[OpenSIPS-Users] mid_registrar TLS

Bogdan-Andrei Iancu bogdan at opensips.org
Thu Feb 10 11:15:03 UTC 2022


Yes, doing a wildcard for SIP/IP matching in the TLS domain definition 
is the correct approach if you plan to use only one certificate.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS eBootcamp
   https://www.opensips.org/Training/Bootcamp

On 2/10/22 1:09 PM, Alberto wrote:
> I was confused because I use a wildcard cert, so I only have one cert 
> for server/client and any possible subdomain. I don't need to match 
> server/client requests to different certs.
> So I ended up with this config and it seems to work fine.
> Thanks
>
> loadmodule "tls_mgm.so"
> modparam("tls_mgm", "tls_library", "wolfssl")
>
> modparam("tls_mgm", "server_domain", "sd_1")
> modparam("tls_mgm", "ca_list", "[sd_1]/etc/letsencrypt/fullchain.pem")
> modparam("tls_mgm", "certificate", "[sd_1]/etc/letsencrypt/cert.pem")
> modparam("tls_mgm", "private_key", "[sd_1]/etc/letsencrypt/privkey.pem")
> modparam("tls_mgm", "require_cert", "[sd_1]0")
> modparam("tls_mgm", "tls_method", "[sd_1]TLSv1-")
> modparam("tls_mgm", "verify_cert", "[sd_1]0")
> modparam("tls_mgm", "match_sip_domain", "[sd_1]*")
> modparam("tls_mgm", "match_ip_address", "[sd_1]*")
>
> modparam("tls_mgm", "client_domain", "cd_1")
> modparam("tls_mgm", "ca_list", "[cd_1]/etc/letsencrypt/fullchain.pem")
> modparam("tls_mgm", "certificate", "[cd_1]/etc/letsencrypt/cert.pem")
> modparam("tls_mgm", "private_key", "[cd_1]/etc/letsencrypt/privkey.pem")
> modparam("tls_mgm", "require_cert", "[cd_1]0")
> modparam("tls_mgm", "tls_method", "[cd_1]TLSv1-")
> modparam("tls_mgm", "verify_cert", "[cd_1]0")
> modparam("tls_mgm", "match_sip_domain", "[cd_1]*")
> modparam("tls_mgm", "match_ip_address", "[cd_1]*")
>
>
> On Thu, 10 Feb 2022 at 07:59, Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:
>
>     Hi Alberto,
>
>     When OpenSIPS is about to create a new TLS connection, it has to
>     know what TLS certificate (client) to use for it.
>
>     There are 2 ways of indicating that:
>
>     * use "match_ip_address" [1] to map the TLS client domain to some
>     IPs you want to connect to via TLS
>
>     * use "client_tls_domain_avp" [2] to manually select from script
>     which TLS domain is to be used - set the AVP before the t_relay() to
>     the TLS destination.
>
>
>     [1]
>     https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_match_ip_address
>
>     [2]
>     https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_client_tls_domain_avp
>
>     Best regards,
>
>     Bogdan-Andrei Iancu
>
>     OpenSIPS Founder and Developer
>        https://www.opensips-solutions.com
>     OpenSIPS eBootcamp
>        https://www.opensips.org/Training/Bootcamp
>
>     On 2/4/22 2:40 PM, Alberto wrote:
>>     Hi,
>>     I have a SIP client connecting to OpenSIPS using TLS, all
>>     requests are then routed to an Asterisk server using mid_registrar.
>>
>>     UDP to UDP and TCP to TCP work fine, but TLS doesn't.
>>
>>     This is the error, but I'm having a hard time understanding it.
>>
>>     Feb  4 12:29:32 [3406] //etc/opensips/opensips.cfg:453 Forward REGISTER for sip:tls-1001@10.0.0.252:5061 to 10.0.0.153:5061;transport=tls
>>     Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>     Feb  4 12:29:32 [3406] ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7ff9be1810f8
>>     Feb  4 12:29:32 [3406] ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket
>>     Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_send: async TCP connect failed
>>     Feb  4 12:29:32 [3406] ERROR:tm:msg_send: send() to 10.0.0.153:5061 for proto tls/3 failed
>>     Feb  4 12:29:32 [3406] ERROR:tm:t_forward_nonack: sending request failed
>>     Feb  4 12:29:32 [3406] ERROR:tm:w_t_relay: t_forward_nonack failed
>>
>>
>>     My configuration:
>>     #############
>>     loadmodule "mid_registrar.so"
>>     modparam("mid_registrar", "attr_avp", "$avp(avp_json)")
>>     modparam("mid_registrar", "max_contacts", 1)
>>     modparam("mid_registrar", "mode", 0)
>>     modparam("mid_registrar", "tcp_persistent_flag", "TCP_PERSIST_REGISTRATIONS")
>>
>>     loadmodule "tls_mgm.so"
>>     modparam("tls_mgm", "tls_library", "wolfssl")
>>     modparam("tls_mgm", "server_domain", "dom1")
>>     modparam("tls_mgm", "ca_list", "[dom1]/etc/letsencrypt/fullchain.pem")
>>     modparam("tls_mgm", "certificate", "[dom1]/etc/letsencrypt/cert.pem")
>>     modparam("tls_mgm", "private_key", "[dom1]/etc/letsencrypt/privkey.pem")
>>     modparam("tls_mgm", "require_cert", "[dom1]0")
>>     modparam("tls_mgm", "tls_method", "[dom1]TLSv1-")
>>     modparam("tls_mgm", "verify_cert", "[dom1]0")
>>
>>     loadmodule "proto_tls.so"
>>
>>     ###############
>>     $ru = "sip:10.0.0.153:5061;transport=tls";
>>     setflag("TCP_PERSISTENT");
>>     route(relay);
>>
>>
>>     Thanks
>>
>
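An added example, not from this thread or the OpenSIPS project, of the second approach Bogdan lists (client_tls_domain_avp) in OpenSIPS 3.2-style syntax, with the client domain set to verify the Asterisk server's certificate rather than disabling verification. The AVP name, the domain name cd_ast, the CA file path and the "TLSv1_2-" range are assumptions.

```cfg
loadmodule "tls_mgm.so"
loadmodule "proto_tls.so"
modparam("tls_mgm", "tls_library", "wolfssl")

# Client TLS domain used when OpenSIPS connects out to the Asterisk box.
modparam("tls_mgm", "client_domain", "cd_ast")
modparam("tls_mgm", "certificate", "[cd_ast]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[cd_ast]/etc/letsencrypt/privkey.pem")
# Assumed path: the CA that issued the Asterisk server certificate,
# not our own Let's Encrypt chain, so verification is meaningful.
modparam("tls_mgm", "ca_list", "[cd_ast]/etc/opensips/tls/asterisk-ca.pem")
# With verify_cert=1 on a client domain, the remote (server) certificate is
# checked against ca_list; require_cert=1 refuses peers that present none.
modparam("tls_mgm", "verify_cert", "[cd_ast]1")
modparam("tls_mgm", "require_cert", "[cd_ast]1")
# Assumed range syntax, following the "TLSv1-" form in the thread: TLSv1.2 and up.
modparam("tls_mgm", "tls_method", "[cd_ast]TLSv1_2-")

# No match_ip_address / match_sip_domain here: the domain is chosen from
# script through this AVP (assumed AVP name).
modparam("tls_mgm", "client_tls_domain_avp", "$avp(tls_client_dom)")

route[relay_tls_asterisk] {
    # Select the client TLS domain before t_relay() opens the outbound
    # connection; with neither this AVP nor a matching rule set, proto_tls
    # fails with "no TLS client domain found" as in the log above.
    $avp(tls_client_dom) = "cd_ast";
    $ru = "sip:10.0.0.153:5061;transport=tls";
    setflag("TCP_PERSISTENT");
    if (!t_relay()) {
        xlog("L_ERR", "TLS relay to $ru failed\n");
        send_reply(500, "Server Internal Error");
    }
}
```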
