[OpenSIPS-Users] TLS - How exactly to decide whether to use require_cert equal to 1 or 0? The SIP client must trust the SIP server, not vice versa.

Podrigal, Aron aronp at guaranteedplus.com
Wed Jul 29 16:25:42 CEST 2015


0 means *do not* force the client to present a certificate, whereas 1
means *do* ask the client to present a cert.

"rejected by client" is to be interpreted like this: OpenSIPS asks the client,
"I need you to present a certificate", and the client rejects that request.

Cheers.

On Wed, Jul 29, 2015 at 9:51 AM, Rodrigo Pimenta Carvalho <pimenta at inatel.br
> wrote:

>  Dear OpenSIPS-users,
>
>
>  I am configuring my OpenSIPS 2.2 to communicate to SIP clients using
> TLS.  The SIP client must trust the SIP server, but the inverse is not
> needed. I want to avoid a fake SIP server collecting data from the SIP
> clients, for example collecting login/ID and passwords.
>
>
>  For that, I suspect that I must use the configuration:
> modparam("proto_tls","require_cert", "X"). But what exactly do 1 or
> 0 mean for X?
>
>
>  When I use X equals to 0 and run the test "openssl s_client -showcerts
> -debug -connect <OpenSIPS_IP>:5061  -no_ssl2 -bugs -CAfile ./cacert.pem", I
> can see the following OpenSIPS log:
>
>
>
> --------------------------------------------------------------------------------------------------------------
>
> Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: entered: Creating a
> whole new ssl connection
> Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: looking up socket
> based TLS server domain [<OpenSIPS_IP>:5061]
> Jul 29 10:02:27 [11929] DBG:proto_tls:tls_find_server_domain: virtual TLS
> server domain not found, Using default TLS server domain settings
> Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: found socket based
> TLS server domain [0.0.0.0:0]
>
> ...
>
> ...
>
> Jul 29 10:02:27 [11921] INFO:proto_tls:tls_accept: New TLS connection from
> <OpenSIPS_IP>:45457 accepted
> Jul 29 10:02:27 [11921] DBG:proto_tls:tls_accept: new TLS connection from
> <OpenSIPS_IP>:45457 using TLSv1/SSLv3 AES256-SHA 256
> Jul 29 10:02:27 [11921] DBG:proto_tls:tls_accept: local socket:
> <OpenSIPS_IP>:5061
> Jul 29 10:02:27 [11921] INFO:proto_tls:tls_accept: Client did not present
> a TLS certificate
>
> ...
>
> ...
>
> Jul 29 10:02:31 [11929] DBG:proto_tls:tls_conn_shutdown: first phase of
> 2-way handshake completed succesfuly
>
>
> -----------------------------------------------------------------------------------------------------------------------
>
>
>
>
>  However, when I use X equals to 1, I get:
>
>
>
> --------------------------------------------------------------------------------------------------------------------------
>
> Jul 29 10:05:36 [11978] ERROR:proto_tls:tls_accept: New TLS connection
> from <OpenSIPS_IP>:45460 failed to accept: rejected by client
> Jul 29 10:05:36 [11978] ERROR:proto_tls:tls_read_req: failed to do pre-tls
> reading
>
>
> --------------------------------------------------------------------------------------------------------------------------
>
>
>  So, it seems that the client refuses the connection from the server.
> What is happening here? Is the client refusing some cert presented by the
> server?
>
> I'm a bit confused because the TLS Module documentation says that
> 'require_cert' parameter is used for incoming TLS connections, where
> OpenSIPS acts as server. So, how could it affect the client side?
>
>
>  P.S.: the result of "openssl s_client ..." command is "Verify return
> code: 0 (ok)".
>
>
>  Any hint will be very helpful!
>
>
>  Best regards.
>
>
>
>   RODRIGO PIMENTA CARVALHO
> Inatel Competence Center
> Software
> Ph: +55 35 3471 9200 RAMAL 979
>


-- 
Aron Podrigal
-
'1000001', '1110010', '1101111', '1101110'   '1010000', '1101111',
'1100100', '1110010', '1101001', '1100111', '1100001', '1101100'

P: '2b', '31', '33', '34', '37', '34', '35', '38', '36', '30', '39', '39'
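Aron's explanation above, and Rodrigo's actual goal (clients must verify the server, the server need not verify clients), are easiest to see in working code. The Go program below is an added example written for this thread, not OpenSIPS code and not something from the original post: it uses Go's standard library to stand in for both sides of the handshake, with tls.NoClientCert playing the role of require_cert=0 and tls.RequireAndVerifyClientCert the role of require_cert=1. The host name sip.example and the self-signed certificate are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// selfSignedServerCert builds a throwaway self-signed certificate for the
// constructed host "sip.example" so the example runs offline. It plays the
// SIP server's certificate; the returned pool is what a client that trusts
// this server would load as its CA list (the -CAfile of the openssl test).
func selfSignedServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "sip.example"},
		DNSNames:              []string{"sip.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// tryHandshake starts a TLS listener with the given client-auth policy
// (tls.NoClientCert ~ require_cert=0, tls.RequireAndVerifyClientCert ~
// require_cert=1) and connects a client that presents no certificate.
// With clientTrustsServer=false the client has an empty CA list, i.e. it has
// no trust anchor for this server. Returns whether the client received
// application data, plus the greeting or the failure reason.
func tryHandshake(policy tls.ClientAuthType, clientTrustsServer bool) (bool, string) {
	cert, pool, err := selfSignedServerCert()
	if err != nil {
		return false, err.Error()
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: policy, ClientCAs: pool}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return false, err.Error()
	}
	defer ln.Close()

	// Server side: accept one connection, finish the handshake, send a greeting.
	// Under RequireAndVerifyClientCert the handshake fails on the empty
	// Certificate message the client sends, which is the "rejected" case.
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		if err := c.(*tls.Conn).Handshake(); err != nil {
			return
		}
		_, _ = c.Write([]byte("OK\n"))
	}()

	// Client side: verify the server against the CA list (or against nothing)
	// and offer no client certificate at all.
	roots := x509.NewCertPool()
	if clientTrustsServer {
		roots = pool
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "sip.example"})
	if err != nil {
		return false, err.Error()
	}
	defer conn.Close()
	// A TLS 1.3 client finishes its half of the handshake before the server
	// has judged the missing client cert, so read the greeting to learn the
	// server's verdict instead of trusting Dial alone.
	buf := make([]byte, 3)
	if _, err := io.ReadFull(conn, buf); err != nil {
		return false, err.Error()
	}
	return true, string(buf)
}

func main() {
	cases := []struct {
		name   string
		policy tls.ClientAuthType
		trust  bool
	}{
		{"require_cert=0, client trusts server", tls.NoClientCert, true},
		{"require_cert=1, client has no cert", tls.RequireAndVerifyClientCert, true},
		{"require_cert=0, client does not trust server", tls.NoClientCert, false},
	}
	for _, tc := range cases {
		ok, detail := tryHandshake(tc.policy, tc.trust)
		fmt.Printf("%-46s accepted=%-5v %q\n", tc.name, ok, detail)
	}
}
```

The second case reproduces the outcome Rodrigo saw with X equal to 1: the server demands a certificate, a client such as openssl s_client without a cert has nothing to offer, and the handshake fails. The third case is the protection the question is actually after, a client that refuses a server it has no trust anchor for. That maps to require_cert left at 0 on OpenSIPS, with the CA file distributed to the clients (the -CAfile argument in the openssl test) so that they verify the server, not the other way round.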