[OpenSIPS-Users] MS Teams and SBC integration
Bogdan-Andrei Iancu
bogdan at opensips.org
Tue Mar 11 09:47:42 UTC 2025
Hi,
OK, so your OpenSIPS is the client from the TLS point of view. So, you need to help
OpenSIPS figure out which TLS client domain to use. The simplest ways
to do it are by directly forcing the name of the TLS client domain (see
[1]) or by setting a SIP domain (see [2]) that matches
"match_sip_domain" in your TLS client domain.
[1]
https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_client_tls_domain_avp
[2]
https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_client_sip_domain_avp
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
https://www.siphub.com
On 10.03.2025 18:49, Thiago Lopes wrote:
> Hello,
>
> I tried to change this option, change from self-signed to true
> certificate, change the listeners and even change the DRouting module
> to Dispatcher.
>
> Microsoft's documentation says that an SBC must send a packet to them,
> so they will answer back and will send an OPTIONS packet as soon as
> the TLS connection is made successfully.
>
> So, when I send the first packet, I will act as a client TLS user. I
> thought the 'client domain' part, in module configuration was the
> problem. But even changing the 'server' part too, the result was the
> same.
>
> /usr/sbin/opensips[676690]: DBG:proto_tls:proto_tls_send: no open
> tcp connection found, opening new one, async = 1
> /usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff:
> getsockopt: snd is initially 16384
> /usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff: using
> snd buffer of 416 kb
> /usr/sbin/opensips[676690]: DBG:core:init_sock_keepalive: TCP
> keepalive enabled on socket 5
> /usr/sbin/opensips[676681]: WARNING:core:utimer_ticker: utimer
> task <tm-utimer> already scheduled 100 ms ago (now 35900 ms),
> delaying execution
> /usr/sbin/opensips[676690]: DBG:core:tcp_async_connect: Polling
> is overdue
> /usr/sbin/opensips[676690]: DBG:core:tcp_async_connect: Create
> connection for async connect
> /usr/sbin/opensips[676690]: DBG:core:print_ip: tcpconn_new: new
> tcp connection to: 52.114.32.169
> /usr/sbin/opensips[676690]: DBG:core:tcpconn_new: on port 5061,
> proto 3
> /usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_conn_init:
> no TLS client domain found
> /usr/sbin/opensips[676690]: ERROR:core:tcp_conn_create: failed to
> do proto 3 specific init for conn 0x7f027cb1d070
> /usr/sbin/opensips[676690]: DBG:core:tcpconn_destroy: delaying
> (0x7f027cb1d070, flags 0018) ref = -1 ...
> /usr/sbin/opensips[676690]: ERROR:core:tcp_async_connect:
> tcp_conn_create failed
> /usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_send: async
> TCP connect failed
>
>
> Thank you for your help.
>
> Regards,
>
> On Mon, Mar 10, 2025 at 4:33 AM Bogdan-Andrei Iancu
> <bogdan at opensips.org> wrote:
>
> Hi,
>
> For the incoming TLS connections, the right TLS server domain is
> selected based either on the IP address (of OpenSIPS's listener)
> or on the SIP domain (if SNI is used).
>
> So, maybe SNI is not used in your case, so you should define a
> match_ip_address:
> https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> https://www.siphub.com
>
> On 07.03.2025 23:10, Thiago Lopes via Users wrote:
>> Hi everyone,
>>
>> I'm trying to integrate MS Teams and OpenSIPS and I'm having some
>> problems.
>>
>> I tried to use self-signed and Let's Encrypt certificates, with no
>> success. I always receive a 'no TLS client domain found'.
>>
>> /usr/sbin/opensips[505412]: ERROR:proto_tls:proto_tls_conn_init:
>> no TLS client domain found
>> /usr/sbin/opensips[505412]: ERROR:core:tcp_conn_create: failed
>> to do proto 3 specific init for conn 0x7f7220f343b0
>> /usr/sbin/opensips[505412]: ERROR:core:tcp_async_connect:
>> tcp_conn_create failed
>>
>> Here is my opensips.cfg:
>>
>> loadmodule "tls_mgm.so"
>>
>> /*#first the server domain */
>> modparam("tls_mgm", "server_domain", "default")
>> modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
>> modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
>> modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
>> modparam("tls_mgm", "match_sip_domain", "[default]sbc.mydomain.com")
>> modparam("tls_mgm", "verify_cert", "[default]0")
>> #modparam("tls_mgm", "require_cert", "[default]1")
>> #modparam("tls_mgm", "ciphers_list", "[default]AES128-SHA256:AES256-SHA")
>> modparam("tls_mgm", "tls_method", "[default]SSLv23")
>>
>>
>> # #and the client domain
>> modparam("tls_mgm", "client_domain", "client")
>> modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
>> modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
>> modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
>> #modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/sbc.mydomain.com/")
>> modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
>>
>> modparam("tls_mgm", "verify_cert", "[client]0")
>> # modparam("tls_mgm", "require_cert", "[client]1")
>> # modparam("tls_mgm", "ciphers_list", "[client]AES128-SHA256:AES256-SHA")
>> modparam("tls_mgm", "tls_method", "[client]SSLv23")
>>
>> I also changed the certificates, using self signed in "server
>> domain" only or "client domain" only. Same result.
>>
>> Using openssl to verify the certificates, I receive an OK in the
>> console:
>>
>> fullchain.pem: OK
>>
>> The inter.pem is the file with the root and
>> intermediate Letsencrypt certificates.
>>
>> On the Ms Teams side, I checked the FQDN used, checked the
>> firewall ports etc.
>>
>> I followed this tutorial:
>> https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/ ,
>> so I'm using the Dynamic Routing module to send the OPTIONS
>> packet. OpenSIPS starts the communication using TLS, I see the
>> packets using TLS on port 5061, but when OpenSIPS answers,
>> this message appears on the console and the connection is closed.
>>
>> /usr/sbin/opensips[505398]: ERROR:tm:t_uac: attempt to send to
>> 'sip:sip.pstnhub.microsoft.com' failed
>> /usr/sbin/opensips[505398]: ERROR:proto_tls:proto_tls_conn_init:
>> no TLS client domain found
>> /usr/sbin/opensips[505398]: ERROR:core:tcp_conn_create: failed to
>> do proto 3 specific init for conn 0x7f7220f4df40
>>
>> What am I not seeing? Has anyone been through this problem?
>> Best regards
>>
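
The two ways of selecting the TLS client domain named in the reply ([1] and [2]), as an added configuration example that is not part of the original thread or of the OpenSIPS project's own files. The AVP names `tls_match_dom` and `tls_sip_dom` and the route name `to_teams` are assumed names chosen for illustration; the domain name `client`, the FQDN and the destination are taken from the posted configuration and logs. It assumes the `tm` and `proto_tls` modules are loaded elsewhere in the script and covers only requests relayed from the routing script.

```opensips
loadmodule "tls_mgm.so"

# TLS client domain, as in the posted configuration
modparam("tls_mgm", "client_domain", "client")
modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
# certificate, private_key and ca_list for [client] as in the post

# Option [1]: AVP that carries the NAME of the TLS client domain to force
# (AVP name is an assumption; any name works)
modparam("tls_mgm", "client_tls_domain_avp", "tls_match_dom")

# Option [2]: AVP that carries a SIP domain, which is compared against
# "match_sip_domain" of the defined client domains
# (AVP name is an assumption; any name works)
modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")

# Hypothetical route, called before sending a request towards Teams
route[to_teams] {
    # Option [1]: pick the client domain by its name
    $avp(tls_match_dom) = "client";

    # Option [2], as an alternative: pick it by SIP domain; the value
    # must equal the "match_sip_domain" of the [client] domain
    # $avp(tls_sip_dom) = "sbc.mydomain.com";

    # Destination as seen in the posted logs
    $du = "sip:sip.pstnhub.microsoft.com:5061;transport=tls";

    if (!t_relay()) {
        xlog("L_ERR", "relay over TLS failed for $rm to $du\n");
    }
}
```

If the AVP is set and the connection opens, the `no TLS client domain found` error from `proto_tls_conn_init` should no longer appear in the debug log for that destination.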