[OpenSIPS-Users] MS Teams and SBC integration

Thiago Lopes tlopes at unitedworldtelecom.com
Wed Mar 12 11:43:57 UTC 2025


Hey Ben,

Thank you for your email. I really misunderstood this topic and wrote it
wrong.

Now finally I have a new error. It's about the local issuer certificate.
I'm using Let's Encrypt and Microsoft's using DigiCert as CA.

 /usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: depth = 1, verify failure
 /usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: subject = /C=US/O=Microsoft Corporation/CN=Microsoft Azure RSA TLS Issuing CA 03
 /usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: issuer  = /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
 /usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: verify error: unable to get local issuer certificate [error=20]
 /usr/sbin/opensips[24021]: ERROR:tls_openssl:openssl_tls_async_connect: New TLS connection to 52.114.132.46:5061 failed

I'll troubleshoot this error, and make some tests using openssl to see what
happens here.

Thank you for your help.

Regards,

On Tue, Mar 11, 2025 at 3:09 PM Ben Newlin <Ben.Newlin at genesys.com> wrote:

> The configuration values for the “client_sip_domain_avp” and
> “client_tls_domain_avp” modparams are supposed to be the names of AVP
> variables, not domain names. They also represent 2 different ways to
> specify the desired client. The “match_ip_address” modparam is a third way
> to specify the client, or can be used in conjunction with SIP domain for
> additional flexibility.
>
>
>
> First, if you only have one client as in your config example then both IP
> and domain matching are unnecessary. You can simply specify the client to
> match everything and all outbound TLS will use that client:
>
>
>
> src/main/config/forward/module.cfg:45:modparam("tls_mgm", "match_ip_address", "[ client]*")
>
> src/main/config/forward/module.cfg:46:modparam("tls_mgm", "match_sip_domain", "[ client]*")
>
>
>
> If you do have multiple clients or you just want to directly specify the
> client anyway, then you can choose one of the methods to do so.
>
>
>
> A. SIP Domain/IP Matching (see [1], [2], [3], [4])
>
>
>
> 1. Specify the SIP domain and/or IP which matches the client using the
> respective modparams:
>
>
>
> modparam("tls_mgm", "match_ip_address", "[client]x.x.x.x:5061")
>
> modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
>
>
>
> 2. Specify the name of the AVP which your config script will populate with
> the SIP domain value to be used for matching against the client. This is
> only required if you want SIP Domain matching; it’s not required for IP
> matching.
>
>
>
> modparam("tls_mgm", "client_sip_domain_avp", "tls_client_sip")
>
>
>
> 3. In your config script, set the named AVP to the appropriate domain for
> the message currently being processed. This could be the Request-URI domain
> ($rd), Destination URI domain ($dd), or anything else you like.
>
>
>
> $avp(tls_client_sip) := "sbc.mydomain.com"; // or $rd or $dd or whatever
>
>
>
> B. TLS Client Name Matching (see [5])
>
>
>
> 1. Specify the TLS client domain name via the modparam:
>
>
>
> modparam("tls_mgm", "client_domain", "client")
>
>
>
> 2. Specify the name of the AVP which your config script will populate with
> the TLS client name to be used:
>
>
>
> modparam("tls_mgm", "client_tls_domain_avp", "tls_client_name")
>
>
>
> 3. In your config script, set the named AVP to the name of the TLS client
> you wish to use for the message currently being processed.
>
>
>
> $avp(tls_client_name) := "client";
>
> [1] -
> https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_match_sip_domain
>
> [2] -
> https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_match_ip_address
>
> [3] -
> https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_client_sip_domain_avp
>
> [4] -
> https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#domains-param
>
> [5] -
> https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_client_tls_domain_avp
>
>
>
>
>
> Ben Newlin
>
>
>
> *From: *Users <users-bounces at lists.opensips.org> on behalf of Thiago
> Lopes via Users <users at lists.opensips.org>
> *Date: *Tuesday, March 11, 2025 at 12:49 PM
> *To: *Bogdan-Andrei Iancu <bogdan at opensips.org>
> *Cc: *OpenSIPS users mailling list <users at lists.opensips.org>
> *Subject: *Re: [OpenSIPS-Users] MS Teams and SBC integration
>
> ------------------------------
>
> Hi Bogdan-Andrei,
>
>
>
> I already did this too. The result in the log file was the same.
>
>
>
> Actually, even with changing the tls_mgm module, or from openssl to
> wolfssl, I saw that the module that answers with the error is proto_tls:
>
>
>
>  /usr/sbin/opensips[4634]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5
>  /usr/sbin/opensips[4634]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.76.76
>  /usr/sbin/opensips[4634]: DBG:core:tcpconn_new: on port 5061, proto 3
> * /usr/sbin/opensips[4634]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found*
>  /usr/sbin/opensips[4634]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f794a63d080
>  /usr/sbin/opensips[4634]: DBG:core:tcpconn_destroy: delaying (0x7f794a63d080, flags 0018) ref = -1 ...
>
>
>
> My actual cfg file:
>
>
>
> #loadmodule "tls_openssl.so"
> loadmodule "tls_wolfssl.so"
>
> ####TLS module
> loadmodule "tls_mgm.so"
>  /*#first the  server domain */
> modparam("tls_mgm", "server_domain", "default")
> modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
> modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
> modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
> modparam("tls_mgm", "match_ip_address", "[default]x.x.x.x:5061")
> modparam("tls_mgm", "match_sip_domain", "[default]sbc.mydomain.com")
> #modparam("tls_mgm", "verify_cert", "[default]0")
> #modparam("tls_mgm", "require_cert", "[default]1")
> #modparam("tls_mgm", "ciphers_list", "[default]AES128-SHA256:AES256-SHA")
> modparam("tls_mgm", "tls_method", "[default]SSLv23")
>
>
>  # #and the client domain
>
> modparam("tls_mgm", "client_domain", "client")
> modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
> modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
> modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
> #modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/sbc.mydomain.com/")
> modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
> modparam("tls_mgm", "match_ip_address", "[client]x.x.x.x:5061")
>
> #modparam("tls_mgm", "verify_cert", "[client]0")
>  # modparam("tls_mgm", "require_cert", "[client]1")
>  # modparam("tls_mgm", "ciphers_list", "[client]AES128-SHA256:AES256-SHA")
> modparam("tls_mgm", "tls_method", "[client]SSLv23")
>
>
>
> modparam("tls_mgm", "tls_library", "wolfssl")
> #modparam("tls_mgm", "tls_handshake_timeout", 300)
> modparam("tls_mgm", "client_sip_domain_avp", "sbc.mydomain.com")
> modparam("tls_mgm", "client_tls_domain_avp", "sbc.mydomain.com")
>
> loadmodule "proto_tls.so"
> #modparam("proto_tls", "tls_async", 0)
> modparam("proto_tls", "tls_handshake_timeout", 300)
> modparam("proto_tls", "tls_send_timeout", 2000)
> modparam("proto_tls", "tls_max_msg_chunks", 8)
> modparam("proto_tls", "cert_check_on_conn_reusage", 1)
>
>
>
>
>
> Enabling or not enabling client_sip_domain_avp, client_tls_domain_avp,
> match_sip_domain and match_ip_address, in any order, does not show any
> different results.
>
>
>
> I thought of maybe making a rollback from 3.4.11 to another version where
> someone did this connection with Teams successfully.
>
>
>
> In past versions here in this list I read that some fellows ran into the
> same error. But there was an error in the cfg file. I made several
> alterations to this file, modules and certificates. The only change that I
> didn't make was changing the version.
>
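
Added example, not part of the original thread: `error=20` at `depth = 1` in the log at the top of this message means the verifier reached the peer's issuing CA but has no trusted copy of the root that signed it. The script below reproduces that with a constructed PKI and shows the check passing once the peer's root is in the CA bundle; every CN, file name and helper function (`new_root`, `issue`, `chain_status`) is made up for the example.

```shell
#!/usr/bin/env bash
# Constructed stand-ins, not real CAs:
#   peer_root -> the root that signed the remote side's issuing CA
#   own_root  -> the CA of the SBC's own certificate (all that the CA bundle held)
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$work/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

new_root() {  # $1 = file prefix, $2 = CN; writes a self-signed CA certificate
  openssl req -x509 -config "$work/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$2" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

issue() {  # $1 = prefix, $2 = CN, $3 = issuer prefix, $4.. = extra x509 options
  local name="$1" cn="$2" ca="$3"; shift 3
  openssl req -new -config "$work/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$cn" -keyout "$work/$name.key" -out "$work/$name.csr" 2>/dev/null
  openssl x509 -req -in "$work/$name.csr" -CA "$work/$ca.pem" -CAkey "$work/$ca.key" \
    -CAcreateserial -days 2 -out "$work/$name.pem" "$@" 2>/dev/null
}

chain_status() {  # $1 = CA bundle; prints "OK" or the first verify error line
  local out
  # The peer sends leaf + issuing CA, so the issuing CA is passed as untrusted.
  out=$(openssl verify -CAfile "$1" -untrusted "$work/inter.pem" "$work/leaf.pem" 2>&1) || true
  case $out in
    *": OK"*) echo "OK" ;;
    *) printf '%s\n' "$out" | grep -m1 '^error [0-9]' ;;
  esac
}

new_root peer_root "Constructed Peer Root"
new_root own_root  "Constructed Own Root"
issue inter "Constructed Peer Issuing CA" peer_root -extfile "$work/pki.cnf" -extensions v3_ca
issue leaf  "sip.peer.example" inter
cat "$work/own_root.pem" "$work/peer_root.pem" > "$work/bundle.pem"

echo "CA bundle = own chain only : $(chain_status "$work/own_root.pem")"
echo "CA bundle = own + peer root: $(chain_status "$work/bundle.pem")"
```

The same `openssl verify -CAfile <bundle> -untrusted <issuing CA> <peer cert>` check can be run against the file the client domain's `ca_list` points to, using certificates saved from the real peer.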