[OpenSIPS-Users] MS Teams and SBC integration

Thiago Lopes tlopes at unitedworldtelecom.com
Tue Mar 11 16:48:25 UTC 2025


Hi Bogdan-Andrei,

I already did this too. The result in the log file was the same.

Actually, even after changing the tls_mgm module, or switching from openssl to
wolfssl, I saw that the module that answers with the error is proto_tls:

 /usr/sbin/opensips[4634]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5
 /usr/sbin/opensips[4634]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.76.76
 /usr/sbin/opensips[4634]: DBG:core:tcpconn_new: on port 5061, proto 3
* /usr/sbin/opensips[4634]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found*
 /usr/sbin/opensips[4634]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f794a63d080
 /usr/sbin/opensips[4634]: DBG:core:tcpconn_destroy: delaying (0x7f794a63d080, flags 0018) ref = -1 ...

My actual cfg file:

#loadmodule "tls_openssl.so"
loadmodule "tls_wolfssl.so"

####TLS module
loadmodule "tls_mgm.so"
 /*#first the  server domain */
modparam("tls_mgm", "server_domain", "default")
modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
modparam("tls_mgm", "match_ip_address", "[default]x.x.x.x:5061")
modparam("tls_mgm", "match_sip_domain", "[default]sbc.mydomain.com")
#modparam("tls_mgm", "verify_cert", "[default]0")
#modparam("tls_mgm", "require_cert", "[default]1")
#modparam("tls_mgm", "ciphers_list", "[default]AES128-SHA256:AES256-SHA")
modparam("tls_mgm", "tls_method", "[default]SSLv23")


 # #and the client domain

modparam("tls_mgm", "client_domain", "client")
modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
#modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/sbc.mydomain.com/")
modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
modparam("tls_mgm", "match_ip_address", "[client]x.x.x.x:5061")

#modparam("tls_mgm", "verify_cert", "[client]0")
 # modparam("tls_mgm", "require_cert", "[client]1")
 # modparam("tls_mgm", "ciphers_list", "[client]AES128-SHA256:AES256-SHA")
modparam("tls_mgm", "tls_method", "[client]SSLv23")



modparam("tls_mgm", "tls_library", "wolfssl")
#modparam("tls_mgm", "tls_handshake_timeout", 300)
modparam("tls_mgm", "client_sip_domain_avp", "sbc.mydomain.com")
modparam("tls_mgm", "client_tls_domain_avp", "sbc.mydomain.com")

loadmodule "proto_tls.so"
#modparam("proto_tls", "tls_async", 0)
modparam("proto_tls", "tls_handshake_timeout", 300)
modparam("proto_tls", "tls_send_timeout", 2000)
modparam("proto_tls", "tls_max_msg_chunks", 8)
modparam("proto_tls", "cert_check_on_conn_reusage", 1)


Enabling or not enabling client_sip_domain_avp, client_tls_domain_avp,
match_sip_domain and match_ip_address, in any order, does not show any
different results.

I thought about maybe doing a rollback, from 3.4.11 to another version where
someone made this connection with Teams successfully.

For past versions, I read here on this list that some fellows ran into the
same error. But there was an error in the cfg file. I made several
alterations to this file, the modules and the certificates. The only change
that I didn't make was changing the version.

Regards,

On Tue, Mar 11, 2025 at 6:47 AM Bogdan-Andrei Iancu <bogdan at opensips.org>
wrote:

> Hi,
>
> OK, so your opensips is the client from the TLS pov. So, you need to help
> OpenSIPS figure out which TLS client domain to use. The simplest ways to do
> it are by forcing directly the name of the TLS client domain (see [1]) or by
> setting a SIP domain (see [2]) that matches "match_sip_domain" in your TLS
> client domain.
>
> [1]
> https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_client_tls_domain_avp
> [2]
> https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_client_sip_domain_avp
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>   https://www.opensips-solutions.com
>   https://www.siphub.com
>
> On 10.03.2025 18:49, Thiago Lopes wrote:
>
> Hello,
>
> I tried to change this option, change from self-signed to true
> certificate, change the listeners and even change the DRouting module to
> Dispatcher.
>
> Microsoft's documentation says that an SBC must send a packet to them, so
> they will answer back and will send an OPTIONS packet as soon as the TLS
> connection has been made successfully.
>
> So, when I send the first packet, I will act as a client TLS user. I
> thought the 'client domain' part in the module configuration was the problem.
> But even changing the 'server' part too, the result was the same.
>
>>  /usr/sbin/opensips[676690]: DBG:proto_tls:proto_tls_send: no open tcp connection found, opening new one, async = 1
>>  /usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff: getsockopt: snd is initially 16384
>>  /usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff: using snd buffer of 416 kb
>>  /usr/sbin/opensips[676690]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5
>>  /usr/sbin/opensips[676681]: WARNING:core:utimer_ticker: utimer task <tm-utimer> already scheduled 100 ms ago (now 35900 ms), delaying execution
>>  /usr/sbin/opensips[676690]: DBG:core:tcp_async_connect: Polling is overdue
>>  /usr/sbin/opensips[676690]: DBG:core:tcp_async_connect: Create connection for async connect
>>  /usr/sbin/opensips[676690]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.32.169
>>  /usr/sbin/opensips[676690]: DBG:core:tcpconn_new: on port 5061, proto 3
>>  /usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>  /usr/sbin/opensips[676690]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f027cb1d070
>>  /usr/sbin/opensips[676690]: DBG:core:tcpconn_destroy: delaying (0x7f027cb1d070, flags 0018) ref = -1 ...
>>  /usr/sbin/opensips[676690]: ERROR:core:tcp_async_connect: tcp_conn_create failed
>>  /usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_send: async TCP connect failed
>
>
> Thank you for your help.
>
> Regards,
>
> On Mon, Mar 10, 2025 at 4:33 AM Bogdan-Andrei Iancu <bogdan at opensips.org>
> wrote:
>
>> Hi,
>>
>> For the incoming TLS connections, the right TLS server domain is selected
>> based either on the IP address (of OpenSIPS's listener) or on the SIP
>> domain (if SNI is used).
>>
>> So, maybe SNI is not used in your case, so you should define a
>> match_ip_address:
>>
>> https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>   https://www.opensips-solutions.com
>>   https://www.siphub.com
>>
>> On 07.03.2025 23:10, Thiago Lopes via Users wrote:
>>
>> Hi everyone,
>>
>> I'm trying to integrate MS Teams and Opensips and I'm having some
>> problems.
>>
>> I tried to use self signed and Letsencrypt certificates, with no success.
>> I always receive a 'no TLS client domain found'.
>>
>>  /usr/sbin/opensips[505412]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>>  /usr/sbin/opensips[505412]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f7220f343b0
>>  /usr/sbin/opensips[505412]: ERROR:core:tcp_async_connect: tcp_conn_create failed
>>
>> Here is my opensips.cfg:
>>
>> loadmodule "tls_mgm.so"
>>
>> /*#first the  server domain */
>> modparam("tls_mgm", "server_domain", "default")
>> modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
>> modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
>> modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
>> modparam("tls_mgm", "match_sip_domain", "[default]sbc.mydomain.com")
>> modparam("tls_mgm", "verify_cert", "[default]0")
>> #modparam("tls_mgm", "require_cert", "[default]1")
>> #modparam("tls_mgm", "ciphers_list", "[default]AES128-SHA256:AES256-SHA")
>> modparam("tls_mgm", "tls_method", "[default]SSLv23")
>>
>>
>>  # #and the client domain
>>
>> modparam("tls_mgm", "client_domain", "client")
>> modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
>> modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
>> modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
>> #modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/sbc.mydomain.com/")
>> modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
>>
>> modparam("tls_mgm", "verify_cert", "[client]0")
>>  # modparam("tls_mgm", "require_cert", "[client]1")
>>  # modparam("tls_mgm", "ciphers_list", "[client]AES128-SHA256:AES256-SHA")
>> modparam("tls_mgm", "tls_method", "[client]SSLv23")
>>
>> I also changed the certificates, using self signed in "server domain"
>> only or "client domain" only. Same result.
>>
>> Using openssl to verify the certificates, I receive an OK in the console:
>>
>> fullchain.pem: OK
>>
>> The inter.pem is the file with the root and intermediate Letsencrypt
>> certificates.
>>
>> On the MS Teams side, I checked the FQDN used, checked the firewall ports
>> etc.
>>
>> I followed this tutorial:
>> https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/ , so I'm
>> using the Dynamic Routing module to send the OPTIONS packet. Opensips
>> starts the communication using TLS, and I see the packets using TLS on port
>> 5061, but when Opensips answers, this message appears on the console
>> and the connection is closed.
>>
>> /usr/sbin/opensips[505398]: ERROR:tm:t_uac: attempt to send to 'sip:sip.pstnhub.microsoft.com' failed
>> /usr/sbin/opensips[505398]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
>> /usr/sbin/opensips[505398]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f7220f4df40
>>
>> What am I not seeing? Has anyone run into this problem?
>> Best regards
>>
>
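
Added example (not part of the original thread, and not OpenSIPS project code): a small Python script that reads debug output in the format shown above and reports, per process, which outbound destination hit "no TLS client domain found". The sample lines are constructed from the log format in this thread with the e-mail wraps joined; the function and variable names are hypothetical.

```python
import re

# Constructed sample: lines in the debug format shown in this thread
# (e-mail line wraps joined). The last PID logs the error with no debug context.
SAMPLE_LOG = """\
/usr/sbin/opensips[4634]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.76.76
/usr/sbin/opensips[4634]: DBG:core:tcpconn_new: on port 5061, proto 3
/usr/sbin/opensips[4634]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
/usr/sbin/opensips[676690]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.32.169
/usr/sbin/opensips[676681]: WARNING:core:utimer_ticker: utimer task <tm-utimer> already scheduled 100 ms ago (now 35900 ms), delaying execution
/usr/sbin/opensips[676690]: DBG:core:tcpconn_new: on port 5061, proto 3
/usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
/usr/sbin/opensips[505412]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
"""

# Line layout: opensips[PID]: LEVEL:module:function: message
LINE = re.compile(r"opensips\[(?P<pid>\d+)\]:\s*(?P<level>[A-Z]+):(?P<mod>\w+):(?P<func>\w+):\s*(?P<msg>.*)")
DEST = re.compile(r"new tcp connection to:\s*(\S+)")
PORT = re.compile(r"on port (\d+), proto \d+")
ERROR_TEXT = "no TLS client domain found"


def failed_client_domain_lookups(log_text):
    """Return [(pid, dest_ip, dest_port)] for every failed client-domain lookup."""
    pending = {}   # pid -> [ip, port] of the connection that process is creating
    failures = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # wrapped fragment or unrelated line
        pid, msg = int(m["pid"]), m["msg"]
        dest, port = DEST.search(msg), PORT.search(msg)
        if dest:
            pending[pid] = [dest.group(1), None]
        elif port and pid in pending:
            pending[pid][1] = int(port.group(1))
        elif m["func"] == "proto_tls_conn_init" and ERROR_TEXT in msg:
            ip, prt = pending.pop(pid, [None, None])
            failures.append((pid, ip, prt))
    return failures


def failures_by_destination(log_text):
    """Count failures per (ip, port); (None, None) means no debug context was logged."""
    counts = {}
    for _pid, ip, port in failed_client_domain_lookups(log_text):
        counts[(ip, port)] = counts.get((ip, port), 0) + 1
    return counts


if __name__ == "__main__":
    for dest, n in failures_by_destination(SAMPLE_LOG).items():
        print(dest, n)
```

Lines from different worker processes interleave in the log, so the destination is tracked per PID rather than by line order.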