[OpenSIPS-Users] opensips 2.4.4: bug in tls_mgm
johan de clercq
johan at democon.be
Tue Mar 12 13:34:35 EDT 2019
Having pulled the latest 3.0-devel version, I have the following error when
trying to compile proto-tls
../tls_mgm/tls_conn_ops.h:118:29: error: dereferencing pointer to incomplete
type 'SSL {aka struct ssl_st}'
if ( ((SSL *)c->extra_data)->kssl_ctx ) {
Can you please correct ?
From: Users <users-bounces at lists.opensips.org> On Behalf Of Vlad Patrascu
Sent: Thursday, March 7, 2019 11:46 AM
To: users at lists.opensips.org
Subject: Re: [OpenSIPS-Users] opensips 2.4.4: bug in tls_mgm
Hi Johan,
The issue is probably caused by the fact that OpenSIPS tries to initialize a
'default' client and server domain and the certificate file is inexistent at
the default path ('/usr/local/opensips//etc/opensips/tls/cert.pem'). So even
if you define your "sv_dom" custom server domain, OpenSIPS still tries to
create default domains for fallback purposes. When you omit the '[sv_dom]'
prefix for the domain settings in your second test, you overwrite the
default ones (with a valid path for the certificate this time).
In conclusion, either specify your custom domain _and_ default domains
separately (set the modparams multiple times) or make sure the certificate
is found at the default path. Also, note that it's not necessary to define a
custom server domain if you only intend to use a single one, as the default
will match any socket.
Regards,
Vlad Patrascu
OpenSIPS Developer
http://www.opensips-solutions.com
On 02/17/2019 01:35 PM, johan de clercq wrote:
Hi,
I believe that I have found a bug in tls_mgm:
Using opensips default certificates:
/usr/local/opensips/etc/opensips/tls# ls -lu
total 24
-rw-r--r-- 1 root staff 2049 Feb 17 12:13 ca.conf
-rw-r--r-- 1 root staff 1048 Feb 17 12:13 README
-rw-r--r-- 1 root staff 1127 Feb 17 12:13 request.conf
drwxr-sr-x 4 root staff 4096 Feb 17 12:16 rootCA
drwxr-sr-x 2 root staff 4096 Feb 17 12:13 user
-rw-r--r-- 1 root staff 591 Feb 17 12:13 user.conf
/usr/local/opensips/etc/opensips/tls/rootCA# ls
cacert.pem certs index.txt private serial
Tls params:
loadmodule "tls_mgm.so"
modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "require_cert", "[sv_dom]0")
modparam("tls_mgm", "verify_cert", "[sv_dom]0")
modparam("tls_mgm", "tls_method", "[sv_dom]SSLv23")
modparam("tls_mgm", "certificate",
"[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
modparam("tls_mgm", "private_key",
"[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
modparam("tls_mgm", "ca_list",
"[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
#### PROTO_TLS module
loadmodule "proto_tls.so"
modparam("proto_tls", "trace_destination", "hep_dest")
modparam("proto_tls", "trace_on", 1)
I removed the passphrase:
mv etc/tls/rootCA/private/cakey.pem etc/tls/rootCA/private/cakey.pem.protected
openssl rsa -in etc/tls/rootCA/private/cakey.pem.protected -out etc/tls/rootCA/private/cakey.pem
and then tried to run opensips from cmdline : ./opensips -f
/usr/local/opensips/etc/opensips/opensips.cfg
syslog output:
Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:load_certificate:
unable to load certificate file
'/usr/local/opensips//etc/opensips/tls/cert.pem'
Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:init_tls_domains:
Failed to init TLS domain 'default'
Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:init_mod: failed to
initialize module tls_mgm
Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:main: error while
initializing modules
Feb 17 12:22:01 ns3012072 ./opensips[28673]: CRITICAL:core:sig_usr: segfault
in attendant (starter) process!
Feb 17 12:22:01 ns3012072 kernel: [ 4024.678398] opensips[28673]: segfault
at 7fcb76dbf850 ip 00007fcb76546f69 sp 00007ffe803ac150 error 4 in
libcrypto.so.1.1[7fcb763df000+265000]
Next I tried with:
loadmodule "tls_mgm.so"
#modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "require_cert", "0")
modparam("tls_mgm", "verify_cert", "0")
modparam("tls_mgm", "tls_method", "SSLv23")
modparam("tls_mgm", "certificate",
"/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
modparam("tls_mgm", "private_key",
"/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
modparam("tls_mgm", "ca_list",
"/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
#### PROTO_TLS module
loadmodule "proto_tls.so"
modparam("proto_tls", "trace_destination", "hep_dest")
modparam("proto_tls", "trace_on", 1)
and then opensips starts.
Can you please explain what I am doing wrong ?
Johan De Clercq, Managing Director
Democon bvba - Ooigemstraat 41 - 8780 Oostrozebeke
Tel +3256980990 - GSM +32478720104
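
The failure discussed in this thread (a custom server domain is configured, but the always-initialised 'default' domain still looks for its certificate at the built-in path) can be caught before starting OpenSIPS. The script below is an added example, not part of the original messages and not OpenSIPS code; the function names are hypothetical and DEFAULT_CERT is an assumption taken from the path in the syslog output above.

```shell
#!/bin/sh
# Added example (not OpenSIPS code): preflight check for tls_mgm file parameters.
# DEFAULT_CERT is an assumption taken from the path shown in the syslog output.
DEFAULT_CERT="${DEFAULT_CERT:-/usr/local/opensips/etc/opensips/tls/cert.pem}"

# Print "<domain> <param> <path>" for each certificate/private_key/ca_list
# modparam. Commented lines are skipped and values wrapped onto the next
# line are rejoined; unprefixed values are reported as domain "default".
tls_file_params() {
    grep -v '^[[:space:]]*#' "$1" | tr '\n' ' ' |
    grep -o 'modparam([^)]*)' |
    sed -nE 's/^modparam\( *"tls_mgm" *, *"(certificate|private_key|ca_list)" *, *"(\[([^]]*)\])?([^"]*)" *\)$/\3 \1 \4/p' |
    sed 's/^ /default /'
}

# Print one line per problem; print nothing when every TLS file can be read.
check_tls_files() {
    params=$(tls_file_params "$1")
    # The 'default' domain is always initialised, so without an unprefixed
    # certificate parameter OpenSIPS falls back to DEFAULT_CERT.
    if ! printf '%s\n' "$params" | grep -q '^default certificate '; then
        [ -r "$DEFAULT_CERT" ] ||
            echo "default certificate missing-fallback $DEFAULT_CERT"
    fi
    # Every explicitly configured file must exist and be readable.
    printf '%s\n' "$params" | while read -r dom param path; do
        [ -z "$path" ] || [ -r "$path" ] || echo "$dom $param unreadable $path"
    done
}

# Stand-alone use: sh check_tls.sh /usr/local/opensips/etc/opensips/opensips.cfg
if [ -n "${1:-}" ]; then check_tls_files "$1"; fi
```

Run it as the user OpenSIPS runs as, since readability is checked with that user's permissions.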