[OpenSIPS-Users] OpenSIPS and TLS with wildcard certificates again

Peter Lemenkov lemenkov at gmail.com
Fri Sep 14 14:13:42 CEST 2012


Hello All!

First of all - I've read a bit about TLS and certificates in OpenSIPS
but I still don't have a clue what's wrong with this.

My problem is - although openssl can verify the certificate, and it can
be loaded by opensips, client apps are refusing to connect, namely
Empathy and Jitsi.

My setup is quite simple (well, I thought so). I've got a bunch of SIP
domains, let's say sip0[0-9].domain.com, fully resolvable via DNS (w/o
additional DNS SRV records - just domain names). I've got a wildcard SSL
certificate from Thawte (for "*.domain.com" without quotes) and a CA
bundle from Thawte (
https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_CA_Bundle.pem
). I appended it to the end of the system-wide certificate bundle (and
checked with openssl). And now here is my relevant config data (I
added "192.168.0.1 sip01.domain.com" to /etc/hosts for the sake of
simplicity):

disable_tls = 0
listen = tls:192.168.0.1:5051
tls_verify_server = 0
tls_verify_client = 0
tls_require_client_certificate = 0
tls_method = TLSv1

alias=sip01.domain.com:5051

tls_certificate = "./wildcard.domain.com.crt"
tls_private_key = "./wildcard.domain.com.key"
tls_ca_list = "./ca-bundle.crt" # system-wide CA bundle + SSL_CA_Bundle.pem


All I got so far is

Sep 14 16:02:29 [14877] ERROR:core:tls_accept: New TLS connection from
192.168.0.2:59588 failed to accept: rejected by client

Here is a confirmation from openssl:

work ~/work/OpenSIPS (git::1.8.x-ipport): openssl verify -CAfile
./ca-bundle.crt ./wildcard.domain.com.crt
./wildcard.domain.com.crt: OK
work ~/work/OpenSIPS (git::1.8.x-ipport):

I'm using the same certificate for https and it works quite fine in
Firefox. What did I miss so far?

-- 
With best regards, Peter Lemenkov.
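As an added illustration (not part of this thread and not OpenSIPS code), here is the name-matching rule a TLS client applies when it decides whether a wildcard certificate covers the host it dialled, following RFC 6125 section 6.4.3. The hostnames and the IP address are taken from the post above; the function names are my own.

```python
import ipaddress
from typing import Iterable


def _normalize(name: str) -> str:
    """Lower-case, trim whitespace and drop a trailing dot (DNS root)."""
    return name.strip().rstrip(".").lower()


def hostname_matches(presented: str, reference: str) -> bool:
    """Return True if one certificate identifier (CN or dNSName SAN)
    covers the reference hostname the client connected to.

    RFC 6125 6.4.3 rules: a wildcard is only honoured as the complete
    left-most label, it matches exactly one label, and (common client
    restriction) at least two labels must follow it, so "*.com" is refused."""
    presented = _normalize(presented)
    reference = _normalize(reference)
    if not presented or not reference:
        return False
    # A peer reached by IP literal (e.g. tls:192.168.0.1:5051) is never matched
    # against a DNS name; it would need an iPAddress SAN, which a wildcard lacks.
    try:
        ipaddress.ip_address(reference)
        return False
    except ValueError:
        pass
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if "*" not in presented:
        return p_labels == r_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # Wildcard covers exactly one non-empty label: same label count, rest equal.
    if len(r_labels) != len(p_labels) or r_labels[0] == "":
        return False
    return r_labels[1:] == p_labels[1:]


def certificate_covers(identifiers: Iterable[str], reference: str) -> bool:
    """True if any identifier in the certificate matches the reference name."""
    return any(hostname_matches(ident, reference) for ident in identifiers)
```

The check shows which of the post's names the "*.domain.com" certificate can satisfy: sip01.domain.com does, but the bare domain, a deeper sub-domain, or the 192.168.0.1 listen address do not.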