[OpenSIPS-Users] no TLS client domain found error
Jehanzaib Younis
jehanzaib.kiani at gmail.com
Wed May 25 10:34:37 UTC 2022
Thank you Bogdan,
I will change it. By the way, I noticed that as soon as I added the
following before the OPTIONS were sent to MS Teams. There were no
CRITICAL:core:io_watch_add bug logs.
set_advertised_address("xx.xx.xx.xx");
set_advertised_port("5061");
Regards,
Jehanzaib
On Wed, May 25, 2022 at 7:52 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
wrote:
> Hi Jehanzaib,
>
> For now, to get rid of that issue, just disable the tls_async in your cfg:
>
> https://opensips.org/html/docs/modules/3.2.x/proto_tls.html#param_tls_async
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 27-30 Sept 2022, Athens
> https://www.opensips.org/events/Summit-2022Athens/
>
> On 5/21/22 5:21 AM, Jehanzaib Younis wrote:
>
> Thank you, Ovidiu.
> I Just posted my logs on github.
>
> Regards,
> Jehanzaib
>
>
> On Fri, May 20, 2022 at 3:02 AM Ovidiu Sas <osas at voipembedded.com> wrote:
>
>> Set the log_level parameter to 4 and restart opensips. Once the error
>> occurs, collect all the logs from the start (from syslog) and send them to
>> Razvan.
>> There’s bug tracking this issue:
>> https://github.com/OpenSIPS/opensips/issues/2724
>>
>> For compiling tls_wolfssl, try from a clean clone.
>>
>> -ovidiu
>>
>> On Thu, May 19, 2022 at 08:08 Jehanzaib Younis <jehanzaib.kiani at gmail.com>
>> wrote:
>>
>>> Thanks Ovidiu,
>>> I just checked the source code, the same bug is also present in
>>> the opensips-3.2.6 branch. I have another issue with 3.2.6. I am not able
>>> to compile tls_wolfssl. No issue with 3.3 though.
>>> Now I need to check what is causing this.
>>>
>>> I am getting the following error:
>>>
>>> make[1]: Entering directory `/usr/src/opensips-3.2/modules/tls_wolfssl'
>>> configure: WARNING: unrecognized options: --disable-shared,
>>> --enable-static
>>> checking whether make supports nested variables... (cached) yes
>>> ./configure: line 5259: syntax error near unexpected token `2.4.2'
>>> ./configure: line 5259: `LT_PREREQ(2.4.2)'
>>> make[1]: *** [lib/lib/libwolfssl.a] Error 2
>>>
>>>
>>>
>>> Regards,
>>> Jehanzaib
>>>
>>>
>>> On Thu, May 19, 2022 at 1:35 AM Ovidiu Sas <osas at voipembedded.com>
>>> wrote:
>>>
>>>> Please upgrade to the latest version and see if the error persists. If
>>>> yes, please run the server in debug mode and save the logs so this issue
>>>> can be investigated properly.
>>>>
>>>> Thanks,
>>>> Ovidiu
>>>>
>>>> On Wed, May 18, 2022 at 09:02 Jehanzaib Younis <
>>>> jehanzaib.kiani at gmail.com> wrote:
>>>>
>>>>> Thank you Bogdan,
>>>>> That helped a lot. As you mentioned I need to start only with
>>>>> server_domain or client_domain.
>>>>> Now I changed my config a bit as shown below:
>>>>> #### (WebRTC) Client
>>>>> modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")
>>>>> modparam("tls_mgm", "certificate",
>>>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")
>>>>> modparam("tls_mgm", "private_key",
>>>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")
>>>>> modparam("tls_mgm", "ca_list",
>>>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")
>>>>> modparam("tls_mgm", "ca_dir",
>>>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")
>>>>> modparam("tls_mgm", "tls_method", "[sip.mywebphone.xx]SSLv23")
>>>>> modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")
>>>>> modparam("tls_mgm", "require_cert", "[sip.mywebphone.xx]1")
>>>>>
>>>>> ### This is for MS-Teams direct route
>>>>> modparam("tls_mgm", "client_domain", "dom1.formsteams.com")
>>>>> modparam("tls_mgm", "certificate", "[dom1.formsteams.com
>>>>> ]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem")
>>>>> modparam("tls_mgm", "private_key", "[dom1.formsteams.com
>>>>> ]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem")
>>>>> modparam("tls_mgm", "ca_list", "[dom1.formsteams.com
>>>>> ]/etc/letsencrypt/live/dom1.formsteams.com/fullchain.pem")
>>>>> modparam("tls_mgm", "ca_dir", "[dom1.formsteams.com
>>>>> ]/etc/letsencrypt/live/dom1.formsteams.com")
>>>>> modparam("tls_mgm", "tls_method", "[dom1.formsteams.com]SSLv23")
>>>>> modparam("tls_mgm", "verify_cert", "[dom1.formsteams.com]1")
>>>>> modparam("tls_mgm", "require_cert", "[dom1.formsteams.com]1")
>>>>> modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")
>>>>>
>>>>> Looks like the initial handshake is fine when my server sends OPTIONS
>>>>> to MSTeams. There is a bug in the code according to the logs as shown below:
>>>>>
>>>>> opensips[10659]: CRITICAL:core:io_watch_add: #012>>> used fd map
>>>>> fd=142 is not present in fd_array
>>>>> (fd=142,type=19,flags=80000003,data=0x7f825805ceb8)#012#012It seems you
>>>>> have hit a programming bug.#012Please help us make OpenSIPS better by
>>>>> reporting it at https://github.com/OpenSIPS/opensips/issues
>>>>> opensips[10659]: CRITICAL:core:io_watch_add: [TCP_main] check failed
>>>>> after successful fd add (fd=141,type=19,data=0x7f825804fd98,flags=1)
>>>>> already=0
>>>>> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 1, verify
>>>>> success
>>>>> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 0, verify
>>>>> success
>>>>> opensips[23993]: INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS
>>>>> connection to 52.114.16.74:5061 established
>>>>> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 1, verify
>>>>> success
>>>>> opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 0, verify
>>>>> success
>>>>> opensips[23995]: INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS
>>>>> connection to 52.114.76.76:5061 established
>>>>>
>>>>>
>>>>> Regards,
>>>>> Jehanzaib
>>>>>
>>>>>
>>>>> On Wed, May 18, 2022 at 6:15 PM Bogdan-Andrei Iancu <
>>>>> bogdan at opensips.org> wrote:
>>>>>
>>>>>> Hi Jehanzaib,
>>>>>>
>>>>>> The sequence for the MST TLS domains is wrong.
>>>>>>
>>>>>> For each TLS domain block, you need to start only with a server_domain
>>>>>> or client_domain - of course, different names. And for each domain you need
>>>>>> you set the matching conditions. See
>>>>>> https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#domains-param
>>>>>>
>>>>>> Basically something like:
>>>>>>
>>>>>> modparam("tls_mgm", "server_domain", "formsteams_server")
>>>>>> modparam("tls_mgm", "match_ip_address", "[formsteams_server]....")
>>>>>> modparam("tls_mgm", "match_sip_domain", "[formsteams_server]....")
>>>>>> modparam("tls_mgm", "certificate", "[formsteams_server].....)
>>>>>> ....
>>>>>>
>>>>>>
>>>>>> modparam("tls_mgm", "client_domain", "formsteams_client")
>>>>>> modparam("tls_mgm", "match_ip_address", "[formsteams_client]....")
>>>>>> modparam("tls_mgm", "match_sip_domain", "[formsteams_client]....")
>>>>>> modparam("tls_mgm", "certificate", "[formsteams_client].....)
>>>>>> ....
>>>>>>
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Bogdan-Andrei Iancu
>>>>>>
>>>>>> OpenSIPS Founder and Developer
>>>>>> https://www.opensips-solutions.com
>>>>>> OpenSIPS eBootcamp 23rd May - 3rd June 2022
>>>>>> https://opensips.org/training/OpenSIPS_eBootcamp_2022/
>>>>>>
>>>>>> On 5/18/22 2:38 AM, Jehanzaib Younis wrote:
>>>>>>
>>>>>> Hi Bogdan,
>>>>>> That's the problem, when I try to add the client_domain I get an
>>>>>> error. Actually, I have a working config for webrtc but now I am adding a
>>>>>> new domain for MS teams direct route. In fact, any other domain gives an
>>>>>> error. If I disable MS Teams domain, the opensips do not give an
>>>>>> error message and my webrtc client can connect without any issue.
>>>>>>
>>>>>> loadmodule "tls_mgm.so"
>>>>>> modparam("tls_mgm", "tls_library", "wolfssl")
>>>>>>
>>>>>> #### (WebRTC) Client
>>>>>> modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")
>>>>>> modparam("tls_mgm", "certificate",
>>>>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")
>>>>>> modparam("tls_mgm", "private_key",
>>>>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")
>>>>>> modparam("tls_mgm", "ca_list",
>>>>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")
>>>>>> modparam("tls_mgm", "ca_dir",
>>>>>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")
>>>>>> modparam("tls_mgm", "tls_method", "[sip.mywebphone.xx]SSLv23")
>>>>>> modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")
>>>>>> modparam("tls_mgm", "require_cert", "[sip.mywebphone.xx]1")
>>>>>>
>>>>>> ### This is for MS-Teams direct route
>>>>>> modparam("tls_mgm", "server_domain", "dom1.formsteams.com")
>>>>>> modparam("tls_mgm", "client_domain", "dom1.formsteams.com")
>>>>>> modparam("tls_mgm", "certificate", "[dom1.formsteams.com
>>>>>> ]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem")
>>>>>> modparam("tls_mgm", "private_key", "[dom1.formsteams.com
>>>>>> ]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem")
>>>>>> modparam("tls_mgm", "ca_list", "[dom1.formsteams.com
>>>>>> ]/etc/letsencrypt/live/dom1.formsteams.com/fullchain.pem")
>>>>>> modparam("tls_mgm", "ca_dir", "[dom1.formsteams.com
>>>>>> ]/etc/letsencrypt/live/dom1.formsteams.com")
>>>>>> modparam("tls_mgm", "tls_method", "[dom1.formsteams.com]SSLv23")
>>>>>> modparam("tls_mgm", "verify_cert", "[dom1.formsteams.com]1")
>>>>>> modparam("tls_mgm", "require_cert", "[dom1.formsteams.com]1")
>>>>>> modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")
>>>>>>
>>>>>> When i enable the MS-Teams direct route domain i get the below error:
>>>>>> no certificate for tls domain ' dom1.formsteams.com ' defined
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Jehanzaib
>>>>>>
>>>>>>
>>>>>> On Wed, May 18, 2022 at 3:04 AM Bogdan-Andrei Iancu <
>>>>>> bogdan at opensips.org> wrote:
>>>>>>
>>>>>>> Hi Jehanzaib,
>>>>>>>
>>>>>>> What are the TLS client domains you have defined in your tls_mgm
>>>>>>> module ?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Bogdan-Andrei Iancu
>>>>>>>
>>>>>>> OpenSIPS Founder and Developer
>>>>>>> https://www.opensips-solutions.com
>>>>>>> OpenSIPS eBootcamp 23rd May - 3rd June 2022
>>>>>>> https://opensips.org/training/OpenSIPS_eBootcamp_2022/
>>>>>>>
>>>>>>> On 5/17/22 4:32 PM, Jehanzaib Younis wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am having trouble to send/receive OPTIONS to ms teams.
>>>>>>> Using the dispatcher module. The socket is defined as tls:*mysbcip*
>>>>>>> :5061
>>>>>>> Looks like when my opensips (3.2.x) tries to send OPTIONS. it is
>>>>>>> giving me the following error
>>>>>>>
>>>>>>> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>>>>>> ERROR:core:tcp_conn_create: failed to do proto 3 specific init for
>>>>>>> conn 0x7f00ef2a85a0
>>>>>>> ERROR:core:tcp_async_connect: tcp_conn_create failed
>>>>>>> ERROR:proto_tls:proto_tls_send: async TCP connect failed
>>>>>>> ERROR:tm:msg_send: send() to 52.114.76.76:5061 for proto tls/3
>>>>>>> failed
>>>>>>> ERROR:tm:t_uac: attempt to send to '
>>>>>>> sip:sip3.pstnhub.microsoft.com:5061;transport:tls' failed
>>>>>>>
>>>>>>> I am setting the Contact as <sip:mytlsdomain:5061;transport=tls>
>>>>>>>
>>>>>>> Looks like the client domain is used for outgoing TLS connection but
>>>>>>> no idea which domain i need to add here. The socket is my opensips ip
>>>>>>> address.
>>>>>>>
>>>>>>> Has anyone seen a similar kind of behaviour?
>>>>>>>
>>>>>>> Thank you.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Jehanzaib
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.opensips.org
>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>
>>>> --
>>>> VoIP Embedded, Inc.
>>>> http://www.voipembedded.com
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opensips.org
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>> --
>> VoIP Embedded, Inc.
>> http://www.voipembedded.com
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
> _______________________________________________
> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220525/f7d6a4ef/attachment-0001.html>
More information about the Users
mailing list