[OpenSIPS-Users] OCS OpenSIPS certificate issues using TLS

Bogdan-Andrei Iancu bogdan at voice-system.ro
Tue Jan 20 14:04:48 CET 2009


Hi Gianluca,

You get this:

Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5

5 is SSL_ERROR_SYSCALL. See:
    http://openssl.org/docs/ssl/SSL_get_error.html

Regards,
Bogdan

gianluca moretti wrote:
> We try to integrate OCS 2007 and OpenSIPS using TLS
>  
> SCENARIO:
>  
>    [wesip]          Sending register to OCS
>      Seas         ------------------------------------>  EDGE --> OCS  
> [Opensips]
>  
>
> Issue: OpenSIPS cannot connect to the EDGE server; in detail, 
> OpenSIPS always sends the certificate to the client.
> Any idea how to prevent OpenSIPS from always sending the certificate?
> EDGE: CertVerifyCertificateChainPolicy returned a failure in CERT_CHAIN_POLICY_STATUS
> OPENSIPS:
> Jan 17 16:06:12 [30303] DBG:core:tls_dump_cert_info: tls_connect: local (client) certificate issuer: /CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
> Jan 17 16:06:12 [30303] DBG:core:tls_write: write was successful (791 bytes)
> Jan 17 16:06:12 [30303] DBG:core:tcp_send: after write: c= 0xb612fcf8 n=791 fd=23
> Jan 17 16:06:12 [30303] DBG:core:tcp_send: buf=
> REGISTER sip:hmcint.local:5060;transport=tcp SIP/2.0
> Via: SIP/2.0/TLS 192.168.5.59:5061;branch=z9hG4bKd863.89657825.0;i=2
> Via: SIP/2.0/TCP 192.168.5.59;branch=z9hG4bKd863.79657825.0
> To: sip:max.ambrogi@hmcint.local;transport=tcp
> From: sip:max.ambrogi@hmcint.local;transport=tcp;tag=BB479256370FF64C226AA6220F2364DD
> CSeq: 1 REGISTER
> Call-ID: 24D8315A8EBB948A4DD4F1A3518E4029@192.168.5.59
> Content-Length: 0
> Max-Forwards: 70
> Contact: <sip:192.168.5.59:5060;transport=tcp;AppId=.sip2msipGW>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER";proxy=replace;+sip.instance="<urn:uuid:787C69C1-2A21-441f-B792-A908ABFF5010>"
> Supported: gruu-10,adhoclist,msrtc-event-categories,ms-forking
> ms-keep-alive: UAC;hop-hop=yes
> Event:  registration
> X-WeSIP-SPIRAL: true
>  
> Jan 17 16:06:12 [30303] DBG:tm:set_timer: relative timeout is 30
> Jan 17 16:06:12 [30303] DBG:tm:insert_timer_unsafe: [0]: 0xb610d020 (300)
> Jan 17 16:06:12 [30303] DBG:tm:t_relay_to: new transaction fwd'ed
> Jan 17 16:06:12 [30303] DBG:tm:t_unref: UNREF_UNSAFE: after is 0
> Jan 17 16:06:12 [30303] DBG:core:destroy_avp_list: destroying list (nil)
> Jan 17 16:06:12 [30303] DBG:core:receive_msg: cleaning up
> Jan 17 16:06:12 [30304] DBG:core:tls_update_fd: New fd is 23
> Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
> Jan 17 16:06:12 [30304] ERROR:core:tcp_read_req: failed to read
> Jan 17 16:06:12 [30304] DBG:core:io_watch_del: io_watch_del (0x8164160, 23, -1, 0x10) fd_no=2 called
> Jan 17 16:06:12 [30304] DBG:core:release_tcpconn:  releasing con 0xb612fcf8, state -2, fd=23, id=9
> Jan 17 16:06:12 [30304] DBG:core:release_tcpconn:  extra_data 0xb613fe10
> Jan 17 16:06:12 [30311] DBG:core:handle_tcp_child: reader response= b612fcf8, -2 from 1
> Jan 17 16:06:12 [30311] DBG:core:tcpconn_destroy: destroying connection 0xb612fcf8, flags 0002
> Jan 17 16:06:12 [30311] DBG:core:tls_close: closing SSL connection
>  
>  
> The opensips.cfg is configured as following:
> disable_tls = no
> listen = tls:##OPENSIPSIP##:5061
> tls_verify_server = 0
> tls_verify_client = 0
> tls_require_client_certificate = 0
> tls_method = TLSv1
> tls_ca_list = "/product/opensips//etc/opensips/tls/dario/dario-calist.pem"
> tls_certificate = "/product/opensips//etc/opensips/tls/user/user-cert.pem"
> tls_private_key = "/product/opensips//etc/opensips/tls/user/user-privkey.pem"
> tls_ciphers_list="RC4-MD5"
>  
> route{
>  
> if(is_present_hf("X-WeSIP-SPIRAL")){
>                 log("\nSPIRAL!!!\n");
>                 t_relay("tls:EDGEIP:5061");
>                 exit;}
> (on WESIP SPIRAL is equal TRUE)
>  
> OPENSIPSIP is the CLIENT and EDGEIP is the SERVER
>  
>        
> Using Open SSL the connection is OK
> openssl s_client -connect EDGEIP:5061 -ssl2 -CAfile /product/opensips_dev/etc/opensips/tls/user/user-calist.pem -cipher RC4-MD5
>  
> New, TLSv1/SSLv3, Cipher is RC4-MD5
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : RC4-MD5
>     Session-ID: E708000007E4CC591AA8982939C17298FBEDF72E749C010EFFC39FBEB2D143A6
>     Session-ID-ctx:
>     Master-Key: 5835CA1877799D4B507AA31DB8DEA5F11D27DD077FE43F52DC9606ABF296AF6043402938E384FFF7B1485DC77D4D13D7
>     Key-Arg   : None
>     Krb5 Principal: None
>     Start Time: 1232205185
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>  
> Regards
>  
>
>
>   
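The numeric code in the `_tls_read` error can be decoded and tied to the connection it belongs to straight from the debug log. The following Python script is an added example, not part of the original thread or of OpenSIPS; the function name `triage`, the hint texts and the regular expressions (which assume the log layout shown in the post) are this example's own.

```python
import re

# SSL_get_error() return values from OpenSSL's <openssl/ssl.h>.
SSL_ERRORS = dict(enumerate([
    "SSL_ERROR_NONE", "SSL_ERROR_SSL", "SSL_ERROR_WANT_READ",
    "SSL_ERROR_WANT_WRITE", "SSL_ERROR_WANT_X509_LOOKUP", "SSL_ERROR_SYSCALL",
    "SSL_ERROR_ZERO_RETURN", "SSL_ERROR_WANT_CONNECT", "SSL_ERROR_WANT_ACCEPT"]))
# Triage hints: wording is this example's own, not OpenSSL's.
HINTS = {
    1: "TLS protocol or library failure: inspect the OpenSSL error queue",
    5: "I/O failure or EOF without close_notify: check errno and the peer's log",
    6: "peer sent close_notify: clean TLS shutdown",
}
# Layout assumed from the post: "Mon DD HH:MM:SS [pid] LEVEL:module:function: text"
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \[(?P<pid>\d+)\] "
                  r"\w+:\w+:(?P<fn>\w+): *(?P<msg>.*)$")

def triage(lines):
    """Return one finding per _tls_read error, tied to its fd and connection."""
    last_fd, findings = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, fn, msg = m["pid"], m["fn"], m["msg"]
        if fn == "tls_update_fd" and (fd := re.search(r"New fd is (\d+)", msg)):
            last_fd[pid] = int(fd[1])
        elif fn == "_tls_read" and (c := re.search(r"in SSL: (\d+)", msg)):
            code = int(c[1])
            findings.append({"ts": m["ts"], "pid": pid, "code": code,
                             "name": SSL_ERRORS.get(code, "unknown"),
                             "hint": HINTS.get(code, "see SSL_get_error(3)"),
                             "fd": last_fd.get(pid), "conn": None, "state": None})
        elif fn == "release_tcpconn" and (r := re.search(
                r"releasing con (0x[0-9a-f]+), state (-?\d+), fd=(\d+)", msg)):
            for f in findings:  # attach the connection released on that fd
                if (f["pid"], f["fd"], f["conn"]) == (pid, int(r[3]), None):
                    f["conn"], f["state"] = r[1], int(r[2])
    return findings

# Log lines taken from the post, with the mail client's line wraps joined.
SAMPLE = """\
Jan 17 16:06:12 [30303] DBG:core:tls_write: write was successful (791 bytes)
Jan 17 16:06:12 [30304] DBG:core:tls_update_fd: New fd is 23
Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
Jan 17 16:06:12 [30304] DBG:core:release_tcpconn:  releasing con 0xb612fcf8, state -2, fd=23, id=9
"""

if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```
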