<div dir="ltr">hi,<br><br>attached the lines from the cfg file:<br><br>root@XXXX:/usr/local/etc/opensips# cat opensips.cfg | grep tls<br>disable_tls = no<br>listen = tls:X.X.X.X:30100<br>tls_port_no = 30100<br>tls_verify_server = 0<br>
tls_verify_client = 0<br>tls_require_client_certificate = 0<br>tls_method = TLSv1<br>tls_certificate = &quot;/usr/local/etc/opensips/tls/user/user-cert.pem&quot;<br>tls_private_key = &quot;/usr/local/etc/opensips/tls/user/user-privkey.pem&quot;<br>
tls_ca_list = &quot;/usr/local/etc/opensips/tls/user/user-calist.pem&quot;<br><br>thanks for the help,<br>nir<br><br><div class="gmail_quote">On Mon, Jan 18, 2010 at 3:41 PM, Bogdan-Andrei Iancu <span dir="ltr">&lt;<a href="mailto:bogdan@voice-system.ro">bogdan@voice-system.ro</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi Nir,<br>
<br>
the last command either creates the CA list file (if not present) or adds<br>
the current CA to it (if already present).<br>
<br>
Also, have you properly set the TLS related parameters in the config file?<br>
<div class="im"><br>
Regards,<br>
Bogdan<br>
<br>
nir elkayam wrote:<br>
&gt; hi,<br>
&gt;<br>
</div><div class="im">&gt; i follow the script on :<br>
&gt; <a href="http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html" target="_blank">http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html</a><br>
&gt;<br>
&gt; mainly, generated root certificate with:<br>
&gt; opensipsctl tls rootCA<br>
&gt; and then generate user (i.e. sip server) certificate with:<br>
&gt; opensipsctl tls userCERT user<br>
&gt;<br>
&gt; about the file ca_list, the wiki says:<br>
&gt;<br>
&gt; To add more CAs to your list, just do:<br>
&gt;<br>
&gt;    * cat add_cacert.pem &gt;&gt; calist.pem<br>
&gt;<br>
&gt; but not sure about that, shouldn&#39;t the last command have updated<br>
&gt; the ca list? i see that the file isn&#39;t empty..<br>
&gt;<br>
&gt; nir<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; On Fri, Jan 15, 2010 at 6:35 PM, Bogdan-Andrei Iancu<br>
</div><div><div></div><div class="h5">&gt; &lt;<a href="mailto:bogdan@voice-system.ro">bogdan@voice-system.ro</a> &lt;mailto:<a href="mailto:bogdan@voice-system.ro">bogdan@voice-system.ro</a>&gt;&gt; wrote:<br>
&gt;<br>
&gt;     Hi Nir,<br>
&gt;<br>
&gt;     I see you managed to start opensips with TLS - what was your error?<br>
&gt;<br>
&gt;     for _tls_read -&gt; that is very funny: SSL_read return err 5<br>
&gt;     (SSL_ERROR_SYSCALL) which means to look at error stack/return<br>
&gt;     value/errno for the real error (the error was generated somewhere<br>
&gt;     deep in the SSL underlayers), but the errno is Success and stack is empty<br>
&gt;     :P..... Looks like a ghost error...<br>
&gt;<br>
&gt;     for tls_accept -&gt; the error is in the stack, and after googling a bit -&gt;<br>
&gt;     &quot;obviously the CA that signed your clients is not known to the server.<br>
&gt;     Take a look at&quot;<br>
&gt;<br>
&gt;     <a href="http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6" target="_blank">http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6</a><br>
&gt;     <a href="http://www.modssl.org/docs/2.8/ssl_reference.html#ToC14" target="_blank">http://www.modssl.org/docs/2.8/ssl_reference.html#ToC14</a><br>
&gt;<br>
&gt;<br>
&gt;     Regards,<br>
&gt;     Bogdan<br>
&gt;<br>
&gt;     nir elkayam wrote:<br>
&gt;     &gt; hi,<br>
&gt;     &gt;<br>
&gt;     &gt; i am using opensips/TLS,<br>
&gt;     &gt;<br>
&gt;     &gt; i get the following error<br>
&gt;     &gt; Jan 14 22:53:54 [19740] ERROR:core:_tls_read: SYSCALL error -&gt; (0) &lt;Success&gt;<br>
&gt;     &gt; Jan 14 22:53:54 [19740] ERROR:core:_tls_read: something wrong in SSL: 5<br>
&gt;     &gt; Jan 14 22:53:54 [19740] ERROR:core:tcp_read_req: failed to read<br>
&gt;     &gt; Jan 14 22:54:46 [19740] ERROR:core:tls_accept: some error in SSL (ret=0, err=1, errno=0/Success):<br>
&gt;     &gt; Jan 14 22:54:46 [19740] ERROR:core:tls_print_errstack: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<br>
&gt;     &gt;<br>
&gt;     &gt; any hints about these?<br>
&gt;     &gt; actually the client works but error in encryption process is not good,<br>
&gt;     &gt; i think<br>
&gt;     &gt;<br>
&gt;     &gt; thanks<br>
&gt;     &gt;<br>
&gt;     ------------------------------------------------------------------------<br>
&gt;     &gt;<br>
&gt;     &gt; _______________________________________________<br>
&gt;     &gt; Users mailing list<br>
</div></div>&gt;     &gt; <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a> &lt;mailto:<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>&gt;<br>
<div class="im">&gt;     &gt; <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
&gt;     &gt;<br>
&gt;<br>
&gt;<br>
&gt;     --<br>
&gt;     Bogdan-Andrei Iancu<br>
</div>&gt;     <a href="http://www.voice-system.ro" target="_blank">www.voice-system.ro</a> &lt;<a href="http://www.voice-system.ro" target="_blank">http://www.voice-system.ro</a>&gt;<br>
&gt;<br>
&gt;<br>
<div class="im">
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; --<br>
&gt; ניר אלקיים<br>
&gt; Tel: 050-3930056<br>
</div>&gt; <a href="mailto:nir.elkayam@gmail.com">nir.elkayam@gmail.com</a> &lt;mailto:<a href="mailto:nir.elkayam@gmail.com">nir.elkayam@gmail.com</a>&gt;<br>
<div><div></div><div class="h5">&gt;<br>
&gt;<br>
<br>
<br>
--<br>
Bogdan-Andrei Iancu<br>
<a href="http://www.voice-system.ro" target="_blank">www.voice-system.ro</a><br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>ניר אלקיים<br>Tel: 050-3930056<br><a href="mailto:nir.elkayam@gmail.com">nir.elkayam@gmail.com</a><br><br>
</div>
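<div>Added example, not part of the original thread: decoding the packed OpenSSL error code from the tls_print_errstack line quoted above, to show which TLS alert it carries and which side sent it. It assumes the pre-3.0 OpenSSL error layout (8 hex digits: library, function, reason); the function and constant names in the script are illustrative.</div>

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2); only the ones tied to
# certificate validation are listed here.
ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
ERR_LIB_SSL = 20              # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000   # libssl reasons >= 1000 are alerts received from the peer

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(line):
    """Decode a pre-3.0 OpenSSL 'error:XXXXXXXX:lib:func:reason' string."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF       # same split as ERR_GET_LIB
    func = (code >> 12) & 0xFFF     # same split as ERR_GET_FUNC
    reason = code & 0xFFF           # same split as ERR_GET_REASON
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib, "func": func, "reason": reason,
        "text": m.group(4).strip(),
        "peer_alert": alert,
        "alert_name": ALERTS.get(alert),
    }


# The error-stack line quoted in the thread above.
LOG_LINE = ("Jan 14 22:54:46 [19740] ERROR:core:tls_print_errstack: "
            "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca")

if __name__ == "__main__":
    info = decode_openssl_error(LOG_LINE)
    if info and info["peer_alert"] is not None:
        print("peer sent alert %d (%s): it could not match the certificate "
              "chain presented by this side to a CA it trusts"
              % (info["peer_alert"], info["alert_name"]))
```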