[OpenSIPS-Users] no TLS client domain found error
Bogdan-Andrei Iancu
bogdan at opensips.org
Wed May 25 07:52:23 UTC 2022
Hi Jehanzaib,
For now, to get rid of that issue, just disable the tls_async in your cfg:
https://opensips.org/html/docs/modules/3.2.x/proto_tls.html#param_tls_async
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 5/21/22 5:21 AM, Jehanzaib Younis wrote:
> Thank you, Ovidiu.
> I Just posted my logs on github.
>
> Regards,
> Jehanzaib
>
>
> On Fri, May 20, 2022 at 3:02 AM Ovidiu Sas <osas at voipembedded.com
> <mailto:osas at voipembedded.com>> wrote:
>
> Set the log_level parameter to 4 and restart opensips. Once the
> error occurs, collect all the logs from the start (from syslog)
> and send them to Razvan.
> There’s bug tracking this issue:
> https://github.com/OpenSIPS/opensips/issues/2724
> <https://github.com/OpenSIPS/opensips/issues/2724>
>
> For compiling tls_wolfssl, try from a clean clone.
>
> -ovidiu
>
> On Thu, May 19, 2022 at 08:08 Jehanzaib Younis
> <jehanzaib.kiani at gmail.com <mailto:jehanzaib.kiani at gmail.com>> wrote:
>
> Thanks Ovidiu,
> I just checked the source code, the same bug is also present
> in the opensips-3.2.6 branch. I have another issue with 3.2.6.
> I am not able to compile tls_wolfssl. No issue with 3.3 though.
> Now I need to check what is causing this.
> I am getting the following error:
>
> make[1]: Entering directory
> `/usr/src/opensips-3.2/modules/tls_wolfssl'
> configure: WARNING: unrecognized options: --disable-shared,
> --enable-static
> checking whether make supports nested variables... (cached) yes
> ./configure: line 5259: syntax error near unexpected token `2.4.2'
> ./configure: line 5259: `LT_PREREQ(2.4.2)'
> make[1]: *** [lib/lib/libwolfssl.a] Error 2
>
>
>
> Regards,
> Jehanzaib
>
>
> On Thu, May 19, 2022 at 1:35 AM Ovidiu Sas
> <osas at voipembedded.com <mailto:osas at voipembedded.com>> wrote:
>
> Please upgrade to the latest version and see if the error
> persists. If yes, please run the server in debug mode and
> save the logs so this issue can be investigated properly.
>
> Thanks,
> Ovidiu
>
> On Wed, May 18, 2022 at 09:02 Jehanzaib Younis
> <jehanzaib.kiani at gmail.com
> <mailto:jehanzaib.kiani at gmail.com>> wrote:
>
> Thank you Bogdan,
> That helped a lot. As you mentioned I need to start
> only with server_domain or client_domain.
> Now I changed my config a bit as shown below:
> #### (WebRTC) Client
> modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")
> modparam("tls_mgm", "certificate",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")
> modparam("tls_mgm", "private_key",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")
> modparam("tls_mgm", "ca_list",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")
> modparam("tls_mgm", "ca_dir",
> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")
> modparam("tls_mgm", "tls_method",
> "[sip.mywebphone.xx]SSLv23")
> modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")
> modparam("tls_mgm", "require_cert",
> "[sip.mywebphone.xx]1")
>
> ### This is for MS-Teams direct route
> modparam("tls_mgm", "client_domain",
> "dom1.formsteams.com <http://dom1.formsteams.com/>")
> modparam("tls_mgm", "certificate",
> "[dom1.formsteams.com
> <http://dom1.formsteams.com/>]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem
> <http://dom1.formsteams.com/cert.pem>")
> modparam("tls_mgm", "private_key",
> "[dom1.formsteams.com
> <http://dom1.formsteams.com/>]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem
> <http://dom1.formsteams.com/privkey.pem>")
> modparam("tls_mgm", "ca_list", "[dom1.formsteams.com
> <http://dom1.formsteams.com/>]/etc/letsencrypt/live/dom1.formsteams.com/fullchain.pem
> <http://dom1.formsteams.com/fullchain.pem>")
> modparam("tls_mgm", "ca_dir", "[dom1.formsteams.com
> <http://dom1.formsteams.com/>]/etc/letsencrypt/live/dom1.formsteams.com
> <http://dom1.formsteams.com/>")
> modparam("tls_mgm", "tls_method",
> "[dom1.formsteams.com
> <http://dom1.formsteams.com/>]SSLv23")
> modparam("tls_mgm", "verify_cert",
> "[dom1.formsteams.com <http://dom1.formsteams.com/>]1")
> modparam("tls_mgm", "require_cert",
> "[dom1.formsteams.com <http://dom1.formsteams.com/>]1")
> modparam("tls_mgm", "client_sip_domain_avp",
> "tls_sip_dom")
>
> Looks like the initial handshake is fine when my
> server sends OPTIONS to MSTeams. There is a bug in the
> code according to the logs as shown below:
>
> opensips[10659]: CRITICAL:core:io_watch_add: #012>>>
> used fd map fd=142 is not present in fd_array
> (fd=142,type=19,flags=80000003,data=0x7f825805ceb8)#012#012It
> seems you have hit a programming bug.#012Please help
> us make OpenSIPS better by reporting it at
> https://github.com/OpenSIPS/opensips/issues
> <https://github.com/OpenSIPS/opensips/issues>
> opensips[10659]: CRITICAL:core:io_watch_add:
> [TCP_main] check failed after successful fd add
> (fd=141,type=19,data=0x7f825804fd98,flags=1) already=0
> opensips[23993]: NOTICE:tls_wolfssl:verify_callback:
> depth = 1, verify success
> opensips[23993]: NOTICE:tls_wolfssl:verify_callback:
> depth = 0, verify success
> opensips[23993]:
> INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS
> connection to 52.114.16.74:5061
> <http://52.114.16.74:5061> established
> opensips[23993]: NOTICE:tls_wolfssl:verify_callback:
> depth = 1, verify success
> opensips[23993]: NOTICE:tls_wolfssl:verify_callback:
> depth = 0, verify success
> opensips[23995]:
> INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS
> connection to 52.114.76.76:5061
> <http://52.114.76.76:5061> established
>
>
> Regards,
> Jehanzaib
>
>
> On Wed, May 18, 2022 at 6:15 PM Bogdan-Andrei Iancu
> <bogdan at opensips.org <mailto:bogdan at opensips.org>> wrote:
>
> Hi Jehanzaib,
>
> The sequence for the MST TLS domains is wrong.
>
> For each TLS domain block, you need to start only
> with a server_domain or client_domain - of course,
> different names. And for each domain you need you
> set the matching conditions. See
> https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#domains-param
> <https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#domains-param>
>
> Basically something like:
>
> modparam("tls_mgm", "server_domain",
> "formsteams_server")
> modparam("tls_mgm", "match_ip_address",
> "[formsteams_server]....")
> modparam("tls_mgm", "match_sip_domain",
> "[formsteams_server]....")
> modparam("tls_mgm", "certificate",
> "[formsteams_server].....)
> ....
>
>
> modparam("tls_mgm", "client_domain",
> "formsteams_client")
> modparam("tls_mgm", "match_ip_address",
> "[formsteams_client]....")
> modparam("tls_mgm", "match_sip_domain",
> "[formsteams_client]....")
> modparam("tls_mgm", "certificate",
> "[formsteams_client].....)
> ....
>
>
> Best regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com <https://www.opensips-solutions.com>
> OpenSIPS eBootcamp 23rd May - 3rd June 2022
> https://opensips.org/training/OpenSIPS_eBootcamp_2022/ <https://opensips.org/training/OpenSIPS_eBootcamp_2022/>
>
> On 5/18/22 2:38 AM, Jehanzaib Younis wrote:
>> Hi Bogdan,
>> That's the problem, when I try to add the
>> client_domain I get an error. Actually, I have a
>> working config for webrtc but now I am adding a
>> new domain for MS teams direct route. In fact,
>> any other domain gives an error. If I disable MS
>> Teams domain, the opensips do not give an
>> error message and my webrtc client can connect
>> without any issue.
>>
>> loadmodule "tls_mgm.so"
>> modparam("tls_mgm", "tls_library", "wolfssl")
>>
>> #### (WebRTC) Client
>> modparam("tls_mgm", "server_domain",
>> "sip.mywebphone.xx")
>> modparam("tls_mgm", "certificate",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")
>> modparam("tls_mgm", "private_key",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")
>> modparam("tls_mgm", "ca_list",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")
>> modparam("tls_mgm", "ca_dir",
>> "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")
>> modparam("tls_mgm", "tls_method",
>> "[sip.mywebphone.xx]SSLv23")
>> modparam("tls_mgm", "verify_cert",
>> "[sip.mywebphone.xx]1")
>> modparam("tls_mgm", "require_cert",
>> "[sip.mywebphone.xx]1")
>>
>> ### This is for MS-Teams direct route
>> modparam("tls_mgm", "server_domain",
>> "dom1.formsteams.com <http://dom1.formsteams.com>")
>> modparam("tls_mgm", "client_domain",
>> "dom1.formsteams.com <http://dom1.formsteams.com>")
>> modparam("tls_mgm", "certificate",
>> "[dom1.formsteams.com
>> <http://dom1.formsteams.com>]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem
>> <http://dom1.formsteams.com/cert.pem>")
>> modparam("tls_mgm", "private_key",
>> "[dom1.formsteams.com
>> <http://dom1.formsteams.com>]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem
>> <http://dom1.formsteams.com/privkey.pem>")
>> modparam("tls_mgm", "ca_list",
>> "[dom1.formsteams.com
>> <http://dom1.formsteams.com>]/etc/letsencrypt/live/dom1.formsteams.com/fullchain.pem
>> <http://dom1.formsteams.com/fullchain.pem>")
>> modparam("tls_mgm", "ca_dir",
>> "[dom1.formsteams.com
>> <http://dom1.formsteams.com>]/etc/letsencrypt/live/dom1.formsteams.com
>> <http://dom1.formsteams.com>")
>> modparam("tls_mgm", "tls_method",
>> "[dom1.formsteams.com
>> <http://dom1.formsteams.com>]SSLv23")
>> modparam("tls_mgm", "verify_cert",
>> "[dom1.formsteams.com
>> <http://dom1.formsteams.com>]1")
>> modparam("tls_mgm", "require_cert",
>> "[dom1.formsteams.com
>> <http://dom1.formsteams.com>]1")
>> modparam("tls_mgm", "client_sip_domain_avp",
>> "tls_sip_dom")
>>
>> When i enable the MS-Teams direct route domain i
>> get the below error:
>> no certificate for tls domain '
>> dom1.formsteams.com
>> <http://dom1.formsteams.com> ' defined
>>
>>
>> Regards,
>> Jehanzaib
>>
>>
>> On Wed, May 18, 2022 at 3:04 AM Bogdan-Andrei
>> Iancu <bogdan at opensips.org
>> <mailto:bogdan at opensips.org>> wrote:
>>
>> Hi Jehanzaib,
>>
>> What are the TLS client domains you have
>> defined in your tls_mgm module ?
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>> https://www.opensips-solutions.com <https://www.opensips-solutions.com>
>> OpenSIPS eBootcamp 23rd May - 3rd June 2022
>> https://opensips.org/training/OpenSIPS_eBootcamp_2022/ <https://opensips.org/training/OpenSIPS_eBootcamp_2022/>
>>
>> On 5/17/22 4:32 PM, Jehanzaib Younis wrote:
>>> Hi,
>>>
>>> I am having trouble to send/receive OPTIONS
>>> to ms teams.
>>> Using the dispatcher module. The socket is
>>> defined as tls:*mysbcip*:5061
>>> Looks like when my opensips (3.2.x) tries to
>>> send OPTIONS. it is giving me the following
>>> error
>>> *
>>> *
>>> ERROR:proto_tls:proto_tls_conn_init: no TLS
>>> client domain found
>>> ERROR:core:tcp_conn_create: failed to do
>>> proto 3 specific init for conn 0x7f00ef2a85a0
>>> ERROR:core:tcp_async_connect:
>>> tcp_conn_create failed
>>> ERROR:proto_tls:proto_tls_send: async TCP
>>> connect failed
>>> ERROR:tm:msg_send: send() to
>>> 52.114.76.76:5061 <http://52.114.76.76:5061>
>>> for proto tls/3 failed
>>> ERROR:tm:t_uac: attempt to send to
>>> 'sip:sip3.pstnhub.microsoft.com:5061;transport:tls'
>>> failed
>>>
>>> I am setting the Contact as
>>> <sip:mytlsdomain:5061;transport=tls>
>>>
>>> Looks like the client domain is used for
>>> outgoing TLS connection but no idea which
>>> domain i need to add here. The socket is my
>>> opensips ip address.
>>>
>>> Has anyone seen a similar kind of behaviour?
>>>
>>> Thank you.
>>>
>>> Regards,
>>> Jehanzaib
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>
> --
> VoIP Embedded, Inc.
> http://www.voipembedded.com <http://www.voipembedded.com>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>
> --
> VoIP Embedded, Inc.
> http://www.voipembedded.com <http://www.voipembedded.com>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220525/54d072e0/attachment-0001.html>
More information about the Users
mailing list