[OpenSIPS-Users] How to TLS ?

Bogdan-Andrei Iancu bogdan at opensips.org
Wed Feb 24 23:38:57 CET 2016


Hi Hamid,

As the ERROR says, the SIP packet came into OpenSIPS in more than 4 
chunks, making OpenSIPS close the TCP connection (this is an action 
against potential TCP connect based attacks). For more, see:
http://www.opensips.org/Documentation/Script-CoreParameters-1-11#toc96

(tcp_max_msg_chunks global param)

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 16.02.2016 15:28, Hamid Hashmi wrote:
> Now I am facing following ERROR. What can be the reason ?
>
> Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: depth = 2
> Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: preverify is good: verify return: 1
> Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: depth = 1
> Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: preverify is good: verify return: 1
> Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: depth = 0
> Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: preverify is good: verify return: 1
> Feb 16 13:11:43 ec2-siplb SIPLB[30844]: INFO:proto_tls:tls_accept: New TLS connection from 103.255.5.39:64219 accepted
> Feb 16 13:11:43 ec2-siplb SIPLB[30844]: INFO:proto_tls:tls_dump_cert_info: tls_accept: client TLS certificate subject: *******
> Feb 16 13:11:43 ec2-siplb SIPLB[30844]: INFO:proto_tls:tls_dump_cert_info: tls_accept: local TLS server certificate subject: *******
> Feb 16 13:11:43 ec2-siplb SIPLB[30844]: ERROR:proto_tls:tcp_handle_req: Made 4 read attempts but message is not complete yet - closing connection
>
> */Hamid R. Hashmi/*
> Software Engineer - VoIP
> Vopium A/S
>
>
> ------------------------------------------------------------------------
> Date: Fri, 12 Feb 2016 08:03:44 +0000
> Subject: Re: [OpenSIPS-Users] How to TLS ?
> From: nabeelshikder at gmail.com
> To: users at lists.opensips.org; hamid2kviii at hotmail.com
>
> Hi,
>
> That option is only required if you want to enable "Mutual (two-way) 
> client authentication" and is not normally necessary when using TLS. 
> Most of these clients don't seem to support two way authentication. 
> You can have this option disabled:
> modparam("proto_tls","require_cert", "0").
>
> 477 error in my experience is usually a temporary connection error 
> related to  TLS, but not directly related to configuration.
>
> Nabeel
>
> On 12 Feb 2016 6:45 am, "Hamid Hashmi" <hamid2kviii at hotmail.com> wrote:
>
>     Nabeel
>
>     I don't know how to present a certificate from the client. I have tried
>     using Xoiper (Android - Free), SFLphone (Ubuntu) and CsipSimple
>     (Android) but there were no options to set a public key.
>
>     Now I am using CA signed certificates in opensips with disabled
>     flags of verify_cert and require_cert, having an error of *477
>     Send failed (477/TM).*
>
>     */Hamid R. Hashmi/*
>     Software Engineer - VoIP
>     Vopium A/S
>
>
>     ------------------------------------------------------------------------
>     Date: Tue, 9 Feb 2016 08:48:41 +0000
>     From: nabeelshikder at gmail.com
>     To: users at lists.opensips.org
>     Subject: Re: [OpenSIPS-Users] How to TLS ?
>
>     Hi,
>
>     Does the client present a client certificate? If not, then with
>     modparam("proto_tls","require_cert", "1"), OpenSIPS misleadingly logs:
>     'failed to accept: rejected by client'.  What it actually means is
>     that the client failed to present a certificate.
>
>     On 9 Feb 2016 6:06 am, "Hamid Hashmi" <hamid2kviii at hotmail.com> wrote:
>
>         It will be a great help if you please help me in configuring
>         TLS. I have followed this
>         <http://www.opensips.org/Documentation/Tutorials-TLS-2-1> to
>         configure TLS but was not able to verify certificates.
>
>         It's working if I disable the following flags
>
>         modparam("proto_tls","verify_cert", "0")
>         modparam("proto_tls","require_cert", "0")
>
>         BUT not verifying certificates. Please see logs
>         <http://pastebin.com/qmXZjSy2> if enabled
>
>         modparam("proto_tls","verify_cert", "1")
>         modparam("proto_tls","require_cert", "1")
>
>         then have following ERROR
>
>         Feb 9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29867]: [udp:keepalive at 192.168.26.181:8000]: Receive request OPTIONS from local server [192.168.26.181]
>         Feb 9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_accept: New TLS connection from 115.186.93.1:47015 failed to accept: rejected by client
>         Feb 9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
>         Feb 9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: [tcp:siplb at 192.168.26.180:6080]: In LOCAL Route sending OPTIONS to 192.168.26.181
>         Feb 9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:probe_max_sock_buff: using snd buffer of 244 kb
>         Feb 9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 17
>
>         Regards
>         */Hamid R. Hashmi/*
>
>
>         _______________________________________________
>         Users mailing list
>         Users at lists.opensips.org
>         http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>

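The two proto_tls errors explained in this thread can be picked out of a syslog file mechanically. The following is an added example, not code from the thread or from OpenSIPS: the function name `triage` is hypothetical, pairing an error with the last peer seen by the same worker PID is a heuristic assumption, and the sample lines are log entries from this thread with the line wrapping undone.

```python
import re

# Syslog prefix followed by the OpenSIPS "LEVEL:module:function: message" body.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) \S+\[(?P<pid>\d+)\]: "
    r"(?P<level>[A-Z]+):(?P<module>\w+):(?P<func>\w+): (?P<msg>.*)$"
)
PEER_RE = re.compile(r"New TLS connection from (?P<peer>[\d.]+:\d+)")
CHUNK_RE = re.compile(r"Made (?P<n>\d+) read attempts but message is not complete")

def triage(lines):
    """Return (timestamp, peer, hint) for each proto_tls ERROR explained in the thread."""
    last_peer = {}  # pid -> peer of the latest TLS connection logged by that worker (heuristic)
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["module"] != "proto_tls":
            continue
        peer = PEER_RE.search(m["msg"])
        if peer:
            last_peer[m["pid"]] = peer["peer"]
        if m["level"] != "ERROR":
            continue
        chunks = CHUNK_RE.search(m["msg"])
        if "rejected by client" in m["msg"]:
            # Reading given in the thread for require_cert = 1.
            hint = "no client certificate presented while require_cert is 1"
        elif chunks:
            hint = f"message still incomplete after {chunks['n']} reads; see tcp_max_msg_chunks"
        else:
            continue  # other proto_tls errors are not covered by the thread
        findings.append((m["ts"], last_peer.get(m["pid"], "unknown"), hint))
    return findings

# Sample input: entries from this thread, one per line.
SAMPLE = """\
Feb 9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_accept: New TLS connection from 115.186.93.1:47015 failed to accept: rejected by client
Feb 9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
Feb 16 13:11:43 ec2-siplb SIPLB[30844]: INFO:proto_tls:tls_accept: New TLS connection from 103.255.5.39:64219 accepted
Feb 16 13:11:43 ec2-siplb SIPLB[30844]: ERROR:proto_tls:tcp_handle_req: Made 4 read attempts but message is not complete yet - closing connection
""".splitlines()

if __name__ == "__main__":
    for ts, peer, hint in triage(SAMPLE):
        print(f"{ts}  {peer:<22} {hint}")
```

Repeated chunk-limit closures from one peer are worth checking against that client's behaviour before raising tcp_max_msg_chunks, since the limit exists as a protection.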