
> Date: Tue, 9 Feb 2016 08:48:41 +0000
> From: nabeelshikder at gmail.com
> To: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] How to TLS ?
>
> Hi,
>
> Does the client present a client certificate? If not, then with
> modparam("proto_tls","require_cert", "1"), OpenSIPS misleadingly logs:
> 'failed to accept: rejected by client'.  What it actually means is that
> the client failed to present a certificate.
> On 9 Feb 2016 6:06 am, "Hamid Hashmi" <hamid2kviii at hotmail.com> wrote:
>
> It will be a great help if you please help me in configuring TLS. I have
> followed this <http://www.opensips.org/Documentation/Tutorials-TLS-2-1>
> to configure TLS but was not able to verify certificates.
>
> It's working if I disable the following flags
>
> modparam("proto_tls","verify_cert", "0")
> modparam("proto_tls","require_cert", "0")
>
> BUT not verifying certificates. Please see logs
> <http://pastebin.com/qmXZjSy2> if enabled
>
> modparam("proto_tls","verify_cert", "1")
> modparam("proto_tls","require_cert", "1")
>
> then I have the following ERROR
>
> Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29867]: [udp:keepalive at 192.168.26.181:8000]: Receive request OPTIONS from local server [192.168.26.181]
> Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_accept: New TLS connection from 115.186.93.1:47015 failed to accept: rejected by client
> Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
> Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: [tcp:siplb at 192.168.26.180:6080]: In LOCAL Route sending OPTIONS to 192.168.26.181
> Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:probe_max_sock_buff: using snd buffer of 244 kb
> Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 17
>
> Regards
> *Hamid R. Hashmi*
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
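
The reading of the 'rejected by client' message given in this thread, applied as a log triage step: the script reads the `proto_tls` modparams from a config, counts `tls_accept` failures per source IP, and attaches the thread's interpretation. This is an added example, not code from the thread or from OpenSIPS; the sample config, hostname and IP addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample config and syslog lines in the formats quoted in the thread.
# Hostname and IPs (documentation ranges) are placeholders, not values from the page.
SAMPLE_CFG = '''
#modparam("proto_tls","require_cert", "0")
modparam("proto_tls","verify_cert", "1")
modparam("proto_tls", "require_cert", "1")
'''
SAMPLE_LOG = '''\
Feb  9 05:57:14 siplb SIPLB[29868]: ERROR:proto_tls:tls_accept: New TLS connection from 203.0.113.10:47015 failed to accept: rejected by client
Feb  9 05:57:14 siplb SIPLB[29868]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
Feb  9 05:57:17 siplb SIPLB[29863]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 17
Feb  9 05:58:02 siplb SIPLB[29868]: ERROR:proto_tls:tls_accept: New TLS connection from 203.0.113.10:47102 failed to accept: rejected by client
Feb  9 05:58:40 siplb SIPLB[29869]: ERROR:proto_tls:tls_accept: New TLS connection from 198.51.100.7:40222 failed to accept: rejected by client
'''

MODPARAM = re.compile(r'^\s*modparam\(\s*"proto_tls"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)')
ACCEPT_FAIL = re.compile(r'tls_accept: New TLS connection from (\S+):(\d+) '
                         r'failed to accept: rejected by client')

def proto_tls_params(cfg_text):
    """Return proto_tls modparams found in the config; '#'-commented lines are ignored."""
    params = {}
    for line in cfg_text.splitlines():
        m = MODPARAM.match(line)  # match() anchors at line start, so "#modparam" fails
        if m:
            params[m.group(1)] = m.group(2)  # assumption: the last value seen is used
    return params

def rejected_peers(log_text):
    """Count 'rejected by client' accept failures per source IP."""
    return Counter(m.group(1) for m in ACCEPT_FAIL.finditer(log_text))

def triage(cfg_text, log_text):
    """Pair each failing peer with the reading of the message given in the thread."""
    value = proto_tls_params(cfg_text).get("require_cert")
    if value == "1":
        hint = "require_cert=1: per the thread, the peer presented no client certificate"
    elif value is None:
        hint = "require_cert not set in this file: check the module default"
    else:
        hint = "require_cert=%s: client certificates are not demanded, look elsewhere" % value
    return [(ip, n, hint) for ip, n in rejected_peers(log_text).most_common()]

if __name__ == "__main__":
    for ip, count, hint in triage(SAMPLE_CFG, SAMPLE_LOG):
        print(f"{ip:15} {count:3}  {hint}")
```

A peer that appears repeatedly in the output with `require_cert=1` is a client to check for client-certificate support before changing the server setting.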