[OpenSIPS-Users] TLS - How exactly to decide whether to set require_cert to 1 or 0? The SIP client must trust the SIP server, not vice versa.
Rodrigo Pimenta Carvalho
pimenta at inatel.br
Wed Jul 29 15:51:55 CEST 2015
Dear OpenSIPS-users,
I am configuring my OpenSIPS 2.2 to communicate with SIP clients using TLS. The SIP client must trust the SIP server, but the inverse is not needed. I want to avoid a fake SIP server collecting data from the SIP clients, for example collecting logins/IDs and passwords.
For that, I suspect that I must use the configuration: modparam("proto_tls","require_cert", "X"). But what exactly do 1 and 0 mean for X?
When I set X to 0 and run the test "openssl s_client -showcerts -debug -connect <OpenSIPS_IP>:5061 -no_ssl2 -bugs -CAfile ./cacert.pem", I can see the following OpenSIPS log:
--------------------------------------------------------------------------------------------------------------
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: entered: Creating a whole new ssl connection
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: looking up socket based TLS server domain [<OpenSIPS_IP>:5061]
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_find_server_domain: virtual TLS server domain not found, Using default TLS server domain settings
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: found socket based TLS server domain [0.0.0.0:0]
...
...
Jul 29 10:02:27 [11921] INFO:proto_tls:tls_accept: New TLS connection from <OpenSIPS_IP>:45457 accepted
Jul 29 10:02:27 [11921] DBG:proto_tls:tls_accept: new TLS connection from <OpenSIPS_IP>:45457 using TLSv1/SSLv3 AES256-SHA 256
Jul 29 10:02:27 [11921] DBG:proto_tls:tls_accept: local socket: <OpenSIPS_IP>:5061
Jul 29 10:02:27 [11921] INFO:proto_tls:tls_accept: Client did not present a TLS certificate
...
...
Jul 29 10:02:31 [11929] DBG:proto_tls:tls_conn_shutdown: first phase of 2-way handshake completed succesfuly
-----------------------------------------------------------------------------------------------------------------------
However, when I set X to 1, I get:
--------------------------------------------------------------------------------------------------------------------------
Jul 29 10:05:36 [11978] ERROR:proto_tls:tls_accept: New TLS connection from <OpenSIPS_IP>:45460 failed to accept: rejected by client
Jul 29 10:05:36 [11978] ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
--------------------------------------------------------------------------------------------------------------------------
So it seems that the client refuses the connection from the server. What is happening here? Is the client refusing some cert presented by the server?
I'm a bit confused because the TLS module documentation says that the 'require_cert' parameter is used for incoming TLS connections, where OpenSIPS acts as the server. So how could it affect the client side?
P.S.: the result of "openssl s_client ..." command is "Verify return code: 0 (ok)".
Any hint will be very helpful!
Best regards.
RODRIGO PIMENTA CARVALHO
Inatel Competence Center
Software
Ph: +55 35 3471 9200 RAMAL 979
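The configuration the question is about, as an added example that is not code from the original post or from the OpenSIPS project: the proto_tls fragment for a server that authenticates itself to clients without demanding a client certificate, next to the mutual-TLS setting (require_cert=1) that matches the rejected handshake in the log, plus a client-side probe built on the same openssl s_client command whose output is parsed instead of eyeballed. Host, port, certificate paths and the s_client output fragments are placeholders or constructed for illustration, and verify_code, check_server_auth, probe_server and opensips_tls_fragment are helper names introduced here.

```shell
#!/bin/sh
# Added example, not code from the original post or the OpenSIPS project.
# (1) proto_tls settings for "clients authenticate the server, the server does
#     not authenticate clients", and (2) a client-side probe whose s_client
#     output is parsed so a bad server certificate cannot be waved through.
# Assumptions: host, port, file paths and the sample outputs below are
# placeholders/constructed for illustration.

OPENSIPS_HOST="${OPENSIPS_HOST:-192.0.2.10}"   # placeholder (TEST-NET-1)
OPENSIPS_PORT="${OPENSIPS_PORT:-5061}"
CA_FILE="${CA_FILE:-./cacert.pem}"             # CA that signed the server cert

# Server side. require_cert=0: OpenSIPS presents its own certificate but does
# not demand one from the client, so a client without a certificate is
# accepted ("Client did not present a TLS certificate" in the log above).
# require_cert=1 is mutual TLS: the same client is refused during the
# handshake, which is the "failed to accept" case in the second log.
# verify_cert is left at its default; it governs how a certificate a peer
# *does* present is checked, not whether one is demanded.
opensips_tls_fragment() {
    cat <<'EOF'
modparam("proto_tls", "certificate", "/etc/opensips/tls/server.pem")
modparam("proto_tls", "private_key", "/etc/opensips/tls/server-key.pem")
modparam("proto_tls", "ca_list",     "/etc/opensips/tls/cacert.pem")
modparam("proto_tls", "require_cert", 0)
# modparam("proto_tls", "require_cert", 1)   # mutual TLS: clients need a cert too
EOF
}

# Client side. openssl s_client prints "Verify return code: N (...)" but by
# default keeps talking even when N != 0; -verify_return_error makes that
# fatal, which is how a real SIP client has to behave against a fake server.
probe_server() {
    openssl s_client -connect "$OPENSIPS_HOST:$OPENSIPS_PORT" \
        -CAfile "$CA_FILE" -verify_return_error -showcerts </dev/null 2>&1
}

# Extract the numeric verify return code from s_client output. Prints nothing
# if the handshake never got that far (e.g. the server demanded a client cert).
verify_code() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' \
        | tail -n 1
}

# Exit status: 0 = server certificate chains to our CA, 1 = verification
# failed, 2 = no verification result at all (handshake did not complete).
check_server_auth() {
    code=$(verify_code "$1")
    case "$code" in
        '') return 2 ;;
        0)  return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed s_client output fragments (not captured from a real server).
SAMPLE_OK='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Verify return code: 0 (ok)
---'
SAMPLE_UNTRUSTED='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
---'
SAMPLE_REFUSED='CONNECTED(00000003)
(constructed) SSL routines: alert handshake failure'

# Usage: sh this_script.sh probe   -> runs the live probe against OPENSIPS_HOST
if [ "${1:-}" = "probe" ]; then
    out=$(probe_server)
    check_server_auth "$out"; rc=$?
    printf 'verify code: [%s] rc=%s\n' "$(verify_code "$out")" "$rc"
fi
```

The probe only proves that the server's certificate chains to the CA in cacert.pem; it does not check that the certificate names the host that was dialled (on OpenSSL 1.0.2 and later, -verify_hostname adds that check to s_client). A SIP client that wants to rule out a fake server needs both: trust anchored in the right CA, a name check, and a hard failure rather than a logged warning when either fails. require_cert, by contrast, only changes what the server demands of the client, which is why the same s_client command is accepted with require_cert=0 and refused at the handshake with require_cert=1.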