Hello,<br><br>I tried to get help from users group, but seems nobody can help me. So, I foward the email to developers group and hope get answer here.<br>Thanks!<br><br>Steven.W.D<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>
From: <b class="gmail_sendername">doolin wu</b> <span dir="ltr"><<a href="mailto:doolinwu@gmail.com">doolinwu@gmail.com</a>></span><br>Date: Tue, Feb 2, 2010 at 3:09 PM<br>Subject: TLS call failed<br>To: <a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a><br>
<br><br><div>Hello,</div>
<div> </div>
<div>I'm trying use TLS feature of OpenSIPS-1.5-tls. TLS was configured and server run successfully.</div>
<div>I tried to make 2 SIP UAs work with my OpenSIPS-1.5-tls, but all of them are failed.</div>
<div>Here is my settings:</div>
<div> >Server:</div>
<div> tls_verify_server = 0
<div> tls_verify_client = 0</div>
<div> tls_require_client_certificate = 0</div>
<div> tls_method = TLSv1</div>
<div> tls_certificate = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-cert.pem"</div>
<div> tls_private_key = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-privkey.pem"</div>
<div> tls_ca_list = "/usr/local/opensips.1.5.tls//etc/opensips/tls/user/user-calist.pem"</div></div>
<div> </div>
<div> >Client:</div>
<div> The self-signed rootCA (tls\rootCA\cacert.pem) was imported in to client successfully</div>
<div> </div>
<div>First one UA is VoIP client on NOKIA N97. Client register to SIP server with TLS successfully, but when make call from N97 to others I got error code 477 Send failed (477/TM).</div>
<div>I traced opensips, looks like opensips tried to forward the invite to callee, but the tls socket failed to send the request.</div>
<div>Logs from opensips here:</div>
<blockquote style="margin-right: 0px;" dir="ltr">
<div>Feb 2 07:19:32 [5779] ERROR:core:tcp_send: failed to send</div>
<div>Feb 2 07:19:32 [5779] ERROR:tm:msg_send: tcp_send failed</div>
<div>Feb 2 07:19:32 [5779] ERROR:tm:t_forward_nonack: sending request failed</div>
<div>Feb 2 07:19:32 [5779] DBG:tm:t_relay_to: t_forward_nonack returned error</div>
<div>Feb 2 07:19:32 [5779] DBG:core:parse_headers: flags=ffffffffffffffff</div>
<div>Feb 2 07:19:32 [5779] DBG:core:check_via_address: params 10.57.52.186, 10.57.52.186, 0</div>
<div>Feb 2 07:19:32 [5779] DBG:tm:cleanup_uac_timers: RETR/FR timers reset</div>
<div>Feb 2 07:19:32 [5779] DBG:tm:set_timer: relative timeout is 30</div>
<div>Feb 2 07:19:32 [5779] DBG:tm:insert_timer_unsafe: [0]: 0xb61a180c (92)</div>
<div>Feb 2 07:19:32 [5779] DBG:core:tcp_send: tcp connection found (0xb61d7908), acquiring fd</div>
<div>Feb 2 07:19:32 [5779] DBG:core:tcp_send: c= 0xb61d7908, n=8</div>
<div>Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, 2, fd 41 from 16 (5779)</div>
<div>Feb 2 07:19:32 [5787] DBG:core:tcpconn_add: hashes: 719, 4</div>
<div>Feb 2 07:19:32 [5787] DBG:core:io_watch_add: io_watch_add(0x817bbc0, 41, 2, 0xb61f4b48), fd_no=31</div>
<div>Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, -2, fd -1 from 16 (5779)</div>
<div>Feb 2 07:19:32 [5787] DBG:core:io_watch_del: io_watch_del (0x817bbc0, 41, -1, 0x10) fd_no=32 called</div>
<div>Feb 2 07:19:32 [5787] DBG:core:tcpconn_destroy: destroying connection 0xb61f4b48, flags 0002</div>
<div>Feb 2 07:19:32 [5787] DBG:core:tls_close: closing SSL connection</div>
<div>Feb 2 07:19:32 [5787] DBG:core:tls_update_fd: New fd is 41</div>
<div>Feb 2 07:19:32 [5787] DBG:core:tls_shutdown: shutdown successful</div>
<div>Feb 2 07:19:32 [5787] DBG:core:tls_tcpconn_clean: entered</div>
<div>Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61d7908, 1, fd -1 from 16 (5779)</div>
<div>Feb 2 07:19:32 [5779] DBG:core:tcp_send: after receive_fd: c= 0xb61d7908 n=4 fd=34</div>
<div>Feb 2 07:19:32 [5779] DBG:core:tcp_send: sending...</div>
<div>Feb 2 07:19:32 [5779] DBG:core:tls_update_fd: New fd is 34</div>
<div>Feb 2 07:19:32 [5779] DBG:core:tls_write: write was successful (374 bytes)</div>
<div>Feb 2 07:19:32 [5779] DBG:core:tcp_send: after write: c= 0xb61d7908 n=374 fd=34</div>
<div>Feb 2 07:19:32 [5779] DBG:core:tcp_send: buf=</div>
<div> </div></blockquote>
<div dir="ltr">Could some one help to have a look the problem?</div>
<blockquote style="margin-right: 0px;" dir="ltr">
<div> </div></blockquote>
<div dir="ltr">Meanwhile, I use eyebeam 1.5 as client. Things more bad as the register failed.</div>
<div dir="ltr">I traced eyebeam and found the eyebeam failed when verify server's certificate. Here I have something unclear about use the certificates between client and server.</div>
<div dir="ltr">To configure run opensips with TLS(just talk about the self-signed case), we should create two certififcates. one is self-signed rootCA (tls\rootCA\cacert.pem), another one is a certificate signed by rootCA (tls\user\user-cert.pem). The server hold rootCA by config tls_ca_list and send certificate (by config tls_certificate) to client when handshark with client.</div>
<div dir="ltr">My question is how to config certificate in client side. In these two cases (use N97 and eyebeam), I just imported the rootCA to my client. </div>
<div dir="ltr">Is it right for config certificate on client? N97 seems OK with the rootCA. But eyebeam failed. The guidline of eyebeam says:</div>
<blockquote style="margin-right: 0px;" dir="ltr">
<div dir="ltr">During the TLS handshke, <b>the TLS server has to send to the client the whole chain of certificate excepting the root certificate</b>; the client must posses the root certificate otherwise the authentication cannot happen.</div>
<div dir="ltr"> </div></blockquote>
<div dir="ltr">Any idea to config opensips send 'the whole chain of certificate excepting the root certificate' ?</div>
<div dir="ltr"> </div>
<div dir="ltr">Thanks for your kindly support.</div>
<div>-- </div><font color="#888888">
<div>Steven.W.Doolin</div>
<div> </div>
</font></div><br><br clear="all"><br>-- <br>Steven Wu<br>Teleca Mobile Solution<br>