[OpenSIPS-Users] TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5

Rodrigo Pimenta Carvalho pimenta at inatel.br
Fri Apr 8 16:48:40 CEST 2016


Hi.


I got the same problem in the ZOIPER softphone.

I just let my ZOIPER ignore the file received from OpenSIPS and then the problem was solved. Otherwise I would have had to install the client party on the phone. It was possible for me because in my project I didn't have to use certificates, just cryptographic messages with TLS.


See below the configuration in my OpenSIPS.cfg file (my proxy is version 2.2 from 2015):


loadmodule "proto_tls.so"

 modparam("proto_tls","verify_cert", "0")
 modparam("proto_tls","require_cert", "0")  #0 means  *do not* force the client to present a certificate where as 1 means *do* ask the client to present a cert.
 modparam("proto_tls","tls_method", "TLSv1")  #If you want RFC3261 conformance and all your clients support TLSv1 (or you are planning to use encrypted "tunnels" only between differe


modparam("proto_tls", "certificate",  "/usr/local/etc/opensips/tls/rootCA/certs/cert.pem")
modparam("proto_tls", "private_key", "/usr/local/etc/opensips/tls/rootCA/private/key.pem")
modparam("proto_tls", "ca_list", "/usr/local/etc/opensips/tls/rootCA/cacert.pem")
modparam("proto_tls", "ca_dir", "/usr/local/etc/opensips/tls/rootCA/")


# Sets the TLS protocol. The first parameter, if set, represents the id of the domain. TLS method which can be:
#
#    TLSv1_2 - means OpenSIPS will accept only TLSv1.2 connections (rfc3261 conformant).
#
#    TLSv1 - means OpenSIPS will accept only TLSv1 connections (rfc3261 conformant).
#
#    SSLv3 - means OpenSIPS will accept only SSLv3 connections
#
#    SSLv2 - means OpenSIPS will accept only SSLv2 connections (almost all old clients support this).
#
#    SSLv23 - means OpenSIPS will accept any of the above methods, but the initial SSL hello must be v2 (in the initial hello all the supported protocols are advertised enabling swit
#
#Default value is SSLv23.


Tell me if I'm wrong, please.


Best regards.



RODRIGO PIMENTA CARVALHO
Inatel Competence Center
Software
Ph: +55 35 3471 9200 RAMAL 979
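
Added example (not part of the original message and not OpenSIPS project code): a small Python audit of the proto_tls modparam lines shown in the configuration above, flagging the protocol method and the certificate-checking settings. The function names and the trimmed sample config are constructed for illustration.

```python
import re

# modparam("proto_tls", "<name>", "<value>"), optionally followed by a comment
MODPARAM = re.compile(
    r'^\s*modparam\(\s*"proto_tls"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')

# Method names as listed in the config comments above
WEAK_METHODS = {
    "SSLv2": "SSLv2 is prohibited by RFC 6176",
    "SSLv3": "SSLv3 is deprecated by RFC 7568",
    "TLSv1": "TLS 1.0 is deprecated by RFC 8996",
    "SSLv23": "accepts any of the listed methods (per the comments above)",
}

def parse_proto_tls(cfg_text):
    """Return {param: value} for active (non-commented) proto_tls modparams."""
    params = {}
    for line in cfg_text.splitlines():
        m = MODPARAM.match(line)  # lines starting with '#' never match
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit(params):
    """Return a list of (param, value, reason) findings."""
    findings = []
    method = params.get("tls_method", "SSLv23")  # default per the comments above
    if method in WEAK_METHODS:
        findings.append(("tls_method", method, WEAK_METHODS[method]))
    if params.get("verify_cert") == "0":
        findings.append(("verify_cert", "0", "peer certificate is not verified"))
    if params.get("require_cert") == "0":
        findings.append(("require_cert", "0",
                         "client need not present a certificate"))
    return findings

# Constructed sample: proto_tls lines from the message above, comments trimmed
SAMPLE_CFG = '''
loadmodule "proto_tls.so"
 modparam("proto_tls","verify_cert", "0")
 modparam("proto_tls","require_cert", "0")  #0 means do not force a client cert
 modparam("proto_tls","tls_method", "TLSv1")
modparam("proto_tls", "ca_list", "/usr/local/etc/opensips/tls/rootCA/cacert.pem")
#modparam("proto_tls","tls_method", "SSLv2")
'''

if __name__ == "__main__":
    for name, value, reason in audit(parse_proto_tls(SAMPLE_CFG)):
        print(f"{name}={value}: {reason}")
```

These settings describe what OpenSIPS itself accepts and checks; the audit says nothing about the validation a phone performs on the server certificate.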


________________________________
From: users-bounces at lists.opensips.org <users-bounces at lists.opensips.org> on behalf of Ali Pey <alipey at gmail.com>
Sent: Friday, April 8, 2016 10:25
To: OpenSIPS users mailling list
Subject: Re: [OpenSIPS-Users] TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5

Hello Hamid,

The parameters below don't have any effect. In my scenario, the sip phones are rejecting the tls connection by saying "Certificate Validation Failure".

Neither of the parameters below had any effect.


Does anyone else have any idea what I need to look for?

Regards,
Ali Pey


On Fri, Apr 8, 2016 at 4:00 AM, Hamid Hashmi <hamid2kviii at hotmail.com> wrote:
Please define the following values

tls_ca_list     = "/path/to/file"
tls_method      = tlsv1

For details please consult http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html

Regards
Hamid R. Hashmi

________________________________
Date: Thu, 7 Apr 2016 13:14:28 -0400
From: alipey at gmail.com
To: users at lists.opensips.org
Subject: [OpenSIPS-Users] TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5


Hello,

My opensips server is just a registrar server and I have enabled tls with the following settings:

listen=tls:xx.xx.xx.xx:5061
disable_tls=no
tls_certificate="/etc/opensips/pbx-bundle.crt"
tls_private_key="/etc/opensips/pbx.key"


When my sip phones try to open tls connection, they reject the connection saying "Certificate Validation Failure". My certificate is valid and works fine on the https website.

What am I missing? What should I look for?

Regards,
Ali Pey



_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
