[OpenSIPS-Users] NOTIFY and TLS issue

Bogdan-Andrei Iancu bogdan at opensips.org
Mon Aug 31 11:17:54 CEST 2015


Hi Bogdan,

If the conn with B is still alive (the one created by SUBSCRIBE 
requests), it should be reused when OpenSIPS has to send the NOTIFY. 
Have you enabled the tcp aliases?

If still a problem, can you make a log (with debug 6) when the NOTIFY is 
to be sent + a listing from list_tcp_conns?

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 28.08.2015 20:53, Bogdan Chifor wrote:
> Hello,
>
> I have a question regarding the following scenario:
>
> 1. I have two devices connected to the server via two-way TLS (TCP).
>  1.1 Device A is behind a NAT
>  1.2 Device B is directly connected to the server
>
> 2. Device B subscribes to the presence of device A.
>
> 3. Device A gets offline and the server generates a NOTIFY message to 
> be sent to device B.
>
> 4. The server does not find an existing tcp connection (from the 
> logs), even though the socket is visible if the "opensipsctl fifo 
> list_tcp_conns" or "netstat" commands are used.
>
> 5. Because the server does not find an existing connection it 
> initiates one (TLS). After that the proto tls module logs the 
> following error: "NOTICE:proto_tls:verify_callback: verify 
> error:num=26:unsupported certificate purpose".
>
> 6. This error is normal because device B does not have a certificate 
> with server authentication extended key usage, it has only the client 
> authentication extended key usage (as normal).
>
> What is the reason behind the start of the new connection and how 
> should I handle this issue?
>
> This is my proto_tls config:
>
> modparam("proto_tls", "verify_cert", "1")
> modparam("proto_tls", "require_cert", "1")
> modparam("proto_tls", "tls_method", "TLSv1")
> modparam("proto_tls", "certificate", "...")
> modparam("proto_tls", "private_key", "...")
> modparam("proto_tls", "ca_list", "...")
> modparam("proto_tls", "ca_dir", "...")
>
>
> Any help is appreciated.
>
> Best regards,
>
> Bogdan.

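The certificate-purpose failure from point 6 of the quoted message can be reproduced offline with the openssl CLI; this is an added example, not part of the original thread. It assumes a throwaway CA and a device certificate with made-up names, and shows that a certificate carrying only the clientAuth extended key usage verifies when the device is the TLS client but fails with error 26 when it is checked as a TLS server, which is the role device B has once OpenSIPS opens a new connection to it.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and device certificate in a temp directory.
# All subject names and file names are made up for illustration.

# Build a CA and a leaf whose only extended key usage is clientAuth,
# like device B's certificate in the thread. $1 = working directory.
make_client_only_cert() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=device-b" \
        -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null || return 1
    printf 'extendedKeyUsage = clientAuth\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" \
        -out "$d/dev.pem" 2>/dev/null
}

# Verify the leaf for a given role. $1 = directory, $2 = sslclient|sslserver.
# Prints "ok", or "26" when OpenSSL reports a certificate purpose mismatch.
verify_as() {
    out=$(openssl verify -purpose "$2" -CAfile "$1/ca.pem" "$1/dev.pem" 2>&1)
    case $out in
        *"error 26 "*) echo 26 ;;
        *": OK"*)      echo ok ;;
        *)             echo other ;;
    esac
}

# Stand-alone run: show both roles side by side.
d=$(mktemp -d) && make_client_only_cert "$d"
echo "device as TLS client (B connected to OpenSIPS): $(verify_as "$d" sslclient)"
echo "device as TLS server (OpenSIPS connected to B): $(verify_as "$d" sslserver)"
rm -rf "$d"
```

The same two `openssl verify -purpose` checks can be run against a real device certificate and CA bundle to confirm which role a certificate is usable in before looking at connection reuse.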