[OpenSIPS-Users] tls_mgm domain database configuration

James Nicholls james.nicholls at qunifi.com
Mon Apr 24 10:51:56 UTC 2023

Hi Pratik,

We managed to get it working with the following in the tls_mgm table (client then server):

| domain | match_ip_address | match_sip_domain | type | method   | verify_cert | require_cert | crl_check_all | crl_dir | cipher_list | dh_params | ec_curve | ca_list                                           |
| <fqdn> | *                | <fqdn>           |    1 | TLSv1_2- |           0 |            0 |             0 | NULL    | NULL        | NULL      | NULL     | /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem |
| <fqdn> | <sbc_ip>:4003    | <fqdn>,*.<fqdn>  |    2 | TLSv1_2- |           0 |            0 |             0 | NULL    | NULL        | NULL      | NULL     | /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem |

This works fine as is (replace <fqdn> and <sbc_ip> and add certificate/private_key) and TLS calling works but it doesn't manage to verify certs properly if we set verify_cert=1.

Kind regards,
From: Pratik Patel <pratik.patel19970128 at gmail.com>
Sent: 07 April 2023 15:10
To: James Nicholls <james.nicholls at qunifi.com>; OpenSIPS users mailling list <users at lists.opensips.org>
Subject: Re: [OpenSIPS-Users] tls_mgm domain database configuration

Hi James,

Can you please share what parameters you have configured for TLS in opensips 3.3?

Because I have also facing same issue for wss connection.

I have try same certificate in freeswitch and check that WSS url in piesocket that connect established.

But when I configured same certificate in opensips and check in piesocket then connection not established.

So if you share what you have configured I will try same on my side to solve my issue.

On Fri, Apr 7, 2023, 13:43 James Nicholls via Users <users at lists.opensips.org<mailto:users at lists.opensips.org>> wrote:
Hi all,

I have an existing opensips 3.3.4 setup that uses modparam to set tls_mgm certificates with separate server_domain and client_domain entries. This works fine for registration and calling using TLS but I want to be able to update certificates with tls_reload so I'm trying to move them to the database instead.

The tls_mgm table schema added by opensips-cli has a domain and type column. Does "type" mean client/server or is it something else? I have tried having separate entries for client/server certs, or combining them into one row, but I can't get it to work. Everything seems to result in "no TLS client domain found" as below.

Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f3c9f1b5e98
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: DBG:core:tcpconn_destroy: delaying (0x7f3c9f1b5e98, flags 0018) ref = -1 ...
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_send: async TCP connect failed
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:msg_send: send() to (PBX IP):5061 for proto tls/3 failed
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:t_forward_nonack: sending request failed

Example row in the tls_mgm table:

          domain: (SIP branded hostname)
match_ip_address: (opensips IP):4003
match_sip_domain: *
            type: 1
          method: TLSv1_2-
     verify_cert: 0
    require_cert: 0
     certificate: -----BEGIN CERTIFICATE----- [...]
     private_key: -----BEGIN RSA PRIVATE KEY----- [...]
   crl_check_all: 0
         crl_dir: NULL
         ca_list: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
          ca_dir: NULL
     cipher_list: NULL
       dh_params: NULL
        ec_curve: NULL

Is there any documentation for adding certificates to the tls_mgm table? I haven't found anything in the 3.3.x docs, the only examples use modparam. Hopefully I have got something really obvious wrong.

Kind regards,

James Nicholls

Users mailing list
Users at lists.opensips.org<mailto:Users at lists.opensips.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20230424/5555d411/attachment.html>

More information about the Users mailing list