[OpenSIPS-Users] Need some clarification on TLS configuration on opensips 3.2

Sasmita Panda spanda at 3clogic.com
Tue Sep 3 05:28:10 UTC 2024


Is there any update here?


*Thanks & Regards*
*Sasmita Panda*
*Senior Network Testing and Software Engineer*
*3CLogic , ph:07827611765*


On Fri, Aug 30, 2024 at 5:27 PM Sasmita Panda <spanda at 3clogic.com> wrote:

> Hi,
>
> For an outbound call to a TLS gateway I have the configuration below for
> client_domain:
>
> modparam("tls_mgm", "client_domain", "dom1")
> modparam("tls_mgm", "match_ip_address", "[dom1]*")
> modparam("tls_mgm", "tls_method", "[dom1]-TLSv1_2")
> modparam("tls_mgm", "certificate", "[dom1]/etc/opensips/tls/3cdomain.crt")
> modparam("tls_mgm", "private_key", "[dom1]/etc/opensips/tls/3cdomain.key")
> modparam("tls_mgm", "require_cert", "[dom1]0")
> modparam("tls_mgm", "verify_cert", "[dom1]0")
>
> With this configuration, when I place an outbound call I am getting the
> error below in the logs. I don't have the certificate and key of the next
> party. How can I authorize the certificate they provide on the opensips end?
>
> NOTICE:tls_openssl:verify_callback: depth = 1, verify failure
> NOTICE:tls_openssl:verify_callback: subject = /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http:\/\/certs.godaddy.com\/repository\//CN=Go Daddy Secure Certificate Authority - G2
> NOTICE:tls_openssl:verify_callback: issuer  = /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
> NOTICE:tls_openssl:verify_callback: verify error: unable to get local issuer certificate [error=20]
> INFO:tls_openssl:openssl_tls_connect: New TLS connection to 18.169.x.y:5065 established
> INFO:tls_openssl:tls_dump_cert_info: tls_connect: server TLS certificate subject: /CN=*.sftel.yyy.cloud, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http:\/\/certs.godaddy.com\/repository\//CN=Go Daddy Secure Certificate Authority - G2
> WARNING:tls_openssl:openssl_tls_connect: TLS server certificate verification failed
> ERROR:tls_openssl:tls_dump_verification_failure: unable to get local issuer certificate
> INFO:tls_openssl:tls_dump_cert_info: tls_connect: local TLS client certificate subject: /CN=*.xxx.com, issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=xyz RSA Domain Validation Secure Server CA
>
> *What should I do here?*
>
> *Thanks & Regards*
> *Sasmita Panda*
> *Senior Network Testing and Software Engineer*
> *3CLogic , ph:07827611765*
>
>
> On Thu, Aug 29, 2024 at 12:52 PM Sasmita Panda <spanda at 3clogic.com> wrote:
>
>> Hi All,
>>
>> I have been using opensips 3.2 for a very long time. For TLS connections I
>> was using our domain-specific certificate and private key, which was
>> authorized by some verified organization. With that, my TLS connection with
>> the server gets established and I am also able to get REGISTER and INVITE
>> requests on the connection.
>>
>> Apart from this, when I build opensips with TLS=1, opensips itself creates
>> its own rootCA. If I use those crt and private key files for the TLS
>> connection, the connection gets established but I am not getting any
>> request. What can be the reason?
>>
>> My configuration is as below.
>>
>> modparam("tls_mgm", "server_domain", "dom3")
>> modparam("tls_mgm", "match_ip_address", "[dom3]20.1.x.y:5061")
>> modparam("tls_mgm", "match_sip_domain", "[dom3]none")
>> # 20.1.x.y is my server's private IP on which I have configured the TLS socket.
>> modparam("tls_mgm", "tls_method", "[dom3]-TLSv1_2")
>>
>> modparam("tls_mgm", "certificate", "[dom3]/etc/opensips/tls/rootCA/cacert.pem")
>> modparam("tls_mgm", "private_key", "[dom3]/etc/opensips/tls/rootCA/private/cakey.pem")
>> modparam("tls_mgm", "ca_list", "[dom3]/etc/opensips/tls/rootCA/certs/01.pem")
>>
>> modparam("tls_mgm", "require_cert", "[dom3]0")
>> modparam("tls_mgm", "verify_cert", "[dom3]1")
>>
>> In the logs I am getting the message below:
>>
>> 2024-08-29T07:14:59.213460+00:00 ip-20-1-205-63 /sbin/opensips[22895]: INFO:tls_openssl:openssl_tls_accept: New TLS connection from x.x.x.x:20219 accepted
>> 2024-08-29T07:14:59.213866+00:00 ip-20-1-205-63 /sbin/opensips[22895]: INFO:tls_openssl:openssl_tls_accept: Client did not present a TLS certificate
>> 2024-08-29T07:14:59.214064+00:00 ip-20-1-205-63 /sbin/opensips[22895]: INFO:tls_openssl:tls_dump_cert_info: tls_accept: local TLS server certificate subject: /CN=OpenSIPS/ST=opensips.org/C=IP/emailAddress=team at opensips.org/O=opensips.org, issuer: /CN=OpenSIPS/ST=opensips.org/C=IP/emailAddress=team at opensips.org/O=opensips.org
>>
>> I have added siptrace and tracing to the DB as well. I am not getting any
>> SIP messages in the 2nd case. What can be the reason for this? This is
>> quite critical to me. Please do help.
>>
>>
>> *Thanks & Regards*
>> *Sasmita Panda*
>> *Senior Network Testing and Software Engineer*
>> *3CLogic , ph:07827611765*
>>
>
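Triage logic for the two kinds of tls_openssl log excerpts quoted in this thread, added here as an illustration; it is not code from the thread or from the OpenSIPS project. It runs over constructed sample lines (placeholder hosts and CA names modelled on the excerpts above) and reports what each set implies: a `verify error ... [error=20]` at depth 1 means the peer did present its intermediate CA certificate, but the issuer of that intermediate, the root, is not in the client domain's trust store, which in tls_mgm is what `ca_list` (the parameter shown in the thread) or `ca_dir` supplies; the inbound excerpt records a peer that sent no client certificate and a local server certificate whose subject equals its issuer, i.e. the self-signed rootCA that the build generates. The `TlsFinding` and `triage` names and the wording of the error-code table are this example's own; the numeric codes are OpenSSL's `X509_V_ERR_*` values.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample lines modelled on the two tls_openssl excerpts in the thread
# (hosts, addresses and CA names replaced with placeholders).
OUTBOUND_LOG = """\
NOTICE:tls_openssl:verify_callback: depth = 1, verify failure
NOTICE:tls_openssl:verify_callback: subject = /C=US/O=Example CA, Inc./CN=Example Intermediate CA - G2
NOTICE:tls_openssl:verify_callback: issuer  = /C=US/O=Example CA, Inc./CN=Example Root CA - G2
NOTICE:tls_openssl:verify_callback: verify error: unable to get local issuer certificate [error=20]
INFO:tls_openssl:openssl_tls_connect: New TLS connection to 192.0.2.10:5065 established
WARNING:tls_openssl:openssl_tls_connect: TLS server certificate verification failed
ERROR:tls_openssl:tls_dump_verification_failure: unable to get local issuer certificate
"""

INBOUND_LOG = """\
INFO:tls_openssl:openssl_tls_accept: New TLS connection from 198.51.100.7:20219 accepted
INFO:tls_openssl:openssl_tls_accept: Client did not present a TLS certificate
INFO:tls_openssl:tls_dump_cert_info: tls_accept: local TLS server certificate subject: /CN=OpenSIPS/O=opensips.org, issuer: /CN=OpenSIPS/O=opensips.org
"""

# OpenSSL X509_V_ERR_* result codes as they appear in "[error=N]".
X509_ERRORS = {
    10: "certificate has expired",
    18: "self-signed certificate at depth 0",
    19: "self-signed certificate in chain (its root is not trusted)",
    20: "unable to get local issuer certificate (issuer not in trust store)",
    21: "unable to verify the first certificate",
}

DEPTH_RE = re.compile(r"verify_callback: depth = (\d+), verify failure")
SUBJECT_RE = re.compile(r"verify_callback: subject = (.+)$")
ISSUER_RE = re.compile(r"verify_callback: issuer\s+= (.+)$")
ERROR_RE = re.compile(r"verify error: .+? \[error=(\d+)\]")
CONN_RE = re.compile(r"openssl_tls_(connect|accept): New TLS connection (?:to|from) (\S+)")
LOCAL_CERT_RE = re.compile(r"local TLS (?:server|client) certificate subject: (.+?), issuer: (.+)$")
NO_CLIENT_CERT = "Client did not present a TLS certificate"


@dataclass
class TlsFinding:
    direction: str = ""          # "connect" (client_domain) or "accept" (server_domain)
    peer: str = ""
    # (depth, subject, issuer, X509 error code) for every failed chain element
    failures: List[Tuple[int, str, str, int]] = field(default_factory=list)
    client_cert_presented: bool = True
    local_cert_self_signed: bool = False

    def diagnosis(self) -> List[str]:
        notes = []
        for depth, subject, issuer, code in self.failures:
            what = X509_ERRORS.get(code, f"X509 error {code}")
            notes.append(f"depth {depth} ({subject}): {what}")
            if code == 20:
                notes.append(f"issuer '{issuer}' is missing from this domain's ca_list / ca_dir")
        if not self.client_cert_presented:
            notes.append("peer presented no client certificate; the domain's require_cert "
                         "setting decides whether that is accepted")
        if self.local_cert_self_signed:
            notes.append("local certificate is self-signed; peers that verify it must trust it explicitly")
        return notes


def triage(log: str) -> TlsFinding:
    """Fold the tls_openssl lines of one connection into a TlsFinding."""
    f = TlsFinding()
    depth: Optional[int] = None
    subject = issuer = ""
    for line in log.splitlines():
        # verify_callback emits depth, subject, issuer and then the error for one chain element
        if m := DEPTH_RE.search(line):
            depth = int(m.group(1))
        elif m := SUBJECT_RE.search(line):
            subject = m.group(1)
        elif m := ISSUER_RE.search(line):
            issuer = m.group(1)
        elif (m := ERROR_RE.search(line)) and depth is not None:
            f.failures.append((depth, subject, issuer, int(m.group(1))))
            depth = None
        elif m := CONN_RE.search(line):
            f.direction, f.peer = m.group(1), m.group(2)
        elif NO_CLIENT_CERT in line:
            f.client_cert_presented = False
        elif m := LOCAL_CERT_RE.search(line):
            f.local_cert_self_signed = m.group(1) == m.group(2)
    return f


if __name__ == "__main__":
    for name, log in (("outbound", OUTBOUND_LOG), ("inbound", INBOUND_LOG)):
        finding = triage(log)
        print(f"{name}: direction={finding.direction} peer={finding.peer}")
        for note in finding.diagnosis():
            print("  -", note)
```

Feeding a real `journalctl -u opensips` excerpt into `triage()` works the same way as the embedded samples, since the regexes key on the `tls_openssl` function names rather than on the syslog prefix; the self-signed check is what distinguishes a build-generated rootCA certificate from a CA-issued one in the inbound case.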