[OpenSIPS-Users] Can't get TLS working

Duane Larson duane.larson at gmail.com
Wed May 2 02:49:17 CEST 2012


Since there seem to be many variables that could be wrong in my setup, let
me explain what I am hoping to accomplish.

I have two OpenSIPS Proxies running in a redundant fashion with HA.
Proxy 1 = SIPProxy01   <--- Hostname
Proxy 2 = SIPProxy02   <--- Hostname

Both servers share an IP address of AAA.BBB.CCC.DDD

I am hosting multiple domains with this setup.  The clients log in by using
their domain credentials (example - 9012XX2XX9 at abc.com), but all clients
are configured to point to sip.ae.com:5060 as their outbound proxy in order
to register and call out.  I have a DNS record that points sip.ae.com to
the IP address AAA.BBB.CCC.DDD which is the SIPProxy HA IP address.

So from reading the TLS support page (
http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html#AEN345) it
sounds like I need to do a "Virtual hosting scenario".  It says to do

"As the SIP proxy does not have received a SIP message yet (this is done
after the TLS handshake), the SIP proxy can not retrieve the target domain
(which will be usually retrieved from the domain in the request URI). Thus,
distinction for these domains must be done by using multiple sockets. The
socket on which the TLS connection is received, identifies the respective
domain. Thus the SIP proxy is able to present the proper certificate."

So I think I need to do the following

disable_tls = no
listen=tls:50.XX.YY.45:5061
listen=tls:50.XX.YY.45:5063  ### For Domain abc.com
listen=tls:50.XX.YY.45:5064  ### For Domain xyz.com
tls_method=tlsv1
tls_verify_client = 1
tls_require_client_certificate = 1
tls_ca_list = "/usr/local/etc/opensips/certs/CA/cert.pem"

tls_server_domain[50.XX.YY.45:5063] {
    tls_certificate = "/usr/local/etc/opensips/certs/abc.com/cert.pem"
    tls_private_key = "/usr/local/etc/opensips/certs/abc.com/privkey.pem"
    tls_ca_list     = "/usr/local/etc/opensips/certs/CA/cert.pem"
}
tls_server_domain[50.XX.YY.45:5064] {
    tls_certificate = "/usr/local/etc/opensips/certs/xyz.com/cert.pem"
    tls_private_key = "/usr/local/etc/opensips/certs/xyz.com/privkey.pem"
    tls_ca_list     = "/usr/local/etc/opensips/certs/CA/cert.pem"
}

Does this sound right?  So for my clients at abc.com would I need to
configure them to point to the outbound proxy of sip.ae.com:5063?

If abc.com calls xyz.com and both are on the same sipproxy will there be a
cert issue or does OpenSIPS know how to handle this?  The TLS doc says to do
tls_client_domain_avp=400
# calls to other SIP domains
# set the proper SSL context (certificate) for local hosted domains
avp_write("$fd","$avp(400)");
t_relay(); # uses NAPTR and SRV lookups
exit;


I thought with some certificates the name of the server mattered.  I know
when working with wireless certs this is an issue.  Does the name of the
server when creating the CA cert and individual domain certs matter?

I can't seem to get this to work.  I just see the following on the server
and no reply

New TCP connection #51: 99-67-237-217.lightspeed.austtx.sbcglobal.net(58638)
<-> 50-XX-XX-156.static.cloud-ips.com(5063)
51 1  0.0547 (0.0547)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        Unknown value 0xc014
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        Unknown value 0xc013
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        Unknown value 0xc012
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        Unknown value 0xff
        compression methods
                  NULL


Sorry for all the questions but TLS is new for me.



On Mon, Apr 30, 2012 at 12:48 AM, Duane Larson <duane.larson at gmail.com> wrote:

> I've read the TLS tutorial
> http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html
>
>
> I can't get a snom or counterpath phone to register at all over TLS.  I'm
> not sure what is wrong.  The only errors I see when I start OpenSIPS are
> Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_tls: disabling
> compression due ZLIB problems
> Apr 30 00:08:27 SIPProxy01 opensips: INFO:core:init_tls_domains:
> Processing TLS domain [0.0.0.0:0]
> Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_ssl_ctx_behavior:
> client verification NOT activated. Weaker security.
> Apr 30 00:08:27 SIPProxy01 opensips: INFO:core:init_tls_domains:
> Processing TLS domain [0.0.0.0:0]
> Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_ssl_ctx_behavior:
> server verification NOT activated. Weaker security.
> Apr 30 00:08:27 SIPProxy01 /usr/local/sbin/opensips[11060]:
> NOTICE:core:main: version: opensips 1.8.0-dev0-tls (x86_64/linux)
>
>
> To get the client cert to work with Snom I had to change the cacert.pem to
> a .der file.  So I did
> sudo openssl x509 -in cacert.pem -out cacert.der -outform DER
>
>
> For my config I have the following.
>
> disable_tls = no
> listen = tls:50.XX.XX.156:5061
> tls_verify_server = 0
> tls_verify_client = 0
> tls_require_client_certificate = 0
> tls_method = TLSv1
> #tls_method = SSLv23
> tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
> tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
> tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
>
>
>
> From the Snom phone I can see the Register sent to the server
>
> Sent to tls:50.XX.XX.156:5061 at 30/4/2012 00:09:11:335 (683 bytes):
> REGISTER sip:i.com SIP/2.0
> Via: SIP/2.0/TLS 192.168.1.70:3636;branch=z9hG4bK-brbd3nfa0aao;rport
> From: "1000 - 6XX-6XX4" <sip:9016XX6XX4 at i.com>;tag=luco4y7th3
> To: "1000 - 6XX-6XX4" <sip:9016XX6XX4 at i.com>
> Call-ID: 3070263c3b8a-l2a7wl7yrrox
> CSeq: 44 REGISTER
> Max-Forwards: 70
> Contact: <sip:9016XX6XX4 at 192.168.1.70:3636
> ;transport=tls;line=2c34lho2>;reg-id=1;q=1.0;audio;mobility="fixed";duplex="full";description="snom821";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
> User-Agent: snom821/8.4.35
> Allow-Events: dialog
> X-Real-IP: 192.168.1.70
> Supported: path
> Expires: 3600
> Content-Length: 0
>
> I don't see anything at all in the syslog.  I did a debug 4 too.  If I do
> an ssldump I only see the following
>
>
>
> New TCP connection #101: 99-67-237-217.lightspeed.austtx.sbcglobal.net(4801)
> <-> 50-XX-XX-156.static.cloud-ips.com(5061)
> 101 1  0.0562 (0.0562)  C>S  Handshake
>       ClientHello
>         Version 3.1
>         cipher suites
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_NULL_MD5
>         TLS_RSA_WITH_NULL_SHA
>         TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
>         TLS_DH_anon_WITH_RC4_128_MD5
>         TLS_RSA_WITH_DES_CBC_SHA
>         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>         TLS_DH_anon_WITH_DES_CBC_SHA
>         compression methods
>                   NULL
>
> So it looks like there is no S>C
>
>
> Any ideas?
>



-- 
--
*--*--*--*--*--*
Duane
*--*--*--*--*--*
--
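Both ssldump traces in this thread stop after the ClientHello, so the only evidence the server side offers is the list of cipher suites the phone sent (the "Unknown value 0xc0xx" entries are ECDHE suites that older ssldump builds did not have names for). The script below is an added example, not code from the thread or from the OpenSIPS project: it decodes a raw TLS ClientHello record, names the offered suites, and flags the ones a SIP proxy operator would not want to accept (NULL, anonymous DH, export-grade, single DES, RC4, 3DES). The sample record is constructed here from the suite list in the first trace above, with an all-zero random and no session ID; the `build_client_hello` helper and the `assess` function are this example's own names.

```python
import struct

# Suite identifiers from RFC 2246/4346, RFC 4492 (ECDHE), the 56-bit export
# draft and RFC 5746 (SCSV). Names follow the IANA registry. Only the suites
# seen in the two ssldump traces above are listed; anything else is "unknown".
CIPHER_SUITES = {
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001A: "TLS_DH_anon_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

# Constructed sample: the suite order from the first ssldump trace in the thread.
SNOM_OFFER = [0xC014, 0x0039, 0x0035, 0x0038, 0xC013, 0x0033, 0x002F, 0x0032,
              0xC012, 0x0016, 0x000A, 0x0013, 0x0015, 0x0009, 0x0014, 0x0008,
              0x0012, 0x0011, 0x00FF]


def weakness(name):
    """Reason a suite should not be enabled on a SIP proxy, or None if acceptable."""
    if name.endswith("_SCSV"):
        return None                      # signalling value, not a real suite
    if "_NULL_" in name:
        return "no encryption"
    if "anon" in name:
        return "no server authentication"
    if "EXPORT" in name:
        return "export-grade key size"
    if "_DES_CBC_" in name:
        return "single DES (56-bit)"
    if "RC4" in name:
        return "RC4"
    if "3DES" in name:
        return "3DES (64-bit block)"
    return None


def parse_client_hello(record):
    """Decode one TLS record carrying a ClientHello; raise ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35 or len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    major, minor = hello[0], hello[1]
    pos = 2 + 32                           # skip client_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                     # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    comps = list(hello[pos + 1:pos + 1 + comp_len])
    pos += 1 + comp_len
    return {"version": "%d.%d" % (major, minor), "cipher_suites": suites,
            "compression": comps, "extensions_present": pos < len(hello)}


def assess(record):
    """Name every offered suite and report the ones a proxy operator should reject."""
    hello = parse_client_hello(record)
    offered, unknown, weak = [], [], {}
    for sid in hello["cipher_suites"]:
        name = CIPHER_SUITES.get(sid)
        if name is None:
            unknown.append(sid)          # not in our table (e.g. a newer suite)
            continue
        offered.append(name)
        reason = weakness(name)
        if reason:
            weak[name] = reason
    return {"version": hello["version"], "offered": offered,
            "unknown": unknown, "weak": weak}


def build_client_hello(suites, version=(3, 1)):
    """Constructed test input: a minimal TLS 1.0 ClientHello with an all-zero random."""
    hello = bytes(version) + b"\x00" * 32 + b"\x00"        # version, random, empty session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # suites, one NULL compression
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello  # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    result = assess(build_client_hello(SNOM_OFFER))
    print("ClientHello version", result["version"])
    for name, reason in result["weak"].items():
        print("  weak: %-40s %s" % (name, reason))
```

Run against a real capture, the record bytes would come from the TCP payload rather than `build_client_hello`. A trace that contains a ClientHello and nothing from the server, as in both captures above, means the failure is on the server side before ServerHello is sent, so the things to verify there are that the certificate and private key for the listening socket load and match, and that `tls_method` on the server allows the version the client offered (3.1 is TLS 1.0).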