[OpenSIPS-Users] no TLS client domain found error

Jehanzaib Younis jehanzaib.kiani at gmail.com
Thu May 19 12:07:58 UTC 2022 

Thanks Ovidiu,
I just checked the source code, the same bug is also present in
the opensips-3.2.6 branch. I have another issue with 3.2.6. I am not able
to compile tls_wolfssl. No issue with 3.3 though.
Now I need to check what is causing this.

I am getting the following error:

make[1]: Entering directory `/usr/src/opensips-3.2/modules/tls_wolfssl'
configure: WARNING: unrecognized options: --disable-shared, --enable-static
checking whether make supports nested variables... (cached) yes
./configure: line 5259: syntax error near unexpected token `2.4.2'
./configure: line 5259: `LT_PREREQ(2.4.2)'
make[1]: *** [lib/lib/libwolfssl.a] Error 2



Regards,
Jehanzaib


On Thu, May 19, 2022 at 1:35 AM Ovidiu Sas <osas at voipembedded.com> wrote:

> Please upgrade to the latest version and see if the error persists. If
> yes, please run the server in debug mode and save the logs so this issue
> can be investigated properly.
>
> Thanks,
> Ovidiu
>
> On Wed, May 18, 2022 at 09:02 Jehanzaib Younis <jehanzaib.kiani at gmail.com>
> wrote:
>
>> Thank you Bogdan,
>> That helped a lot. As you mentioned I need to start only with
>> server_domain or client_domain.
>> Now I changed my config a bit as shown below:
>> #### (WebRTC) Client
>> modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")
>> modparam("tls_mgm", "certificate",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")
>> modparam("tls_mgm", "private_key",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")
>> modparam("tls_mgm", "ca_list",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")
>> modparam("tls_mgm", "ca_dir",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")
>> modparam("tls_mgm", "tls_method", "[sip.mywebphone.xx]SSLv23")
>> modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")
>> modparam("tls_mgm", "require_cert", "[sip.mywebphone.xx]1")
>>
>> ### This is for MS-Teams direct route
>> modparam("tls_mgm", "client_domain", "dom1.formsteams.com")
>> modparam("tls_mgm", "certificate", "[dom1.formsteams.com
>> ]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem")
>> modparam("tls_mgm", "private_key", "[dom1.formsteams.com
>> ]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem")
>> modparam("tls_mgm", "ca_list", "[dom1.formsteams.com
>> ]/etc/letsencrypt/live/dom1.formsteams.com/fullchain.pem")
>> modparam("tls_mgm", "ca_dir", "[dom1.formsteams.com
>> ]/etc/letsencrypt/live/dom1.formsteams.com")
>> modparam("tls_mgm", "tls_method", "[dom1.formsteams.com]SSLv23")
>> modparam("tls_mgm", "verify_cert", "[dom1.formsteams.com]1")
>> modparam("tls_mgm", "require_cert", "[dom1.formsteams.com]1")
>> modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")
>>
>> Looks like the initial handshake is fine when my server sends OPTIONS to
>> MSTeams. There is a bug in the code according to the logs as shown below:
>>
>> opensips[10659]: CRITICAL:core:io_watch_add: #012>>> used fd map fd=142
>> is not present in fd_array
>> (fd=142,type=19,flags=80000003,data=0x7f825805ceb8)#012#012It seems you
>> have hit a programming bug.#012Please help us make OpenSIPS better by
>> reporting it at https://github.com/OpenSIPS/opensips/issues
>> opensips[10659]: CRITICAL:core:io_watch_add: [TCP_main] check failed
>> after successful fd add (fd=141,type=19,data=0x7f825804fd98,flags=1)
>> already=0
>> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 1, verify
>> success
>> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 0, verify
>> success
>> opensips[23993]: INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS
>> connection to 52.114.16.74:5061 established
>> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 1, verify
>> success
>> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 0, verify
>> success
>> opensips[23995]: INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS
>> connection to 52.114.76.76:5061 established
>>
>>
>> Regards,
>> Jehanzaib
>>
>>
>> On Wed, May 18, 2022 at 6:15 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
>> wrote:
>>
>>> Hi Jehanzaib,
>>>
>>> The sequence for the MST TLS domains is wrong.
>>>
>>> For each TLS domain block, you need to start only with a server_domain
>>> or client_domain - of course, different names. And for each domain you need
>>> you set the matching conditions. See
>>> https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#domains-param
>>>
>>> Basically something like:
>>>
>>> modparam("tls_mgm", "server_domain", "formsteams_server")
>>> modparam("tls_mgm", "match_ip_address", "[formsteams_server]....")
>>> modparam("tls_mgm", "match_sip_domain", "[formsteams_server]....")
>>> modparam("tls_mgm", "certificate", "[formsteams_server].....)
>>> ....
>>>
>>>
>>> modparam("tls_mgm", "client_domain", "formsteams_client")
>>> modparam("tls_mgm", "match_ip_address", "[formsteams_client]....")
>>> modparam("tls_mgm", "match_sip_domain", "[formsteams_client]....")
>>> modparam("tls_mgm", "certificate", "[formsteams_client].....)
>>> ....
>>>
>>>
>>> Best regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>>   https://www.opensips-solutions.com
>>> OpenSIPS eBootcamp 23rd May - 3rd June 2022
>>>   https://opensips.org/training/OpenSIPS_eBootcamp_2022/
>>>
>>> On 5/18/22 2:38 AM, Jehanzaib Younis wrote:
>>>
>>> Hi Bogdan,
>>> That's the problem, when I try to add the client_domain I get an error.
>>> Actually, I have a working config for webrtc but now I am adding a new
>>> domain for MS teams direct route. In fact, any other domain gives an error.
>>> If I disable MS Teams domain, the opensips do not give an error message and
>>> my webrtc client can connect without any issue.
>>>
>>> loadmodule "tls_mgm.so"
>>> modparam("tls_mgm", "tls_library", "wolfssl")
>>>
>>> #### (WebRTC) Client
>>> modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")
>>> modparam("tls_mgm", "certificate",
>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")
>>> modparam("tls_mgm", "private_key",
>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")
>>> modparam("tls_mgm", "ca_list",
>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")
>>> modparam("tls_mgm", "ca_dir",
>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")
>>> modparam("tls_mgm", "tls_method", "[sip.mywebphone.xx]SSLv23")
>>> modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")
>>> modparam("tls_mgm", "require_cert", "[sip.mywebphone.xx]1")
>>>
>>> ### This is for MS-Teams direct route
>>> modparam("tls_mgm", "server_domain", "dom1.formsteams.com")
>>> modparam("tls_mgm", "client_domain", "dom1.formsteams.com")
>>> modparam("tls_mgm", "certificate", "[dom1.formsteams.com
>>> ]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem")
>>> modparam("tls_mgm", "private_key", "[dom1.formsteams.com
>>> ]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem")
>>> modparam("tls_mgm", "ca_list", "[dom1.formsteams.com
>>> ]/etc/letsencrypt/live/dom1.formsteams.com/fullchain.pem")
>>> modparam("tls_mgm", "ca_dir", "[dom1.formsteams.com
>>> ]/etc/letsencrypt/live/dom1.formsteams.com")
>>> modparam("tls_mgm", "tls_method", "[dom1.formsteams.com]SSLv23")
>>> modparam("tls_mgm", "verify_cert", "[dom1.formsteams.com]1")
>>> modparam("tls_mgm", "require_cert", "[dom1.formsteams.com]1")
>>> modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")
>>>
>>> When i enable the MS-Teams direct route domain i get the below error:
>>> no certificate for tls domain ' dom1.formsteams.com ' defined
>>>
>>>
>>> Regards,
>>> Jehanzaib
>>>
>>>
>>> On Wed, May 18, 2022 at 3:04 AM Bogdan-Andrei Iancu <bogdan at opensips.org>
>>> wrote:
>>>
>>>> Hi Jehanzaib,
>>>>
>>>> What are the TLS client domains you have defined in your tls_mgm module
>>>> ?
>>>>
>>>> Regards,
>>>>
>>>> Bogdan-Andrei Iancu
>>>>
>>>> OpenSIPS Founder and Developer
>>>>   https://www.opensips-solutions.com
>>>> OpenSIPS eBootcamp 23rd May - 3rd June 2022
>>>>   https://opensips.org/training/OpenSIPS_eBootcamp_2022/
>>>>
>>>> On 5/17/22 4:32 PM, Jehanzaib Younis wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am having trouble to send/receive OPTIONS to ms teams.
>>>> Using the dispatcher module. The socket is defined as tls:*mysbcip*
>>>> :5061
>>>> Looks like when my opensips (3.2.x) tries to send OPTIONS. it is giving
>>>> me the following error
>>>>
>>>> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>>> ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn
>>>> 0x7f00ef2a85a0
>>>> ERROR:core:tcp_async_connect: tcp_conn_create failed
>>>> ERROR:proto_tls:proto_tls_send: async TCP connect failed
>>>> ERROR:tm:msg_send: send() to 52.114.76.76:5061 for proto tls/3 failed
>>>> ERROR:tm:t_uac: attempt to send to '
>>>> sip:sip3.pstnhub.microsoft.com:5061;transport:tls' failed
>>>>
>>>> I am setting the Contact as <sip:mytlsdomain:5061;transport=tls>
>>>>
>>>> Looks like the client domain is used for outgoing TLS connection but no
>>>> idea which domain i need to add here. The socket is my opensips ip address.
>>>>
>>>> Has anyone seen a similar kind of behaviour?
>>>>
>>>> Thank you.
>>>>
>>>> Regards,
>>>> Jehanzaib
>>>>
>>>> _______________________________________________
>>>> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>
>>>>
>>>>
>>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
> --
> VoIP Embedded, Inc.
> http://www.voipembedded.com
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220520/c9cdf614/attachment-0001.html>

More information about the Users mailing list