[OpenSIPS-Users] OCS Opensisp certificate issues using TLS

gianluca moretti gianluca.moretti at hotmail.it
Tue Jan 20 16:34:11 CET 2009


We have reproduced the problem. The issue appears when OpenSIPS, as client, sends the certificate to the EDGE (server); we have to avoid this client certificate invocation.
 
Best regards
Gianluca

> Date: Tue, 20 Jan 2009 17:21:43 +0200
> From: bogdan at voice-system.ro
> To: gianluca.moretti at hotmail.it
> CC: users at lists.opensips.org; devel at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] OCS Opensisp certificate issues using TLS
>
> Probably we should try to get more info about the error at runtime. Let
> me do some checks to see how we can squeeze more info about the error and
> to print it.
>
> Regards,
> Bogdan
>
> gianluca moretti wrote:
> > Bogdan, the error is ok, how can I solve the problem?
> > The update to this issue is that the client sends its certificate to
> > the server and this causes the problem.
> >
> > Ciao
> >
> > Best regards
> >
> > > Date: Tue, 20 Jan 2009 15:04:48 +0200
> > > From: bogdan at voice-system.ro
> > > To: gianluca.moretti at hotmail.it
> > > CC: users at lists.opensips.org; devel at lists.opensips.org
> > > Subject: Re: [OpenSIPS-Users] OCS Opensisp certificate issues using TLS
> > >
> > > Hi Gianluca,
> > >
> > > You get this:
> > >
> > > Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
> > >
> > > 5 is SSL_ERROR_SYSCALL.
> > > See:
> > > http://openssl.org/docs/ssl/SSL_get_error.html
> > >
> > > Regards,
> > > Bogdan
> > >
> > > gianluca moretti wrote:
> > > > We are trying to integrate OCS 2007 and OpenSIPS using TLS
> > > >
> > > > SCENARIO:
> > > >
> > > > [wesip] Sending register to OCS
> > > > Seas ------------------------------------> EDGE --> OCS
> > > > [Opensips]
> > > >
> > > >
> > > > Issue: OpenSIPS cannot connect to the EDGE server; in detail,
> > > > OpenSIPS always sends the certificate to the client.
> > > > Any idea how to stop OpenSIPS from always sending the certificate?
> > > > EDGE: CertVerifyCertificateChainPolicy returned a failure in
> > > > CERT_CHAIN_POLICY_STATUS
> > > > OPENSIPS:
> > > > Jan 17 16:06:12 [30303] DBG:core:tls_dump_cert_info: tls_connect: local (client) certificate issuer: /CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
> > > > Jan 17 16:06:12 [30303] DBG:core:tls_write: write was successful (791 bytes)
> > > > Jan 17 16:06:12 [30303] DBG:core:tcp_send: after write: c= 0xb612fcf8 n=791 fd=23
> > > > Jan 17 16:06:12 [30303] DBG:core:tcp_send: buf=
> > > > REGISTER sip:hmcint.local:5060;transport=tcp SIP/2.0
> > > > Via: SIP/2.0/TLS 192.168.5.59:5061;branch=z9hG4bKd863.89657825.0;i=2
> > > > Via: SIP/2.0/TCP 192.168.5.59;branch=z9hG4bKd863.79657825.0
> > > > To: sip:max.ambrogi at hmcint.local;transport=tcp
> > > > From: sip:max.ambrogi at hmcint.local;transport=tcp;tag=BB479256370FF64C226AA6220F2364DD
> > > > CSeq: 1 REGISTER
> > > > Call-ID: 24D8315A8EBB948A4DD4F1A3518E4029 at 192.168.5.59
> > > > Content-Length: 0
> > > > Max-Forwards: 70
> > > > Contact: <sip:192.168.5.59:5060;transport=tcp;AppId=.sip2msipGW>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER";proxy=replace;+sip.instance="<urn:uuid:787C69C1-2A21-441f-B792-A908ABFF5010>"
> > > > Supported: gruu-10,adhoclist,msrtc-event-categories,ms-forking
> > > > ms-keep-alive: UAC;hop-hop=yes
> > > > Event: registration
> > > > X-WeSIP-SPIRAL: true
> > > >
> > > > Jan 17 16:06:12 [30303] DBG:tm:set_timer: relative timeout is 30
> > > > Jan 17 16:06:12 [30303] DBG:tm:insert_timer_unsafe: [0]: 0xb610d020 (300)
> > > > Jan 17 16:06:12 [30303] DBG:tm:t_relay_to: new transaction fwd'ed
> > > > Jan 17 16:06:12 [30303] DBG:tm:t_unref: UNREF_UNSAFE: after is 0
> > > > Jan 17 16:06:12 [30303] DBG:core:destroy_avp_list: destroying list (nil)
> > > > Jan 17 16:06:12 [30303] DBG:core:receive_msg: cleaning up
> > > > Jan 17 16:06:12 [30304] DBG:core:tls_update_fd: New fd is 23
> > > > Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
> > > > Jan 17 16:06:12 [30304] ERROR:core:tcp_read_req: failed to read
> > > > Jan 17 16:06:12 [30304] DBG:core:io_watch_del: io_watch_del (0x8164160, 23, -1, 0x10) fd_no=2 called
> > > > Jan 17 16:06:12 [30304] DBG:core:release_tcpconn: releasing con 0xb612fcf8, state -2, fd=23, id=9
> > > > Jan 17 16:06:12 [30304] DBG:core:release_tcpconn: extra_data 0xb613fe10
> > > > Jan 17 16:06:12 [30311] DBG:core:handle_tcp_child: reader response= b612fcf8, -2 from 1
> > > > Jan 17 16:06:12 [30311] DBG:core:tcpconn_destroy: destroying connection 0xb612fcf8, flags 0002
> > > > Jan 17 16:06:12 [30311] DBG:core:tls_close: closing SSL connection
> > > >
> > > >
> > > > The opensips.cfg is configured as follows:
> > > > disable_tls = no
> > > > listen = tls:##OPENSIPSIP##:5061
> > > > tls_verify_server = 0
> > > > tls_verify_client = 0
> > > > tls_require_client_certificate = 0
> > > > tls_method = TLSv1
> > > > tls_ca_list = "/product/opensips//etc/opensips/tls/dario/dario-calist.pem"
> > > > tls_certificate = "/product/opensips//etc/opensips/tls/user/user-cert.pem"
> > > > tls_private_key = "/product/opensips//etc/opensips/tls/user/user-privkey.pem"
> > > > tls_ciphers_list="RC4-MD5"
> > > >
> > > > route{
> > > >
> > > > if(is_present_hf("X-WeSIP-SPIRAL")){
> > > > log("\nSPIRAL!!!\n");
> > > > t_relay("tls:EDGEIP:5061");
> > > > exit;}
> > > > (on WESIP SPIRAL is equal to TRUE)
> > > >
> > > > OPENSIPSIP is the CLIENT and EDGEIP is the SERVER
> > > >
> > > >
> > > > Using OpenSSL the connection is OK
> > > > openssl s_client -connect EDGEIP:5061 -ssl2 -CAfile /product/opensips_dev/etc/opensips/tls/user/user-calist.pem -cipher RC4-MD5
> > > >
> > > > New, TLSv1/SSLv3, Cipher is RC4-MD5
> > > > Server public key is 1024 bit
> > > > SSL-Session:
> > > > Protocol : TLSv1
> > > > Cipher : RC4-MD5
> > > > Session-ID: E708000007E4CC591AA8982939C17298FBEDF72E749C010EFFC39FBEB2D143A6
> > > > Session-ID-ctx:
> > > > Master-Key: 5835CA1877799D4B507AA31DB8DEA5F11D27DD077FE43F52DC9606ABF296AF6043402938E384FFF7B1485DC77D4D13D7
> > > > Key-Arg : None
> > > > Krb5 Principal: None
> > > > Start Time: 1232205185
> > > > Timeout : 7200 (sec)
> > > > Verify return code: 0 (ok)
> > > >
> > > > Regards
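
Added example (not part of the original thread and not OpenSIPS code): a small Python triage of the debug log quoted above. It decodes the `_tls_read` code with the `SSL_get_error()` constants and links the failure to the connection the REGISTER was written on and to the client certificate logged before it. The function name `triage` and the finding fields are assumptions of this example.

```python
import re

# SSL_get_error() return codes as defined in OpenSSL's <openssl/ssl.h>.
SSL_ERRORS = {
    0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
    7: "SSL_ERROR_WANT_CONNECT", 8: "SSL_ERROR_WANT_ACCEPT",
}
# "<Mon DD HH:MM:SS> [pid] LEVEL:module:function: message"
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \[(\d+)\] \w+:\w+:(\w+): (.*)$")

# Log lines from the post above, unwrapped (sample input for this example).
SAMPLE_LOG = """\
Jan 17 16:06:12 [30303] DBG:core:tls_dump_cert_info: tls_connect: local (client) certificate issuer: /CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
Jan 17 16:06:12 [30303] DBG:core:tcp_send: after write: c= 0xb612fcf8 n=791 fd=23
Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
Jan 17 16:06:12 [30304] DBG:core:release_tcpconn: releasing con 0xb612fcf8, state -2, fd=23, id=9
"""

def triage(log_text):
    """One finding per TLS read failure: decoded code, released connection,
    and whether a client certificate and a write preceded it."""
    findings, pending = [], {}      # pending: pid -> finding awaiting release
    issuer = last_sent = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, fn, msg = m.groups()
        if fn == "tls_dump_cert_info" and "(client) certificate issuer:" in msg:
            issuer = msg.split("issuer:", 1)[1].strip()
        elif fn == "tcp_send" and (s := re.search(r"c= (0x[0-9a-f]+)", msg)):
            last_sent = s.group(1)
        elif fn == "_tls_read" and (e := re.search(r"wrong in SSL: (\d+)", msg)):
            code = int(e.group(1))
            pending[pid] = {"pid": pid, "code": code,
                            "name": SSL_ERRORS.get(code, "UNKNOWN"),
                            "client_cert_issuer": issuer, "conn": None,
                            "write_preceded": False}
            findings.append(pending[pid])
        elif fn == "release_tcpconn" and pid in pending:
            if c := re.search(r"releasing con (0x[0-9a-f]+)", msg):
                f = pending.pop(pid)
                f["conn"] = c.group(1)
                f["write_preceded"] = f["conn"] == last_sent
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

`SSL_ERROR_SYSCALL` says only that the I/O layer failed; the finding shows the read failed on the same connection right after the client certificate and the 791-byte write, which is the sequence the thread is discussing.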

