[OpenSIPS-Users] no TLS client domain found error

Ovidiu Sas osas at voipembedded.com
Wed May 18 13:34:19 UTC 2022 

Please upgrade to the latest version and see if the error persists. If yes,
please run the server in debug mode and save the logs so this issue can be
investigated properly.

Thanks,
Ovidiu

On Wed, May 18, 2022 at 09:02 Jehanzaib Younis <jehanzaib.kiani at gmail.com>
wrote:

> Thank you Bogdan,
> That helped a lot. As you mentioned I need to start only with
> server_domain or client_domain.
> Now I changed my config a bit as shown below:
> #### (WebRTC) Client
> modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")
> modparam("tls_mgm", "certificate",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")
> modparam("tls_mgm", "private_key",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")
> modparam("tls_mgm", "ca_list",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")
> modparam("tls_mgm", "ca_dir",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")
> modparam("tls_mgm", "tls_method", "[sip.mywebphone.xx]SSLv23")
> modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")
> modparam("tls_mgm", "require_cert", "[sip.mywebphone.xx]1")
>
> ### This is for MS-Teams direct route
> modparam("tls_mgm", "client_domain", "dom1.formsteams.com")
> modparam("tls_mgm", "certificate", "[dom1.formsteams.com
> ]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem")
> modparam("tls_mgm", "private_key", "[dom1.formsteams.com
> ]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem")
> modparam("tls_mgm", "ca_list", "[dom1.formsteams.com
> ]/etc/letsencrypt/live/dom1.formsteams.com/fullchain.pem")
> modparam("tls_mgm", "ca_dir", "[dom1.formsteams.com]/etc/letsencrypt/live/
> dom1.formsteams.com")
> modparam("tls_mgm", "tls_method", "[dom1.formsteams.com]SSLv23")
> modparam("tls_mgm", "verify_cert", "[dom1.formsteams.com]1")
> modparam("tls_mgm", "require_cert", "[dom1.formsteams.com]1")
> modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")
>
> Looks like the initial handshake is fine when my server sends OPTIONS to
> MSTeams. There is a bug in the code according to the logs as shown below:
>
> opensips[10659]: CRITICAL:core:io_watch_add: #012>>> used fd map fd=142 is
> not present in fd_array
> (fd=142,type=19,flags=80000003,data=0x7f825805ceb8)#012#012It seems you
> have hit a programming bug.#012Please help us make OpenSIPS better by
> reporting it at https://github.com/OpenSIPS/opensips/issues
> opensips[10659]: CRITICAL:core:io_watch_add: [TCP_main] check failed after
> successful fd add (fd=141,type=19,data=0x7f825804fd98,flags=1) already=0
> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 1, verify
> success
> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 0, verify
> success
> opensips[23993]: INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS
> connection to 52.114.16.74:5061 established
> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 1, verify
> success
> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 0, verify
> success
> opensips[23995]: INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS
> connection to 52.114.76.76:5061 established
>
>
> Regards,
> Jehanzaib
>
>
> On Wed, May 18, 2022 at 6:15 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
> wrote:
>
>> Hi Jehanzaib,
>>
>> The sequence for the MST TLS domains is wrong.
>>
>> For each TLS domain block, you need to start only with a server_domain
>> or client_domain - of course, different names. And for each domain you need
>> you set the matching conditions. See
>> https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#domains-param
>>
>> Basically something like:
>>
>> modparam("tls_mgm", "server_domain", "formsteams_server")
>> modparam("tls_mgm", "match_ip_address", "[formsteams_server]....")
>> modparam("tls_mgm", "match_sip_domain", "[formsteams_server]....")
>> modparam("tls_mgm", "certificate", "[formsteams_server].....)
>> ....
>>
>>
>> modparam("tls_mgm", "client_domain", "formsteams_client")
>> modparam("tls_mgm", "match_ip_address", "[formsteams_client]....")
>> modparam("tls_mgm", "match_sip_domain", "[formsteams_client]....")
>> modparam("tls_mgm", "certificate", "[formsteams_client].....)
>> ....
>>
>>
>> Best regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>   https://www.opensips-solutions.com
>> OpenSIPS eBootcamp 23rd May - 3rd June 2022
>>   https://opensips.org/training/OpenSIPS_eBootcamp_2022/
>>
>> On 5/18/22 2:38 AM, Jehanzaib Younis wrote:
>>
>> Hi Bogdan,
>> That's the problem, when I try to add the client_domain I get an error.
>> Actually, I have a working config for webrtc but now I am adding a new
>> domain for MS teams direct route. In fact, any other domain gives an error.
>> If I disable MS Teams domain, the opensips do not give an error message and
>> my webrtc client can connect without any issue.
>>
>> loadmodule "tls_mgm.so"
>> modparam("tls_mgm", "tls_library", "wolfssl")
>>
>> #### (WebRTC) Client
>> modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")
>> modparam("tls_mgm", "certificate",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")
>> modparam("tls_mgm", "private_key",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")
>> modparam("tls_mgm", "ca_list",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")
>> modparam("tls_mgm", "ca_dir",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")
>> modparam("tls_mgm", "tls_method", "[sip.mywebphone.xx]SSLv23")
>> modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")
>> modparam("tls_mgm", "require_cert", "[sip.mywebphone.xx]1")
>>
>> ### This is for MS-Teams direct route
>> modparam("tls_mgm", "server_domain", "dom1.formsteams.com")
>> modparam("tls_mgm", "client_domain", "dom1.formsteams.com")
>> modparam("tls_mgm", "certificate", "[dom1.formsteams.com
>> ]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem")
>> modparam("tls_mgm", "private_key", "[dom1.formsteams.com
>> ]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem")
>> modparam("tls_mgm", "ca_list", "[dom1.formsteams.com
>> ]/etc/letsencrypt/live/dom1.formsteams.com/fullchain.pem")
>> modparam("tls_mgm", "ca_dir", "[dom1.formsteams.com
>> ]/etc/letsencrypt/live/dom1.formsteams.com")
>> modparam("tls_mgm", "tls_method", "[dom1.formsteams.com]SSLv23")
>> modparam("tls_mgm", "verify_cert", "[dom1.formsteams.com]1")
>> modparam("tls_mgm", "require_cert", "[dom1.formsteams.com]1")
>> modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")
>>
>> When i enable the MS-Teams direct route domain i get the below error:
>> no certificate for tls domain ' dom1.formsteams.com ' defined
>>
>>
>> Regards,
>> Jehanzaib
>>
>>
>> On Wed, May 18, 2022 at 3:04 AM Bogdan-Andrei Iancu <bogdan at opensips.org>
>> wrote:
>>
>>> Hi Jehanzaib,
>>>
>>> What are the TLS client domains you have defined in your tls_mgm module ?
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>>   https://www.opensips-solutions.com
>>> OpenSIPS eBootcamp 23rd May - 3rd June 2022
>>>   https://opensips.org/training/OpenSIPS_eBootcamp_2022/
>>>
>>> On 5/17/22 4:32 PM, Jehanzaib Younis wrote:
>>>
>>> Hi,
>>>
>>> I am having trouble to send/receive OPTIONS to ms teams.
>>> Using the dispatcher module. The socket is defined as tls:*mysbcip*:5061
>>> Looks like when my opensips (3.2.x) tries to send OPTIONS. it is giving
>>> me the following error
>>>
>>> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>> ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn
>>> 0x7f00ef2a85a0
>>> ERROR:core:tcp_async_connect: tcp_conn_create failed
>>> ERROR:proto_tls:proto_tls_send: async TCP connect failed
>>> ERROR:tm:msg_send: send() to 52.114.76.76:5061 for proto tls/3 failed
>>> ERROR:tm:t_uac: attempt to send to '
>>> sip:sip3.pstnhub.microsoft.com:5061;transport:tls' failed
>>>
>>> I am setting the Contact as <sip:mytlsdomain:5061;transport=tls>
>>>
>>> Looks like the client domain is used for outgoing TLS connection but no
>>> idea which domain i need to add here. The socket is my opensips ip address.
>>>
>>> Has anyone seen a similar kind of behaviour?
>>>
>>> Thank you.
>>>
>>> Regards,
>>> Jehanzaib
>>>
>>> _______________________________________________
>>> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>
>>>
>> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
-- 
VoIP Embedded, Inc.
http://www.voipembedded.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220518/0aef2e29/attachment-0001.html>

More information about the Users mailing list