<div dir="ltr">hi,<br><br>attached the lines from the cfg file:<br><br>root@XXXX:/usr/local/etc/opensips# cat opensips.cfg | grep tls<br>disable_tls = no<br>listen = tls:X.X.X.X:30100<br>tls_port_no = 30100<br>tls_verify_server = 0<br>
tls_verify_client = 0<br>tls_require_client_certificate = 0<br>tls_method = TLSv1<br>tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"<br>tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"<br>
tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"<br><br>thanks for the help,<br>nir<br><br><div class="gmail_quote">On Mon, Jan 18, 2010 at 3:41 PM, Bogdan-Andrei Iancu <span dir="ltr"><<a href="mailto:bogdan@voice-system.ro">bogdan@voice-system.ro</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi Nir,<br>
<br>
the last command either creates the CA list file (if not present) or<br>
appends the current CA to it (if already present).<br>
<br>
Also, have you properly set the TLS related parameters in the config file?<br>
<div class="im"><br>
Regards,<br>
Bogdan<br>
<br>
nir elkayam wrote:<br>
> hi,<br>
><br>
</div><div class="im">> i followed the script at:<br>
> <a href="http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html" target="_blank">http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html</a><br>
><br>
> mainly, generated root certificate with:<br>
> opensipsctl tls rootCA<br>
> and then generate user (i.e. sip server) certificate with:<br>
> opensipsctl tls userCERT user<br>
><br>
> about the file ca_list, the wiki says:<br>
><br>
> To add more CAs to your list, just do:<br>
><br>
>   * cat add_cacert.pem >> calist.pem<br>
><br>
> but not sure about that, shouldn't the last command have updated<br>
> the ca list? i see that the file isn't empty..<br>
><br>
> nir<br>
><br>
><br>
><br>
> On Fri, Jan 15, 2010 at 6:35 PM, Bogdan-Andrei Iancu<br>
</div><div><div></div><div class="h5">> <<a href="mailto:bogdan@voice-system.ro">bogdan@voice-system.ro</a> <mailto:<a href="mailto:bogdan@voice-system.ro">bogdan@voice-system.ro</a>>> wrote:<br>
><br>
>    Hi Nir,<br>
><br>
>    I see you managed to start opensips with TLS - what was your error?<br>
><br>
>    for _tls_read -> that is very funny: SSL_read returns err 5<br>
>    (SSL_ERROR_SYSCALL) which means to look at error stack/return<br>
>    value/errno for the real error (the error was generated somewhere<br>
>    deep in<br>
>    the SSL underlayers), but the errno is Success and stack is empty<br>
>    :P..... Looks like a ghost error...<br>
><br>
>    for tls_accept -> the error is in the stack, and after googling a<br>
>    bit -><br>
>    "obviously the CA that signed your clients is not known to the server.<br>
>    Take a look at"<br>
><br>
>    <a href="http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6" target="_blank">http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6</a><br>
>    <a href="http://www.modssl.org/docs/2.8/ssl_reference.html#ToC14" target="_blank">http://www.modssl.org/docs/2.8/ssl_reference.html#ToC14</a><br>
><br>
><br>
>    Regards,<br>
>    Bogdan<br>
><br>
>    nir elkayam wrote:<br>
>    > hi,<br>
>    ><br>
>    > i am using opensips/TLS,<br>
>    ><br>
>    > i get the following error<br>
>    > Jan 14 22:53:54 [19740] ERROR:core:_tls_read: SYSCALL error -> (0)<br>
>    > <Success><br>
>    > Jan 14 22:53:54 [19740] ERROR:core:_tls_read: something wrong in<br>
>    SSL: 5<br>
>    > Jan 14 22:53:54 [19740] ERROR:core:tcp_read_req: failed to read<br>
>    > Jan 14 22:54:46 [19740] ERROR:core:tls_accept: some error in SSL<br>
>    > (ret=0, err=1, errno=0/Success):<br>
>    > Jan 14 22:54:46 [19740] ERROR:core:tls_print_errstack:<br>
>    > error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<br>
>    ><br>
>    > any hints about these?<br>
>    > actually the client works but error in encryption process is not<br>
>    good,<br>
>    > i think<br>
>    ><br>
>    > thanks<br>
>    ><br>
>    ------------------------------------------------------------------------<br>
>    ><br>
>    > _______________________________________________<br>
>    > Users mailing list<br>
</div></div>>    > <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>><br>
<div class="im">>    > <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
>    ><br>
><br>
><br>
>    --<br>
>    Bogdan-Andrei Iancu<br>
</div>>    <a href="http://www.voice-system.ro" target="_blank">www.voice-system.ro</a> <<a href="http://www.voice-system.ro" target="_blank">http://www.voice-system.ro</a>><br>
><br>
><br>
<div class="im">
><br>
><br>
><br>
><br>
> --<br>
> ניר אלקיים<br>
> Tel: 050-3930056<br>
</div>> <a href="mailto:nir.elkayam@gmail.com">nir.elkayam@gmail.com</a> <mailto:<a href="mailto:nir.elkayam@gmail.com">nir.elkayam@gmail.com</a>><br>
<div><div></div><div class="h5">><br>
><br>
<br>
<br>
--<br>
Bogdan-Andrei Iancu<br>
<a href="http://www.voice-system.ro" target="_blank">www.voice-system.ro</a><br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>ניר אלקיים<br>Tel: 050-3930056<br><a href="mailto:nir.elkayam@gmail.com">nir.elkayam@gmail.com</a><br><br>
</div>
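The following decoder is an added example, not code from the thread or from OpenSIPS. It unpacks the `error:14094418` value logged by `tls_print_errstack`, assuming the packed error layout of the OpenSSL 0.9.x/1.0.x releases of that period, and reports whether the reason code is a TLS alert received from the peer; the function names and the sample list are illustrative.

```python
import re

# ERR_PACK layout assumed here (OpenSSL 0.9.x/1.0.x):
# 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SSL = 0x14
# In the SSL library, reason codes from 1000 up are "1000 + alert number":
# they are recorded when a fatal TLS alert is received from the peer.
SSL_AD_REASON_OFFSET = 1000

# Certificate-related alert descriptions from RFC 5246, section 7.2.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

ERRSTACK_RE = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.*)$")


def decode_errstack(line):
    """Return a dict describing the packed error in one log line, or None."""
    m = ERRSTACK_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "func_name": m.group(2),
            "reason": reason, "text": m.group(3).strip(),
            "peer_alert": None, "alert_name": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        info["peer_alert"] = reason - SSL_AD_REASON_OFFSET
        info["alert_name"] = CERT_ALERTS.get(info["peer_alert"], "other")
    return info


def peer_alerts(lines):
    """Collect (alert number, name) for every peer alert found in the log."""
    found = (decode_errstack(l) for l in lines)
    return [(d["peer_alert"], d["alert_name"]) for d in found
            if d and d["peer_alert"] is not None]


# Log lines from the thread, with the mail client's line wrapping undone.
SAMPLE_LOG = [
    "Jan 14 22:53:54 [19740] ERROR:core:_tls_read: something wrong in SSL: 5",
    "Jan 14 22:54:46 [19740] ERROR:core:tls_accept: some error in SSL (ret=0, err=1, errno=0/Success):",
    "Jan 14 22:54:46 [19740] ERROR:core:tls_print_errstack: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
]

if __name__ == "__main__":
    for alert in peer_alerts(SAMPLE_LOG):
        print("peer sent fatal alert %d (%s)" % alert)
```

Reason 1048 decodes to alert 48 (`unknown_ca`) sent by the remote side, so the trust store to check is the one on the peer that rejected the certificate it was shown.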