[OpenSIPS-Users] Bug on TLS Management Interface

Bogdan-Andrei Iancu bogdan at opensips.org
Wed Aug 17 16:17:02 UTC 2022


You can add extra methods in the combo, not a problem - the question is 
if opensips will understand it when loading from DB - do you see any 
errors on reload?

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

On 8/17/22 5:52 PM, Francisco Neto wrote:
> Hi Bogdan-Andrei!!
>
> I’ve made the changes on the code as you requested. On CP I could fill 
> the match_sip_domain with * and update the item; after that the errors 
> in the log file have changed a lot.
> Below are the errors that are appearing to me now:
>
> By the way, directly in the config file the SSL method that worked 
> better for me was “TLSv1-”. This option didn’t exist in 
> tviewer.inc.php, but I have created this option in the file. Is there 
> any problem with adding a new valid combo option?
>
> Thanks!
>
> ERROR:proto_tls:proto_tls_send: failed to send
> Aug 17 11:49:15 bowser /usr/sbin/opensips[1958]: ERROR:tm:msg_send: 
> send() to 52.114.76.76:5061 for proto tls/3 failed
> Aug 17 11:49:15 bowser /usr/sbin/opensips[1958]: ERROR:tm:t_uac: 
> attempt to send to 'sip:sip2.pstnhub.microsoft.com:5061' failed
> Aug 17 11:49:15 bowser /usr/sbin/opensips[1948]: 
> ERROR:tls_openssl:openssl_tls_connect: SSL_ERROR_SYSCALL err=Resource 
> temporarily unavailable(11)
> Aug 17 11:49:15 bowser /usr/sbin/opensips[1948]: 
> ERROR:tls_openssl:openssl_tls_connect: New TLS connection to 
> 52.114.76.76:5061 failed
> Aug 17 11:49:15 bowser /usr/sbin/opensips[1948]: 
> ERROR:tls_openssl:openssl_tls_connect: TLS error: 5 (ret=-1) 
> err=Resource temporarily unavailable(11)
> Aug 17 11:49:15 bowser /usr/sbin/opensips[1948]: 
> ERROR:proto_tls:tls_read_req: failed to do pre-tls handshake!
> Aug 17 11:49:15 bowser /usr/sbin/opensips[1958]: 
> ERROR:tls_openssl:openssl_tls_connect: New TLS connection to 
> 52.114.14.70:5061 failed
> Aug 17 11:49:15 bowser /usr/sbin/opensips[1958]: 
> ERROR:tls_openssl:openssl_tls_connect: TLS error: 1 (ret=-1) 
> err=Success(0)
> Aug 17 11:49:15 bowser /usr/sbin/opensips[1958]: 
> ERROR:tls_openssl:tls_print_errstack: TLS errstack: error:1416F086:SSL 
> routines:tls_process_server_certificate:certificate verify failed
>
>
> On Aug 17, 2022 at 04:29 -0300, Bogdan-Andrei Iancu 
> <bogdan at opensips.org> wrote:
>> Hi Francisco,
>>
>> Please check 
>> https://github.com/OpenSIPS/opensips-cp/commit/1e738fd948fcc83004b0b99edb4f361c0a8b784c 
>> - update again and give it a try by adding "*" for the match_domain
>>
>> Regards,
>> Bogdan-Andrei Iancu
>>
>> On 8/16/22 11:32 PM, Francisco Neto wrote:
>>> Hi Bogdan-Andrei!
>>>
>>> Actually I’ve tried using a blank SIP domain, with * (it didn’t 
>>> let me press update on CP), and with the client certificate (fqdn and 
>>> domain part only), and in all scenarios the error is the same as 
>>> described below:
>>>
>>> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>> Aug 16 17:29:30 bowser /usr/sbin/opensips[1128]: 
>>> ERROR:core:tcp_conn_create: failed to do proto 3 specific init for 
>>> conn 0x7efe29a648a8
>>> Aug 16 17:29:30 bowser /usr/sbin/opensips[1128]: 
>>> ERROR:core:tcp_sync_connect: tcp_conn_create failed, closing the socket
>>> Aug 16 17:29:30 bowser /usr/sbin/opensips[1128]: 
>>> ERROR:proto_tls:proto_tls_send: connect failed
>>> Aug 16 17:29:30 bowser /usr/sbin/opensips[1128]: ERROR:tm:msg_send: 
>>> send() to 52.114.132.46:5061 for proto tls/3 failed
>>> Aug 16 17:29:30 bowser /usr/sbin/opensips[1128]: ERROR:tm:t_uac: 
>>> attempt to send to 'sip:sip.pstnhub.microsoft.com:5061' failed
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: 
>>> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: 
>>> ERROR:core:tcp_conn_create: failed to do proto 3 specific init for 
>>> conn 0x7efe29b341a8
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: 
>>> ERROR:core:tcp_sync_connect: tcp_conn_create failed, closing the socket
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: 
>>> ERROR:proto_tls:proto_tls_send: connect failed
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: ERROR:tm:msg_send: 
>>> send() to 52.114.76.76:5061 for proto tls/3 failed
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: ERROR:tm:t_uac: 
>>> attempt to send to 'sip:sip2.pstnhub.microsoft.com:5061' failed
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: 
>>> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: 
>>> ERROR:core:tcp_conn_create: failed to do proto 3 specific init for 
>>> conn 0x7efe29a17ec8
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: 
>>> ERROR:core:tcp_sync_connect: tcp_conn_create failed, closing the socket
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: 
>>> ERROR:proto_tls:proto_tls_send: connect failed
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: ERROR:tm:msg_send: 
>>> send() to 52.114.14.70:5061 for proto tls/3 failed
>>> Aug 16 17:29:31 bowser /usr/sbin/opensips[1128]: ERROR:tm:t_uac: 
>>> attempt to send to 'sip:sip3.pstnhub.microsoft.com:5061' failed
>>>
>>> Below is my actual config section about TLS
>>>
>>> loadmodule "proto_tls.so"
>>> modparam("proto_tls","tls_max_msg_chunks", 8)
>>> modparam("proto_tls","tls_handshake_timeout", 600)
>>> modparam("proto_tls", "tls_send_timeout", 2000)
>>>
>>>
>>> loadmodule "tls_openssl.so"
>>> loadmodule "tls_mgm.so"
>>> modparam("tls_mgm", "db_url", "mysql://opensips:XXXXXXXXXX@localhost/opensips")
>>> modparam("tls_mgm", "db_table", "tls_mgm")
>>> modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")
>>>
>>>
>>> On Aug 11, 2022 at 12:59 -0300, Bogdan-Andrei Iancu 
>>> <bogdan at opensips.org> wrote:
>>>> Hi Francisco,
>>>>
>>>> So, if you use a wildcard for match_sip_domain in the client TLS 
>>>> domain, it doesn't work for you?
>>>>
>>>> Regards.
>>>> Bogdan-Andrei Iancu
>>>>
>>>> On 8/10/22 5:03 PM, Francisco Neto wrote:
>>>>> Hi Bogdan-Andrei!
>>>>>
>>>>> I’ve made the changes and now I can edit the TLS certificates 
>>>>> normally by control panel but I continue having a problem.
>>>>>
>>>>> If I configure the certificate directly on the configuration file 
>>>>> the connection with Microsoft Teams is correctly established, if I 
>>>>> configure through control panel, I receive on log the following 
>>>>> messages:
>>>>>
>>>>> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>>>> Aug 10 11:00:04 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:core:tcp_conn_create: failed to do proto 3 specific init for 
>>>>> conn 0x7f22a5f993d0
>>>>> Aug 10 11:00:04 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:core:tcp_sync_connect: tcp_conn_create failed, closing the 
>>>>> socket
>>>>> Aug 10 11:00:04 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:proto_tls:proto_tls_send: connect failed
>>>>> Aug 10 11:00:04 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:tm:msg_send: send() to 52.114.132.46:5061 for proto tls/3 failed
>>>>> Aug 10 11:00:04 bowser /usr/sbin/opensips[55047]: ERROR:tm:t_uac: 
>>>>> attempt to send to 'sip:sip.pstnhub.microsoft.com' failed
>>>>> Aug 10 11:00:04 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>>>> Aug 10 11:00:04 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:core:tcp_conn_create: failed to do proto 3 specific init for 
>>>>> conn 0x7f22a5f91420
>>>>> Aug 10 11:00:04 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:core:tcp_sync_connect: tcp_conn_create failed, closing the 
>>>>> socket
>>>>> Aug 10 11:00:04 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:proto_tls:proto_tls_send: connect failed
>>>>> Aug 10 11:00:04 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:tm:msg_send: send() to 52.114.76.76:5061 for proto tls/3 failed
>>>>> Aug 10 11:00:04 bowser /usr/sbin/opensips[55047]: ERROR:tm:t_uac: 
>>>>> attempt to send to 'sip:sip2.pstnhub.microsoft.com' failed
>>>>> Aug 10 11:00:05 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:core:tcp_connect_blocking_timeout: connect timed out, 599667 
>>>>> us elapsed out of 600000 us
>>>>> Aug 10 11:00:05 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:core:tcp_sync_connect_fd: tcp_blocking_connect failed
>>>>> Aug 10 11:00:05 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:proto_tls:proto_tls_send: connect failed
>>>>> Aug 10 11:00:05 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:tm:msg_send: send() to 52.114.32.169:5061 for proto tls/3 failed
>>>>> Aug 10 11:00:05 bowser /usr/sbin/opensips[55047]: ERROR:tm:t_uac: 
>>>>> attempt to send to 'sip:sip3.pstnhub.microsoft.com' failed
>>>>> Aug 10 11:00:09 bowser /usr/sbin/opensips[55047]: 
>>>>> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>>>>
>>>>> I will send attached the screenshot of the control panel and below 
>>>>> the configuration that works.
>>>>>
>>>>> If it isn’t related to the same problem tell me and I send the 
>>>>> message to the open list ok!
>>>>>
>>>>> Thanks!
>>>>>
>>>>> # TLS CLIENT
>>>>> #modparam("tls_mgm", "client_domain", "sbcsothis")
>>>>> #modparam("tls_mgm", "match_sip_domain", "[sbcsothis]*")
>>>>> #modparam("tls_mgm", "match_ip_address", "[sbcsothis]*")
>>>>> #modparam("tls_mgm", "verify_cert", "[sbcsothis]1")
>>>>> #modparam("tls_mgm", "require_cert", "[sbcsothis]1")
>>>>> #modparam("tls_mgm", "tls_method", "[sbcsothis]TLSv1-")
>>>>> #modparam("tls_mgm", "certificate", "[sbcsothis]/etc/opensips/tls/user/sothistelecom.com.crt")
>>>>> #modparam("tls_mgm", "private_key", "[sbcsothis]/etc/opensips/tls/user/sothistelecom.com.key")
>>>>> #modparam("tls_mgm", "ca_list", "[sbcsothis]/etc/ssl/certs/ca-certificates.crt")
>>>>> #modparam("tls_mgm", "ca_dir", "[sbcsothis]/etc/ssl/certs/")
>>>>> Config file
>>>>>
>>>>>
>>
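
Added example (not part of the thread and not OpenSIPS code): a Python triage helper for logs like the ones quoted above. It strips the mail quoting, rejoins syslog records wrapped over several lines, and groups each ERROR by the stage it points at. The stage names and the `RULES` table are assumptions made here, and the sample lines are constructed in the shape of the lines in the thread.

```python
import re
from collections import Counter

# Constructed sample in the shape of the quoted logs: mail quoting ("> ")
# and syslog records wrapped over several lines.
SAMPLE = """\
>>> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>> Aug 16 17:29:30 bowser /usr/sbin/opensips[1128]: ERROR:tm:msg_send:
>>> send() to 52.114.132.46:5061 for proto tls/3 failed
> Aug 17 11:49:15 bowser /usr/sbin/opensips[1948]:
> ERROR:tls_openssl:openssl_tls_connect: SSL_ERROR_SYSCALL err=Resource
> temporarily unavailable(11)
> Aug 17 11:49:15 bowser /usr/sbin/opensips[1958]:
> ERROR:tls_openssl:tls_print_errstack: TLS errstack: error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
"""

SYSLOG_PREFIX = re.compile(r"[A-Z][a-z]{2} +\d{1,2} [\d:]{8} \S+ \S+\[\d+\]:")
RECORD = re.compile(r"ERROR:(\w+):(\w+):\s*(.*?)(?=ERROR:\w+:\w+:|$)")

# Assumed stage labels (not OpenSIPS terminology); first matching rule wins.
# The comments name the tls_mgm settings from the thread worth checking.
RULES = [
    ("client-domain lookup", "no TLS client domain found"),  # match_sip_domain / match_ip_address
    ("peer certificate verification", "certificate verify failed"),  # ca_list / ca_dir / verify_cert
    ("handshake I/O", "SSL_ERROR_SYSCALL"),
    ("tcp connect", "connect timed out"),
]

def records(text):
    """Return (module, function, message) for every ERROR record."""
    lines = [re.sub(r"^[> ]+", "", ln).strip() for ln in text.splitlines()]
    flat = SYSLOG_PREFIX.sub(" ", " ".join(lines))
    return [(m.group(1), m.group(2), " ".join(m.group(3).split()))
            for m in RECORD.finditer(flat)]

def stage(message):
    """Map one ERROR message to a stage label."""
    for name, needle in RULES:
        if needle in message:
            return name
    return "follow-on"  # e.g. tm:msg_send reporting the earlier failure

def triage(text):
    """Count ERROR records per stage."""
    return Counter(stage(msg) for _, _, msg in records(text))

if __name__ == "__main__":
    for name, count in triage(SAMPLE).most_common():
        print(f"{count:3d}  {name}")
```
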
