[OpenSIPS-Users] OpenSIPS and TLS with wildcard certificates again
Adrian Georgescu
ag at ag-projects.com
Sat Sep 15 11:05:11 CEST 2012
The client must trust the certificate authority that signed the certificate presented by the server. Try loading the same CA file in Jitsi's supported list of CAs.
Adrian
On Sep 14, 2012, at 2:13 PM, Peter Lemenkov wrote:
> Hello All!
>
> First of all - I've read a bit about TLS and certificates in OpenSIPS
> but I still don't have a clue what's wrong with this.
>
> My problem is - although openssl can verify the certificate, and it
> can be loaded by opensips, client apps are refusing to connect.
> Namely, empathy and Jitsi.
>
> My setup is quite simple (well, I thought so). I've got a bunch of SIP
> domains, let's say sip0[0-9].domain.com fully resolvable via DNS (w/o
> additional DNS SRV records - just domain names). I've got wildcard SSL
> certificate from Thawte (for "*.domain.com" without quotes) and a CA
> bundle from Thawte (
> https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_CA_Bundle.pem
> ). I appended it to the end of the system-wide certificate bundle (and
> checked with openssl). And now here is my relevant config data (I
> added "192.168.0.1 sip01.domain.com" to /etc/hosts for the sake of
> simplicity):
>
> disable_tls = 0
> listen = tls:192.168.0.1:5051
> tls_verify_server = 0
> tls_verify_client = 0
> tls_require_client_certificate = 0
> tls_method = TLSv1
>
> alias=sip01.domain.com:5051
>
> tls_certificate = "./wildcard.domain.com.crt"
> tls_private_key = "./wildcard.domain.com.key"
> tls_ca_list = "./ca-bundle.crt" # system-wide CA bundle + SSL_CA_Bundle.pem
>
>
> All I got so far is
>
> Sep 14 16:02:29 [14877] ERROR:core:tls_accept: New TLS connection from
> 192.168.0.2:59588 failed to accept: rejected by client
>
> Here is a confirmation from openssl:
>
> work ~/work/OpenSIPS (git::1.8.x-ipport): openssl verify -CAfile
> ./ca-bundle.crt ./wildcard.domain.com.crt
> ./wildcard.domain.com.crt: OK
> work ~/work/OpenSIPS (git::1.8.x-ipport):
>
> I'm using the same certificate for https and it works quite fine in
> Firefox. What did I miss so far?
>
> --
> With best regards, Peter Lemenkov.
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
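Two checks that `openssl verify` alone does not make, written here as an added example (not code from the thread or from OpenSIPS): whether the file handed to `tls_certificate` also carries the issuing intermediate that a client such as Jitsi needs to build a chain to a root it trusts, and whether the wildcard name actually covers the SIP host. It assumes the server certificate file is read as a PEM chain (leaf first, intermediates after); the PEM samples are constructed with placeholder bodies and the function names are my own.

```python
import re
from typing import List

# Constructed sample of a server certificate file: leaf first, then the
# intermediate. Bodies are placeholders, not real certificates.
SAMPLE_CHAIN_PEM = """\
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-BODY
-----END CERTIFICATE-----
"""
# The same file as it is often shipped by a CA: leaf only, no intermediate.
SAMPLE_LEAF_ONLY_PEM = "\n".join(SAMPLE_CHAIN_PEM.splitlines()[:3]) + "\n"

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def count_pem_certs(pem_text: str) -> int:
    """Number of certificate blocks in a PEM file (1 means no intermediate)."""
    return len(_PEM_BLOCK.findall(pem_text))

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a host the way strict SIP/HTTPS
    clients do: a bare '*' only as the left-most label, covering exactly
    one label, never the registered domain itself, and not at TLD level."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # '*.domain.com' needs at least three labels and no '*' anywhere else
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # exactly one non-empty label replaces the '*'; the rest must be identical
    return len(h_labels) == len(p_labels) and h_labels[0] != "" and h_labels[1:] == p_labels[1:]

def server_tls_findings(cert_file_pem: str, cert_name: str, sip_host: str) -> List[str]:
    """Reasons a client may still reject the handshake even though
    'openssl verify' reports the leaf as OK against the local CA bundle."""
    findings = []
    if count_pem_certs(cert_file_pem) < 2:
        findings.append("tls_certificate file holds only the leaf: clients that do not ship "
                        "the issuing intermediate cannot build a chain to a trusted root")
    if not wildcard_matches(cert_name, sip_host):
        findings.append(f"{sip_host} is not covered by certificate name {cert_name}")
    return findings
```

Run `server_tls_findings(open("wildcard.domain.com.crt").read(), "*.domain.com", "sip01.domain.com")` against the real file; an empty list leaves only the client-side trust store, which is what the reply above points at.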