[OpenSIPS-Users] help setting up TLS

Dominic wallnut.monkeys at gmail.com
Wed Sep 5 10:55:00 EDT 2018 

I got opensips to start by removing the "server_domain" part, following
that I had an issue where opensips was unable use the private key and had
this in the log:

Sep  5 09:25:14 opensips-test-mtl opensips[74857]:
ERROR:tls_mgm:load_private_key: unable to load private key file
'/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/private/cakey.pem'. #012Retry
(2 left) (check password case)
Sep  5 09:25:14 opensips-test-mtl opensips[74857]:
ERROR:tls_mgm:load_private_key: unable to load private key file
'/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/private/cakey.pem'. #012Retry
(1 left) (check password case)
Sep  5 09:25:14 opensips-test-mtl opensips[74857]:
ERROR:tls_mgm:load_private_key: unable to load private key file
'/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/private/cakey.pem'. #012Retry
(0 left) (check password case)

I then found this post: https://github.com/OpenSIPS/opensips/issues/987 and
tried the solution given (removing the passphrase from the key) which
worked. Thanks for your help, now I will need to play around with this a
bit more to get something more secure.


On Wed, Sep 5, 2018 at 5:59 AM Callum Guy <callum.guy at x-on.co.uk> wrote:

> Can you confirm the contents of  'something.com:/usr/src/
> opensips-2.4.1/tls_cnf/tls/rootCA/cacert.pem' and that opensips daemon
> user has access to the path?
>
> You don't need to setup client and server domains if you are just testing, *but
> you do need to be using tls_mgm* (
> http://www.opensips.org/html/docs/modules/devel/tls_mgm.html):
>
> Here is an example strong configuration which might get you started - put
> the certs where you have them, ensure they are accessible and perhaps
> comment out the strong ciphers etc while testing, as per the example:
>
> listen=tls:your_serv_IP:5061
> loadmodule "proto_tls.so"
> loadmodule "proto_udp.so"
> loadmodule "tls_mgm.so"
>
> # TLS: Default configuration
> modparam("tls_mgm", "certificate",
> "/etc/pki/tls/certs/this-domain.sip.crt")
> modparam("tls_mgm", "private_key",
> "/etc/pki/tls/private/this-domain.sip.key")
> modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")
> modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")
> # Define standards:
> #modparam("tls_mgm", "ciphers_list",
> "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
> #modparam("tls_mgm", "verify_cert", "1")
> #modparam("tls_mgm", "require_cert", "1")
> #modparam("tls_mgm", "tls_method", "TLSv1_2")
> #modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")
> #modparam("tls_mgm", "ec_curve", "secp384r1")
>
>
>
> On Tue, Sep 4, 2018 at 6:57 PM Dominic <wallnut.monkeys at gmail.com> wrote:
>
>> Hi all, I'm currently trying to setup OpenSIPS to use tls. For this I am
>> following the steps described here:
>> http://www.opensips.org/Documentation/Tutorials-TLS-2-2
>>
>> This is a dev box, so for now I just want to get things working, my setup
>> is as follows:
>> UACs are registering to Opensips, which is setup as a mid-registrar in
>> front of asterisk. Rtpproxy is used on a different box to relay the rtp
>> between the UACs and Asterisk.
>>
>> I followed the steps described in the tutorial mentioned above but I
>> cannot get opensips to startup. So I have a few questions regarding the
>> tutorial:
>>
>> question 1:
>> If my opensips is only accepting connections (phones registering to it
>> from the internet), then I presume I only need the server domain part in
>> the following part of the tutorial?:
>>
>> #server domain
>>  modparam("proto_tls", "server_domain", "sv_dom=<your-ip-address>:<port>")
>>  modparam("proto_tls", "certificate", "sv_dom:$CERT_DIR/rootCA/cacert.pem")
>>  modparam("proto_tls", "private_key", "sv_dom:$CERT_DIR/rootCA/private/cakey.pem")
>>  modparam("proto_tls", "ca_list", "sv_dom:$CERT_DR/rootCA/cacert.pem")
>>
>>  #client domain
>>  modparam("proto_tls", "client_domain", "cl_dom=<UAS-ip-address>:<port>")
>>  modparam("proto_tls", "certificate", "cl_dom:$CERT_DIR/user/user-cert.pem")
>>  modparam("proto_tls", "private_key", "cl_dom:$CERT_DIR/user/user-privkey.pem")
>>  modparam("proto_tls", "ca_list", "cl_dom:$CERT_DR/user/user-calist.pem")
>>
>>
>> question 2:
>> in the above code, I need to replace sv_dom with what exactly something
>> like blablabla.com?
>>
>> question 3:
>> Do I need to edit the certificates conf files (ca.conf, request.conf,
>> user.conf), because I just copied the existing files as is, which may be
>> why I'm having issues.
>>
>> So far I tried using the ones generated by the opensipctl tls  command
>> and I am always getting the errors below upon startup. I also tried the
>> builtin certificaties and I get the same result:
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> INFO:tls_mgm:mod_init: initializing TLS management
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> INFO:tls_mgm:mod_init: openssl version: OpenSSL 1.0.2g  1 Mar 2016
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> INFO:tls_mgm:mod_init: disabling compression due ZLIB problems
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> INFO:tls_mgm:init_tls_dom: Processing TLS domain 'default'
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> DBG:tls_mgm:init_ssl_ctx_behavior: no DH params file for tls domain
>> 'default' defined, using default '(null)'
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> NOTICE:tls_mgm:init_ssl_ctx_behavior: No EC curve defined
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> NOTICE:tls_mgm:init_ssl_ctx_behavior: cipher list set to NULL
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> INFO:tls_mgm:init_ssl_ctx_behavior: client verification NOT activated.
>> Weaker security.
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> ERROR:tls_mgm:load_certificate: unable to load certificate file
>> 'something.com:/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/cacert.pem'
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> ERROR:core:init_mod: failed to initialize module tls_mgm
>> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]:
>> ERROR:core:main: error while initializing modules
>>
>> If anyone sees something I don't feel free to let me know
>> Thanks
>>
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
> --
> Callum Guy
> Head of Information Security
> X-on
>
>
> *0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   **
> <https://www.linkedin.com/company/x-on>   <https://www.facebook.com/XonTel>
>   <https://twitter.com/xonuk> *
> X-on is a trading name of Storacall Technology Ltd a limited company
> registered in England and Wales.
> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> The information in this e-mail is confidential and for use by the
> addressee(s) only. If you are not the intended recipient, please notify
> X-on immediately on +44(0)333 332 0000 and delete the
> message from your computer. If you are not a named addressee you must not
> use, disclose, disseminate, distribute, copy, print or reply to this email. Views
> or opinions expressed by an individual
> within this email may not necessarily reflect the views of X-on or its
> associated companies. Although X-on routinely screens for viruses,
> addressees should scan this email and any attachments
> for viruses. X-on makes no representation or warranty as to the absence of
> viruses in this email or any attachments.
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20180905/68bc3da1/attachment.html>

More information about the Users mailing list