[OpenSIPS-Users] opensips tls issue

Pasan Meemaduma pasan_5 at yahoo.com
Mon Mar 23 09:51:43 EST 2020


Hi Guys,
I'm trying to setup ms teams integration as per https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/
I got everything setup and when start opensips. I get below error message.
I'm out of ideas as I could connect to microsoft servers using the openssl command manually. Can anyone give a clue as to whats wrong?

Software versions
opensips -V
version: opensips 2.4.4 (x86_64/linux)
openssl                       1.1.0l-1~deb9u1
 


config file

modparam("tls_mgm", "server_domain", "dom1=172.31.36.39:5061")
#modparam("tls_mgm", "match_ip_address", "[dom1]172.31.36.39:5061")
#modparam("tls_mgm", "match_sip_domain", "[dom1]msteams-sbc.x.com")
modparam("tls_mgm","verify_cert", "[dom1]1")
modparam("tls_mgm","require_cert", "[dom1]1")
modparam("tls_mgm","tls_method", "[dom1]TLSv1_2")
modparam("tls_mgm","certificate", "[dom1]/etc/tls/x.com/x.com.crt")
modparam("tls_mgm","private_key", "[dom1]/etc/tls/x.com/x.com.au.key")
modparam("tls_mgm", "ca_list", "[dom1]/etc/tls/x.com/x.com.-ca.crt")
modparam("tls_mgm", "ca_dir", "[dom1]/etc/ssl/certs/")
modparam("tls_mgm", "tls_handshake_timeout", 300)
modparam("proto_tls", "tls_max_msg_chunks", 8)





Error in syslogMar 23 09:39:33 ip-172-31-36-39 /usr/sbin/opensips[12859]: INFO:core:probe_max_sock_buff: using snd buffer of 416 kb
Mar 23 09:39:33 ip-172-31-36-39 /usr/sbin/opensips[12859]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 6
Mar 23 09:39:34 ip-172-31-36-39 /usr/sbin/opensips[12859]: NOTICE:tls_mgm:verify_callback: depth = 1
Mar 23 09:39:34 ip-172-31-36-39 /usr/sbin/opensips[12859]: NOTICE:tls_mgm:verify_callback: subject = /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 4
Mar 23 09:39:34 ip-172-31-36-39 /usr/sbin/opensips[12859]: NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local issuer certificate
Mar 23 09:39:34 ip-172-31-36-39 /usr/sbin/opensips[12859]: NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error code is 20 (check x509_vfy.h)
Mar 23 09:39:34 ip-172-31-36-39 /usr/sbin/opensips[12859]: NOTICE:tls_mgm:verify_callback: verify return:0
Mar 23 09:39:34 ip-172-31-36-39 /usr/sbin/opensips[12859]: INFO:proto_tls:tls_connect: New TLS connection to 52.114.148.0:5061 established
Mar 23 09:39:34 ip-172-31-36-39 /usr/sbin/opensips[12859]: INFO:proto_tls:tls_dump_cert_info: tls_connect: server TLS certificate subject: /CN=sip.pstnhub.microsoft.com, issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 4
Mar 23 09:39:34 ip-172-31-36-39 /usr/sbin/opensips[12859]: WARNING:proto_tls:tls_connect: TLS server certificate verification failed
Mar 23 09:39:34 ip-172-31-36-39 /usr/sbin/opensips[12859]: ERROR:proto_tls:tls_dump_verification_failure: unable to get local issuer certificate
Mar 23 09:39:34 ip-172-31-36-39 /usr/sbin/opensips[12859]: INFO:proto_tls:tls_dump_cert_info: tls_connect: local TLS client certificate subject: /C=AU/ST=Victoria/L=x x/O=x x Pty. Ltd./CN=*.x.com, issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018



  I can successfully connect to ms servers using openssl command as below,
    openssl s_client -cert /etc/tls/x.com/x.com.crt -key /etc/tls/x.com/x.com.key -CApath /etc/ssl/certs/ -connect sip.pstnhub.microsoft.com:5061 output
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DD3600000099EA880BECA036929C403E2F6431288A6F4E5B56199CEB8A2E2811
    Session-ID-ctx: 
    Master-Key: DFD1ED75E7D5637BC57C78E0FA17D55B565527BB8DB4789D19F696A034DC1FAB1C0B3AB5C373CCA83286BE5C8BF4817A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1584957003
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)


  Regards,Pasan
  Distinguishing What && How !
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20200323/ccdcde5f/attachment.html>


More information about the Users mailing list