[OpenSIPS-Users] MS Teams and SBC integration

Ben Newlin Ben.Newlin at genesys.com
Tue Mar 11 18:09:02 UTC 2025


The configuration values for the “client_sip_domain_avp” and “client_tls_domain_avp” modparams are supposed to be the names of AVP variables, not domain names. They also represent 2 different ways to specify the desired client. The “match_ip_address” modparam is a third way to specify the client, or can be used in conjunction with SIP domain for additional flexibility.

First, if you only have one client as in your config example then both IP and domain matching are unnecessary. You can simply specify the client to match everything and all outbound TLS will use that client:

modparam("tls_mgm", "match_ip_address", "[client]*")
modparam("tls_mgm", "match_sip_domain", "[client]*")

If you do have multiple clients or you just want to directly specify the client anyway, then you can choose one of the methods to do so.

A. SIP Domain/IP Matching (see [1], [2], [3], [4])

1. Specify the SIP domain and/or IP which matches the client using the respective modparams:

modparam("tls_mgm", "match_ip_address", "[client]x.x.x.x:5061")
modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")

2. Specify the name of the AVP which your config script will populate with the SIP domain value to be used for matching against the client. This is only required if you want SIP Domain matching; it’s not required for IP matching.

modparam("tls_mgm", "client_sip_domain_avp", "tls_client_sip")

3. In your config script, set the named AVP to the appropriate domain for the message currently being processed. This could be the Request-URI domain ($rd), Destination URI domain ($dd), or anything else you like.

$avp(tls_client_sip) := "sbc.mydomain.com"; // or $rd or $dd or whatever

B. TLS Client Name Matching (see [5])

1. Specify the TLS client domain name via the modparam:

modparam("tls_mgm", "client_domain", "client")

2. Specify the name of the AVP which your config script will populate with the TLS client name to be used:

modparam("tls_mgm", "client_tls_domain_avp", "tls_client_name")

3. In your config script, set the named AVP to the name of the TLS client you wish to use for the message currently being processed.

$avp(tls_client_name) := "client";

[1] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_match_sip_domain
[2] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_match_ip_address
[3] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_client_sip_domain_avp
[4] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#domains-param
[5] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_client_tls_domain_avp


Ben Newlin

From: Users <users-bounces at lists.opensips.org> on behalf of Thiago Lopes via Users <users at lists.opensips.org>
Date: Tuesday, March 11, 2025 at 12:49 PM
To: Bogdan-Andrei Iancu <bogdan at opensips.org>
Cc: OpenSIPS users mailling list <users at lists.opensips.org>
Subject: Re: [OpenSIPS-Users] MS Teams and SBC integration
Hi Bogdan-Andrei,

I already did this too. The result in the log file was the same.

Actually, even after changing the tls_mgm module, or switching from openssl to wolfssl, I saw that the module that answers with the error is proto_tls:

 /usr/sbin/opensips[4634]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5
 /usr/sbin/opensips[4634]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.76.76
 /usr/sbin/opensips[4634]: DBG:core:tcpconn_new: on port 5061, proto 3
 /usr/sbin/opensips[4634]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
 /usr/sbin/opensips[4634]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f794a63d080
 /usr/sbin/opensips[4634]: DBG:core:tcpconn_destroy: delaying (0x7f794a63d080, flags 0018) ref = -1 ...

My actual cfg file:

#loadmodule "tls_openssl.so"
loadmodule "tls_wolfssl.so"

####TLS module
loadmodule "tls_mgm.so"
 /*#first the  server domain */
modparam("tls_mgm", "server_domain", "default")
modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
modparam("tls_mgm", "match_ip_address", "[default]x.x.x.x:5061")
modparam("tls_mgm", "match_sip_domain", "[default]sbc.mydomain.com")
#modparam("tls_mgm", "verify_cert", "[default]0")
#modparam("tls_mgm", "require_cert", "[default]1")
#modparam("tls_mgm", "ciphers_list", "[default]AES128-SHA256:AES256-SHA")
modparam("tls_mgm", "tls_method", "[default]SSLv23")


 # #and the client domain
modparam("tls_mgm", "client_domain", "client")
modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
#modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/sbc.mydomain.com/")
modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
modparam("tls_mgm", "match_ip_address", "[client]x.x.x.x:5061")

#modparam("tls_mgm", "verify_cert", "[client]0")
 # modparam("tls_mgm", "require_cert", "[client]1")
 # modparam("tls_mgm", "ciphers_list", "[client]AES128-SHA256:AES256-SHA")
modparam("tls_mgm", "tls_method", "[client]SSLv23")



modparam("tls_mgm", "tls_library", "wolfssl")
#modparam("tls_mgm", "tls_handshake_timeout", 300)
modparam("tls_mgm", "client_sip_domain_avp", "sbc.mydomain.com")
modparam("tls_mgm", "client_tls_domain_avp", "sbc.mydomain.com")

loadmodule "proto_tls.so"
#modparam("proto_tls", "tls_async", 0)
modparam("proto_tls", "tls_handshake_timeout", 300)
modparam("proto_tls", "tls_send_timeout", 2000)
modparam("proto_tls", "tls_max_msg_chunks", 8)
modparam("proto_tls", "cert_check_on_conn_reusage", 1)


Enabling or disabling client_sip_domain_avp, client_tls_domain_avp, match_sip_domain and match_ip_address, in any order, does not show any different results.

I thought maybe I should roll back from 3.4.11 to another version where someone made this connection with Teams successfully.

For past versions, I read here on this list that some fellows ran into the same error, but there was an error in the cfg file. I made several alterations to this file, the modules and the certificates. The only change that I didn't make was changing the version.
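
The steps of methods A and B from the reply, applied to the client section of the quoted configuration. This is an added example, not the poster's or the project's own config; the AVP names follow the reply, while the route name `to_teams` and the assumption that the tm module is loaded and the destination is already set are hypothetical.

```cfg
# Added example: client-side tls_mgm setup with the AVP modparams holding AVP names.
loadmodule "tls_wolfssl.so"
loadmodule "tls_mgm.so"
loadmodule "proto_tls.so"
modparam("tls_mgm", "tls_library", "wolfssl")

# Client domain: certificate material as in the quoted config
modparam("tls_mgm", "client_domain", "client")
modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")

# Step A.1: filters that select this client domain
# (any destination address, SIP domain taken from the AVP below)
modparam("tls_mgm", "match_ip_address", "[client]*")
modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")

# Before (quoted config): a domain name where an AVP name belongs
#   modparam("tls_mgm", "client_sip_domain_avp", "sbc.mydomain.com")
#   modparam("tls_mgm", "client_tls_domain_avp", "sbc.mydomain.com")
# After (steps A.2 and B.2): the values are the names of AVPs set by the script
modparam("tls_mgm", "client_sip_domain_avp", "tls_client_sip")
modparam("tls_mgm", "client_tls_domain_avp", "tls_client_name")

# Hypothetical route: assumes tm is loaded and the destination is already set
route[to_teams] {
    # Step A.3: SIP domain used for matching against the client domain
    $avp(tls_client_sip) := "sbc.mydomain.com";

    # Step B.3 (alternative): select the client domain directly by its name
    # $avp(tls_client_name) := "client";

    if (!t_relay()) {
        xlog("L_ERR", "relay over TLS failed for $ru\n");
    }
}
```

The AVP has to be set before the relay call, since the client domain is looked up when the outbound TLS connection is created.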