[OpenSIPS-Users] help setting up TLS

Dominic wallnut.monkeys at gmail.com
Tue Sep 4 13:54:25 EDT 2018


Hi all, I'm currently trying to set up OpenSIPS to use TLS. For this I am
following the steps described here:
http://www.opensips.org/Documentation/Tutorials-TLS-2-2

This is a dev box, so for now I just want to get things working. My setup
is as follows:
UACs are registering to OpenSIPS, which is set up as a mid-registrar in
front of Asterisk. Rtpproxy is used on a different box to relay the RTP
between the UACs and Asterisk.

I followed the steps described in the tutorial mentioned above but I cannot
get OpenSIPS to start up. So I have a few questions regarding the tutorial:

question 1:
If my OpenSIPS is only accepting connections (phones registering to it from
the internet), then I presume I only need the server domain part in the
following part of the tutorial?:

 #server domain
 modparam("proto_tls", "server_domain", "sv_dom=<your-ip-address>:<port>")
 modparam("proto_tls", "certificate", "sv_dom:$CERT_DIR/rootCA/cacert.pem")
 modparam("proto_tls", "private_key", "sv_dom:$CERT_DIR/rootCA/private/cakey.pem")
 modparam("proto_tls", "ca_list", "sv_dom:$CERT_DIR/rootCA/cacert.pem")

 #client domain
 modparam("proto_tls", "client_domain", "cl_dom=<UAS-ip-address>:<port>")
 modparam("proto_tls", "certificate", "cl_dom:$CERT_DIR/user/user-cert.pem")
 modparam("proto_tls", "private_key", "cl_dom:$CERT_DIR/user/user-privkey.pem")
 modparam("proto_tls", "ca_list", "cl_dom:$CERT_DIR/user/user-calist.pem")


question 2:
In the above code, I need to replace sv_dom with what exactly? Something
like blablabla.com?

question 3:
Do I need to edit the certificate conf files (ca.conf, request.conf,
user.conf)? I just copied the existing files as is, which may be
why I'm having issues.

So far I tried using the ones generated by the opensipsctl tls command and
I am always getting the errors below upon startup. I also tried the builtin
certificates and I get the same result:
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:mod_init: initializing TLS management
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:mod_init: openssl version: OpenSSL 1.0.2g  1 Mar 2016
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:mod_init: disabling compression due ZLIB problems
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'default'
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: DBG:tls_mgm:init_ssl_ctx_behavior: no DH params file for tls domain 'default' defined, using default '(null)'
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: NOTICE:tls_mgm:init_ssl_ctx_behavior: No EC curve defined
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: NOTICE:tls_mgm:init_ssl_ctx_behavior: cipher list set to NULL
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:init_ssl_ctx_behavior: client verification NOT activated. Weaker security.
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:tls_mgm:load_certificate: unable to load certificate file 'something.com:/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/cacert.pem'
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:core:init_mod: failed to initialize module tls_mgm
Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:core:main: error while initializing modules

If anyone sees something I don't, feel free to let me know.
Thanks