[OpenSIPS-Users] MS Teams and SBC integration

Thiago Lopes tlopes at unitedworldtelecom.com
Mon Mar 10 16:49:49 UTC 2025 

Hello,

I tried to change this option, change from self-signed to true certificate,
change the listeners and even change the DRouting module to Dispatcher.

Microsoft's documentation says that a SBC must send a packet to them, so
they will answer back and will send an OPTIONS packet as soon as the TLS
connection was made successfully.

So, when I send the first packet, I will act as a client TLS user. I
thought the 'client domain' part, in module configuration was the problem.
But even changing the 'server' part too, the result was the same.

 /usr/sbin/opensips[676690]: DBG:proto_tls:proto_tls_send: no open tcp
> connection found, opening new one, async = 1
>  /usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff: getsockopt: snd
> is initially 16384
>  /usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff: using snd
> buffer of 416 kb
>  /usr/sbin/opensips[676690]: DBG:core:init_sock_keepalive: TCP keepalive
> enabled on socket 5
>  /usr/sbin/opensips[676681]: WARNING:core:utimer_ticker: utimer task
> <tm-utimer> already scheduled 100 ms ago (now 35900 ms), delaying execution
>  /usr/sbin/opensips[676690]: DBG:core:tcp_async_connect: Polling is overdue
>  /usr/sbin/opensips[676690]: DBG:core:tcp_async_connect: Create connection
> for async connect
>  /usr/sbin/opensips[676690]: DBG:core:print_ip: tcpconn_new: new tcp
> connection to: 52.114.32.169
>  /usr/sbin/opensips[676690]: DBG:core:tcpconn_new: on port 5061, proto 3
>  /usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_conn_init: no TLS
> client domain found
>  /usr/sbin/opensips[676690]: ERROR:core:tcp_conn_create: failed to do
> proto 3 specific init for conn 0x7f027cb1d070
> /usr/sbin/opensips[676690]: DBG:core:tcpconn_destroy: delaying
> (0x7f027cb1d070, flags 0018) ref = -1 ...
>  /usr/sbin/opensips[676690]: ERROR:core:tcp_async_connect: tcp_conn_create
> failed
>  /usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_send: async TCP
> connect failed


Thank you for your help.

Regards,

On Mon, Mar 10, 2025 at 4:33 AM Bogdan-Andrei Iancu <bogdan at opensips.org>
wrote:

> Hi,
>
> For the incoming TLS connections, the right TLS server domain is selected
> based either on the IP address (of OpenSIPS's listener), either on the SIP
> domain (if SNI is used).
>
> So, maybe SNI is not used in your case, so you should define a
> match_ip_address:
>
> https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>   https://www.opensips-solutions.com
>   https://www.siphub.com
>
> On 07.03.2025 23:10, Thiago Lopes via Users wrote:
>
> Hi everyone,
>
> I'm trying to integrate Ms Teams and Opensips and I'm having some
> problems.
>
> I tried to use self signed and Letsencrypt certificates, with no success.
> I always receive a ''no TLS client domain found'.
>
>  /usr/sbin/opensips[505412]: ERROR:proto_tls:proto_tls_conn_init: no TLS
> client domain found
>  /usr/sbin/opensips[505412]: ERROR:core:tcp_conn_create: failed to do
> proto 3 specific init for conn 0x7f7220f343b0
>  /usr/sbin/opensips[505412]: ERROR:core:tcp_async_connect: tcp_conn_create
> failed
>
> Here my opensips.cfg:
>
> loadmodule "tls_mgm.so"
>
> /*#first the  server domain */
> modparam("tls_mgm", "server_domain", "default")
> modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/
> sbc.mydomain.com/fullchain.pem")
> modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/
> sbc.mydomain.com/privkey.pem")
> modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/
> sbc.mydomain.com/inter.pem")
> modparam("tls_mgm", "match_sip_domain", "[default]sbc.mydomain.com")
> modparam("tls_mgm", "verify_cert", "[default]0")
> #modparam("tls_mgm", "require_cert", "[default]1")
> #modparam("tls_mgm", "ciphers_list", "[default]AES128-SHA256:AES256-SHA")
> modparam("tls_mgm", "tls_method", "[default]SSLv23")
>
>
>  # #and the client domain
>
> modparam("tls_mgm", "client_domain", "client")
> modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/
> sbc.mydomain.com/fullchain.pem")
> modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/
> sbc.mydomain.com/privkey.pem")
> modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/
> sbc.mydomain.com/inter.pem")
> #modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/
> sbc.mydomain.com/")
> modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
>
> modparam("tls_mgm", "verify_cert", "[client]0")
>  # modparam("tls_mgm", "require_cert", "[client]1")
>  # modparam("tls_mgm", "ciphers_list", "[client]AES128-SHA256:AES256-SHA")
> modparam("tls_mgm", "tls_method", "[client]SSLv23")
>
> I also changed the certificates, using self signed in "server domain" only
> or "client domain" only. Same result.
>
> Using the openssl the verify the certificates, I receive a OK in console:
>
> fullchain.pem: OK
>
> The inter.pem is the file with the root and intermediate Letsencrypt
> certificates.
>
> On the Ms Teams side, I checked the FQDN used, checked the firewall ports
> etc.
>
> I followed this tutorial:
> https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/  , so I'm
> using the Dynamic Routing module to send the OPTIONS packet. The opensips
> start the communication using TLS, I see the packets using TLS in 5061
> port, but when Opensips will answer, this message appears on the console
> and the connection is closed.
>
> /usr/sbin/opensips[505398]: ERROR:tm:t_uac: attempt to send to 'sip:
> sip.pstnhub.microsoft.com' failed
> /usr/sbin/opensips[505398]: ERROR:proto_tls:proto_tls_conn_init: no TLS
> client domain found
> /usr/sbin/opensips[505398]: ERROR:core:tcp_conn_create: failed to do proto
> 3 specific init for conn 0x7f7220f4df40
>
> What I'm not seeing? Did someone pass through this problem?
> Best regards
>
> _______________________________________________
> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20250310/7f4f2b65/attachment-0001.html>

More information about the Users mailing list