[OpenSIPS-Users] [OpenSIPS] TLS Client Verification Disabled - How To?

Chandrakant Solanki solanki.chandrakant at gmail.com
Thu Feb 23 08:01:44 CET 2012


Hi All,

I am using opensips 1.7.0 with TLS.
# cd /usr/src/opensips/opensips-1.7.0-tls/
# make
# make install

# cd /usr/local/etc/opensips/tls/
# vim ca.conf
[ root_ca_distinguished_name ]
commonName          = sip1.example.com         #Your_NAME          # please update
stateOrProvinceName = California               #Your_STATE         # please update
countryName         = US                       #CO                 # please update
emailAddress        = myemail at gmail.com     #YOUR_EMAIL         # please update
organizationName    = example1                 #YOUR_ORG_NAME      # please update

# vim user.conf
[ server_distinguished_name ]
commonName             = sip1.example.com       #somename.somewhere.com            # please update
stateOrProvinceName    = California             #Some State                        # please update
countryName            = US                     #XY                                # please update
emailAddress           = myemail at gmail.com   #root at somename.somewhere.com    # please update
organizationName       = example1               #My Large Organization Name        # please update
organizationalUnitName = OpenSIPS               #My Subunit of Large Organization  # please update

Generating rootCA and user certificate....

# opensipsctl tls rootCA
# opensipsctl tls userCERT user
Here is my opensips.cfg file ...

debug=7
fork=yes
log_facility=LOG_LOCAL0
log_stderror=no
children=4
sip_warning=yes
check_via=no
dns=no
rev_dns=no

disable_tls=0
listen=udp:172.18.100.73:5060
listen=tls:172.18.100.73:5061
tls_verify_server=0
tls_verify_client=1
tls_require_client_certificate=1
tls_method=SSLv23
tls_private_key="/usr/local/etc/opensips/tls/user/user-privkey.pem"
tls_certificate="/usr/local/etc/opensips/tls/user/user-cert.pem"
#tls_ca_list="/usr/local/etc/opensips/tls/user/user-calist.pem"

mpath="/usr/local/lib/opensips/modules/"

# default db_url to be used by modules requiring DB connection
db_default_url="mysql://opensips:opensipsrw@localhost/opensips"


Now, when I tried to register a client (jitsi), it gives the following error ...

Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18377]: NOTICE:core:verify_callback: depth = 0
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18377]: NOTICE:core:verify_callback: subject = /serialNumber=*certificate details like Office, State etc.*
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18377]: NOTICE:core:verify_callback: verify error:num=20:unable to get local issuer certificate
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18377]: NOTICE:core:verify_callback: error code is 20
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18377]: NOTICE:core:verify_callback: something wrong with the cert ... error code is 20 (check x509_vfy.h)
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18377]: NOTICE:core:verify_callback: verify return:0
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18377]: WARNING:core:tls_connect: server certificate verification failed!!!
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18377]: ERROR:core:_tls_read: something wrong in SSL: 1
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18377]: ERROR:core:tls_print_errstack: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18377]: ERROR:core:tcp_read_req: failed to read
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18378]: ERROR:core:_tls_read: something wrong in SSL: 1
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18378]: ERROR:core:tls_print_errstack: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18378]: ERROR:core:tcp_read_req: failed to read
Feb 23 12:15:58 jaxtrsms /usr/local/sbin/opensips[18382]: ERROR:core:tls_shutdown: something wrong in SSL:
Feb 23 12:16:29 jaxtrsms /usr/local/sbin/opensips[18376]: INFO:core:probe_max_sock_buff: using snd buffer of 255 kb
Feb 23 12:16:40 jaxtrsms /usr/local/sbin/opensips[18376]: ERROR:core:tcp_blocking_connect: timeout 10 s elapsed from 10 s
Feb 23 12:16:40 jaxtrsms /usr/local/sbin/opensips[18376]: ERROR:core:tcpconn_connect: tcp_blocking_connect failed
Feb 23 12:16:40 jaxtrsms /usr/local/sbin/opensips[18376]: ERROR:core:tcp_send: connect failed
Feb 23 12:16:40 jaxtrsms /usr/local/sbin/opensips[18376]: ERROR:tm:msg_send: tcp_send failed


and sometimes I get the following error ...

Feb 23 12:06:57 localhost /usr/local/sbin/opensips[12483]: INFO:core:probe_max_sock_buff: using snd buffer of 512 kb
Feb 23 12:06:57 localhost /usr/local/sbin/opensips[12474]: ERROR:core:tls_accept: some error in SSL (ret=-1, err=1, errno=0/Success):
Feb 23 12:06:57 localhost /usr/local/sbin/opensips[12474]: ERROR:core:tls_print_errstack: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

Please help me. Is anything wrong with the configuration, or can you give guidance on configuring opensips 1.7 with TLS?

-- 
Regards,

Chandrakant Solanki
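
Verify error 20 in the log above ("unable to get local issuer certificate") is OpenSSL reporting that the issuer of the presented certificate is not among the CAs the verifying side trusts. The script below is an added example, not part of the original post: it reproduces that result with throwaway certificates (all names and files constructed) and shows it clearing once the issuing CA is in the CA list, which is what the `tls_ca_list` file supplies.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs and a leaf certificate in a temp directory.
# All subject names and file names here are hypothetical, not from the post.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_ca NAME: create a self-signed root CA as NAME-key.pem / NAME-cert.pem.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" 2>/dev/null
}

# new_leaf CA: issue leaf-cert.pem for sip1.example.com, signed by CA.
new_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip1.example.com" \
        -keyout "$WORK/leaf-key.pem" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -days 1 -CAcreateserial \
        -CA "$WORK/$1-cert.pem" -CAkey "$WORK/$1-key.pem" \
        -out "$WORK/leaf-cert.pem" 2>/dev/null
}

# verify_code CALIST CERT: print 0 if CERT chains to a CA in CALIST,
# otherwise the OpenSSL verify error number (the "num=" value in the log).
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" |
               sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

new_ca issuing-ca      # the CA that signs the peer's certificate
new_ca unrelated-ca    # stands in for a CA list that lacks the issuer
new_leaf issuing-ca

echo "CA list without issuer: $(verify_code "$WORK/unrelated-ca-cert.pem" "$WORK/leaf-cert.pem")"
echo "CA list with issuer:    $(verify_code "$WORK/issuing-ca-cert.pem" "$WORK/leaf-cert.pem")"
```

Running `verify_code` against a real CA list file and the certificate the remote side presents gives the same number the `verify_callback` log lines report.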