[OpenSIPS-Users] questions about tls_mgm DB provisioning

Carlos Oliva carlos.oliva at invoxcontact.com
Wed Jun 5 12:27:31 EDT 2019


Hello OpenSips Users:

I'm trying to configure an OpenSIPS v2.4 proxy with TLS and certificate
validation, but I do not understand how to provision TLS using the DB.

With files everything works, the phone works well and validates the TLS
certificate using a certificate signed by one of my authorized CAs on my
ca_list file.

But when I try to provision using DB with the same contents (CA_list,
certificate, ciphers_list and private_key) I receive a "certificate verify
failed" error.

I could not find any good documentation about using this in v2.4, and the
TLS_MGM module documentation does not explain in depth how to get this
working:
https://opensips.org/html/docs/modules/2.4.x/tls_mgm.html

Is there any extended documentation about how to use DB provisioning in the
TLS_MGM module? I'm trying to use only the default domain with the
following parameters (private data is obfuscated):

Columns: id, domain, address, type, method, verify_cert, require_cert,
certificate, private_key, crl_check_all, crl_dir, ca_list, ca_dir,
cipher_list, dh_params, ec_curve

Row 1: id=8, domain=default, address=0.0.0.0:5061, type=1, method=SSLv23,
verify_cert=1, require_cert=0, certificate=-MY_CERTIFICATE,
private_key=MY_PRIVATE_KEY, crl_check_all=0, crl_dir=\N, ca_list=MY_CA_LIST,
ca_dir=\N, cipher_list=MY_CIPHER_LIST, dh_params=\N, ec_curve=\N

Row 2: id=12, domain=default, address=0.0.0.0:5061, type=2, method=SSLv23,
verify_cert=1, require_cert=0, certificate=-MY_CERTIFICATE,
private_key=MY_PRIVATE_KEY, crl_check_all=0, crl_dir=\N, ca_list=MY_CA_LIST,
ca_dir=\N, cipher_list=MY_CIPHER_LIST, dh_params=\N, ec_curve=\N

The CA of the Cisco-Linksys phones is in MY_CA_LIST (works if using files)
but does not work if using the DB. Only a note: as my ca_list is quite large, I
had to modify the tls_mgm table structure and use VARCHAR(1024) instead of
CHAR(255), but for my tests I think this is not the cause of the problem.

This is the complete SSL error when I try to use the DB. The MACs and serial
numbers are obfuscated.

NOTICE:tls_mgm:verify_callback: depth = 0
NOTICE:tls_mgm:verify_callback: subject = /C=US/ST=0000000000/L=CBTXXXXXXXX/O=Cisco Systems/OU=cisco.com/CN=SPA508G, MAC: 0000000000, Serial: CBTXXXXXXXX/emailAddress=linksys-certadmin at cisco.com
NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local issuer certificate
NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error code is 20 (check x509_vfy.h)
NOTICE:tls_mgm:verify_callback: verify return:0
ERROR:proto_tls:tls_accept: New TLS connection from 1.1.1.1:51757 failed to accept
ERROR:proto_tls:tls_print_errstack: TLS errstack: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
ERROR:proto_tls:tls_read_req: failed to do pre-tls reading

Can somebody explain more deeply how to make tls_mgm work with the DB?

Thanks and regards,

Carlos Oliva
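Verify error 20 ("unable to get local issuer certificate") means OpenSSL could not find the phone's issuer among the CAs it was handed, and the post mentions that the CA bundle had to be squeezed into a widened CHAR/VARCHAR column. The script below is an added example, not part of the original post or of OpenSIPS: it inspects a PEM bundle the way it would sit in a ca_list column, counts complete certificate blocks, flags a block whose END marker is missing (the signature of silent truncation by a too-narrow column), and reports whether the bundle fits a given column width. The certificate bodies are constructed placeholders, not real certificates, and the column widths are the ones named in the post.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_ca_bundle(bundle: str, column_width: int = 255) -> dict:
    """Inspect a PEM bundle as it would be stored in a tls_mgm ca_list column.

    Returns the number of complete certificate blocks, the number of blocks
    whose END marker is missing (cut off), the number of blocks whose base64
    body does not decode to DER, the bundle length in bytes, and whether the
    bundle fits in a column column_width characters wide.
    """
    complete = truncated = invalid = 0
    pos = 0
    while True:
        start = bundle.find(BEGIN, pos)
        if start == -1:
            break
        end = bundle.find(END, start + len(BEGIN))
        if end == -1:
            # BEGIN without a matching END: the block was cut off, which is
            # what a column too narrow for the whole bundle leaves behind.
            truncated += 1
            break
        body = "".join(bundle[start + len(BEGIN):end].split())
        try:
            der = base64.b64decode(body, validate=True)
            # Every DER-encoded X.509 certificate starts with a SEQUENCE tag.
            if der[:1] == b"\x30":
                complete += 1
            else:
                invalid += 1
        except (binascii.Error, ValueError):
            invalid += 1
        pos = end + len(END)
    length = len(bundle.encode())
    return {
        "complete": complete,
        "truncated": truncated,
        "invalid": invalid,
        "bytes": length,
        "fits": length <= column_width,
    }


def placeholder_cert(seed: bytes) -> str:
    """Build a constructed PEM block (NOT a real certificate) for the demo."""
    der_like = b"\x30" + seed.ljust(95, b"x")  # 96 bytes -> 128 base64 chars
    b64 = base64.b64encode(der_like).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


# Constructed sample: two placeholder CA entries as one would paste into the
# ca_list column, and the same bundle after silent truncation to 255
# characters, which is what a CHAR(255) column would keep.
SAMPLE_BUNDLE = placeholder_cert(b"ca-one") + placeholder_cert(b"ca-two")
TRUNCATED_BUNDLE = SAMPLE_BUNDLE[:255]


def compare_samples() -> tuple:
    """Check the intact bundle against a 1024-wide column and the cut one against 255."""
    return (check_ca_bundle(SAMPLE_BUNDLE, 1024),
            check_ca_bundle(TRUNCATED_BUNDLE, 255))


if __name__ == "__main__":
    full, cut = compare_samples()
    print("intact bundle:   ", full)
    print("truncated bundle:", cut)
```

Run it against the real bundle by reading the ca_list column value (or the file that was pasted into it) into `check_ca_bundle`; a non-zero `truncated` count, or fewer `complete` blocks than the file-based setup loads, points at the storage path rather than at the phone's certificate.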