[OpenSIPS-Users] no TLS client domain found error
Bogdan-Andrei Iancu
bogdan at opensips.org
Wed May 18 06:15:10 UTC 2022
Hi Jehanzaib,
The sequence for the MST TLS domains is wrong.
For each TLS domain block, you need to start only with a server_domain
or client_domain - of course, different names. And for each domain you
need you set the matching conditions. See
https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#domains-param
Basically something like:
modparam("tls_mgm", "server_domain", "formsteams_server")
modparam("tls_mgm", "match_ip_address", "[formsteams_server]....")
modparam("tls_mgm", "match_sip_domain", "[formsteams_server]....")
modparam("tls_mgm", "certificate", "[formsteams_server].....)
....
modparam("tls_mgm", "client_domain", "formsteams_client")
modparam("tls_mgm", "match_ip_address", "[formsteams_client]....")
modparam("tls_mgm", "match_sip_domain", "[formsteams_client]....")
modparam("tls_mgm", "certificate", "[formsteams_client].....)
....
Best regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS eBootcamp 23rd May - 3rd June 2022
https://opensips.org/training/OpenSIPS_eBootcamp_2022/
On 5/18/22 2:38 AM, Jehanzaib Younis wrote:
> Hi Bogdan,
> That's the problem, when I try to add the client_domain I get an
> error. Actually, I have a working config for webrtc but now I am
> adding a new domain for MS teams direct route. In fact, any other
> domain gives an error. If I disable MS Teams domain, the opensips do
> not give an error message and my webrtc client can connect without any
> issue.
>
> loadmodule "tls_mgm.so"
> modparam("tls_mgm", "tls_library", "wolfssl")
>
> #### (WebRTC) Client
> modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")
> modparam("tls_mgm", "certificate",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")
> modparam("tls_mgm", "private_key",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")
> modparam("tls_mgm", "ca_list",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")
> modparam("tls_mgm", "ca_dir",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")
> modparam("tls_mgm", "tls_method", "[sip.mywebphone.xx]SSLv23")
> modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")
> modparam("tls_mgm", "require_cert", "[sip.mywebphone.xx]1")
>
> ### This is for MS-Teams direct route
> modparam("tls_mgm", "server_domain", "dom1.formsteams.com
> <http://dom1.formsteams.com>")
> modparam("tls_mgm", "client_domain", "dom1.formsteams.com
> <http://dom1.formsteams.com>")
> modparam("tls_mgm", "certificate", "[dom1.formsteams.com
> <http://dom1.formsteams.com>]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem
> <http://dom1.formsteams.com/cert.pem>")
> modparam("tls_mgm", "private_key", "[dom1.formsteams.com
> <http://dom1.formsteams.com>]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem
> <http://dom1.formsteams.com/privkey.pem>")
> modparam("tls_mgm", "ca_list", "[dom1.formsteams.com
> <http://dom1.formsteams.com>]/etc/letsencrypt/live/dom1.formsteams.com/fullchain.pem
> <http://dom1.formsteams.com/fullchain.pem>")
> modparam("tls_mgm", "ca_dir", "[dom1.formsteams.com
> <http://dom1.formsteams.com>]/etc/letsencrypt/live/dom1.formsteams.com
> <http://dom1.formsteams.com>")
> modparam("tls_mgm", "tls_method", "[dom1.formsteams.com
> <http://dom1.formsteams.com>]SSLv23")
> modparam("tls_mgm", "verify_cert", "[dom1.formsteams.com
> <http://dom1.formsteams.com>]1")
> modparam("tls_mgm", "require_cert", "[dom1.formsteams.com
> <http://dom1.formsteams.com>]1")
> modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")
>
> When i enable the MS-Teams direct route domain i get the below error:
> no certificate for tls domain ' dom1.formsteams.com
> <http://dom1.formsteams.com> ' defined
>
>
> Regards,
> Jehanzaib
>
>
> On Wed, May 18, 2022 at 3:04 AM Bogdan-Andrei Iancu
> <bogdan at opensips.org <mailto:bogdan at opensips.org>> wrote:
>
> Hi Jehanzaib,
>
> What are the TLS client domains you have defined in your tls_mgm
> module ?
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com <https://www.opensips-solutions.com>
> OpenSIPS eBootcamp 23rd May - 3rd June 2022
> https://opensips.org/training/OpenSIPS_eBootcamp_2022/ <https://opensips.org/training/OpenSIPS_eBootcamp_2022/>
>
> On 5/17/22 4:32 PM, Jehanzaib Younis wrote:
>> Hi,
>>
>> I am having trouble to send/receive OPTIONS to ms teams.
>> Using the dispatcher module. The socket is defined
>> as tls:*mysbcip*:5061
>> Looks like when my opensips (3.2.x) tries to send OPTIONS. it is
>> giving me the following error
>> *
>> *
>> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>> ERROR:core:tcp_conn_create: failed to do proto 3 specific init
>> for conn 0x7f00ef2a85a0
>> ERROR:core:tcp_async_connect: tcp_conn_create failed
>> ERROR:proto_tls:proto_tls_send: async TCP connect failed
>> ERROR:tm:msg_send: send() to 52.114.76.76:5061
>> <http://52.114.76.76:5061> for proto tls/3 failed
>> ERROR:tm:t_uac: attempt to send to
>> 'sip:sip3.pstnhub.microsoft.com:5061;transport:tls' failed
>>
>> I am setting the Contact as <sip:mytlsdomain:5061;transport=tls>
>>
>> Looks like the client domain is used for outgoing TLS connection
>> but no idea which domain i need to add here. The socket is my
>> opensips ip address.
>>
>> Has anyone seen a similar kind of behaviour?
>>
>> Thank you.
>>
>> Regards,
>> Jehanzaib
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220518/653102ea/attachment-0001.html>
More information about the Users
mailing list