[OpenSIPS-Users] OCS Opensisp certificate issues using TLS
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Tue Jan 20 16:21:43 CET 2009
Probably we should try to get more info about the error at runtime. Let
me do some checks to see how we can squeeze more info about the error and
print it.
Regards,
Bogdan
gianluca moretti wrote:
> Bogdan, the error is ok, how can I solve the problem?
> The update to this issue is if the client sends his certificate to
> the server and this causes the problem.
>
> Ciao
>
> Best regards
>
> > Date: Tue, 20 Jan 2009 15:04:48 +0200
> > From: bogdan at voice-system.ro
> > To: gianluca.moretti at hotmail.it
> > CC: users at lists.opensips.org; devel at lists.opensips.org
> > Subject: Re: [OpenSIPS-Users] OCS Opensisp certificate issues using TLS
> >
> > Hi Gianluca,
> >
> > You get this:
> >
> > Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
> >
> > 5 is SSL_ERROR_SYSCALL. See:
> > http://openssl.org/docs/ssl/SSL_get_error.html
> >
> > Regards,
> > Bogdan
> >
> > gianluca moretti wrote:
> > > We try to integrate OCS 2007 and OpenSIPS using TLS
> > >
> > > SCENARIO:
> > >
> > > [wesip] Sending register to OCS
> > > Seas ------------------------------------> EDGE --> OCS
> > > [Opensips]
> > >
> > >
> > > Issue: OpenSIPS cannot connect to the EDGE server; in detail,
> > > OpenSIPS always sends the certificate to the client.
> > > Any idea how to stop OpenSIPS from always sending the certificate?
> > > EDGE: CertVerifyCertificateChainPolicy returned a failure in
> > > CERT_CHAIN_POLICY_STATUS
> > > OPENSIPS:
> > > Jan 17 16:06:12 [30303] DBG:core:tls_dump_cert_info: tls_connect: local (client) certificate issuer: /CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
> > > Jan 17 16:06:12 [30303] DBG:core:tls_write: write was successful (791 bytes)
> > > Jan 17 16:06:12 [30303] DBG:core:tcp_send: after write: c= 0xb612fcf8 n=791 fd=23
> > > Jan 17 16:06:12 [30303] DBG:core:tcp_send: buf=
> > > REGISTER sip:hmcint.local:5060;transport=tcp SIP/2.0
> > > Via: SIP/2.0/TLS 192.168.5.59:5061;branch=z9hG4bKd863.89657825.0;i=2
> > > Via: SIP/2.0/TCP 192.168.5.59;branch=z9hG4bKd863.79657825.0
> > > To: sip:max.ambrogi at hmcint.local;transport=tcp
> > > From: sip:max.ambrogi at hmcint.local;transport=tcp;tag=BB479256370FF64C226AA6220F2364DD
> > > CSeq: 1 REGISTER
> > > Call-ID: 24D8315A8EBB948A4DD4F1A3518E4029 at 192.168.5.59
> > > Content-Length: 0
> > > Max-Forwards: 70
> > > Contact: <sip:192.168.5.59:5060;transport=tcp;AppId=.sip2msipGW>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER";proxy=replace;+sip.instance="<urn:uuid:787C69C1-2A21-441f-B792-A908ABFF5010>"
> > > Supported: gruu-10,adhoclist,msrtc-event-categories,ms-forking
> > > ms-keep-alive: UAC;hop-hop=yes
> > > Event: registration
> > > X-WeSIP-SPIRAL: true
> > >
> > > Jan 17 16:06:12 [30303] DBG:tm:set_timer: relative timeout is 30
> > > Jan 17 16:06:12 [30303] DBG:tm:insert_timer_unsafe: [0]: 0xb610d020 (300)
> > > Jan 17 16:06:12 [30303] DBG:tm:t_relay_to: new transaction fwd'ed
> > > Jan 17 16:06:12 [30303] DBG:tm:t_unref: UNREF_UNSAFE: after is 0
> > > Jan 17 16:06:12 [30303] DBG:core:destroy_avp_list: destroying list (nil)
> > > Jan 17 16:06:12 [30303] DBG:core:receive_msg: cleaning up
> > > Jan 17 16:06:12 [30304] DBG:core:tls_update_fd: New fd is 23
> > > Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
> > > Jan 17 16:06:12 [30304] ERROR:core:tcp_read_req: failed to read
> > > Jan 17 16:06:12 [30304] DBG:core:io_watch_del: io_watch_del (0x8164160, 23, -1, 0x10) fd_no=2 called
> > > Jan 17 16:06:12 [30304] DBG:core:release_tcpconn: releasing con 0xb612fcf8, state -2, fd=23, id=9
> > > Jan 17 16:06:12 [30304] DBG:core:release_tcpconn: extra_data 0xb613fe10
> > > Jan 17 16:06:12 [30311] DBG:core:handle_tcp_child: reader response= b612fcf8, -2 from 1
> > > Jan 17 16:06:12 [30311] DBG:core:tcpconn_destroy: destroying connection 0xb612fcf8, flags 0002
> > > Jan 17 16:06:12 [30311] DBG:core:tls_close: closing SSL connection
> > >
> > >
> > > The opensips.cfg is configured as following:
> > > disable_tls = no
> > > listen = tls:##OPENSIPSIP##:5061
> > > tls_verify_server = 0
> > > tls_verify_client = 0
> > > tls_require_client_certificate = 0
> > > tls_method = TLSv1
> > > tls_ca_list = "/product/opensips//etc/opensips/tls/dario/dario-calist.pem"
> > > tls_certificate = "/product/opensips//etc/opensips/tls/user/user-cert.pem"
> > > tls_private_key = "/product/opensips//etc/opensips/tls/user/user-privkey.pem"
> > > tls_ciphers_list="RC4-MD5"
> > >
> > > route{
> > >
> > > if(is_present_hf("X-WeSIP-SPIRAL")){
> > > log("\nSPIRAL!!!\n");
> > > t_relay("tls:EDGEIP:5061");
> > > exit;}
> > > (on WeSIP, SPIRAL is equal to TRUE)
> > >
> > > OPENSIPSIP is the CLIENT and EDGEIP is the SERVER
> > >
> > >
> > > Using OpenSSL the connection is OK
> > > openssl s_client -connect EDGEIP:5061 -ssl2 -CAfile /product/opensips_dev/etc/opensips/tls/user/user-calist.pem -cipher RC4-MD5
> > >
> > > New, TLSv1/SSLv3, Cipher is RC4-MD5
> > > Server public key is 1024 bit
> > > SSL-Session:
> > > Protocol : TLSv1
> > > Cipher : RC4-MD5
> > > Session-ID: E708000007E4CC591AA8982939C17298FBEDF72E749C010EFFC39FBEB2D143A6
> > > Session-ID-ctx:
> > > Master-Key: 5835CA1877799D4B507AA31DB8DEA5F11D27DD077FE43F52DC9606ABF296AF6043402938E384FFF7B1485DC77D4D13D7
> > > Key-Arg : None
> > > Krb5 Principal: None
> > > Start Time: 1232205185
> > > Timeout : 7200 (sec)
> > > Verify return code: 0 (ok)
> > >
> > > Regards
> > >
> > >
> >
>
>
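The reply above identifies code 5 as SSL_ERROR_SYSCALL and mentions printing more detail at runtime. The following C example is added here for illustration (it is not OpenSIPS code and not from the thread) and shows how the extra inputs described in the linked SSL_get_error documentation narrow that code down. `tls_describe_error` and the `TLS_ERR_*` names are hypothetical; the numeric values match `<openssl/ssl.h>`, and the caller is assumed to pass in the results of `SSL_get_error()`, `ERR_get_error()` and `errno`.

```c
#include <stdio.h>
#include <string.h>

/* Same numeric values as SSL_ERROR_* in <openssl/ssl.h>; repeated here
 * (hypothetical names) so the example builds without OpenSSL headers. */
enum {
    TLS_ERR_NONE = 0, TLS_ERR_SSL = 1, TLS_ERR_WANT_READ = 2,
    TLS_ERR_WANT_WRITE = 3, TLS_ERR_WANT_X509_LOOKUP = 4,
    TLS_ERR_SYSCALL = 5, TLS_ERR_ZERO_RETURN = 6
};

/* Hypothetical helper: build one log line from what a caller holds after
 * a failed SSL_read()/SSL_write().
 *   ssl_err : result of SSL_get_error(ssl, io_ret)
 *   io_ret  : return value of the I/O call
 *   queued  : result of ERR_get_error() (0 = error queue empty)
 *   sys_err : errno saved immediately after the I/O call
 * Returns 1 if the connection must be dropped, 0 if the call can be retried. */
int tls_describe_error(int ssl_err, int io_ret, unsigned long queued,
                       int sys_err, char *out, size_t len)
{
    switch (ssl_err) {
    case TLS_ERR_NONE:
        snprintf(out, len, "no error");
        return 0;
    case TLS_ERR_WANT_READ:
    case TLS_ERR_WANT_WRITE:
    case TLS_ERR_WANT_X509_LOOKUP:
        snprintf(out, len, "retry later (SSL_get_error=%d)", ssl_err);
        return 0;
    case TLS_ERR_ZERO_RETURN:
        snprintf(out, len, "peer sent close_notify (clean TLS shutdown)");
        return 1;
    case TLS_ERR_SSL:
        snprintf(out, len, "TLS library error, queue code 0x%lx", queued);
        return 1;
    case TLS_ERR_SYSCALL:
        if (queued != 0)        /* error queue has the details */
            snprintf(out, len, "SSL_ERROR_SYSCALL, queue code 0x%lx", queued);
        else if (io_ret == 0)   /* empty queue, ret 0: EOF violating the protocol */
            snprintf(out, len, "SSL_ERROR_SYSCALL: EOF, peer closed without close_notify");
        else                    /* empty queue, ret -1: socket-level error */
            snprintf(out, len, "SSL_ERROR_SYSCALL: %s (errno %d)",
                     strerror(sys_err), sys_err);
        return 1;
    default:
        snprintf(out, len, "unknown SSL_get_error value %d", ssl_err);
        return 1;
    }
}
```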