[OpenSIPS-Users] tls_mgm domain database configuration

James Nicholls james.nicholls at qunifi.com
Mon Apr 24 10:44:58 UTC 2023

Thanks very much Callum, seeing a working example with separate client/server tls_mgm rows really helped get us sorted.

I notice that you set verify_cert (and require_cert) to 0, is there any reason for that? I won't go into too much detail because it's probably worth another thread, but we're seeing problems with TLS calling when it's on, opensips doesn't like my 3CX instance that uses a Lets Encrypt cert.

Kind regards,

From: Callum Guy <callum.guy at x-on.co.uk>
Sent: 07 April 2023 14:43
To: James Nicholls <james.nicholls at qunifi.com>; OpenSIPS users mailling list <users at lists.opensips.org>
Subject: Re: [OpenSIPS-Users] tls_mgm domain database configuration

Hi James,

It could certainly be clearer!

Here's an extract from my script and some example inserts for a client and server record.


INSERT INTO opensips_dev.tls_mgm (id, domain, match_ip_address, match_sip_domain, type, method, verify_cert, require_cert, certificate, private_key, crl_check_all, crl_dir, ca_list, ca_dir, cipher_list, dh_params, ec_curve) VALUES (5, 'default', '*', '*', 1, 'TLSv1_2', 0, 0, 0x2D2D2D2D2D424547494E20434...2D2D2D2D0A, 0x2D2D2D2D2D424547494...B45592D2D2D2D2D0A, 0, null, null, null, 'EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH,!RSA,!SHA', 0x2D2D2D2D2D4245...D2D2D0A, 'secp384r1');

INSERT INTO opensips_dev.tls_mgm (id, domain, match_ip_address, match_sip_domain, type, method, verify_cert, require_cert, certificate, private_key, crl_check_all, crl_dir, ca_list, ca_dir, cipher_list, dh_params, ec_curve) VALUES (15, 'default', '*', '*', 2, 'TLSv1_2', 0, 0, 0x2D2D2D2...D2D0A, 0x2D2D2D2D2...D2D2D0A, 0, null, null, null, 'EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH,!RSA,!SHA', 0x2D2D2D2D2D42454...2D0A, 'secp384r1');

Hope that helps get you moving!


On Fri, 7 Apr 2023 at 09:12, James Nicholls via Users <users at lists.opensips.org<mailto:users at lists.opensips.org>> wrote:
Hi all,

I have an existing opensips 3.3.4 setup that uses modparam to set tls_mgm certificates with separate server_domain and client_domain entries. This works fine for registration and calling using TLS but I want to be able to update certificates with tls_reload so I'm trying to move them to the database instead.

The tls_mgm table schema added by opensips-cli has a domain and type column. Does "type" mean client/server or is it something else? I have tried having separate entries for client/server certs, or combining them into one row, but I can't get it to work. Everything seems to result in "no TLS client domain found" as below.

Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f3c9f1b5e98
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: DBG:core:tcpconn_destroy: delaying (0x7f3c9f1b5e98, flags 0018) ref = -1 ...
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_send: async TCP connect failed
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:msg_send: send() to (PBX IP):5061 for proto tls/3 failed
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:t_forward_nonack: sending request failed

Example row in the tls_mgm table:

          domain: (SIP branded hostname)
match_ip_address: (opensips IP):4003
match_sip_domain: *
            type: 1
          method: TLSv1_2-
     verify_cert: 0
    require_cert: 0
     certificate: -----BEGIN CERTIFICATE----- [...]
     private_key: -----BEGIN RSA PRIVATE KEY----- [...]
   crl_check_all: 0
         crl_dir: NULL
         ca_list: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
          ca_dir: NULL
     cipher_list: NULL
       dh_params: NULL
        ec_curve: NULL

Is there any documentation for adding certificates to the tls_mgm table? I haven't found anything in the 3.3.x docs, the only examples use modparam. Hopefully I have got something really obvious wrong.

Kind regards,

James Nicholls

Users mailing list
Users at lists.opensips.org<mailto:Users at lists.opensips.org>


0333 332 0000  |  x-on.co.uk<https://www.x-on.co.uk>  |   [http://www.x-on.co.uk//images/icon/linkedin.png] <https://www.linkedin.com/company/x-on>   [http://www.x-on.co.uk//images/icon/facebook.png] <https://www.facebook.com/XonTel>   [http://www.x-on.co.uk//images/icon/twitter.png] <https://twitter.com/xonuk>    |  Practice Index Reviews<https://practiceindex.co.uk/gp/x-on>

Our new office address: 22 Riduna Park, Melton IP12 1QT.

X-on is a trading name of Storacall Technology Ltd a limited company registered in England and Wales.
Registered Office : Glebe Farm, Down Street, Dummer, Basingstoke, Hampshire, England RG25 2AD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the addressee(s) only. If you are not the intended recipient, please notify X-on immediately on +44(0)333 332 0000 and delete the
message from your computer. If you are not a named addressee you must not use, disclose, disseminate, distribute, copy, print or reply to this email. Views or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its associated companies. Although X-on routinely screens for viruses, addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of viruses in this email or any attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20230424/8eef0e79/attachment-0001.html>

More information about the Users mailing list