[OpenSIPS-Users] opensips 2.4.4: bug in tls_mgm

Vlad Patrascu vladp at opensips.org
Thu Mar 7 05:45:53 EST 2019


Hi Johan,

The issue is probably caused by the fact that OpenSIPS tries to 
initialize a 'default' client and server domain and the certificate file 
is inexistent at the default path 
('/usr/local/opensips//etc/opensips/tls/cert.pem'). So even if you 
define your "sv_dom" custom server domain, OpenSIPS still tries to 
create default domains for fallback purposes. When you omit the 
'[sv_dom]' prefix for the domain settings in your second test, you 
overwrite the default ones (with a valid path for the certificate this 
time).

In conclusion, either specify your custom domain _and_ default domains 
separately (set the modparams multiple times) or make sure the 
certificate is found at the default path. Also, note that it's not 
necessary to define a custom server domain if you only intend to use a 
single one, as the default will match any socket.

Regards,

Vlad Patrascu
OpenSIPS Developer
http://www.opensips-solutions.com

On 02/17/2019 01:35 PM, johan de clercq wrote:
>
> Hi,
>
> I believe that I have found a bug in tls_mgm:
>
> Using opensips default certificates:
>
> /usr/local/opensips/etc/opensips/tls# ls -lu
> total 24
> -rw-r--r-- 1 root staff 2049 Feb 17 12:13 ca.conf
> -rw-r--r-- 1 root staff 1048 Feb 17 12:13 README
> -rw-r--r-- 1 root staff 1127 Feb 17 12:13 request.conf
> drwxr-sr-x 4 root staff 4096 Feb 17 12:16 rootCA
> drwxr-sr-x 2 root staff 4096 Feb 17 12:13 user
> -rw-r--r-- 1 root staff  591 Feb 17 12:13 user.conf
>
> /usr/local/opensips/etc/opensips/tls/rootCA# ls
> cacert.pem  certs  index.txt  private serial
>
> Tls params:
>
> loadmodule "tls_mgm.so"
> modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
> modparam("tls_mgm", "require_cert", "[sv_dom]0")
> modparam("tls_mgm", "verify_cert", "[sv_dom]0")
> modparam("tls_mgm", "tls_method", "[sv_dom]SSLv23")
> modparam("tls_mgm", "certificate", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
> modparam("tls_mgm", "private_key", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
> modparam("tls_mgm", "ca_list", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
>
> #### PROTO_TLS module
> loadmodule "proto_tls.so"
> modparam("proto_tls", "trace_destination", "hep_dest")
> modparam("proto_tls", "trace_on", 1)
>
> I removed the passphrase:
>
> mv etc/tls/rootCA/private/cakey.pem etc/tls/rootCA/private/cakey.pem.protected
>
> openssl rsa -in etc/tls/rootCA/private/cakey.pem.protected -out etc/tls/rootCA/private/cakey.pem
>
> and then tried to run opensips from cmdline : ./opensips -f /usr/local/opensips/etc/opensips/opensips.cfg
>
> syslog output:
>
> Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/usr/local/opensips//etc/opensips/tls/cert.pem'
> Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
> Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:init_mod: failed to initialize module tls_mgm
> Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:main: error while initializing modules
> Feb 17 12:22:01 ns3012072 ./opensips[28673]: CRITICAL:core:sig_usr: segfault in attendant (starter) process!
> Feb 17 12:22:01 ns3012072 kernel: [ 4024.678398] opensips[28673]: segfault at 7fcb76dbf850 ip 00007fcb76546f69 sp 00007ffe803ac150 error 4 in libcrypto.so.1.1[7fcb763df000+265000]
>
> Next I tried with:
>
> loadmodule "tls_mgm.so"
> #modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
> modparam("tls_mgm", "require_cert", "0")
> modparam("tls_mgm", "verify_cert", "0")
> modparam("tls_mgm", "tls_method", "SSLv23")
> modparam("tls_mgm", "certificate", "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
> modparam("tls_mgm", "private_key", "/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
> modparam("tls_mgm", "ca_list", "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
>
> #### PROTO_TLS module
> loadmodule "proto_tls.so"
> modparam("proto_tls", "trace_destination", "hep_dest")
> modparam("proto_tls", "trace_on", 1)
>
> and then opensips starts…
>
> Can you please explain what I am doing wrong ?
>
> Johan De Clercq, Managing Director
> Democon bvba - Ooigemstraat 41 - 8780 Oostrozebeke
>
> Tel +3256980990– GSM +32478720104

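The start-up failure explained in the reply above can be caught before OpenSIPS is launched. The following pre-flight check is an added example, not part of the original thread or of OpenSIPS itself; its function names are hypothetical, it assumes the `[domain]` prefix syntax shown in the quoted configuration, and it takes the default certificate path from the logged error.

```python
import os
import re

# Assumption: built-in default path, copied from the error logged in the thread.
DEFAULT_CERT = "/usr/local/opensips//etc/opensips/tls/cert.pem"
CA_CERT = "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem"

# Uncommented modparam("tls_mgm", "<name>", "<value>") lines only.
MODPARAM = re.compile(
    r'^[ \t]*modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)', re.M)
SCOPED = re.compile(r'\[(\w+)\](.*)')

# Constructed sample: the first test from the thread (custom domain only).
CUSTOM_ONLY = f'''
modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "certificate", "[sv_dom]{CA_CERT}")
'''
# Constructed sample: custom domain plus an explicit default-domain certificate.
CUSTOM_AND_DEFAULT = CUSTOM_ONLY + f'modparam("tls_mgm", "certificate", "{CA_CERT}")\n'


def tls_certificates(cfg_text):
    """Map each TLS domain to the certificate file OpenSIPS will try to load."""
    certs = {"default": DEFAULT_CERT}  # default domains are always initialised
    for name, value in MODPARAM.findall(cfg_text):
        if name != "certificate":
            continue
        scoped = SCOPED.fullmatch(value)
        if scoped:   # "[sv_dom]/path" sets the certificate of one named domain
            certs[scoped.group(1)] = scoped.group(2)
        else:        # no prefix: overrides the default domains
            certs["default"] = value
    return certs


def missing_certificates(cfg_text, exists=os.path.isfile):
    """Return sorted (domain, path) pairs whose certificate file is absent."""
    return sorted((domain, path)
                  for domain, path in tls_certificates(cfg_text).items()
                  if not exists(path))


if __name__ == "__main__":
    for label, cfg in (("custom only", CUSTOM_ONLY),
                       ("custom + default", CUSTOM_AND_DEFAULT)):
        print(label, "->", missing_certificates(cfg) or "all certificate files found")
```

Run against the real `opensips.cfg` text, a `('default', ...)` entry in the result corresponds to the "Failed to init TLS domain 'default'" error in the quoted log.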