[OpenSIPS-Users] Opensips tls and certificate issue

Bogdan-Andrei Iancu bogdan at opensips.org
Tue Feb 3 10:53:21 CET 2015 

Hi Martin,

The relevant log is:

Feb  3 06:18:36 [3626] ERROR:core:tls_accept: New TLS connection from 
123.12.28.14(my_ip):50761 failed to accept: rejected by client

So, the client opens a connection to OpenSIPS, OpenSIPS accepts the 
connection, but the connection setup fails as the client rejects the 
certificate sent by OpenSIPS.

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 03.02.2015 05:24, martin-n martin-n wrote:
>
> Hello. I'am pretty new with opensips, so installed the latest opensips 
> version *opensips 2.1.1dev-tls (x86_64/linux), *to make a sip server.
>
> I configured it to use tls. I generated the certificates according to 
> this tutorial: 
> https://github.com/antonraharja/book-opensips-101/blob/master/content/3.2.%20SIP%20TLS%20Secure%20Calling.mediawiki
>
> Then i did setup the blink. I took *cacert.pem* from rootCA folder and 
> set it up as a *Certificate Authority File. *In the account options i 
> did setup the certificate file, *server-calist.pem*. I also did add 
> the private key to the client version of *server-calist.pem* file.
>
> But when i try to log-in to my server i get:
>
> Feb  3 06:18:36 [3630] DBG:core:probe_max_sock_buff: getsockopt: snd 
> is initially 425984
> Feb  3 06:18:36 [3630] INFO:core:probe_max_sock_buff: using snd buffer 
> of 416 kb
> Feb  3 06:18:36 [3630] INFO:core:init_sock_keepalive: -- TCP keepalive 
> enabled on socket
> Feb  3 06:18:36 [3630] DBG:core:print_ip: tcpconn_new: new tcp 
> connection to: 123.12.28.14(my_ip)
> Feb  3 06:18:36 [3630] DBG:core:tcpconn_new: on port 50761, type 3
> Feb  3 06:18:36 [3630] DBG:core:tls_tcpconn_init: entered: Creating a 
> whole new ssl connection
> Feb  3 06:18:36 [3630] DBG:core:tls_tcpconn_init: looking up socket 
> based TLS server domain [my_server_ip:7061]
> Feb  3 06:18:36 [3630] DBG:core:tls_find_server_domain: virtual TLS 
> server domain not found, Using default TLS server domain settings
> Feb  3 06:18:36 [3630] DBG:core:tls_tcpconn_init: found socket based 
> TLS server domain [0.0.0.0:0]
> Feb  3 06:18:36 [3630] DBG:core:tls_tcpconn_init: Setting in ACCEPT 
> mode (server)
> Feb  3 06:18:36 [3630] DBG:core:tcpconn_add: hashes: 795, 1
> Feb  3 06:18:36 [3630] DBG:core:handle_new_connect: new connection: 
> 0x7fb5b3e82170 25 flags: 0002
> Feb  3 06:18:36 [3630] DBG:core:send2child: to tcp child 0 0(3626), 
> 0x7fb5b3e82170 rw 1
> Feb  3 06:18:36 [3626] DBG:core:handle_io: We have received conn 
> 0x7fb5b3e82170 with rw 1
> Feb  3 06:18:36 [3626] DBG:core:io_watch_add: [TCP_worker] 
> io_watch_add op on 21 (0x89a400, 21, 8, 0x7fb5b3e82170,1), fd_no=2
> Feb  3 06:18:36 [3626] DBG:core:tcp_read_req: Using the global ( per 
> process ) buff
> Feb  3 06:18:36 [3626] DBG:core:tls_update_fd: New fd is 21
> Feb  3 06:18:36 [3626] ERROR:core:tls_accept: New TLS connection from 
> 123.12.28.14(my_ip):50761 failed to accept: rejected by client
> Feb  3 06:18:36 [3626] DBG:core:io_watch_del: [TCP_worker] 
> io_watch_del op on index 1 21 (0x89a400, 21, 1, 0x10,0x3) fd_no=3 called
> Feb  3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker] size=3, fd 
> array is 17 21 3
> Feb  3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker] size=3, 
> prio array is 2 2 3
> Feb  3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker] size=2, fd 
> array is 17 3
> Feb  3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker] size=3, 
> prio array is 1 1 2
> Feb  3 06:18:36 [3626] DBG:core:release_tcpconn:  releasing con 
> 0x7fb5b3e82170, state -2, fd=21, id=1
> Feb  3 06:18:36 [3626] DBG:core:release_tcpconn:  extra_data 
> 0x7fb5b3e822f0
> Feb  3 06:18:36 [3630] DBG:core:handle_tcp_child: reader response= 
> 7fb5b3e82170, -2 from 0
> Feb  3 06:18:36 [3630] DBG:core:tcpconn_destroy: destroying connection 
> 0x7fb5b3e82170, flags 0002
> Feb  3 06:18:36 [3630] DBG:core:tls_close: closing TLS connection
> Feb  3 06:18:36 [3630] DBG:core:tls_update_fd: New fd is 25
> Feb  3 06:18:36 [3630] DBG:core:tls_shutdown: shutdown successful
> Feb  3 06:18:36 [3630] DBG:core:tls_tcpconn_clean: entered
>
> My config looks like so:
>
> auto_aliases=no
>
>
> listen=udp:my_server_ip:7060   # CUSTOMIZE ME
>
>
> disable_tcp=no
>
>
> disable_tls=no
> listen=tls:my_server_ip:7061   # CUSTOMIZE ME
> tls_verify_server= 0
> tls_verify_client = 1
> tls_require_client_certificate = 1
> #tls_method = TLSv1
> tls_method = SSLv23
> tls_certificate = "/usr/local/etc/opensips/tls/server/server-cert.pem"
> tls_private_key = "/usr/local/etc/opensips/tls/server/server-privkey.pem"
> tls_ca_list = "/usr/local/etc/opensips/tls/server/server-calist.pem"
>
> Basically i want to verify if the client has right certificate. Can 
> you help me?
>
> Thanks.
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20150203/9d348429/attachment.htm>

More information about the Users mailing list