[OpenSIPS-Users] TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5

Ali Pey alipey at gmail.com
Sun Apr 10 13:37:23 CEST 2016


Hello Rodrigo,

Thank you for your response. I set verify_cert and require_cert to zero and
that fixes my problem. After that I was getting "Certificate Name Mismatch"
error on the eyeBeam and Zoiper phones and after some investigation, I
realized that it was due to wild cards in my certificate. Apparently,
eyeBeam and Zoiper cannot or do not handle wild cards (*) in a certificate.

Best regards,
Ali Pey


On Fri, Apr 8, 2016 at 10:48 AM, Rodrigo Pimenta Carvalho <pimenta at inatel.br
> wrote:

> Hi.
>
>
> I got the same problem in softphone ZOIPER.
>
> I just let my ZOIPER ignore the file received from OpenSIPS and then the
> problem was solved. Otherwise I would have had to install the client party on
> the phone. It was possible for me because in my project I didn't have to
> use certificates, just cryptographic messages with TLS.
>
>
> See below the configuration in my OpenSIPS.cfg file (my proxy is version
> 2.2 from 2015):
>
>
> loadmodule "proto_tls.so"
>
> modparam("proto_tls", "verify_cert", "0")
>
> modparam("proto_tls", "require_cert", "0")  # 0 means *do not* force the
> # client to present a certificate, whereas 1 means *do* ask the client to
> # present a cert.
> modparam("proto_tls", "tls_method", "TLSv1")  # If you want RFC3261
> # conformance and all your clients support TLSv1 (or you are planning to use
> # encrypted "tunnels" only between differe
>
> modparam("proto_tls", "certificate", "/usr/local/etc/opensips/tls/rootCA/certs/cert.pem")
> modparam("proto_tls", "private_key", "/usr/local/etc/opensips/tls/rootCA/private/key.pem")
> modparam("proto_tls", "ca_list", "/usr/local/etc/opensips/tls/rootCA/cacert.pem")
> modparam("proto_tls", "ca_dir", "/usr/local/etc/opensips/tls/rootCA/")
>
> # Sets the TLS protocol. The first parameter, if set, represents the id of
> # the domain. TLS method which can be:
> #
> #    TLSv1_2 - means OpenSIPS will accept only TLSv1.2 connections (rfc3261 conformant).
> #
> #    TLSv1 - means OpenSIPS will accept only TLSv1 connections (rfc3261 conformant).
> #
> #    SSLv3 - means OpenSIPS will accept only SSLv3 connections
> #
> #    SSLv2 - means OpenSIPS will accept only SSLv2 connections (almost all
> #    old clients support this).
> #
> #    SSLv23 - means OpenSIPS will accept any of the above methods, but the
> #    initial SSL hello must be v2 (in the initial hello all the supported
> #    protocols are advertised enabling swit
> #
> # Default value is SSLv23.
>
>
> Tell me if I'm wrong, please.
>
>
> Best regards.
>
>
>
> RODRIGO PIMENTA CARVALHO
> Inatel Competence Center
> Software
> Ph: +55 35 3471 9200 RAMAL 979
>
>
> ------------------------------
> *From:* users-bounces at lists.opensips.org <users-bounces at lists.opensips.org>
> on behalf of Ali Pey <alipey at gmail.com>
> *Sent:* Friday, April 8, 2016 10:25
> *To:* OpenSIPS users mailling list
> *Subject:* Re: [OpenSIPS-Users] TLS - Certificate Validation Failure
> error on SIP Phones - OpenSIPS version 1.11.5
>
> Hello Hamid,
>
> The parameters below don't have any effect. In my scenario, the sip
> phones are rejecting the tls connection by saying "Certificate Validation
> Failure".
>
> Neither of the parameters below had any effect.
>
>
> Does anyone else have any idea what I need to look for?
>
> Regards,
> Ali Pey
>
>
> On Fri, Apr 8, 2016 at 4:00 AM, Hamid Hashmi <hamid2kviii at hotmail.com>
> wrote:
>
>> Please define the following values
>>
>> tls_ca_list     = "/path/to/file"
>> tls_method      = tlsv1
>>
>> for details please consult
>> http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html
>>
>> Regards
>> Hamid R. Hashmi
>>
>> ------------------------------
>> Date: Thu, 7 Apr 2016 13:14:28 -0400
>> From: alipey at gmail.com
>> To: users at lists.opensips.org
>> Subject: [OpenSIPS-Users] TLS - Certificate Validation Failure error on
>> SIP Phones - OpenSIPS version 1.11.5
>>
>>
>> Hello,
>>
>> My opensips server is just a registrar server and I have enabled tls with
>> the following settings:
>>
>> listen=tls:xx.xx.xx.xx:5061
>> disable_tls=no
>> tls_certificate="/etc/opensips/pbx-bundle.crt"
>> tls_private_key="/etc/opensips/pbx.key"
>>
>>
>> When my sip phones try to open tls connection, they reject the connection
>> saying "Certificate Validation Failure". My certificate is valid and works
>> fine on the https website.
>>
>> What am I missing? What should I look for?
>>
>> Regards,
>> Ali Pey
>>
>>
>> _______________________________________________ Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
>
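
A sketch of the host-name check behind the "Certificate Name Mismatch" error mentioned in the reply at the top of this message, added here as an example and not code from the thread, OpenSIPS, eyeBeam or Zoiper. It compares RFC 6125 wildcard matching with an exact-match-only client (an assumed model of the behaviour reported for those phones); the function names, host names and SAN lists are constructed.

```python
import ipaddress

# Constructed sample data (not from the thread): SAN dNSName entries of a
# wildcard certificate and of a certificate that names the proxy explicitly.
WILDCARD_SANS = ["*.example.com", "example.com"]
EXPLICIT_SANS = ["sip.example.com"]


def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def wildcard_match(pattern, host):
    """RFC 6125 style: '*' is the whole left-most label and covers one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]  # reject patterns like '*.com'
    return p == h


def exact_match(pattern, host):
    """Client without wildcard support: the names must be identical."""
    return "*" not in pattern and _labels(pattern) == _labels(host)


def diagnose(san_dns_names, configured_host):
    """Classify how a phone configured with `configured_host` sees the cert."""
    try:
        ipaddress.ip_address(configured_host)
        return "ip-literal"  # a dNSName entry never matches an IP address
    except ValueError:
        pass
    if any(exact_match(n, configured_host) for n in san_dns_names):
        return "ok"
    if any(wildcard_match(n, configured_host) for n in san_dns_names):
        return "wildcard-only"  # passes only on wildcard-aware clients
    return "mismatch"


if __name__ == "__main__":
    for sans in (WILDCARD_SANS, EXPLICIT_SANS):
        for host in ("sip.example.com", "a.b.example.com", "203.0.113.10"):
            print(sans, host, diagnose(sans, host))
```

A "wildcard-only" result means the certificate needs an explicit SAN entry for the proxy name before exact-match clients will accept it; "ip-literal" means the phone should be pointed at a DNS name the certificate covers.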