[OpenSIPS-Users] OpenSIPS and TLS with wildcard certificates again

Peter Lemenkov lemenkov at gmail.com
Fri Sep 14 14:13:42 CEST 2012

Hello All!

First of all - I've read a bit about TLS and certificates in OpenSIPS
but I still don't have a clue what's wrong with this.

My problem is - although openssl can verify certificate as well as it
can be loaded by opensips, client apps are refusing to connect.
Namely, empathy and Jitsi.

My setup is quite simple (well, I thought so). I've got a bunch of SIP
domains, lets,say sip0[0-9].domain.com fully resolvable via DNS (w/o
additional DNS SRV records - just domain names). I've got wildcard SSL
certificate from Thawte (for "*.domain.com" without quotes) and a CA
bundle from Thawte (
). I appended it to the end of the system-wide certificate bundle (and
checked with openssl). And now here is my relevant config data (I
added " sip01.domain.com" to /etc/hosts for the sake of

disable_tls = 0
listen = tls:
tls_verify_server = 0
tls_verify_client = 0
tls_require_client_certificate = 0
tls_method = TLSv1


tls_certificate = "./wildcard.domain.com.crt"
tls_private_key = "./wildcard.domain.com.key"
tls_ca_list = "./ca-bundle.crt" # system-wide CA bundle + SSL_CA_Bundle.pem

All I got so far is

Sep 14 16:02:29 [14877] ERROR:core:tls_accept: New TLS connection from failed to accept: rejected by client

Here is a confirmation from openssl:

work ~/work/OpenSIPS (git::1.8.x-ipport): openssl verify -CAfile
./ca-bundle.crt ./wildcard.domain.com.crt
./wildcard.domain.com.crt: OK
work ~/work/OpenSIPS (git::1.8.x-ipport):

I'm using the same certificate for https and it works quite fine in
Firefox. What did I miss so far?

With best regards, Peter Lemenkov.

More information about the Users mailing list