I've read the TLS tutorial
http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html

I can't get a snom or counterpath phone to register at all over TLS.  I'm not sure what is wrong.  The only errors I see when I start OpenSIPS are

Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_tls: disabling compression due ZLIB problems
Apr 30 00:08:27 SIPProxy01 opensips: INFO:core:init_tls_domains: Processing TLS domain [0.0.0.0:0]
Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_ssl_ctx_behavior: client verification NOT activated. Weaker security.
Apr 30 00:08:27 SIPProxy01 opensips: INFO:core:init_tls_domains: Processing TLS domain [0.0.0.0:0]
Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_ssl_ctx_behavior: server verification NOT activated. Weaker security.
Apr 30 00:08:27 SIPProxy01 /usr/local/sbin/opensips[11060]: NOTICE:core:main: version: opensips 1.8.0-dev0-tls (x86_64/linux)

To get the client cert to work with Snom I had to change the cacert.pem to a .der file.  So I did
sudo openssl x509 -in cacert.pem -out cacert.der -outform DER

For my config I have the following.

disable_tls = no
listen = tls:50.XX.XX.156:5061
tls_verify_server = 0
tls_verify_client = 0
tls_require_client_certificate = 0
tls_method = TLSv1
#tls_method = SSLv23
tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"

From the Snom phone I can see the Register sent to the server

Sent to tls:50.XX.XX.156:5061 at 30/4/2012 00:09:11:335 (683 bytes):

REGISTER sip:i.com SIP/2.0
Via: SIP/2.0/TLS 192.168.1.70:3636;branch=z9hG4bK-brbd3nfa0aao;rport
From: "1000 - 6XX-6XX4" <sip:9016XX6XX4@i.com>;tag=luco4y7th3
To: "1000 - 6XX-6XX4" <sip:9016XX6XX4@i.com>
Call-ID: 3070263c3b8a-l2a7wl7yrrox
CSeq: 44 REGISTER
Max-Forwards: 70
Contact: <sip:9016XX6XX4@192.168.1.70:3636;transport=tls;line=2c34lho2>;reg-id=1;q=1.0;audio;mobility="fixed";duplex="full";description="snom821";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
User-Agent: snom821/8.4.35
Allow-Events: dialog
X-Real-IP: 192.168.1.70
Supported: path
Expires: 3600
Content-Length: 0

I don't see anything at all in the syslog.  I did a debug 4 too.  If I do a ssldump I only see the following

New TCP connection #101: 99-67-237-217.lightspeed.austtx.sbcglobal.net(4801) <-> 50-XX-XX-156.static.cloud-ips.com(5061)
101 1  0.0562 (0.0562)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_NULL_MD5
        TLS_RSA_WITH_NULL_SHA
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_DH_anon_WITH_RC4_128_MD5
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_DH_anon_WITH_DES_CBC_SHA
        compression methods
                  NULL

So it looks like there is no S>C

Any ideas?
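
Added example, not part of the original post: a short Python check that pulls the cipher suites out of the ssldump ClientHello above and tags each with its weakness class, so the phone's offer can be compared with what the server's TLS library has enabled. The rule labels and function names are this example's own.

```python
import re

# ClientHello as captured by ssldump in the post above.
SSLDUMP = """\
101 1  0.0562 (0.0562)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_NULL_MD5
        TLS_RSA_WITH_NULL_SHA
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_DH_anon_WITH_RC4_128_MD5
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_DH_anon_WITH_DES_CBC_SHA
        compression methods
                  NULL
"""

# Weakness classes matched on the suite name (labels are this example's own).
RULES = [
    ("no-encryption", re.compile(r"_WITH_NULL_")),
    ("anonymous-kx", re.compile(r"_anon_")),
    ("export-grade", re.compile(r"_EXPORT")),
    ("single-DES", re.compile(r"_WITH_DES_")),   # does not match 3DES
    ("RC4", re.compile(r"_RC4_")),
    ("MD5-MAC", re.compile(r"_MD5$")),
]

def offered_suites(dump):
    """Suite names listed between 'cipher suites' and 'compression methods'."""
    suites, inside = [], False
    for line in dump.splitlines():
        token = line.strip()
        if token == "cipher suites":
            inside = True
        elif token == "compression methods":
            inside = False
        elif inside and token.startswith(("TLS_", "SSL_")):
            suites.append(token)
    return suites

def classify(suite):
    """Every weakness label whose pattern matches the suite name."""
    return [label for label, rx in RULES if rx.search(suite)]

def unflagged(dump):
    """Offered suites that fall into none of the weakness classes."""
    return [s for s in offered_suites(dump) if not classify(s)]

if __name__ == "__main__":
    for s in offered_suites(SSLDUMP):
        print(f"{s:40} {', '.join(classify(s))}")
    print("unflagged:", unflagged(SSLDUMP))
```

On the capture above, unflagged() returns an empty list: every suite the phone offered uses RC4, single DES, export-grade keys, anonymous DH or no encryption.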