[OpenSIPS-Users] SIP Over TLS using OpenSIPS

Anca Vamanu anca at opensips.org
Tue Mar 29 12:12:24 CEST 2011


Hi David,

Have you configured OpenSIPS to check the client's certificate (have you set 
tls_require_client_certificate = 1)? Then you have to configure the 
accepted certificates: 
http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html#AEN264.

Regards,

-- 
Anca Vamanu
OpenSIPS Developer



On 03/29/2011 09:54 AM, David Chedid wrote:
> Dears,
>
> Can anyone help with this?
>
> Thanks,
>
> BR,
>
>
> Dears,
>
> I am trying to use OpenSIPS with TLS, but it hasn't worked so far :(
>
> I am getting the following error:
>
> Mar 25 14:09:49 [16855] DBG:core:print_ip: tcpconn_new: new tcp connection
> to: 192.168.20.19
> Mar 25 14:09:49 [16855] DBG:core:tcpconn_new: on port 4034, type 3
> Mar 25 14:09:49 [16855] DBG:core:tls_tcpconn_init: entered: Creating a whole
> new ssl connection
> Mar 25 14:09:49 [16855] DBG:core:tls_tcpconn_init: looking up socket based
> TLS server domain [192.168.168.28:5061]
> Mar 25 14:09:49 [16855] DBG:core:tls_find_server_domain: virtual TLS server
> domain found
> Mar 25 14:09:49 [16855] DBG:core:tls_tcpconn_init: found socket based TLS
> server domain [192.168.168.28:5061]
> Mar 25 14:09:49 [16855] DBG:core:tls_tcpconn_init: Setting in ACCEPT mode
> (server)
> Mar 25 14:09:49 [16855] DBG:core:tcpconn_add: hashes: 770, 1
> Mar 25 14:09:49 [16855] DBG:core:handle_new_connect: new connection:
> 0xafc4f7c8 25 flags: 0002
> Mar 25 14:09:49 [16855] DBG:core:send2child: to tcp child 0 0(16847),
> 0xafc4f7c8
> Mar 25 14:09:49 [16847] DBG:core:handle_io: received n=4 con=0xafc4f7c8,
> fd=12
> Mar 25 14:09:49 [16847] DBG:core:io_watch_add: io_watch_add(0x81b6ec0, 12,
> 2, 0xafc4f7c8), fd_no=1
> Mar 25 14:09:49 [16847] DBG:core:tls_update_fd: New fd is 12
> Mar 25 14:09:49 [16847] DBG:core:tls_update_fd: New fd is 12
> Mar 25 14:09:49 [16847] ERROR:core:tls_accept: some error in SSL (ret=0,
> err=1, errno=0/Success):
> Mar 25 14:09:49 [16847] ERROR:core:tls_print_errstack: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Mar 25 14:09:49 [16847] DBG:core:io_watch_del: io_watch_del (0x81b6ec0, 12,
> -1, 0x10) fd_no=2 called
> Mar 25 14:09:49 [16847] DBG:core:release_tcpconn:  releasing con 0xafc4f7c8,
> state -2, fd=12, id=1
> Mar 25 14:09:49 [16847] DBG:core:release_tcpconn:  extra_data 0xafc5f8e4
> Mar 25 14:09:49 [16855] DBG:core:handle_tcp_child: reader response=
> afc4f7c8, -2 from 0
> Mar 25 14:09:49 [16855] DBG:core:tcpconn_destroy: destroying connection
> 0xafc4f7c8, flags 0002
> Mar 25 14:09:49 [16855] DBG:core:tls_close: closing SSL connection
> Mar 25 14:09:49 [16855] DBG:core:tls_update_fd: New fd is 25
> Mar 25 14:09:49 [16855] DBG:core:tls_shutdown: shutdown successful
> Mar 25 14:09:49 [16855] DBG:core:tls_tcpconn_clean: entered
>
>
> Below the configuration file for the debug and TLS Section:
>
> debug=4
> fork=yes
> log_stderror=yes
> check_via=no
> dns=no
> rev_dns=no
>
> tls_client_domain_avp=0
> disable_tls = no
> listen = tls:192.168.168.28:5061
> tls_verify_server = 1
> tls_verify_client = 1
> tls_require_client_certificate = 1
> tls_handshake_timeout=30
> tls_send_timeout=30
> tls_method = TLSv1
> tls_ciphers_list="NULL"
> tls_certificate = "/usr/local/etc/opensips//tls/user/user-cert.pem"
> tls_private_key = "/usr/local/etc/opensips//tls/user/user-privkey.pem"
> tls_ca_list = "/usr/local/etc/opensips//tls/user/user-calist.pem"
> tls_server_domain [192.168.168.28:5061]
> {
> tls_certificate = "/usr/local/etc/opensips//tls/user/user-cert.pem"
> tls_private_key = "/usr/local/etc/opensips//tls/user/user-privkey.pem"
> tls_ca_list = "/usr/local/etc/opensips/tls//user/user-calist.pem"
> tls_method = TLSv1
> }
>
> Below you can find also info regarding my OpenSIPS server
>
> version: opensips 1.6.4-2-tls (i386/linux)
> flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, DISABLE_NAGLE, USE_MCAST,
> SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
> ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
> MAX_URI_SIZE 1024, BUF_SIZE 65535
> poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
> svnrevision: unknown
> @(#) $Id: main.c 7530 2010-12-13 19:07:53Z bogdan_iancu $
> main.c compiled on 13:57:04 Jan 31 2011 with gcc 4.2.4
>
> Linux 2.6.24-23-server #1 SMP Thu Nov 27 19:19:15 UTC 2008 i686 GNU/Linux
>
> Ubuntu 8.04.4 LTS \n \l
>
> Let me know how I can fix this issue, and if you need more info don't
> hesitate to contact me.
>
> BR,
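
For reading the `tls_print_errstack` line in the log above, here is an added example (not part of the original thread or of OpenSIPS) that unpacks the pre-3.0 OpenSSL error code and reports whether the error was raised locally or is a TLS alert received from the peer. The function names and the second sample log line are constructed for illustration.

```python
import re

# Constructed input: line 1 is the error from the log above (unwrapped);
# line 2 is a constructed line showing a locally raised error for contrast.
SAMPLE_LOG = (
    "Mar 25 14:09:49 [16847] ERROR:core:tls_print_errstack: "
    "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca\n"
    "Mar 25 14:10:02 [16847] ERROR:core:tls_print_errstack: "
    "error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned\n"
)

ERR_LIB_SSL = 0x14           # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number when the peer sent an alert

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2)
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

ERR_RE = re.compile(r"tls_print_errstack: error:([0-9A-Fa-f]{8}):")


def decode(code_hex):
    """Unpack a pre-3.0 OpenSSL error code: 8-bit lib, 12-bit func, 12-bit reason."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def diagnose(log_text):
    """Return (code, origin, alert_name) for each libssl error line in the log."""
    findings = []
    for match in ERR_RE.finditer(log_text):
        lib, _func, reason = decode(match.group(1))
        if lib != ERR_LIB_SSL:
            continue
        if reason >= SSL_AD_REASON_OFFSET:
            # Alert-derived reason: the remote side sent this alert to us.
            alert = reason - SSL_AD_REASON_OFFSET
            findings.append((match.group(1), "peer", ALERTS.get(alert, f"alert_{alert}")))
        else:
            # Ordinary reason code: the local TLS stack raised the error itself.
            findings.append((match.group(1), "local", None))
    return findings


if __name__ == "__main__":
    for code, origin, alert in diagnose(SAMPLE_LOG):
        print(code, origin, alert)
```

A `peer` result with `unknown_ca` during `tls_accept` means the connecting client sent the alert because it could not chain the certificate presented by the server to a CA it trusts.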


