[OpenSIPS-Users] help setting up TLS

Callum Guy callum.guy at x-on.co.uk
Wed Sep 5 05:55:34 EDT 2018 

Can you confirm the contents of  'something.com:/usr/src/
opensips-2.4.1/tls_cnf/tls/rootCA/cacert.pem' and that opensips daemon user
has access to the path?

You don't need to setup client and server domains if you are just testing, *but
you do need to be using tls_mgm* (
http://www.opensips.org/html/docs/modules/devel/tls_mgm.html):

Here is an example strong configuration which might get you started - put
the certs where you have them, ensure they are accessible and perhaps
comment out the strong ciphers etc while testing, as per the example:

listen=tls:your_serv_IP:5061
loadmodule "proto_tls.so"
loadmodule "proto_udp.so"
loadmodule "tls_mgm.so"

# TLS: Default configuration
modparam("tls_mgm", "certificate", "/etc/pki/tls/certs/this-domain.sip.crt")
modparam("tls_mgm", "private_key",
"/etc/pki/tls/private/this-domain.sip.key")
modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")
modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")
# Define standards:
#modparam("tls_mgm", "ciphers_list",
"EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
#modparam("tls_mgm", "verify_cert", "1")
#modparam("tls_mgm", "require_cert", "1")
#modparam("tls_mgm", "tls_method", "TLSv1_2")
#modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")
#modparam("tls_mgm", "ec_curve", "secp384r1")



On Tue, Sep 4, 2018 at 6:57 PM Dominic <wallnut.monkeys at gmail.com> wrote:

> Hi all, I'm currently trying to setup OpenSIPS to use tls. For this I am
> following the steps described here:
> http://www.opensips.org/Documentation/Tutorials-TLS-2-2
>
> This is a dev box, so for now I just want to get things working, my setup
> is as follows:
> UACs are registering to Opensips, which is setup as a mid-registrar in
> front of asterisk. Rtpproxy is used on a different box to relay the rtp
> between the UACs and Asterisk.
>
> I followed the steps described in the tutorial mentioned above but I
> cannot get opensips to startup. So I have a few questions regarding the
> tutorial:
>
> question 1:
> If my opensips is only accepting connections (phones registering to it
> from the internet), then I presume I only need the server domain part in
> the following part of the tutorial?:
>
> #server domain
>  modparam("proto_tls", "server_domain", "sv_dom=<your-ip-address>:<port>")
>  modparam("proto_tls", "certificate", "sv_dom:$CERT_DIR/rootCA/cacert.pem")
>  modparam("proto_tls", "private_key", "sv_dom:$CERT_DIR/rootCA/private/cakey.pem")
>  modparam("proto_tls", "ca_list", "sv_dom:$CERT_DR/rootCA/cacert.pem")
>
>  #client domain
>  modparam("proto_tls", "client_domain", "cl_dom=<UAS-ip-address>:<port>")
>  modparam("proto_tls", "certificate", "cl_dom:$CERT_DIR/user/user-cert.pem")
>  modparam("proto_tls", "private_key", "cl_dom:$CERT_DIR/user/user-privkey.pem")
>  modparam("proto_tls", "ca_list", "cl_dom:$CERT_DR/user/user-calist.pem")
>
>
> question 2:
> in the above code, I need to replace sv_dom with what exactly something
> like blablabla.com?
>
> question 3:
> Do I need to edit the certificates conf files (ca.conf, request.conf,
> user.conf), because I just copied the existing files as is, which may be
> why I'm having issues.
>
> So far I tried using the ones generated by the opensipctl tls  command and
> I am always getting the errors below upon startup. I also tried the builtin
> certificaties and I get the same result:
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> INFO:tls_mgm:mod_init: initializing TLS management
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> INFO:tls_mgm:mod_init: openssl version: OpenSSL 1.0.2g  1 Mar 2016
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> INFO:tls_mgm:mod_init: disabling compression due ZLIB problems
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> INFO:tls_mgm:init_tls_dom: Processing TLS domain 'default'
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> DBG:tls_mgm:init_ssl_ctx_behavior: no DH params file for tls domain
> 'default' defined, using default '(null)'
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> NOTICE:tls_mgm:init_ssl_ctx_behavior: No EC curve defined
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> NOTICE:tls_mgm:init_ssl_ctx_behavior: cipher list set to NULL
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> INFO:tls_mgm:init_ssl_ctx_behavior: client verification NOT activated.
> Weaker security.
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> ERROR:tls_mgm:load_certificate: unable to load certificate file
> 'something.com:/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/cacert.pem'
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> ERROR:core:init_mod: failed to initialize module tls_mgm
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
> ERROR:core:main: error while initializing modules
>
> If anyone sees something I don't feel free to let me know
> Thanks
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
-- 
Callum Guy
Head of Information Security
X-on

-- 





*0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   ** 
<https://www.linkedin.com/company/x-on>   <https://www.facebook.com/XonTel> 
  <https://twitter.com/xonuk> *


























X-on
is a trading 
name of Storacall Technology Ltd a limited company registered in
England 
and Wales.

Registered Office : Avaland House, 110 London Road, Apsley, 
Hemel Hempstead,
Herts, HP3 9SD. Company Registration No. 2578478.

The 
information in this e-mail is confidential and for use by the addressee(s)

only. If you are not the intended recipient, please notify X-on immediately 
on +44(0)333 332 0000 and delete the
message from your computer. If you are 
not a named addressee you must not use,
disclose, disseminate, distribute, 
copy, print or reply to this email. Views
or opinions expressed by an 
individual
within this email may not necessarily
reflect the views of X-on 
or its associated companies. Although X-on routinely
screens for viruses, 
addressees should scan this email and any attachments
for
viruses. X-on 
makes no representation or warranty as to the absence of viruses
in this 
email or any attachments.







-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20180905/00b0ee67/attachment-0001.html>

More information about the Users mailing list