[OpenSIPS-Users] NOTIFY and TLS issue

Bogdan Chifor chiforbogdan86 at gmail.com
Fri Aug 28 19:53:55 CEST 2015


Hello,

I have a question regarding the following scenario:

1. I have two devices connected to the server via two-way TLS (TCP).
 1.1 Device A is behind a NAT
 1.2 Device B is directly connected to the server

2. Device B subscribes to the presence of device A.

3. Device A goes offline and the server generates a NOTIFY message to be
sent to device B.

4. The server does not find an existing tcp connection (from the logs),
even though the socket is visible if the "opensipsctl fifo list_tcp_conns"
or "netstat" commands are used.

5. Because the server does not find an existing connection, it initiates one
(TLS). After that, the proto_tls module logs the following error:
"NOTICE:proto_tls:verify_callback: verify error:num=26:unsupported
certificate purpose".

6. This error is normal because device B does not have a certificate with
server authentication extended key usage, it has only the client
authentication extended key usage (as normal).

What is the reason behind the start of the new connection and how should I
handle this issue?

This is my proto_tls config:

modparam("proto_tls", "verify_cert", "1")
modparam("proto_tls", "require_cert", "1")
modparam("proto_tls", "tls_method", "TLSv1")
modparam("proto_tls", "certificate", "...")
modparam("proto_tls", "private_key", "...")
modparam("proto_tls", "ca_list", "...")
modparam("proto_tls", "ca_dir", "...")


Any help is appreciated.

Best regards,

Bogdan.
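The verify error in step 5 is OpenSSL's X509_V_ERR_INVALID_PURPOSE (26): when the server opens an outbound TLS connection, it is the TLS client and checks the peer's certificate against the "sslserver" purpose, which a certificate whose extendedKeyUsage lists only clientAuth cannot satisfy. The script below is an added example, not code from the original post or from OpenSIPS; it builds a throw-away CA, issues one certificate with clientAuth only (device B as described) and one with clientAuth plus serverAuth, and runs `openssl verify -purpose` over both so the error number can be reproduced offline. The CA, subject names, file names and the temporary directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSIPS: reproduce
# OpenSSL verify error 26 ("unsupported certificate purpose") by checking a
# certificate that carries only clientAuth in extendedKeyUsage against the
# "sslserver" purpose, the check a TLS client applies to the peer it dials.
# The demo CA, subject names and file layout below are assumptions.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_cert <name> <extfile contents>: key + CSR + cert signed by the demo CA
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    printf '%s\n' "$2" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

make_pki() {
    # Self-signed demo CA with explicit CA extensions, so the outcome does not
    # depend on whatever openssl.cnf the host ships.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Device B as described in the thread: clientAuth only.
    issue_cert device-b-client-only 'extendedKeyUsage=clientAuth'
    # The same device with an EKU that also lets it be the TLS server side.
    issue_cert device-b-dual 'extendedKeyUsage=clientAuth,serverAuth'
}

# verify_purpose <cert name> <sslclient|sslserver>: prints OK, or the numeric
# X509 verify error (26 = X509_V_ERR_INVALID_PURPOSE) parsed from openssl output.
verify_purpose() {
    out="$(openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" 2>&1 || true)"
    case "$out" in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

make_pki
for name in device-b-client-only device-b-dual; do
    for purpose in sslclient sslserver; do
        printf '%-22s %-10s %s\n' "$name" "$purpose" "$(verify_purpose "$name" "$purpose")"
    done
done
```

Running it prints a four-row table: the clientAuth-only certificate passes the sslclient check and fails sslserver with 26, while the certificate carrying both EKUs passes both. Any peer that the OpenSIPS server may dial (rather than only accept from) therefore needs serverAuth in its extendedKeyUsage, or verify_cert will reject it exactly as in the logged NOTICE.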