[OpenSIPS-Users] TLS call failed
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Thu Feb 4 10:34:37 CET 2010
Hi Steven,
For the NOKIA N97, could you post the entire log (debug 4) for the
INVITE part (covering the receiving of the INVITE also) ?
Regards,
Bogdan
doolin wu wrote:
> Hello,
>
> I'm trying to use the TLS feature of OpenSIPS-1.5-tls. TLS was
> configured and the server ran successfully.
> I tried to make 2 SIP UAs work with my OpenSIPS-1.5-tls, but all of
> them failed.
> Here are my settings:
> >Server:
> tls_verify_server = 0
> tls_verify_client = 0
> tls_require_client_certificate = 0
> tls_method = TLSv1
> tls_certificate = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-cert.pem"
> tls_private_key = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-privkey.pem"
> tls_ca_list = "/usr/local/opensips.1.5.tls//etc/opensips/tls/user/user-calist.pem"
>
> >Client:
> The self-signed rootCA (tls\rootCA\cacert.pem) was imported into the
> client successfully
>
> The first UA is the VoIP client on a NOKIA N97. The client registers to the SIP
> server with TLS successfully, but when making a call from the N97 to others I
> got error code 477 Send failed (477/TM).
> I traced opensips; it looks like opensips tried to forward the INVITE to
> the callee, but the tls socket failed to send the request.
> Logs from opensips here:
>
> Feb 2 07:19:32 [5779] ERROR:core:tcp_send: failed to send
> Feb 2 07:19:32 [5779] ERROR:tm:msg_send: tcp_send failed
> Feb 2 07:19:32 [5779] ERROR:tm:t_forward_nonack: sending request
> failed
> Feb 2 07:19:32 [5779] DBG:tm:t_relay_to: t_forward_nonack
> returned error
> Feb 2 07:19:32 [5779] DBG:core:parse_headers: flags=ffffffffffffffff
> Feb 2 07:19:32 [5779] DBG:core:check_via_address: params
> 10.57.52.186, 10.57.52.186, 0
> Feb 2 07:19:32 [5779] DBG:tm:cleanup_uac_timers: RETR/FR timers reset
> Feb 2 07:19:32 [5779] DBG:tm:set_timer: relative timeout is 30
> Feb 2 07:19:32 [5779] DBG:tm:insert_timer_unsafe: [0]: 0xb61a180c
> (92)
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: tcp connection found
> (0xb61d7908), acquiring fd
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: c= 0xb61d7908, n=8
> Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response=
> b61f4b48, 2, fd 41 from 16 (5779)
> Feb 2 07:19:32 [5787] DBG:core:tcpconn_add: hashes: 719, 4
> Feb 2 07:19:32 [5787] DBG:core:io_watch_add:
> io_watch_add(0x817bbc0, 41, 2, 0xb61f4b48), fd_no=31
> Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response=
> b61f4b48, -2, fd -1 from 16 (5779)
> Feb 2 07:19:32 [5787] DBG:core:io_watch_del: io_watch_del
> (0x817bbc0, 41, -1, 0x10) fd_no=32 called
> Feb 2 07:19:32 [5787] DBG:core:tcpconn_destroy: destroying
> connection 0xb61f4b48, flags 0002
> Feb 2 07:19:32 [5787] DBG:core:tls_close: closing SSL connection
> Feb 2 07:19:32 [5787] DBG:core:tls_update_fd: New fd is 41
> Feb 2 07:19:32 [5787] DBG:core:tls_shutdown: shutdown successful
> Feb 2 07:19:32 [5787] DBG:core:tls_tcpconn_clean: entered
> Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response=
> b61d7908, 1, fd -1 from 16 (5779)
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: after receive_fd: c=
> 0xb61d7908 n=4 fd=34
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: sending...
> Feb 2 07:19:32 [5779] DBG:core:tls_update_fd: New fd is 34
> Feb 2 07:19:32 [5779] DBG:core:tls_write: write was successful
> (374 bytes)
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: after write: c=
> 0xb61d7908 n=374 fd=34
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: buf=
>
>
> Could someone help to have a look at the problem?
>
>
>
> Meanwhile, I use eyebeam 1.5 as a client. Things are worse, as the
> register failed.
> I traced eyebeam and found that eyebeam failed when verifying the server's
> certificate. Here I have something unclear about the use of certificates
> between client and server.
> To configure and run opensips with TLS (just talking about the self-signed
> case), we should create two certificates. One is the self-signed rootCA
> (tls\rootCA\cacert.pem), the other is a certificate signed by the rootCA
> (tls\user\user-cert.pem). The server holds the rootCA via the config
> tls_ca_list and sends the certificate (via the config tls_certificate) to the client
> during the handshake with the client.
> My question is how to configure the certificate on the client side. In these two
> cases (using the N97 and eyebeam), I just imported the rootCA into my client.
> Is that right for configuring the certificate on the client? The N97 seems OK with the
> rootCA. But eyebeam failed. The guideline of eyebeam says:
>
> During the TLS handshake, *the TLS server has to send to the client
> the whole chain of certificate excepting the root certificate*;
> the client must possess the root certificate otherwise the
> authentication cannot happen.
>
>
> Any idea how to configure opensips to send 'the whole chain of certificate
> excepting the root certificate'?
>
> Thanks for your kind support.
> --
> Steven.W.Doolin
>
--
Bogdan-Andrei Iancu
www.voice-system.ro
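
An added example (not part of the original thread, and not OpenSIPS code): a small parser for the debug-log format quoted above that groups lines by worker PID and by connection pointer, so the events logged for one connection can be followed across processes. The sample lines are copied from the quoted log with the e-mail line wraps joined; the function names are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the log quoted in the post, with e-mail line wraps joined.
SAMPLE_LOG = """\
Feb 2 07:19:32 [5779] ERROR:core:tcp_send: failed to send
Feb 2 07:19:32 [5779] ERROR:tm:msg_send: tcp_send failed
Feb 2 07:19:32 [5779] ERROR:tm:t_forward_nonack: sending request failed
Feb 2 07:19:32 [5779] DBG:core:tcp_send: tcp connection found (0xb61d7908), acquiring fd
Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, 2, fd 41 from 16 (5779)
Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, -2, fd -1 from 16 (5779)
Feb 2 07:19:32 [5787] DBG:core:tcpconn_destroy: destroying connection 0xb61f4b48, flags 0002
Feb 2 07:19:32 [5787] DBG:core:tls_close: closing SSL connection
Feb 2 07:19:32 [5779] DBG:core:tls_write: write was successful (374 bytes)
Feb 2 07:19:32 [5779] DBG:core:tcp_send: after write: c= 0xb61d7908 n=374 fd=34
"""

# "<date> [pid] LEVEL:module:function: message", as in the lines above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}) \[(?P<pid>\d+)\] "
    r"(?P<level>[A-Z]+):(?P<module>\w+):(?P<func>\w+):\s*(?P<msg>.*)$")
# Connection pointers are logged both as 0xb61d7908 and as bare b61f4b48.
PTR_RE = re.compile(r"(?<![0-9a-fx])(?:0x)?([0-9a-f]{8})\b")

def parse(text):
    """Return one dict per well-formed log line; skip anything else."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def errors_by_pid(entries):
    """Map worker PID -> functions that logged at ERROR level, in order."""
    out = defaultdict(list)
    for e in entries:
        if e["level"] == "ERROR":
            out[e["pid"]].append(f'{e["module"]}:{e["func"]}')
    return dict(out)

def by_connection(entries):
    """Map connection pointer -> [(pid, function)] for every line naming it."""
    out = defaultdict(list)
    for e in entries:
        for ptr in dict.fromkeys(PTR_RE.findall(e["msg"])):
            out[ptr].append((e["pid"], e["func"]))
    return dict(out)

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    print(errors_by_pid(entries), by_connection(entries), sep="\n")
```

Run against a full debug 4 capture, the per-connection view shows which worker created, wrote to and destroyed each connection around the failed send.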