<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
We have reproduced the problem, the issue appears when the opensips as client send the certificate to the EDGE (server) we have to avoid this client certificate invoce.<BR>
<BR>
Best regards<BR>
Gianluca<BR><BR>> Date: Tue, 20 Jan 2009 17:21:43 +0200<BR>> From: bogdan@voice-system.ro<BR>> To: gianluca.moretti@hotmail.it<BR>> CC: users@lists.opensips.org; devel@lists.opensips.org<BR>> Subject: Re: [OpenSIPS-Users] OCS Opensisp certificate issues using TLS<BR>> <BR>> Probably we should try to get more info about the error at runtime . Let <BR>> me do some checks to see how we can squize more info about the error and <BR>> to print it.<BR>> <BR>> Regards,<BR>> Bogdan<BR>> <BR>> gianluca moretti wrote:<BR>> > Bogdan, the error is ok, how can i solve the problem.<BR>> > The update to this issue is if the client send the his certificate to <BR>> > the server and this cause the problem.<BR>> > <BR>> > Ciao <BR>> > <BR>> > Best regards<BR>> ><BR>> > > Date: Tue, 20 Jan 2009 15:04:48 +0200<BR>> > > From: bogdan@voice-system.ro<BR>> > > To: gianluca.moretti@hotmail.it<BR>> > > CC: users@lists.opensips.org; devel@lists.opensips.org<BR>> > > Subject: Re: [OpenSIPS-Users] OCS Opensisp certificate issues using TLS<BR>> > ><BR>> > > Hi Gianluca,<BR>> > ><BR>> > > You get this:<BR>> > ><BR>> > > Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5<BR>> > ><BR>> > > 5 is SSL_ERROR_SYSCALL . See:<BR>> > > http://openssl.org/docs/ssl/SSL_get_error.html<BR>> > ><BR>> > > Regards,<BR>> > > Bogdan<BR>> > ><BR>> > > gianluca moretti wrote:<BR>> > > > We try to integrate OCS 2007 and opensisps using TLS<BR>> > > ><BR>> > > > SCENARIO:<BR>> > > ><BR>> > > > [wesip] Sending register to OCS<BR>> > > > Seas ------------------------------------> EDGE --> OCS<BR>> > > > [Opensips]<BR>> > > ><BR>> > > ><BR>> > > > Issue: Opensisps cannot connect to EDGE server and in details<BR>> > > > opensisps send always a the certificate to the client<BR>> > > > any idea to avoid to opensisps to send the always certificate.<BR>> > > > EDGE: CertVerifyCertificateChainPolicy retuned a failure in<BR>> > > > CERT_CHAIN_POLICY_STATUS<BR>> > > > OPENSIPS:<BR>> > > > Jan 17 16:06:12 [30303] DBG:core:tls_dump_cert_info: tls_connect:<BR>> > > > local (client) certificate issuer: /CN=Your_NAME/ST=Your_ST<BR>> > > > ATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME<BR>> > > > Jan 17 16:06:12 [30303] DBG:core:tls_write: write was successful (791<BR>> > > > bytes)<BR>> > > > Jan 17 16:06:12 [30303] DBG:core:tcp_send: after write: c= 0xb612fcf8<BR>> > > > n=791 fd=23<BR>> > > > Jan 17 16:06:12 [30303] DBG:core:tcp_send: buf=<BR>> > > > REGISTER sip:hmcint.local:5060;transport=tcp SIP/2.0<BR>> > > > Via: SIP/2.0/TLS 192.168.5.59:5061;branch=z9hG4bKd863.89657825.0;i=2<BR>> > > > Via: SIP/2.0/TCP 192.168.5.59;branch=z9hG4bKd863.79657825.0<BR>> > > > To: sip:max.ambrogi@hmcint.local;transport=tcp<BR>> > > > From:<BR>> > > > <BR>> > sip:max.ambrogi@hmcint.local;transport=tcp;tag=BB479256370FF64C226AA6220F2364DD<BR>> > > > CSeq: 1 REGISTER<BR>> > > > Call-ID: 24D8315A8EBB948A4DD4F1A3518E4029@192.168.5.59<BR>> > > > <mailto:24D8315A8EBB948A4DD4F1A3518E4029@192.168.5.59><BR>> > > > Content-Length: 0<BR>> > > > Max-Forwards: 70<BR>> > > > Contact:<BR>> > > > <BR>> > <sip:192.168.5.59:5060;transport=tcp;AppId=.sip2msipGW>;methods="INVITE,<BR>> > > > MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY<BR>> > > > , ACK,<BR>> > > > <BR>> > REFER";proxy=replace;+sip.instance="<urn:uuid:787C69C1-2A21-441f-B792-A908ABFF5010>"<BR>> > > > Supported: gruu-10,adhoclist,msrtc-event-categories,ms-forking<BR>> > > > ms-keep-alive: UAC;hop-hop=yes<BR>> > > > Event: registration<BR>> > > > X-WeSIP-SPIRAL: true<BR>> > > ><BR>> > > > Jan 17 16:06:12 [30303] DBG:tm:set_timer: relative timeout is 30<BR>> > > > Jan 17 16:06:12 [30303] DBG:tm:insert_timer_unsafe: [0]: <BR>> > 0xb610d020 (300)<BR>> > > > Jan 17 16:06:12 [30303] DBG:tm:t_relay_to: new transaction fwd'ed<BR>> > > > Jan 17 16:06:12 [30303] DBG:tm:t_unref: UNREF_UNSAFE: after is 0<BR>> > > > Jan 17 16:06:12 [30303] DBG:core:destroy_avp_list: destroying list <BR>> > (nil)<BR>> > > > Jan 17 16:06:12 [30303] DBG:core:receive_msg: cleaning up<BR>> > > > Jan 17 16:06:12 [30304] DBG:core:tls_update_fd: New fd is 23<BR>> > > > Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in <BR>> > SSL: 5<BR>> > > > Jan 17 16:06:12 [30304] ERROR:core:tcp_read_req: failed to read<BR>> > > > Jan 17 16:06:12 [30304] DBG:core:io_watch_del: io_watch_del<BR>> > > > (0x8164160, 23, -1, 0x10) fd_no=2 called<BR>> > > > Jan 17 16:06:12 [30304] DBG:core:release_tcpconn: releasing con<BR>> > > > 0xb612fcf8, state -2, fd=23, id=9<BR>> > > > Jan 17 16:06:12 [30304] DBG:core:release_tcpconn: extra_data <BR>> > 0xb613fe10<BR>> > > > Jan 17 16:06:12 [30311] DBG:core:handle_tcp_child: reader response=<BR>> > > > b612fcf8, -2 from 1<BR>> > > > Jan 17 16:06:12 [30311] DBG:core:tcpconn_destroy: destroying<BR>> > > > connection 0xb612fcf8, flags 0002<BR>> > > > Jan 17 16:06:12 [30311] DBG:core:tls_close: closing SSL connection<BR>> > > ><BR>> > > ><BR>> > > > The opensips.cfg is configured as following:<BR>> > > > disable_tls = no<BR>> > > > listen = tls:##OPENSIPSIP##:5061<BR>> > > > tls_verify_server = 0<BR>> > > > tls_verify_client = 0<BR>> > > > tls_require_client_certificate = 0<BR>> > > > tls_method = TLSv1<BR>> > > > tls_ca_list = <BR>> > "/product/opensips//etc/opensips/tls/dario/dario-calist.pem"<BR>> > > > tls_certificate = <BR>> > "/product/opensips//etc/opensips/tls/user/user-cert.pem"<BR>> > > > tls_private_key =<BR>> > > > "/product/opensips//etc/opensips/tls/user/user-privkey.pem"<BR>> > > > tls_ciphers_list="RC4-MD5"<BR>> > > ><BR>> > > > route{<BR>> > > ><BR>> > > > if(is_present_hf("X-WeSIP-SPIRAL")){<BR>> > > > log("\nSPIRAL!!!\n");<BR>> > > > t_relay("tls:EDGEIP:5061");<BR>> > > > exit;}<BR>> > > > (on WESIP SPIRAL is equal TRUE)<BR>> > > ><BR>> > > > OPENSIPSIP is the CLIENT e EDGEIP is the SERVER<BR>> > > ><BR>> > > ><BR>> > > > Using Open SSL the connection is OK<BR>> > > > openssl s_client -connect EDGEIP:5061 -ssl2 -CAfile<BR>> > > > /product/opensips_dev/etc/opensips/tls/user/user-calist.pem -cipher<BR>> > > > RC4-MD5<BR>> > > ><BR>> > > > New, TLSv1/SSLv3, Cipher is RC4-MD5<BR>> > > > Server public key is 1024 bit<BR>> > > > SSL-Session:<BR>> > > > Protocol : TLSv1<BR>> > > > Cipher : RC4-MD5<BR>> > > > Session-ID:<BR>> > > > E708000007E4CC591AA8982939C17298FBEDF72E749C010EFFC39FBEB2D143A6<BR>> > > > Session-ID-ctx:<BR>> > > > Master-Key:<BR>> > > > <BR>> > 5835CA1877799D4B507AA31DB8DEA5F11D27DD077FE43F52DC9606ABF296AF6043402938E384FFF7B1485DC77D4D13D7<BR>> > > > Key-Arg : None<BR>> > > > Krb5 Principal: None<BR>> > > > Start Time: 1232205185<BR>> > > > Timeout : 7200 (sec)<BR>> > > > Verify return code: 0 (ok)<BR>> > > ><BR>> > > > Regards<BR>> > > ><BR>> > > ><BR>> > > ><BR>> > > > <BR>> > ------------------------------------------------------------------------<BR>> > > > Scoprilo insieme ai nuovi servizi Windows Live! Messenger 9: oltre le<BR>> > > > parole. <http://download.live.com/messenger/?mkt=it-it><BR>> > > > <BR>> > ------------------------------------------------------------------------<BR>> > > ><BR>> > > > _______________________________________________<BR>> > > > Users mailing list<BR>> > > > Users@lists.opensips.org<BR>> > > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users<BR>> > > ><BR>> > ><BR>> ><BR>> ><BR>> > ------------------------------------------------------------------------<BR>> > Scopri le novitą! Pił veloce, pił tua, pił Hotmail. <BR>> > <http://www.messenger.it/hotmail.aspx><BR>> <BR><BR><br /><hr />Scoprilo insieme ai nuovi servizi Windows Live! <a href='http://download.live.com/messenger/?mkt=it-it' target='_new'>Messenger 9: oltre le parole.</a></body>
</html>