[OpenSIPS-Users] Teams TLS Error

Vlad Patrascu vladp at opensips.org
Mon Nov 16 20:41:58 EST 2020


Hi Mark,

Can you post the actual errors that you get in the OpenSIPS logs, if 
that is the case?

Regards,

-- 
Vlad Patrascu
OpenSIPS Developer
http://www.opensips-solutions.com

On 16.11.2020 11:04, Mark Farmer wrote:
> Good morning all
>
> Can anyone clarify whether the TLS domain in SAN is supported or not 
> please?
>
> Many thanks
> Mark.
>
>
> On Fri, 13 Nov 2020 at 15:59, Kevin Vines <kevin.vines at gmail.com> wrote:
>
>     You got me there... the doc states
>
>     OpenSIPS offers SIP service for multiple
>     domains, e.g. atlanta.com and biloxi.com. Although both domains
>     will be hosted on a single SIP proxy, the SIP proxy needs 2
>     certificates: One for atlanta.com and one for biloxi.com. For
>     incoming TLS connections
>
>     If you need one cert per domain, maybe it implies that you need to
>     have the domain as the CN instead of a SAN?
>
>     Kevin
>
>     *From:* farmorg at gmail.com
>     *Sent:* November 13, 2020 10:43 a.m.
>     *To:* users at lists.opensips.org
>     *Reply to:* users at lists.opensips.org
>     *Subject:* Re: [OpenSIPS-Users] Teams TLS Error
>
>
>     OK so now I have this:
>
>     modparam("tls_mgm","certificate", "[my.domain.name]/usr/local/etc/opensips/tls/myCert.pem")
>     modparam("tls_mgm","private_key", "[my.domain.name]/usr/local/etc/opensips/tls/myKey.key")
>     modparam("tls_mgm","ca_dir", "/etc/ssl/certs")
>     modparam("tls_mgm","verify_cert", "[my.domain.name]1")
>     modparam("tls_mgm","require_cert", "[my.domain.name]1")
>     modparam("tls_mgm","tls_method", "[my.domain.name]TLSv1_2")
>     modparam("tls_mgm", "match_sip_domain", "my.domain.name")
>
>     But now it claims that my.domain.name is not defined in myCert.pem.
>     I know it is - it is in a SAN within the certificate.
>
>     Any suggestions?
>     Many thanks
>     Mark.
>
>
>     On Fri, 13 Nov 2020 at 15:12, Kevin Vines <kevin.vines at gmail.com> wrote:
>
>         Hi Mark,
>
>         Based on some googling it looks like you need to specify the
>         domain eg:
>
>         modparam("tls_mgm","verify_cert", "[domain.com]1")
>
>         https://fossies.org/linux/opensips/modules/tls_mgm/README
>
>         Kevin
>
>         *From:* farmorg at gmail.com
>         *Sent:* November 13, 2020 9:49 a.m.
>         *To:* users at lists.opensips.org
>         *Reply to:* users at lists.opensips.org
>         *Subject:* [OpenSIPS-Users] Teams TLS Error
>
>
>         Hi everyone
>
>         OpenSIPS 3.1.0
>
>         I am following the OpenSIPS as Teams SBC guide and have added
>         the TLS config:
>
>         modparam("tls_mgm","verify_cert", "1")
>         modparam("tls_mgm","require_cert", "1")
>         modparam("tls_mgm","tls_method", "TLSv1_2")
>         modparam("tls_mgm","certificate", "/usr/local/etc/opensips/tls/myCert.pem")
>         modparam("tls_mgm","private_key", "/usr/local/etc/opensips/tls/myKey.key")
>         modparam("tls_mgm", "ca_dir", "/etc/ssl/certs")
>
>         But I am seeing a TLS domain error:
>
>         Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain name
>         Nov 13 14:36:50 [175314] Traceback (last included file at the bottom):
>         Nov 13 14:36:50 [175314]  0. /usr/local//etc/opensips/opensips.cfg
>         Nov 13 14:36:50 [175314] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/opensips.cfg:191:19-20: Parameter <verify_cert> not found in module <tls_mgm> - can't set
>         Nov 13 14:36:50 [175314] #modparam("tls_mgm", "require_cert", "[dom4]1")
>         Nov 13 14:36:50 [175314]
>         Nov 13 14:36:50 [175314] modparam("tls_mgm","verify_cert", "1")
>         Nov 13 14:36:50 [175314] ^~
>         Nov 13 14:36:50 [175314] modparam("tls_mgm","require_cert", "1")
>         Nov 13 14:36:50 [175314] modparam("tls_mgm","tls_method", "TLSv1_2")
>         Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm
>         Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: found <require_cert> in module tls_mgm [/usr/local/lib64/opensips/modules/]
>         Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain name
>
>         Can anyone tell me what I might be missing please?
>
>         Many thanks
>         Mark.
>
>         _______________________________________________
>         Users mailing list
>         Users at lists.opensips.org
>         http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>
>     -- 
>     Mark Farmer
>     farmorg at gmail.com
>
>
>
> -- 
> Mark Farmer
> farmorg at gmail.com
>
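A small lint for the symptom in the first message of the thread (`split_param_val: No TLS domain name`), added here as an example and not part of any poster's message or of the OpenSIPS code base: it scans a configuration for active `tls_mgm` `modparam` lines whose value lacks the `[domain]` prefix used in the later messages. The function name, the set of checked parameters (taken only from this thread) and the sample configuration are assumptions.

```python
import re

# Parameters the thread shows written as "[domain]value".
# Assumption: taken from the messages above, not the module's full list.
PER_DOMAIN = {"certificate", "private_key", "verify_cert",
              "require_cert", "tls_method"}

MODPARAM = re.compile(
    r'^[ \t]*modparam\(\s*"tls_mgm"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)',
    re.MULTILINE)
PREFIX = re.compile(r'\[([^\]]+)\](.*)', re.DOTALL)


def lint_tls_mgm(cfg_text):
    """Return (findings, domains).

    findings: list of (line_no, param, problem) for active modparam lines.
    domains:  {domain_name: set of params set for it}.
    """
    findings, domains = [], {}
    for m in MODPARAM.finditer(cfg_text):
        name, value = m.group(1), m.group(2)
        if name not in PER_DOMAIN:
            continue  # e.g. ca_dir, which the thread leaves unprefixed
        line_no = cfg_text.count("\n", 0, m.start()) + 1
        p = PREFIX.fullmatch(value)
        if p is None:
            findings.append((line_no, name, "no [domain] prefix"))
        elif not p.group(2).strip():
            findings.append((line_no, name, "nothing after [domain]"))
        else:
            domains.setdefault(p.group(1), set()).add(name)
    return findings, domains


# Constructed sample, modelled on the first configuration in the thread.
BEFORE = '''\
#modparam("tls_mgm", "require_cert", "[dom4]1")
modparam("tls_mgm","verify_cert", "1")
modparam("tls_mgm","require_cert", "1")
modparam("tls_mgm","tls_method", "TLSv1_2")
modparam("tls_mgm","certificate", "/usr/local/etc/opensips/tls/myCert.pem")
modparam("tls_mgm", "ca_dir", "/etc/ssl/certs")
'''

if __name__ == "__main__":
    for line_no, param, problem in lint_tls_mgm(BEFORE)[0]:
        print(f"line {line_no}: {param}: {problem}")
```

Commented-out lines such as the `#modparam(...)` one echoed in the posted log are skipped, so only settings that the parser would actually load are reported.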