[OpenSIPS-Users] OpenSIPS and TLS with wildcard certificates again
ag at ag-projects.com
Wed Apr 24 20:12:43 CEST 2013
The client must load same CA chain that signed the server cert.
On Sep 14, 2012, at 2:13 PM, Peter Lemenkov wrote:
> Hello All!
> First of all - I've read a bit about TLS and certificates in OpenSIPS
> but I still don't have a clue what's wrong with this.
> My problem is - although openssl can verify certificate as well as it
> can be loaded by opensips, client apps are refusing to connect.
> Namely, empathy and Jitsi.
> My setup is quite simple (well, I thought so). I've got a bunch of SIP
> domains, lets,say sip0[0-9].domain.com fully resolvable via DNS (w/o
> additional DNS SRV records - just domain names). I've got wildcard SSL
> certificate from Thawte (for "*.domain.com" without quotes) and a CA
> bundle from Thawte (
> ). I appended it to the end of the system-wide certificate bundle (and
> checked with openssl). And now here is my relevant config data (I
> added "192.168.0.1 sip01.domain.com" to /etc/hosts for the sake of
> disable_tls = 0
> listen = tls:192.168.0.1:5051
> tls_verify_server = 0
> tls_verify_client = 0
> tls_require_client_certificate = 0
> tls_method = TLSv1
> tls_certificate = "./wildcard.domain.com.crt"
> tls_private_key = "./wildcard.domain.com.key"
> tls_ca_list = "./ca-bundle.crt" # system-wide CA bundle + SSL_CA_Bundle.pem
> All I got so far is
> Sep 14 16:02:29  ERROR:core:tls_accept: New TLS connection from
> 192.168.0.2:59588 failed to accept: rejected by client
> Here is a confirmation from openssl:
> work ~/work/OpenSIPS (git::1.8.x-ipport): openssl verify -CAfile
> ./ca-bundle.crt ./wildcard.domain.com.crt
> ./wildcard.domain.com.crt: OK
> work ~/work/OpenSIPS (git::1.8.x-ipport):
> I'm using the same certificate for https and it works quite fine in
> Firefox. What did I miss so far?
> With best regards, Peter Lemenkov.
> Users mailing list
> Users at lists.opensips.org
More information about the Users