[OpenSIPS-Users] tls_mgm domain database configuration
Callum Guy
callum.guy at x-on.co.uk
Fri Apr 7 13:43:48 UTC 2023
Hi James,
It could certainly be clearer!
Here's an extract from my script and some example inserts for a client and
server record.
https://gist.github.com/spacetourist/788ea722901e81d355850842e2b17cda
INSERT INTO opensips_dev.tls_mgm (id, domain, match_ip_address,
match_sip_domain, type, method, verify_cert, require_cert, certificate,
private_key, crl_check_all, crl_dir, ca_list, ca_dir, cipher_list,
dh_params, ec_curve) VALUES (5, 'default', '*', '*', 1, 'TLSv1_2', 0, 0,
0x2D2D2D2D2D424547494E20434...2D2D2D2D0A,
0x2D2D2D2D2D424547494...B45592D2D2D2D2D0A, 0, null, null, null,
'EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH,!RSA,!SHA',
0x2D2D2D2D2D4245...D2D2D0A, 'secp384r1');
INSERT INTO opensips_dev.tls_mgm (id, domain, match_ip_address,
match_sip_domain, type, method, verify_cert, require_cert, certificate,
private_key, crl_check_all, crl_dir, ca_list, ca_dir, cipher_list,
dh_params, ec_curve) VALUES (15, 'default', '*', '*', 2, 'TLSv1_2', 0, 0,
0x2D2D2D2...D2D0A, 0x2D2D2D2D2...D2D2D0A, 0, null, null, null,
'EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH,!RSA,!SHA',
0x2D2D2D2D2D42454...2D0A, 'secp384r1');
Hope that helps get you moving!
Callum
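As an added illustration (not code from the thread or from the OpenSIPS project), the following Python script does a pre-flight check over a set of tls_mgm rows before they are loaded into the database. It encodes what the two INSERTs above show: a complete setup has one row with type 1 (the server domain, used for inbound TLS) and one with type 2 (the client domain, used when OpenSIPS itself connects out); with no type-2 row, outbound sends hit exactly the "no TLS client domain found" error from the original question. It also validates the method column against a set of accepted values, which is an assumption drawn from the tls_mgm module documentation (only 'TLSv1_2' appears on this page), and shows the hex-literal encoding used in the inserts next to a parameterised INSERT, which is the safer way to get PEM text into the table. The PEM bodies, hostname and IP address in the sample rows are constructed placeholders.

```python
"""Pre-flight checks for OpenSIPS tls_mgm rows (added example, not part of the thread)."""
import binascii

# Meaning of the "type" column in tls_mgm: 1 = server domain, 2 = client domain.
TYPE_SERVER = 1
TYPE_CLIENT = 2

# Assumption: method values accepted by tls_mgm; the thread itself only shows 'TLSv1_2'.
VALID_METHODS = {"SSLv23", "TLSv1", "TLSv1_2", "TLSv1_3"}

# Column order as used in the INSERT statements above.
COLUMNS = ("id", "domain", "match_ip_address", "match_sip_domain", "type", "method",
           "verify_cert", "require_cert", "certificate", "private_key", "crl_check_all",
           "crl_dir", "ca_list", "ca_dir", "cipher_list", "dh_params", "ec_curve")


def pem_to_hex_literal(pem: str) -> str:
    """Encode a PEM blob the way the example INSERTs do: '0x' + uppercase hex of its bytes."""
    return "0x" + binascii.hexlify(pem.encode("ascii")).decode("ascii").upper()


def check_rows(rows):
    """Return a list of problems found in a set of tls_mgm rows; an empty list means OK."""
    problems = []
    types = {r["type"] for r in rows}
    if TYPE_SERVER not in types:
        problems.append("no server domain (type=1): inbound TLS connections cannot be accepted")
    if TYPE_CLIENT not in types:
        problems.append("no client domain (type=2): outbound TLS connects fail with "
                        "'no TLS client domain found'")
    for r in rows:
        tag = f"row id={r['id']} ({r['domain']})"
        if r["method"] not in VALID_METHODS:
            problems.append(f"{tag}: unknown method {r['method']!r}")
        if not r["certificate"].startswith("-----BEGIN CERTIFICATE-----"):
            problems.append(f"{tag}: certificate column is not a PEM certificate")
        if "PRIVATE KEY-----" not in r["private_key"]:
            problems.append(f"{tag}: private_key column is not a PEM private key")
        if r["verify_cert"] and not (r["ca_list"] or r["ca_dir"]):
            problems.append(f"{tag}: verify_cert=1 but neither ca_list nor ca_dir is set")
    return problems


def build_insert(row, table="tls_mgm"):
    """Build a parameterised INSERT (DB-API '%s' placeholders) so PEM text is never
    spliced into the SQL string by hand; returns (sql, params)."""
    placeholders = ", ".join(["%s"] * len(COLUMNS))
    sql = f"INSERT INTO {table} ({', '.join(COLUMNS)}) VALUES ({placeholders})"
    return sql, tuple(row[c] for c in COLUMNS)


# Constructed sample data: placeholder PEM bodies, not real key material.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
CIPHERS = "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH,!RSA,!SHA"


def make_row(id_, domain, type_, method="TLSv1_2", **overrides):
    """Construct a tls_mgm row dict with the defaults used in the example inserts."""
    row = dict(id=id_, domain=domain, match_ip_address="*", match_sip_domain="*",
               type=type_, method=method, verify_cert=0, require_cert=0,
               certificate=CERT_PEM, private_key=KEY_PEM, crl_check_all=0,
               crl_dir=None, ca_list=None, ca_dir=None, cipher_list=CIPHERS,
               dh_params=None, ec_curve="secp384r1")
    row.update(overrides)
    return row


# The layout from the question: a single server-type row whose method carries a stray '-'.
# (hostname and IP are constructed placeholders)
QUESTION_ROWS = [make_row(1, "sip.example.com", TYPE_SERVER, method="TLSv1_2-",
                          match_ip_address="192.0.2.10:4003",
                          ca_list="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")]

# The layout from the answer: one server row and one client row, both named 'default'.
ANSWER_ROWS = [make_row(5, "default", TYPE_SERVER), make_row(15, "default", TYPE_CLIENT)]


if __name__ == "__main__":
    for name, rows in (("question", QUESTION_ROWS), ("answer", ANSWER_ROWS)):
        print(f"{name}: {check_rows(rows) or 'OK'}")
    print(pem_to_hex_literal(CERT_PEM)[:24])
```

Run against the question's single row the checker reports two findings (no type-2 client domain, and a method value outside the accepted set); against the answer's server/client pair it reports none. The `tls_reload` MI command still has to be issued after the rows are inserted for a running instance to pick them up.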
On Fri, 7 Apr 2023 at 09:12, James Nicholls via Users <
users at lists.opensips.org> wrote:
> Hi all,
>
> I have an existing opensips 3.3.4 setup that uses modparam to set tls_mgm
> certificates with separate server_domain and client_domain entries. This
> works fine for registration and calling using TLS but I want to be able to
> update certificates with tls_reload so I'm trying to move them to the
> database instead.
>
> The tls_mgm table schema added by opensips-cli has a domain and type
> column. Does "type" mean client/server or is it something else? I have
> tried having separate entries for client/server certs, or combining them
> into one row, but I can't get it to work. Everything seems to result in "no
> TLS client domain found" as below.
>
> Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]:
> ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
> Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]:
> ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn
> 0x7f3c9f1b5e98
> Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]:
> DBG:core:tcpconn_destroy: delaying (0x7f3c9f1b5e98, flags 0018) ref = -1 ...
> Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]:
> ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket
> Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]:
> ERROR:proto_tls:proto_tls_send: async TCP connect failed
> Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:msg_send:
> send() to (PBX IP):5061 for proto tls/3 failed
> Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]:
> ERROR:tm:t_forward_nonack: sending request failed
>
> Example row in the tls_mgm table:
>
> domain: (SIP branded hostname)
> match_ip_address: (opensips IP):4003
> match_sip_domain: *
> type: 1
> method: TLSv1_2-
> verify_cert: 0
> require_cert: 0
> certificate: -----BEGIN CERTIFICATE----- [...]
> private_key: -----BEGIN RSA PRIVATE KEY----- [...]
> crl_check_all: 0
> crl_dir: NULL
> ca_list: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> ca_dir: NULL
> cipher_list: NULL
> dh_params: NULL
> ec_curve: NULL
>
> Is there any documentation for adding certificates to the tls_mgm table? I
> haven't found anything in the 3.3.x docs, the only examples use modparam.
> Hopefully I have got something really obvious wrong.
>
> Kind regards,
>
> James Nicholls
>