[OpenSIPS-Users] TLS errors

nir elkayam nir.elkayam at gmail.com
Mon Jan 18 15:18:44 CET 2010


Hi,

Attached are the lines from the cfg file:

root at XXXX:/usr/local/etc/opensips# cat opensips.cfg | grep tls
disable_tls = no
listen = tls:X.X.X.X:30100
tls_port_no = 30100
tls_verify_server = 0
tls_verify_client = 0
tls_require_client_certificate = 0
tls_method = TLSv1
tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"

Thanks for the help,
nir

On Mon, Jan 18, 2010 at 3:41 PM, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:

> Hi Nir,
>
> the last command either creates the CA list file (if not present) or adds
> the current CA to it (if already present).
>
> Also, have you properly set the TLS related parameters in the config file?
>
> Regards,
> Bogdan
>
> nir elkayam wrote:
> > hi,
> >
> > I followed the script at:
> > http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html
> >
> > mainly, I generated the root certificate with:
> > opensipsctl tls rootCA
> > and then generated the user (i.e. SIP server) certificate with:
> > opensipsctl tls userCERT user
> >
> > about the ca_list file, the wiki says:
> >
> > To add more CAs to your list, just do:
> >
> >       cat add_cacert.pem >> calist.pem
> >
> > but I am not sure about that; shouldn't the last command have updated
> > the CA list? I see that the file isn't empty.
> >
> > nir
> >
> >
> >
> > On Fri, Jan 15, 2010 at 6:35 PM, Bogdan-Andrei Iancu
> > <bogdan at voice-system.ro> wrote:
> >
> >     Hi Nir,
> >
> >     I see you managed to start opensips with TLS - what was your error?
> >
> >     for _tls_read -> that is very funny: SSL_read returns err 5
> >     (SSL_ERROR_SYSCALL), which means to look at the error stack/return
> >     value/errno for the real error (the error was generated somewhere
> >     deep in the SSL underlayers), but the errno is Success and the stack
> >     is empty :P..... Looks like a ghost error...
> >
> >     for tls_accept -> the error is in the stack, and after googling a
> >     bit -> "obviously the CA that signed your clients is not known to the
> >     server. Take a look at"
> >
> >     http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
> >     http://www.modssl.org/docs/2.8/ssl_reference.html#ToC14
> >
> >
> >     Regards,
> >     Bogdan
> >
> >     nir elkayam wrote:
> >     > hi,
> >     >
> >     > I am using opensips/TLS,
> >     >
> >     > I get the following error:
> >     > Jan 14 22:53:54 [19740] ERROR:core:_tls_read: SYSCALL error -> (0) <Success>
> >     > Jan 14 22:53:54 [19740] ERROR:core:_tls_read: something wrong in SSL: 5
> >     > Jan 14 22:53:54 [19740] ERROR:core:tcp_read_req: failed to read
> >     > Jan 14 22:54:46 [19740] ERROR:core:tls_accept: some error in SSL (ret=0, err=1, errno=0/Success):
> >     > Jan 14 22:54:46 [19740] ERROR:core:tls_print_errstack: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> >     >
> >     > any hints about these?
> >     > actually the client works, but an error in the encryption process is not
> >     > good, I think
> >     >
> >     > thanks
> >     >
> >     >
> >     > ------------------------------------------------------------------------
> >     >
> >     > _______________________________________________
> >     > Users mailing list
> >     > Users at lists.opensips.org
> >     > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >     >
> >
> >
> >     --
> >     Bogdan-Andrei Iancu
> >     www.voice-system.ro
> >
> >
> >
> > --
> > ניר אלקיים
> > Tel: 050-3930056
> > nir.elkayam at gmail.com
> >
>
>
> --
> Bogdan-Andrei Iancu
> www.voice-system.ro
>
>



-- 
ניר אלקיים
Tel: 050-3930056
nir.elkayam at gmail.com
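
Added example (not part of the original messages, and not OpenSIPS code): decoding the packed OpenSSL error code from the `tls_print_errstack` line quoted in this thread. It assumes the pre-3.0 OpenSSL error layout (8-bit library, 12-bit function, 12-bit reason); the function names `decode_errstack` and `peer_alerts` are hypothetical.

```python
import re

ERR_LIB_SSL = 20            # OpenSSL library number for libssl
ALERT_REASON_OFFSET = 1000  # SSL_AD_REASON_OFFSET: reason = 1000 + alert number
# TLS alert descriptions from RFC 5246 section 7.2 (subset)
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 70: "protocol_version"}

ERRSTACK = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.*)$")

def decode_errstack(line):
    """Split a pre-3.0 OpenSSL packed error code into lib/func/reason."""
    m = ERRSTACK.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    out = {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF,
           "reason": code & 0xFFF, "func_name": m.group(2),
           "text": m.group(3).strip(), "alert": None}
    # libssl reports an alert received from the peer as 1000 + alert number
    if out["lib"] == ERR_LIB_SSL and out["reason"] >= ALERT_REASON_OFFSET:
        number = out["reason"] - ALERT_REASON_OFFSET
        out["alert"] = (number, TLS_ALERTS.get(number, "unlisted"))
    return out

def peer_alerts(log_text):
    """Return (timestamp, alert number, alert name) for each alert in a log."""
    found = []
    for line in log_text.splitlines():
        info = decode_errstack(line)
        if info and info["alert"]:
            found.append((line[:15], *info["alert"]))
    return found

# Log lines from this thread, with the mail client's line wraps rejoined
SAMPLE_LOG = """\
Jan 14 22:53:54 [19740] ERROR:core:_tls_read: something wrong in SSL: 5
Jan 14 22:54:46 [19740] ERROR:core:tls_accept: some error in SSL (ret=0, err=1, errno=0/Success):
Jan 14 22:54:46 [19740] ERROR:core:tls_print_errstack: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
"""

if __name__ == "__main__":
    for stamp, number, name in peer_alerts(SAMPLE_LOG):
        print(f"{stamp}: peer sent TLS alert {number} ({name})")
```

Because the code was recorded by the read path (`SSL3_READ_BYTES`), alert 48 is one the remote side sent after receiving a certificate chain it could not tie to a CA it trusts.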