[OpenSIPS-Users] mid_registrar TLS
Bogdan-Andrei Iancu
bogdan at opensips.org
Thu Feb 10 11:15:03 UTC 2022
Yes, doing a wildcard for SIP/IP matching in the TLS domain definition
is the correct approach if you plan to use only one certificate.
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS eBootcamp
https://www.opensips.org/Training/Bootcamp
On 2/10/22 1:09 PM, Alberto wrote:
> I was confused because I use a wildcard cert, so I only have one cert
> for server/client and any possible subdomain. I don't need to match
> server/client requests to different certs.
> So I ended up with this config and it seems to work fine.
> Thanks
>
> loadmodule "tls_mgm.so"
> modparam("tls_mgm", "tls_library", "wolfssl")
>
> modparam("tls_mgm", "server_domain", "sd_1")
> modparam("tls_mgm", "ca_list", "[sd_1]/etc/letsencrypt/fullchain.pem")
> modparam("tls_mgm", "certificate", "[sd_1]/etc/letsencrypt/cert.pem")
> modparam("tls_mgm", "private_key", "[sd_1]/etc/letsencrypt/privkey.pem")
> modparam("tls_mgm", "require_cert", "[sd_1]0")
> modparam("tls_mgm", "tls_method", "[sd_1]TLSv1-")
> modparam("tls_mgm", "verify_cert", "[sd_1]0")
> modparam("tls_mgm", "match_sip_domain", "[sd_1]*")
> modparam("tls_mgm", "match_ip_address", "[sd_1]*")
>
> modparam("tls_mgm", "client_domain", "cd_1")
> modparam("tls_mgm", "ca_list", "[cd_1]/etc/letsencrypt/fullchain.pem")
> modparam("tls_mgm", "certificate", "[cd_1]/etc/letsencrypt/cert.pem")
> modparam("tls_mgm", "private_key", "[cd_1]/etc/letsencrypt/privkey.pem")
> modparam("tls_mgm", "require_cert", "[cd_1]0")
> modparam("tls_mgm", "tls_method", "[cd_1]TLSv1-")
> modparam("tls_mgm", "verify_cert", "[cd_1]0")
> modparam("tls_mgm", "match_sip_domain", "[cd_1]*")
> modparam("tls_mgm", "match_ip_address", "[cd_1]*")
>
>
> On Thu, 10 Feb 2022 at 07:59, Bogdan-Andrei Iancu <bogdan at opensips.org
> <mailto:bogdan at opensips.org>> wrote:
>
> Hi Alberto,
>
> When OpenSIPS is about the create a new TLS connection, it has to
> know what TSL certificate (client) to use for it.
>
> There are 2 way of indicating that :
>
> * use "match_ip_address" [1] to map the TLS client domain to some
> IPs you want to connect to via TLS
>
> * use "client_tls_domain_avp" [2] to manually select from script
> which TLS domain to be used - set the AVP before the t_relay() to
> the TLS destination.
>
>
> [1]
> https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_match_ip_address
> <https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_match_ip_address>
>
> [2]
> https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_client_tls_domain_avp
> <https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_client_tls_domain_avp>
>
> Best regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com <https://www.opensips-solutions.com>
> OpenSIPS eBootcamp
> https://www.opensips.org/Training/Bootcamp <https://www.opensips.org/Training/Bootcamp>
>
> On 2/4/22 2:40 PM, Alberto wrote:
>> Hi,
>> I have a sip client connecting to opensips using tls, all
>> requests are then routed to an asterisk server using mid_registrar.
>>
>> UDP to UDP and TCP to TCP work fine, but TLS doesn't.
>>
>> This is the error, but I'm having a hard time understanding it.
>>
>> Feb 4 12:29:32 [3406] //etc/opensips/opensips.cfg:453 Forward
>> REGISTER for sip:tls-1001 at 10.0.0.252:5061
>> <http://sip:tls-1001@10.0.0.252:5061> to
>> 10.0.0.153:5061;transport=tls
>> Feb 4 12:29:32 [3406] ERROR:proto_tls:proto_tls_conn_init: no
>> TLS client domain found
>> Feb 4 12:29:32 [3406] ERROR:core:tcp_conn_create: failed to do
>> proto 3 specific init for conn 0x7ff9be1810f8
>> Feb 4 12:29:32 [3406] ERROR:core:tcp_async_connect:
>> tcp_conn_create failed, closing the socket
>> Feb 4 12:29:32 [3406] ERROR:proto_tls:proto_tls_send: async TCP
>> connect failed
>> Feb 4 12:29:32 [3406] ERROR:tm:msg_send: send() to
>> 10.0.0.153:5061 <http://10.0.0.153:5061> for proto tls/3 failed
>> Feb 4 12:29:32 [3406] ERROR:tm:t_forward_nonack: sending request
>> failed
>> Feb 4 12:29:32 [3406] ERROR:tm:w_t_relay: t_forward_nonack failed
>>
>>
>> My configuration:
>> #############
>> loadmodule "mid_registrar.so"
>> modparam("mid_registrar", "attr_avp", "$avp(avp_json)")
>> modparam("mid_registrar", "max_contacts", 1)
>> modparam("mid_registrar", "mode", 0)
>> modparam("mid_registrar", "tcp_persistent_flag",
>> "TCP_PERSIST_REGISTRATIONS")
>>
>> loadmodule "tls_mgm.so"
>> modparam("tls_mgm", "tls_library", "wolfssl")
>> modparam("tls_mgm", "server_domain", "dom1")
>> modparam("tls_mgm", "ca_list",
>> "[dom1]/etc/letsencrypt/fullchain.pem")
>> modparam("tls_mgm", "certificate", "[dom1]/etc/letsencrypt/cert.pem")
>> modparam("tls_mgm", "private_key",
>> "[dom1]/etc/letsencrypt/privkey.pem")
>> modparam("tls_mgm", "require_cert", "[dom1]0")
>> modparam("tls_mgm", "tls_method", "[dom1]TLSv1-")
>> modparam("tls_mgm", "verify_cert", "[dom1]0")
>>
>> loadmodule "proto_tls.so"
>>
>> ###############
>> $ru = "sip:10.0.0.153:5061;transport=tls";
>> setflag("TCP_PERSISTENT");
>> route(relay);
>>
>>
>> Thanks
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220210/65f16008/attachment.html>
More information about the Users
mailing list