[OpenSIPS-Users] SSL error

Ben Newlin Ben.Newlin at genesys.com
Fri Jun 14 18:29:31 UTC 2024


I think there is no longer a default server domain concept (I think there used to be). So for the server side you have to define either match_ip_address [1] or match_sip_domain [2] in order for the incoming connection to be matched to the correct TLS domain.

It seems in this case you probably want something like:

modparam("tls_mgm", "match_ip_address", "[server]<server_ip>:TLS_PORT")

Also, it is not shown, but I assume you have also configured a TLS socket listening on the port? [3]

socket = tls:<server_ip>:TLS_PORT

[1] https://opensips.org/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address
[2] https://opensips.org/docs/modules/3.4.x/tls_mgm.html#param_match_sip_domain
[3] https://www.opensips.org/Documentation/Script-CoreParameters-3-4#socket

Ben Newlin

From: Users <users-bounces at lists.opensips.org> on behalf of Ihor Olkhovskyi <igorolhovskiy at gmail.com>
Date: Friday, June 14, 2024 at 2:15 PM
To: users at lists.opensips.org <users at lists.opensips.org>
Subject: Re: [OpenSIPS-Users] SSL error

Hello,

I'll paste a working 3.4 TLS config from my project; hope you can adapt this one.

loadmodule "proto_tls.so"
modparam("proto_tls", "tls_port", TLS_PORT)
modparam("proto_tls", "tls_handshake_timeout", 3000)
modparam("proto_tls", "tls_send_timeout", 3000)
modparam("proto_tls", "tls_async_local_connect_timeout", 3000)
modparam("proto_tls", "tls_async_handshake_timeout", 3000)
# WebSocket part
loadmodule "proto_wss.so"
modparam("proto_wss", "wss_handshake_timeout", 3000)
modparam("proto_wss", "wss_tls_handshake_timeout", 3000)
modparam("proto_wss", "require_origin", no)

loadmodule "tls_openssl.so"
loadmodule "tls_mgm.so"

modparam("tls_mgm", "client_domain", "client")
modparam("tls_mgm", "certificate", "[client]/etc/ssl/certs/ssl-cert-snakeoil.pem")
modparam("tls_mgm", "private_key", "[client]/etc/ssl/private/ssl-cert-snakeoil.key")
modparam("tls_mgm", "ca_list", "[client]/etc/ssl/certs/ca-certificates.crt")
modparam("tls_mgm", "verify_cert", "[client]0")
modparam("tls_mgm", "require_cert", "[client]0")

modparam("tls_mgm", "server_domain", "server")
modparam("tls_mgm", "certificate", "[server]/etc/ssl/certs/ssl-cert-snakeoil.pem")
modparam("tls_mgm", "private_key", "[server]/etc/ssl/private/ssl-cert-snakeoil.key")
modparam("tls_mgm", "ca_list", "[server]/etc/ssl/certs/ca-certificates.crt")
modparam("tls_mgm", "verify_cert", "[server]0")
modparam("tls_mgm", "require_cert", "[server]0")

On 13/06/2024 at 00:49, Pa Ka wrote:
Hello Team, sorry to bother you again. The OpenSIPS SSL certificates are not working on port 5061. I checked with an SSL checker and it returns "No SSL certificates were found on [server:5061]".
I'm using version 3.2.18 (it was the same issue with 3.4.5); the certificates are generated with Let's Encrypt.

This is the modparam

modparam("tls_mgm","tls_library", "openssl")
modparam("tls_mgm","server_domain", "dom")
modparam("tls_mgm","match_ip_address", "[dom]*")
modparam("tls_mgm","verify_cert", "[dom]1")
modparam("tls_mgm","require_cert", "[dom]1")
modparam("tls_mgm","tls_method", "[dom]-TLSv1_2")
modparam("tls_mgm","certificate", "[dom]/etc/opensips/tls/user/user-cert.pem")
modparam("tls_mgm","private_key", "[dom]/etc/opensips/tls/user/user-privkey.pem")
modparam("tls_mgm","ca_list", "[dom]/etc/opensips/tls/user/user-calist.pem")
modparam("tls_mgm", "require_cert", "1")
modparam("tls_mgm", "verify_cert", "1")


I tried this

modparam("tls_mgm","certificate", "[dom]/etc/letsencrypt/live/domain/fullchain.pem")
modparam("tls_mgm","private_key", "[dom]/etc/letsencrypt/live/domain/privkey.pem")
modparam("tls_mgm","ca_list", "[dom]/etc/letsencrypt/live/domain/chain.pem")

but it returns a permission error message and OpenSIPS couldn't start (even though I set the permissions of all files in /etc/letsencrypt to the opensips user and group as well).

Thank you. P.K
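As an added example (not part of the thread, and not OpenSIPS project code), the script below turns Ben's two points into a static check you can run against an opensips.cfg before starting the daemon: every tls_mgm server_domain must carry a match_ip_address or match_sip_domain entry, and a tls: socket must exist; it also checks that the private key file is not world-readable, which is the mode a Let's Encrypt key should end up in once it is owned by the opensips user. The config text SAMPLE_CFG is constructed for the demo (the second domain "other" is deliberately left without a matcher), the function names are my own, and probe_tls_port assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the list thread: static checks for an OpenSIPS 3.x
# tls_mgm configuration plus a private-key file mode check.

# Constructed sample config in the 3.x syntax used in the thread.
SAMPLE_CFG='
socket = tls:203.0.113.10:5061
loadmodule "tls_mgm.so"
modparam("tls_mgm","server_domain", "dom")
modparam("tls_mgm","match_ip_address", "[dom]*")
modparam("tls_mgm","certificate", "[dom]/etc/letsencrypt/live/example/fullchain.pem")
modparam("tls_mgm","private_key", "[dom]/etc/letsencrypt/live/example/privkey.pem")
# modparam("tls_mgm","match_sip_domain", "[other]sip.example.net")  commented out on purpose
modparam("tls_mgm","server_domain", "other")
'

# Print the name of every tls_mgm server_domain in the config given as $1.
server_domains() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*modparam("tls_mgm",[[:space:]]*"server_domain",[[:space:]]*"\([^"]*\)").*/\1/p'
}

# Succeed if server domain $2 has a match_ip_address or match_sip_domain line
# (commented-out lines do not count because the pattern is anchored at modparam).
domain_has_matcher() {
  printf '%s\n' "$1" | grep -Eq \
    '^[[:space:]]*modparam\("tls_mgm",[[:space:]]*"(match_ip_address|match_sip_domain)",[[:space:]]*"\['"$2"'\]'
}

# Succeed if the config opens a TLS listener ("socket =" in 3.x, "listen =" in older releases).
has_tls_socket() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(socket|listen)[[:space:]]*=[[:space:]]*tls:'
}

# Run all checks on config $1; print each finding and return the number of findings.
check_tls_config() {
  cfg=$1
  problems=0
  if ! has_tls_socket "$cfg"; then
    echo "no TLS listener: add 'socket = tls:<ip>:<port>'"
    problems=$((problems + 1))
  fi
  doms=$(server_domains "$cfg")
  if [ -z "$doms" ]; then
    echo "no server_domain defined, so no certificate can be served"
    problems=$((problems + 1))
  fi
  for d in $doms; do
    if ! domain_has_matcher "$cfg" "$d"; then
      echo "server domain [$d] has neither match_ip_address nor match_sip_domain; it can never be selected for an incoming connection"
      problems=$((problems + 1))
    fi
  done
  return "$problems"
}

# Succeed if file $1 is not readable by "other": the 8th column of ls -l is the
# other-read bit. The key should be owned by the opensips user with mode 0600.
key_is_private() {
  [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# Live probe of a listener, roughly what an online "SSL checker" does.
# Not called below because it needs a reachable host; prints the presented certificate.
probe_tls_port() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

check_tls_config "$SAMPLE_CFG" || echo "$? problem(s) found"
```

Run it against a real file with `check_tls_config "$(cat /etc/opensips/opensips.cfg)"` and `key_is_private /etc/letsencrypt/live/<domain>/privkey.pem`; for the key check, remember that Let's Encrypt places the live files behind symlinks, so the target file and the directories above it must be readable by the opensips user too.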


