[OpenSIPS-Users] opensips 2.2.5 and TLS configuration

Jonathan Hunter hunterj91 at hotmail.com
Fri Sep 8 11:40:10 EDT 2017


Hi Guys,

Sorry for the noise.

I am testing SIP over TLS and having some issues getting client devices to register, having upgraded from opensips 1.11 to 2.2.5.

Please see my configuration below:


opensips 2.2.5


listen=tcp:<Public_IP>:5060
listen=tls:<Public_IP>:5061
loadmodule "proto_tcp.so"
loadmodule "proto_udp.so"
loadmodule "proto_tls.so"
loadmodule "tls_mgm.so"

#Global params
modparam("tls_mgm", "tls_method", "SSLv23")
modparam("tls_mgm", "certificate", "/etc/opensips/tls/rootCA/certs/ssl_certificate.pem")
modparam("tls_mgm", "private_key", "/etc/opensips/tls/rootCA/certs/sip.provider.net.pem")
modparam("tls_mgm", "ca_list", "/etc/opensips/tls/rootCA/certs/IntermediateCA.pem")
modparam("tls_mgm", "require_cert", "0")
modparam("tls_mgm", "verify_cert", "1")
#server domain
modparam("tls_mgm", "server_domain", "sv_dom=<Public_IP>:5061")
modparam("tls_mgm", "certificate", "sv_dom:/etc/opensips/tls/rootCA/certs/ssl_certificate.pem")
modparam("tls_mgm", "private_key", "sv_dom:/etc/opensips/tls/rootCA/certs/sip.provider.net.pem")
modparam("tls_mgm", "ca_list", "sv_dom:/etc/opensips/tls/rootCA/certs/IntermediateCA.pem")
modparam("tls_mgm", "tls_method", "sv_dom:SSLv23")
modparam("tls_mgm", "require_cert", "sv_dom:0")
modparam("tls_mgm", "verify_cert", "sv_dom:1")



I am trying to register both a Bria client and a Yealink, and I can't register my device; the opensips logs show no errors:

Sep  8 15:14:56 localhost VU-SIP-Proxy[14664]: INFO:core:probe_max_sock_buff: using snd buffer of 244 kb
Sep  8 15:14:56 localhost VU-SIP-Proxy[14664]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 37
Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_accept: New TLS connection from 91.151.6.28:10405 accepted
Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_accept: Client did not present a TLS certificate
Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_dump_cert_info: tls_accept: local TLS server certificate subject: /CN=sip.provider.net, issuer: /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA

And in a Wireshark trace, when debugging using the private key, I see Client Hello, Server Hello, Certificate, Server Hello Done, then Client Key Exchange, Change Cipher Spec, Finished, then New Session Ticket, Change Cipher Spec, then Finished.

At which point I see Close Notify.

Do I need to specify a Ciphers list?

I appreciate debugging TLS can be complex but having had it working ok in the testing phase on 1.11 I presume I am just misconfiguring for 2.2?

Many Thanks!

Jon
