[OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

Callum Guy callum.guy at x-on.co.uk
Tue Jul 25 08:26:44 EDT 2017


Hi All,

Running: opensips-2.3.1-1.el7.x86_64 / CentOS 7

I have been working with a new TLS connection and have been having problems
validating their client certificate. My OpenSIPS configuration works fine
for other providers (i.e. Twilio); however, I am seeing the following error
messages reported while verify_cert is enabled:

Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: depth = 0
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: subject = /serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local issuer certificate
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error code is 20 (check x509_vfy.h)
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify return:0
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept: New TLS connection from 178.22.140.34:34281 failed to accept
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading

Part of my reason for resorting to the mailing list is old mailing list
emails discussing that multi-domain certificates are not supported by
OpenSIPS - is anyone able to confirm if this remains a problem?

The OpenSSL error code 20 is translated as
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

I have seen other reports that this issue may be related to an improperly
chained certificate - does this sound at all likely?

Any tips on debugging would be greatly appreciated, thanks.

Callum
-- 
Callum Guy
Head of Information Security
X-on
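
The question above, whether error 20 can come from an incompletely chained certificate, can be checked outside OpenSIPS with the openssl CLI. The script below is an added example, not part of the original post: the three-level test PKI, its names (Example Test Root CA, sip.example.test) and the `make_chain` and `verify_code` helpers are all constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed test PKI (root -> intermediate -> leaf); names are made up.
set -eu

# Build the three certificates in an empty directory ($1).
make_chain() (
  cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Example Test Root CA" -keyout root.key -out root.pem
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example Test Intermediate CA" -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 2 \
    -days 2 -extfile pki.cnf -extensions ca_ext -out int.pem
  # The leaf is signed by the intermediate, never directly by the root.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=sip.example.test" -keyout leaf.key -out leaf.csr
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 3 \
    -days 2 -out leaf.pem
  cat int.pem root.pem > bundle.pem
) >/dev/null 2>&1

# Print the first verify error number, or 0 when a chain to a trusted CA builds.
# $1 = trusted CA file, $2 = certificate to check, $3 = optional file of
# intermediates supplied by the peer (not trusted by themselves).
verify_code() (
  out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) || true
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-0}"
)

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"
cd "$work"
echo "CA file = root only, peer sends leaf only:         $(verify_code root.pem leaf.pem)"
echo "CA file = root only, peer sends leaf+intermediate: $(verify_code root.pem leaf.pem int.pem)"
echo "CA file = root+intermediate, peer sends leaf only: $(verify_code bundle.pem leaf.pem)"
```

Error 20 is a chain-building failure: it reports that no issuer for the certificate at that depth was found among the trusted or supplied certificates.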