[OpenSIPS-Users] Need some clarification on TLS configuration on opensips 3.2

Sasmita Panda spanda at 3clogic.com
Fri Aug 30 11:57:58 UTC 2024


Hi,


For an outbound call to a TLS gateway I have the below configuration for
client_domain:


modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "tls_method", "[dom1]-TLSv1_2")
modparam("tls_mgm", "certificate", "[dom1]/etc/opensips/tls/3cdomain.crt")
modparam("tls_mgm", "private_key", "[dom1]/etc/opensips/tls/3cdomain.key")
modparam("tls_mgm", "require_cert", "[dom1]0")
modparam("tls_mgm", "verify_cert", "[dom1]0")

With this configuration, when I place an outbound call I am getting the
below error in the logs. I don't have the certificate and key of the
next party. How can I authorize this certificate that they provide on the
opensips end?

NOTICE:tls_openssl:verify_callback: depth = 1, verify failure
NOTICE:tls_openssl:verify_callback: subject = /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http:\/\/certs.godaddy.com\/repository\//CN=Go Daddy Secure Certificate Authority - G2
NOTICE:tls_openssl:verify_callback: issuer  = /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
NOTICE:tls_openssl:verify_callback: verify error: unable to get local issuer certificate [error=20]
INFO:tls_openssl:openssl_tls_connect: New TLS connection to 18.169.x.y:5065 established
INFO:tls_openssl:tls_dump_cert_info: tls_connect: server TLS certificate subject: /CN=*.sftel.yyy.cloud, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http:\/\/certs.godaddy.com\/repository\//CN=Go Daddy Secure Certificate Authority - G2
WARNING:tls_openssl:openssl_tls_connect: TLS server certificate verification failed
ERROR:tls_openssl:tls_dump_verification_failure: unable to get local issuer certificate
INFO:tls_openssl:tls_dump_cert_info: tls_connect: local TLS client certificate subject: /CN=*.xxx.com, issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=xyz RSA Domain Validation Secure Server CA

What should I do here?

Thanks & Regards
Sasmita Panda
Senior Network Testing and Software Engineer
3CLogic , ph:07827611765


On Thu, Aug 29, 2024 at 12:52 PM Sasmita Panda <spanda at 3clogic.com> wrote:

> Hi All,
>
> I have been using opensips 3.2 for a very long time. For TLS connections I was
> using our domain-specific certificate and private key, which were authorized
> by some verified organization. With that, my TLS connection with the server
> is getting established and I am also able to get REGISTER and INVITE
> requests on the connection.
>
>
> Rather than this, when I build opensips with TLS=1, opensips itself
> creates its own rootCA. If I am using those crt and private key files for
> the TLS connection, the connection gets established but I am not getting any
> request. What can be the reason?
>
> My configuration is like below.
>
> modparam("tls_mgm", "server_domain", "dom3")
> modparam("tls_mgm", "match_ip_address", "[dom3]20.1.x.y:5061")
> modparam("tls_mgm", "match_sip_domain", "[dom3]none")
> # 20.1.x.y is my server's private IP, on which I have configured the TLS socket.
> modparam("tls_mgm", "tls_method", "[dom3]-TLSv1_2")
>
> modparam("tls_mgm", "certificate", "[dom3]/etc/opensips/tls/rootCA/cacert.pem")
> modparam("tls_mgm", "private_key", "[dom3]/etc/opensips/tls/rootCA/private/cakey.pem")
> modparam("tls_mgm", "ca_list", "[dom3]/etc/opensips/tls/rootCA/certs/01.pem")
>
> modparam("tls_mgm", "require_cert", "[dom3]0")
> modparam("tls_mgm", "verify_cert", "[dom3]1")
>
> In the logs I am getting the below message:
>
> 2024-08-29T07:14:59.213460+00:00 ip-20-1-205-63 /sbin/opensips[22895]: INFO:tls_openssl:openssl_tls_accept: New TLS connection from x.x.x.x:20219 accepted
> 2024-08-29T07:14:59.213866+00:00 ip-20-1-205-63 /sbin/opensips[22895]: INFO:tls_openssl:openssl_tls_accept: Client did not present a TLS certificate
> 2024-08-29T07:14:59.214064+00:00 ip-20-1-205-63 /sbin/opensips[22895]: INFO:tls_openssl:tls_dump_cert_info: tls_accept: local TLS server certificate subject: /CN=OpenSIPS/ST=opensips.org/C=IP/emailAddress=team at opensips.org/O=opensips.org, issuer: /CN=OpenSIPS/ST=opensips.org/C=IP/emailAddress=team at opensips.org/O=opensips.org
>
> I have added siptrace and tracing to the DB as well. I am not getting any
> SIP messages in the 2nd case. What can be the reason for this? This is
> quite critical to me. Please do help.
>
>
> Thanks & Regards
> Sasmita Panda
> Senior Network Testing and Software Engineer
> 3CLogic , ph:07827611765
>
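The "unable to get local issuer certificate [error=20]" at depth 1 in the log above is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the gateway presented its leaf plus the GoDaddy intermediate, but no trust anchor for that intermediate exists in the local CA material, and with verify_cert set to 0 the call proceeds over a peer that was never verified. The script below is an added example (not the poster's or the OpenSIPS project's code) that reproduces the three outcomes with a constructed root/intermediate/leaf chain using the openssl CLI; all names, paths and the temporary directory are made up, and it only needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not the poster's or the OpenSIPS project's code): rebuilds the
# "error 20 at depth 1" from the post with a constructed root->intermediate->leaf chain.
set -e
# build_demo_chain DIR: writes root.crt, inter.crt, leaf.crt (and keys) into DIR
build_demo_chain() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: stands in for the public root the gateway's chain ends at
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate issued by the root (the "depth = 1" certificate in the log)
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions ca_ext -out "$d/inter.crt" 2>/dev/null
  # Leaf: the gateway's own certificate, signed by the intermediate only
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=gateway.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions leaf_ext -out "$d/leaf.crt" 2>/dev/null
}
# verify_result LEAF [openssl verify options]: prints "ok", or "<errno>@<depth>" parsed
# from the first "error N at D depth lookup" line (20 = no local issuer found)
verify_result() {
  leaf=$1; shift
  out=$(openssl verify "$@" "$leaf" 2>&1) && { echo ok; return 0; }
  printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/\1@\2/p' | head -n 1
}
D=$(mktemp -d); build_demo_chain "$D"
# Peer sent leaf+intermediate but no trust anchor for the intermediate locally:
verify_result "$D/leaf.crt" -no-CAfile -no-CApath -untrusted "$D/inter.crt"   # 20@1
# Root trusted, intermediate neither sent by the peer nor in the CA file:
verify_result "$D/leaf.crt" -no-CApath -CAfile "$D/root.crt"                  # 20@0
# Root trusted and intermediate supplied by the peer: chain verifies
verify_result "$D/leaf.crt" -no-CApath -CAfile "$D/root.crt" -untrusted "$D/inter.crt"   # ok
```

The third case is the one a ca_list file holding the gateway's root (or root plus intermediate) gives OpenSIPS, which is what lets verify_cert be set to 1 for the client domain instead of 0.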