[OpenSIPS-Users] Teams TLS Error

Mark Farmer farmorg at gmail.com
Tue Nov 17 16:18:28 EST 2020


Hi Vlad/all

Sure (sanitized)

Nov 13 15:35:04 [175814] DBG:core:load_module: loading module
/usr/local/lib64/opensips/modules/tls_mgm.so
Nov 13 15:35:04 [175814] INFO:tls_mgm:mod_load: openssl version: OpenSSL
1.1.1f  31 Mar 2020
Nov 13 15:35:04 [175814] DBG:core:register_module: register_pv: tls_mgm
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches
module tls_mgm
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <certificate>
in module tls_mgm [/usr/local/lib64/opensips/modules/]
Nov 13 15:35:04 [175814] ERROR:tls_mgm:tlsp_set_certificate: TLS domain [
my.domain.com] not defined in '[my.domain.com
]/usr/local/etc/opensips/tls/my_domain_com.pem'
Nov 13 15:35:04 [175814] Traceback (last included file at the bottom):
Nov 13 15:35:04 [175814]  0. /usr/local//etc/opensips/opensips.cfg
Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in
/usr/local//etc/opensips/opensips.cfg:191:19-20: Parameter <certificate>
not found in module <tls_mgm> - can't set
Nov 13 15:35:04 [175814] #modparam("tls_mgm", "require_cert", "[dom4]1")
Nov 13 15:35:04 [175814]
Nov 13 15:35:04 [175814] modparam("tls_mgm","certificate", "[my.domain.com
]/usr/local/etc/opensips/tls/my_domain_com.pem")
Nov 13 15:35:04 [175814] ^~
Nov 13 15:35:04 [175814] modparam("tls_mgm","private_key", "[my.domain.com
]/usr/local/etc/opensips/tls/my_domain_com.key")
Nov 13 15:35:04 [175814] modparam("tls_mgm","ca_dir", "/etc/ssl/certs")
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches
module tls_mgm
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <private_key>
in module tls_mgm [/usr/local/lib64/opensips/modules/]
Nov 13 15:35:04 [175814] ERROR:tls_mgm:tlsp_set_pk: TLS domain [
my.domain.com] not defined in '[my.domain.com
]/usr/local/etc/opensips/tls/my_domain_com.key'
Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in
/usr/local//etc/opensips/opensips.cfg:192:19-20: Parameter <private_key>
not found in module <tls_mgm> - can't set
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches
module tls_mgm
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <ca_dir> in
module tls_mgm [/usr/local/lib64/opensips/modules/]
Nov 13 15:35:04 [175814] ERROR:tls_mgm:split_param_val: No TLS domain name
Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in
/usr/local//etc/opensips/opensips.cfg:193:19-20: Parameter <ca_dir> not
found in module <tls_mgm> - can't set
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches
module tls_mgm
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <verify_cert>
in module tls_mgm [/usr/local/lib64/opensips/modules/]
Nov 13 15:35:04 [175814] ERROR:tls_mgm:tlsp_set_verify: TLS domain [
my.domain.com] not defined in '[my.domain.com]1'
Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in
/usr/local//etc/opensips/opensips.cfg:194:19-20: Parameter <verify_cert>
not found in module <tls_mgm> - can't set
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches
module tls_mgm
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <require_cert>
in module tls_mgm [/usr/local/lib64/opensips/modules/]
Nov 13 15:35:04 [175814] ERROR:tls_mgm:tlsp_set_require: TLS domain [
my.domain.com] not defined in '[my.domain.com]1'
Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in
/usr/local//etc/opensips/opensips.cfg:195:19-20: Parameter <require_cert>
not found in module <tls_mgm> - can't set
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches
module tls_mgm
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <tls_method>
in module tls_mgm [/usr/local/lib64/opensips/modules/]
Nov 13 15:35:04 [175814] ERROR:tls_mgm:tlsp_set_method: TLS domain [
my.domain.com] not defined in '[my.domain.com]TLSv1_2'
Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in
/usr/local//etc/opensips/opensips.cfg:196:19-20: Parameter <tls_method> not
found in module <tls_mgm> - can't set
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches
module tls_mgm
Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found
<match_sip_domain> in module tls_mgm [/usr/local/lib64/opensips/modules/]
Nov 13 15:35:04 [175814] ERROR:tls_mgm:split_param_val: No TLS domain name
Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in
/usr/local//etc/opensips/opensips.cfg:198:20-21: Parameter
<match_sip_domain> not found in module <tls_mgm> - can't set



On Mon, 16 Nov 2020 at 20:44, Vlad Patrascu <vladp at opensips.org> wrote:

> Hi Mark,
>
> Can you post the actual errors that you get in the OpenSIPS logs, if that
> is the case?
>
> Regards,
>
> --
> Vlad Patrascu
> OpenSIPS Developer
> http://www.opensips-solutions.com
>
> On 16.11.2020 11:04, Mark Farmer wrote:
>
> Good morning all
>
> Can anyone clarify whether the TLS domain in SAN is supported or not
> please?
>
> Many thanks
> Mark.
>
>
> On Fri, 13 Nov 2020 at 15:59, Kevin Vines <kevin.vines at gmail.com> wrote:
>
>> You got me there... the doc states
>>
>> OpenSIPS offers SIP service for multiple domains, e.g. atlanta.com and biloxi.com. Although both domains will be hosted on a single SIP proxy, the SIP proxy needs 2 certificates: One for atlanta.com and one for biloxi.com. For incoming TLS connections
>>
>> If you need one cert per domain, maybe it implies that you need to have the domain as the CN instead of a SAN?
>>
>>  Kevin
>>
>> *From:* farmorg at gmail.com
>> *Sent:* November 13, 2020 10:43 a.m.
>> *To:* users at lists.opensips.org
>> *Reply to:* users at lists.opensips.org
>> *Subject:* Re: [OpenSIPS-Users] Teams TLS Error
>>
>> OK so now I have this:
>>
>> modparam("tls_mgm","certificate", "[my.domain.name]/usr/local/etc/opensips/tls/myCert.pem")
>> modparam("tls_mgm","private_key", "[my.domain.name]/usr/local/etc/opensips/tls/myKey.key")
>> modparam("tls_mgm","ca_dir", "/etc/ssl/certs")
>> modparam("tls_mgm","verify_cert", "[my.domain.name]1")
>> modparam("tls_mgm","require_cert", "[my.domain.name]1")
>> modparam("tls_mgm","tls_method", "[my.domain.name]TLSv1_2")
>> modparam("tls_mgm", "match_sip_domain", "my.domain.name")
>>
>> But now it claims that my.domain.name is not defined in myCert.pem
>> I know it is - it is in a SAN within the certificate.
>>
>> Any suggestions?
>> Many thanks
>> Mark.
>>
>>
>> On Fri, 13 Nov 2020 at 15:12, Kevin Vines <kevin.vines at gmail.com> wrote:
>>
>>> Hi Mark,
>>>
>>> Based on some googling it looks like you need to specify the domain eg:
>>>
>>> modparam("tls_mgm","verify_cert", "[domain.com]1")
>>>
>>> https://fossies.org/linux/opensips/modules/tls_mgm/README
>>>
>>> Kevin
>>> *From:* farmorg at gmail.com
>>> *Sent:* November 13, 2020 9:49 a.m.
>>> *To:* users at lists.opensips.org
>>> *Reply to:* users at lists.opensips.org
>>> *Subject:* [OpenSIPS-Users] Teams TLS Error
>>>
>>> Hi everyone
>>>
>>> OpenSIPS 3.1.0
>>>
>>> I am following the OpenSIPS as Teams SBC guide and have added the TLS
>>> config:
>>>
>>> modparam("tls_mgm","verify_cert", "1")
>>> modparam("tls_mgm","require_cert", "1")
>>> modparam("tls_mgm","tls_method", "TLSv1_2")
>>> modparam("tls_mgm","certificate", "/usr/local/etc/opensips/tls/myCert.pem")
>>> modparam("tls_mgm","private_key", "/usr/local/etc/opensips/tls/myKey.key")
>>> modparam("tls_mgm", "ca_dir", "/etc/ssl/certs")
>>>
>>> But I am seeing a TLS domain error:
>>>
>>> Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain
>>> name
>>> Nov 13 14:36:50 [175314] Traceback (last included file at the bottom):
>>> Nov 13 14:36:50 [175314]  0. /usr/local//etc/opensips/opensips.cfg
>>> Nov 13 14:36:50 [175314] CRITICAL:core:yyerror: parse error in
>>> /usr/local//etc/opensips/opensips.cfg:191:19-20: Parameter
>>> <verify_cert> not found in module <tls_mgm> - can't set
>>> Nov 13 14:36:50 [175314] #modparam("tls_mgm", "require_cert", "[dom4]1")
>>> Nov 13 14:36:50 [175314]
>>> Nov 13 14:36:50 [175314] modparam("tls_mgm","verify_cert", "1")
>>> Nov 13 14:36:50 [175314] ^~
>>> Nov 13 14:36:50 [175314] modparam("tls_mgm","require_cert", "1")
>>> Nov 13 14:36:50 [175314] modparam("tls_mgm","tls_method", "TLSv1_2")
>>> Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: tls_mgm matches
>>> module tls_mgm
>>> Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: found
>>> <require_cert> in module tls_mgm [/usr/local/lib64/opensips/modules/]
>>> Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain
>>> name
>>>
>>> Can anyone tell me what I might be missing please?
>>>
>>> Many thanks
>>> Mark.
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>
>>
>> --
>> Mark Farmer
>> farmorg at gmail.com
>>
>
>
> --
> Mark Farmer
> farmorg at gmail.com
>
>


-- 
Mark Farmer
farmorg at gmail.com
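
Added example, not part of the original message or of OpenSIPS: a pre-flight check that reports the two error classes in the log above ("No TLS domain name" and "TLS domain [...] not defined") before the config is loaded. It assumes, per the tls_mgm module documentation, that a TLS domain name is declared with server_domain or client_domain earlier in the file than the parameters that reference it; lint_tls_mgm and SAMPLE are names made up for this example.

```python
import re

# Per-domain tls_mgm parameters seen in the log in this thread.
PER_DOMAIN = {"certificate", "private_key", "ca_dir", "verify_cert",
              "require_cert", "tls_method", "match_sip_domain"}
# Assumption: these parameters declare a TLS domain name.
DECLARE = {"server_domain", "client_domain"}

MODPARAM = re.compile(
    r'^\s*modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)')
DOMAIN_PREFIX = re.compile(r'^\[([^\]]*)\]')


def lint_tls_mgm(cfg_text):
    """Return (line_no, param, problem) for each per-domain parameter that
    has no [domain] prefix or names a domain not declared above it."""
    declared, findings = set(), []
    for no, line in enumerate(cfg_text.splitlines(), 1):
        m = MODPARAM.match(line)
        if not m:
            continue  # not a tls_mgm modparam, or commented out
        param, value = m.groups()
        if param in DECLARE:
            declared.add(value.strip())
        elif param in PER_DOMAIN:
            d = DOMAIN_PREFIX.match(value)
            name = d.group(1).strip() if d else None
            if name is None:
                findings.append((no, param, "no TLS domain name"))
            elif name not in declared:
                findings.append((no, param, "TLS domain [%s] not defined" % name))
    return findings


# Constructed sample, shaped like the second config posted in the thread.
SAMPLE = """\
#modparam("tls_mgm", "require_cert", "[dom4]1")
modparam("tls_mgm","certificate", "[my.domain.name]/usr/local/etc/opensips/tls/myCert.pem")
modparam("tls_mgm","ca_dir", "/etc/ssl/certs")
modparam("tls_mgm","verify_cert", "[my.domain.name]1")
modparam("tls_mgm", "match_sip_domain", "my.domain.name")
"""

if __name__ == "__main__":
    for no, param, problem in lint_tls_mgm(SAMPLE):
        print("line %d: %s: %s" % (no, param, problem))
```

The check works line by line, so a modparam whose value is wrapped across two lines (as mail clients tend to do) has to be rejoined before it is run.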