[OpenSIPS-Users] Teams TLS Error

Mark Farmer farmorg at gmail.com
Mon Nov 16 09:04:39 EST 2020


Good morning all

Can anyone clarify whether the TLS domain in SAN is supported or not please?

Many thanks
Mark.


On Fri, 13 Nov 2020 at 15:59, Kevin Vines <kevin.vines at gmail.com> wrote:

> You got me there... the doc states
>
> OpenSIPS offers SIP service for multiple domains, e.g. atlanta.com and biloxi.com. Although both domains will be hosted on a single SIP proxy, the SIP proxy needs 2 certificates: One for atlanta.com and one for biloxi.com. For incoming TLS connections
>
>
> If you need one cert per domain, maybe it implies that you need to have the domain as the CN instead of a SAN?
>
>
> Kevin
>
> *From:* farmorg at gmail.com
> *Sent:* November 13, 2020 10:43 a.m.
> *To:* users at lists.opensips.org
> *Reply to:* users at lists.opensips.org
> *Subject:* Re: [OpenSIPS-Users] Teams TLS Error
>
> OK so now I have this:
>
> modparam("tls_mgm","certificate", "[my.domain.name]/usr/local/etc/opensips/tls/myCert.pem")
> modparam("tls_mgm","private_key", "[my.domain.name]/usr/local/etc/opensips/tls/myKey.key")
> modparam("tls_mgm","ca_dir", "/etc/ssl/certs")
> modparam("tls_mgm","verify_cert", "[my.domain.name]1")
> modparam("tls_mgm","require_cert", "[my.domain.name]1")
> modparam("tls_mgm","tls_method", "[my.domain.name]TLSv1_2")
> modparam("tls_mgm", "match_sip_domain", "my.domain.name")
>
> But now it claims that my.domain.name is not defined in myCert.pem
> I know it is - it is in a SAN within the certificate.
>
> Any suggestions?
> Many thanks
> Mark.
>
>
> On Fri, 13 Nov 2020 at 15:12, Kevin Vines <kevin.vines at gmail.com> wrote:
>
>> Hi Mark,
>>
>> Based on some googling it looks like you need to specify the domain eg:
>>
>> modparam("tls_mgm","verify_cert", "[domain.com]1")
>>
>> https://fossies.org/linux/opensips/modules/tls_mgm/README
>>
>> Kevin
>> *From:* farmorg at gmail.com
>> *Sent:* November 13, 2020 9:49 a.m.
>> *To:* users at lists.opensips.org
>> *Reply to:* users at lists.opensips.org
>> *Subject:* [OpenSIPS-Users] Teams TLS Error
>>
>> Hi everyone
>>
>> OpenSIPS 3.1.0
>>
>> I am following the OpenSIPS as Teams SBC guide and have added the TLS
>> config:
>>
>> modparam("tls_mgm","verify_cert", "1")
>> modparam("tls_mgm","require_cert", "1")
>> modparam("tls_mgm","tls_method", "TLSv1_2")
>> modparam("tls_mgm","certificate", "/usr/local/etc/opensips/tls/myCert.pem")
>> modparam("tls_mgm","private_key", "/usr/local/etc/opensips/tls/myKey.key")
>> modparam("tls_mgm", "ca_dir", "/etc/ssl/certs")
>>
>> But I am seeing a TLS domain error:
>>
>> Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain name
>> Nov 13 14:36:50 [175314] Traceback (last included file at the bottom):
>> Nov 13 14:36:50 [175314]  0. /usr/local//etc/opensips/opensips.cfg
>> Nov 13 14:36:50 [175314] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/opensips.cfg:191:19-20: Parameter <verify_cert> not found in module <tls_mgm> - can't set
>> Nov 13 14:36:50 [175314] #modparam("tls_mgm", "require_cert", "[dom4]1")
>> Nov 13 14:36:50 [175314]
>> Nov 13 14:36:50 [175314] modparam("tls_mgm","verify_cert", "1")
>> Nov 13 14:36:50 [175314] ^~
>> Nov 13 14:36:50 [175314] modparam("tls_mgm","require_cert", "1")
>> Nov 13 14:36:50 [175314] modparam("tls_mgm","tls_method", "TLSv1_2")
>> Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm
>> Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: found <require_cert> in module tls_mgm [/usr/local/lib64/opensips/modules/]
>> Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain name
>>
>> Can anyone tell me what I might be missing please?
>>
>> Many thanks
>> Mark.
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
>
> --
> Mark Farmer
> farmorg at gmail.com
>


-- 
Mark Farmer
farmorg at gmail.com
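
Added example, not part of the thread or of OpenSIPS: a small Python check over `tls_mgm` modparam lines for the two errors discussed above (a value with no `[domain]` prefix, and a `[domain]` that is reported as not defined). That a `[name]` must first be declared with `server_domain` or `client_domain` is an assumption drawn from the module's documented parameters, not something the thread states; `lint_tls_mgm` and the sample strings are constructed for illustration.

```python
import re

# Parameters the thread shows taking a "[name]value" form in OpenSIPS 3.1.
PER_DOMAIN = {"certificate", "private_key", "verify_cert", "require_cert", "tls_method"}
# Assumption (not stated in the thread): these declare a TLS domain by name.
DECLARE = {"server_domain", "client_domain"}

# Uncommented tls_mgm modparam lines only; "#modparam(...)" is skipped.
MODPARAM = re.compile(
    r'^[ \t]*modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)', re.M)
PREFIX = re.compile(r'\[([^\]]+)\]')


def lint_tls_mgm(cfg):
    """Return (param, problem) findings for the tls_mgm lines in cfg."""
    declared, uses, findings = set(), [], []
    for param, value in MODPARAM.findall(cfg):
        if param in DECLARE:
            declared.add(value.strip())
        elif param in PER_DOMAIN:
            m = PREFIX.match(value)
            if m:
                uses.append((param, m.group(1).strip()))
            else:
                findings.append((param, "no [domain] prefix"))
    # Checked after the loop so declaration order in the file does not matter.
    for param, name in uses:
        if name not in declared:
            findings.append((param, "domain %r not declared" % name))
    return findings


# Constructed samples modelled on the two configurations posted in the thread.
FIRST = '''
modparam("tls_mgm","verify_cert", "1")
modparam("tls_mgm","certificate", "/usr/local/etc/opensips/tls/myCert.pem")
'''
SECOND = '''
modparam("tls_mgm","certificate", "[my.domain.name]/usr/local/etc/opensips/tls/myCert.pem")
modparam("tls_mgm","verify_cert", "[my.domain.name]1")
'''
DECLARED = 'modparam("tls_mgm", "server_domain", "my.domain.name")\n' + SECOND

if __name__ == "__main__":
    for label, cfg in (("first", FIRST), ("second", SECOND), ("declared", DECLARED)):
        print(label, lint_tls_mgm(cfg))
```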