[OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation
Bogdan-Andrei Iancu
bogdan at opensips.org
Tue Jul 25 09:48:22 EDT 2017
Hi Callum,
The error may indicate the fact that the TLS client does not present a
TLS certificate while connecting to your OpenSIPS. This has nothing to
do with the TLS multi domain, which anyhow is supported. As a test,
you can create a separate TLS domain (server) bound to the IP of that
TLS client, TLS domain having the require_certificate option turned off.
Best Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
OpenSIPS Bootcamp 2017, Houston, US
http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
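The thread above turns on two different failures that look alike in the log: the OpenSSL verify callback reporting error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, which is what an incomplete chain produces when only the leaf reaches the server and the intermediate is in neither the handshake nor the server's trusted CA list), and the later "no certificate returned", which means no client certificate arrived at all. The script below is an added example written for this page, not code from the thread or from the OpenSIPS project. It builds a constructed root -> intermediate -> leaf chain with the openssl CLI (assumed to be installed, 1.1.1 or newer), reproduces error 20 by verifying the leaf against the root alone, and then shows the same leaf verifying once the intermediate is supplied as an untrusted chain certificate, which is what a correctly chaining client does in its TLS Certificate message. All names, paths and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the OpenSIPS thread or project. Reproduces
# X509 verify error 20 ("unable to get local issuer certificate") with a
# constructed three-tier chain and shows that supplying the intermediate
# fixes it. Requires the openssl CLI (1.1.1 or newer).
set -e

# build_chain: create a throwaway root -> intermediate -> leaf chain in
# $CHAIN_DIR. Every subject name and file name here is constructed.
build_chain() {
  CHAIN_DIR=$(mktemp -d)
  d=$CHAIN_DIR

  # Extension profiles: CA certificates may sign certificates, the leaf may not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/leaf.ext"

  # Self-signed root CA: the only certificate the verifier will trust.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
    -out "$d/root.csr" -subj "/CN=Constructed Root CA" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" \
    -out "$d/int.csr" -subj "/CN=Constructed Intermediate CA" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
    -out "$d/int.pem" 2>/dev/null

  # Leaf (client) certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
    -out "$d/leaf.csr" -subj "/CN=sip-client.example" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" \
    -CAkey "$d/int.key" -CAcreateserial -extfile "$d/leaf.ext" \
    -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf TRUSTED_CA LEAF [UNTRUSTED_CHAIN]
# Prints "OK" when the chain verifies, otherwise the numeric X509 error
# code, the same number OpenSIPS logs as "error code is N (check x509_vfy.h)".
verify_leaf() {
  if [ -n "$3" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) && { echo OK; return 0; }
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo OK; return 0; }
  fi
  # openssl verify reports failures as "error N at D depth lookup: ..."
  printf '%s\n' "$out" \
    | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
    | head -n 1
}

build_chain
echo "leaf only, root trusted (intermediate missing): $(verify_leaf "$CHAIN_DIR/root.pem" "$CHAIN_DIR/leaf.pem")"
echo "leaf + intermediate presented, root trusted:    $(verify_leaf "$CHAIN_DIR/root.pem" "$CHAIN_DIR/leaf.pem" "$CHAIN_DIR/int.pem")"
rm -rf "$CHAIN_DIR"
```

The first call prints 20, the second prints OK. Read against the log in the thread: error 20 at depth 0 on the client's leaf is the signature of a missing intermediate, and the fix belongs on whichever side omitted it, either the client sending its full chain or the server adding the issuing CA to its trusted list. If the log instead ends in "no certificate returned" with no subject line at all, the client never sent a certificate, which is the separate case the reply above describes.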
On 07/25/2017 03:26 PM, Callum Guy wrote:
> Hi All,
>
> Running: opensips-2.3.1-1.el7.x86_64 / CentOS 7
>
> I have been working with a new TLS connection and have been having
> problems validating their client certificate. My OpenSIPS
> configuration works fine for other providers (i.e. Twilio); however I
> am seeing the following error messages reported while verify_cert is
> enabled:
>
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> NOTICE:tls_mgm:verify_callback: depth = 0
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> NOTICE:tls_mgm:verify_callback: subject =
> /serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private
> Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture
> Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain
> SSL/CN=simwood.com
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get
> local issuer certificate
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> NOTICE:tls_mgm:verify_callback: something wrong with the cert ...
> error code is 20 (check x509_vfy.h)
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> NOTICE:tls_mgm:verify_callback: verify return:0
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> ERROR:proto_tls:tls_accept: New TLS connection from
> 178.22.140.34:34281 failed to accept
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
>
> Part of my reason for resorting to the mailing list is old mailing
> list emails discussing that multi-domain certificates are not
> supported by OpenSIPS. Is anyone able to confirm whether this remains a
> problem?
>
> The openssl error code 20 is translated as
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>
> I have seen other reports that this issue may be related to an
> improperly chained certificate. Does this sound at all likely?
>
> Any tips on debugging would be greatly appreciated, thanks.
>
> Callum
> --
> Callum Guy
> Head of Information Security
> X-on
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users