[OpenSIPS-Users] opensips 2.2.5 and TLS configuration

Callum Guy callum.guy at x-on.co.uk
Mon Sep 11 03:58:50 EDT 2017


Try turning off certificate verification while you work through the issue.


I have also found that there is a need on opensips 2.2.x to re-specify the
global params under your server/client domains - I have certainly had
issues with that in the past. Try issuing all of your global directives a
second time, prefixed with your server domain.


Personally I specify the ciphers list and aim for a higher standard of
security - here's an excerpt:


modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")
modparam("tls_mgm", "ec_curve", "secp384r1")
modparam("tls_mgm", "ciphers_list", "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
modparam("tls_mgm", "verify_cert", "1")   # Switch off during initial testing to rule this out
modparam("tls_mgm", "require_cert", "1")  # Switch off during initial testing to rule this out
modparam("tls_mgm", "tls_method", "TLSv1_2")
modparam("tls_mgm", "certificate", "/etc/pki/tls/certs/dom.sip.crt")
modparam("tls_mgm", "private_key", "/etc/pki/tls/private/dom.sip.key")
modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")
modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")


Note the inclusion of ca_dir and ciphers_list. Looking forward to hearing
how you get on.

On Fri, Sep 8, 2017 at 4:42 PM Jonathan Hunter <hunterj91 at hotmail.com>
wrote:

> Hi Guys,
>
> Sorry for the noise.
>
> I am testing SIP over TLS and having some issues getting client devices to
> register having upgraded from opensips 1.11 to 2.2.5.
>
> Please see my configuration below;
>
>
> opensips 2.2.5
>
>
> listen=tcp:<Public_IP>:5060
> listen=tls:<Public_IP>:5061
> loadmodule "proto_tcp.so"
> loadmodule "proto_udp.so"
> loadmodule "proto_tls.so"
> loadmodule "tls_mgm.so"
>
> #Global params
> modparam("tls_mgm", "tls_method", "SSLv23")
> modparam("tls_mgm", "certificate", "/etc/opensips/tls/rootCA/certs/ssl_certificate.pem")
> modparam("tls_mgm", "private_key", "/etc/opensips/tls/rootCA/certs/sip.provider.net.pem")
> modparam("tls_mgm", "ca_list", "/etc/opensips/tls/rootCA/certs/IntermediateCA.pem")
> modparam("tls_mgm", "require_cert", "0")
> modparam("tls_mgm", "verify_cert", "1")
> #server domain
> modparam("tls_mgm", "server_domain", "sv_dom=<Public_IP>:5061")
> modparam("tls_mgm", "certificate", "sv_dom:/etc/opensips/tls/rootCA/certs/ssl_certificate.pem")
> modparam("tls_mgm", "private_key", "sv_dom:/etc/opensips/tls/rootCA/certs/sip.provider.net.pem")
> modparam("tls_mgm", "ca_list", "sv_dom:/etc/opensips/tls/rootCA/certs/IntermediateCA.pem")
> modparam("tls_mgm", "tls_method", "sv_dom:SSLv23")
> modparam("tls_mgm", "require_cert", "sv_dom:0")
> modparam("tls_mgm", "verify_cert", "sv_dom:1")
>
>
>
> I am trying to register both Bria client and Yealink and I can't register
> my device, opensips logs show no errors;
>
> Sep  8 15:14:56 localhost VU-SIP-Proxy[14664]: INFO:core:probe_max_sock_buff: using snd buffer of 244 kb
> Sep  8 15:14:56 localhost VU-SIP-Proxy[14664]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 37
> Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_accept: New TLS connection from 91.151.6.28:10405 accepted
> Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_accept: Client did not present a TLS certificate
> Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_dump_cert_info: tls_accept: local TLS server certificate subject: /CN=sip.provider.net, issuer: /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>
> And in a Wireshark trace when debugging I see, using the private key, there
> is Client Hello, Server Hello, Certificate, Server Hello Done, then Client
> Key Exchange, Change Cipher Spec, Finished, then New Session Ticket, Change
> Cipher Spec, then Finished.
>
> At which point I see Close Notify.
>
> Do I need to specify a Ciphers list?
>
> I appreciate debugging TLS can be complex but having had it working ok in
> the testing phase on 1.11 I presume I am just misconfiguring for 2.2?
>
> Many Thanks!
>
> Jon
>
-- 
Callum Guy
Head of Information Security
X-on
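As an added example (not OpenSIPS code and not from either poster), a small Python checker that parses tls_mgm modparam lines, overlays the sv_dom values on the global ones in the way the reply describes re-specifying them, and flags the SSLv23 method, a missing ciphers_list and the verify_cert/require_cert combination; the sample config is constructed from the quoted post, and the domain prefix syntax ("sv_dom=ip:port", "sv_dom:value") is taken from it.

```python
import re
# Matches one modparam("tls_mgm", "<name>", "<value>") line of opensips.cfg.
MODPARAM = re.compile(r'modparam\("tls_mgm",\s*"(\w+)",\s*"([^"]*)"\)')

def parse_tls_mgm(cfg):
    """Return {domain: {param: value}}; key '' holds the global params.
    Domains are declared as 'sv_dom=<ip>:<port>' and domain-scoped values
    carry a 'sv_dom:' prefix, exactly as in the thread's config."""
    scopes = {"": {}}
    for name, value in MODPARAM.findall(cfg):
        if name in ("server_domain", "client_domain"):
            dom, _, addr = value.partition("=")
            scopes.setdefault(dom, {})[name] = addr
        elif ":" in value and value.split(":", 1)[0] in scopes:
            dom, val = value.split(":", 1)
            scopes[dom][name] = val
        else:
            scopes[""][name] = value
    return scopes

def effective(scopes, dom):
    """Globals first, then the domain's own re-specified values on top."""
    merged = dict(scopes[""])
    merged.update(scopes.get(dom, {}))
    return merged

def lint(cfg):
    """Flag the weak or ambiguous settings discussed in the thread."""
    findings, scopes = [], parse_tls_mgm(cfg)
    for dom in scopes:
        p, tag = effective(scopes, dom), dom or "global"
        if p.get("tls_method", "SSLv23") == "SSLv23":  # SSLv23 is the module default
            findings.append(f"{tag}: tls_method SSLv23 negotiates any version; pin TLSv1_2")
        if "ciphers_list" not in p:
            findings.append(f"{tag}: no ciphers_list set; OpenSSL defaults apply")
        if p.get("verify_cert") == "1" and p.get("require_cert") == "0":
            findings.append(f"{tag}: verify_cert=1 but require_cert=0; "
                            "client cert is optional and checked only if sent")
    return findings

# Constructed sample: the poster's global and sv_dom settings, trimmed.
POSTER_CFG = """
modparam("tls_mgm", "tls_method", "SSLv23")
modparam("tls_mgm", "require_cert", "0")
modparam("tls_mgm", "verify_cert", "1")
modparam("tls_mgm", "server_domain", "sv_dom=<Public_IP>:5061")
modparam("tls_mgm", "tls_method", "sv_dom:SSLv23")
modparam("tls_mgm", "verify_cert", "sv_dom:1")
"""
```

Run `lint(POSTER_CFG)` to see the three findings reported once for the globals and once for sv_dom; the reply's excerpt (TLSv1_2, explicit ciphers_list, verify and require both 1) produces none.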
