<div>Since there seems to be many variables that could be wrong in my setup let me explain what I am hoping to accomplish.<br><br>I have two OpenSIPS Proxies running in a redundant fashion with HA.<br>Proxy 1 = SIPProxy01   &lt;--- Hostname<br>

Proxy 2 = SIPProxy02   &lt;--- Hostname<br><br>Both servers share an IP address of AAA.BBB.CCC.DDD<br><br>I am hosting multiple domains with this setup.  The clients log in by using their domain credentials (example - <a href="mailto:9012XX2XX9@abc.com" target="_blank">9012XX2XX9@abc.com</a>), but all clients are configured to point to <a href="http://sip.ae.com:5060" target="_blank">sip.ae.com:5060</a> as their outbound proxy in order to register and call out.  I have a DNS record that points <a href="http://sip.ae.com" target="_blank">sip.ae.com</a> to the IP address AAA.BBB.CCC.DDD which is the SIPProxy HA IP address.<br>

<br>So from reading the TLS support page (<a href="http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html#AEN345" target="_blank">http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html#AEN345</a>) it sounds like I need to do a &quot;Virtual hosting scenario&quot;.  It says to do<br>

<br>&quot;As the SIP proxy
                        does not have received a SIP message yet (this is done after the TLS handshake), the SIP
                        proxy can not retrieve the target domain (which will be usually retrieved from the domain in 
                        the request URI). Thus, distinction for these domains must be done by using multiple sockets.
                        The socket on which the TLS connection is received, identifies the respective domain. Thus 
                        the SIP proxy is able to present the proper certificate.&quot;<br><br>So I think I need to do the following<br><br>disable_tls = no<br>listen=tls:50.XX.YY.45:5061<br>listen=tls:50.XX.YY.45:5063  ### For Domain <a href="http://abc.com" target="_blank">abc.com</a><br>

listen=tls:50.XX.YY.45:5064  ### For Domain <a href="http://xyz.com" target="_blank">xyz.com</a><br>tls_method=tlsv1<br>tls_verify_client = 1<br>tls_require_client_certificate = 1<br>tls_ca_list = &quot;/usr/local/etc/opensips/certs/CA/cert.pem&quot;<br>

<br>tls_server_domain[50.XX.YY.45:5063] {<br>    tls_certificate = &quot;/usr/local/etc/opensips/certs/<a href="http://abc.com/cert.pem" target="_blank">abc.com/cert.pem</a>&quot;<br>    tls_private_key = &quot;/usr/local/etc/opensips/certs/<a href="http://abc.com/privkey.pem" target="_blank">abc.com/privkey.pem</a>&quot;<br>

    tls_ca_list     = &quot;/usr/local/etc/opensips/certs/CA/cert.pem&quot;<br>}<br>tls_server_domain[50.XX.YY.45:5064] {<br>    tls_certificate = &quot;/usr/local/etc/opensips/certs/<a href="http://xyz.com/cert.pem" target="_blank">xyz.com/cert.pem</a>&quot;<br>

    tls_private_key = &quot;/usr/local/etc/opensips/certs/<a href="http://xyz.com/privkey.pem" target="_blank">xyz.com/privkey.pem</a>&quot;<br>    tls_ca_list     = &quot;/usr/local/etc/opensips/certs/CA/cert.pem&quot;<br>
<br>}<br><br>Does this sound right?  So for my clients at <a href="http://abc.com" target="_blank">abc.com</a> would I need to configure them to point to the outbound proxy of <a href="http://sip.ae.com:5063" target="_blank">sip.ae.com:5063</a>?<br>

<br>If <a href="http://abc.com" target="_blank">abc.com</a> calls <a href="http://xyz.com" target="_blank">xyz.com</a> and both are on the same sipproxy will there be a cert issue or does OpenSIPS know how to handle this?  The TLS doc says to do<br>
tls_client_domain_avp=400<br>
# calls to other SIP domains<br># set the proper SSL context (certificate) for local hosted domains<br>avp_write(&quot;$fd&quot;,&quot;$avp(400)&quot;);<br>t_relay(); # uses NAPTR and SRV lookups<br>exit;<br><br><br>I thought with some certificates the name of the server mattered.  I know when working with wireless certs this is an issue.  Does the name of the server when creating the CA cert and individual domain certs matter?<br>

</div><div> </div><div>I can&#39;t seem to get this to work.  I just see the following on the server and no reply</div><div> </div><div>New TCP connection #51: <a href="http://99-67-237-217.lightspeed.austtx.sbcglobal.net">99-67-237-217.lightspeed.austtx.sbcglobal.net</a>(58638) &lt;-&gt; <a href="http://50-XX-XX-156.static.cloud-ips.com">50-XX-XX-156.static.cloud-ips.com</a>(5063)<br>
51 1  0.0547 (0.0547)  C&gt;S  Handshake<br>      ClientHello<br>        Version 3.1 <br>        cipher suites<br>        Unknown value 0xc014<br>        TLS_DHE_RSA_WITH_AES_256_CBC_SHA<br>        TLS_RSA_WITH_AES_256_CBC_SHA<br>
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA<br>        Unknown value 0xc013<br>        TLS_DHE_RSA_WITH_AES_128_CBC_SHA<br>        TLS_RSA_WITH_AES_128_CBC_SHA<br>        TLS_DHE_DSS_WITH_AES_128_CBC_SHA<br>        Unknown value 0xc012<br>
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA<br>        TLS_RSA_WITH_3DES_EDE_CBC_SHA<br>        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA<br>        TLS_DHE_RSA_WITH_DES_CBC_SHA<br>        TLS_RSA_WITH_DES_CBC_SHA<br>        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA<br>
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA<br>        TLS_DHE_DSS_WITH_DES_CBC_SHA<br>        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA<br>        Unknown value 0xff<br>        compression methods<br>                  NULL</div>
<div> </div><div><br>Sorry for all the questions but TLS is new for me.<br><br><br><br></div><div class="gmail_quote">On Mon, Apr 30, 2012 at 12:48 AM, Duane Larson <span dir="ltr">&lt;<a href="mailto:duane.larson@gmail.com" target="_blank">duane.larson@gmail.com</a>&gt;</span> wrote:<br>

<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">I&#39;ve read the TLS tutorial<br><a href="http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html" target="_blank">http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html</a><br>

<br><br>I can&#39;t get a snom or counterpath phone to register at all over TLS.  I&#39;m not sure what is wrong.  The only errors I see when I start OpenSIPS are<br>
Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_tls: disabling compression due ZLIB problems<br>
Apr 30 00:08:27 SIPProxy01 opensips: INFO:core:init_tls_domains: Processing TLS domain [<a href="http://0.0.0.0:0" target="_blank">0.0.0.0:0</a>]<br>
Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_ssl_ctx_behavior: client verification NOT activated. Weaker security.<br>
Apr 30 00:08:27 SIPProxy01 opensips: INFO:core:init_tls_domains: Processing TLS domain [<a href="http://0.0.0.0:0" target="_blank">0.0.0.0:0</a>]<br>
Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_ssl_ctx_behavior: server verification NOT activated. Weaker security.<br>
Apr 30 00:08:27 SIPProxy01 /usr/local/sbin/opensips[11060]: NOTICE:core:main: version: opensips 1.8.0-dev0-tls (x86_64/linux)<br><br><br>To get the client cert to work with Snom I had to change the cacert.pem to a .der file.  So I did<br>


sudo openssl x509 -in cacert.pem -out cacert.der -outform DER <br><br><br>For my config I have the following.<br><br>disable_tls = no<br>listen = tls:50.XX.XX.156:5061<br>tls_verify_server = 0<br>tls_verify_client = 0<br>


tls_require_client_certificate = 0<br>tls_method = TLSv1<br>#tls_method = SSLv23<br>tls_certificate = &quot;/usr/local/etc/opensips/tls/user/user-cert.pem&quot;<br>tls_private_key = &quot;/usr/local/etc/opensips/tls/user/user-privkey.pem&quot;<br>


tls_ca_list = &quot;/usr/local/etc/opensips/tls/user/user-calist.pem&quot;<br><br><br><br>From the Snom phone I can see the Register sent to the server<br><br><p>Sent to tls:50.XX.XX.156:5061 at 30/4/2012 00:09:11:335 (683 bytes):</p>



REGISTER sip:<a href="http://i.com" target="_blank">i.com</a> SIP/2.0<br>
Via: SIP/2.0/TLS 192.168.1.70:3636;branch=z9hG4bK-brbd3nfa0aao;rport<br>
From: &quot;1000 - 6XX-6XX4&quot; &lt;<a href="mailto:sip%3A9016XX6XX4@i.com" target="_blank">sip:9016XX6XX4@i.com</a>&gt;;tag=luco4y7th3<br>
To: &quot;1000 - 6XX-6XX4&quot; &lt;<a href="mailto:sip%3A9016XX6XX4@i.com" target="_blank">sip:9016XX6XX4@i.com</a>&gt;<br>
Call-ID: 3070263c3b8a-l2a7wl7yrrox<br>
CSeq: 44 REGISTER<br>
Max-Forwards: 70<br>
Contact: &lt;sip:9016XX6XX4@192.168.1.70:3636;transport=tls;line=2c34lho2&gt;;reg-id=1;q=1.0;audio;mobility=&quot;fixed&quot;;duplex=&quot;full&quot;;description=&quot;snom821&quot;;actor=&quot;principal&quot;;events=&quot;dialog&quot;;methods=&quot;INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO&quot;<br>



User-Agent: snom821/8.4.35<br>
Allow-Events: dialog<br>
X-Real-IP: 192.168.1.70<br>
Supported: path<br>
Expires: 3600<br>
Content-Length: 0<br><br>I don&#39;t see anything at all in the syslog.  I did a debug 4 too.  If I do a ssldump I only see the following<br><br><br><br>New TCP connection #101: <a href="http://99-67-237-217.lightspeed.austtx.sbcglobal.net" target="_blank">99-67-237-217.lightspeed.austtx.sbcglobal.net</a>(4801) &lt;-&gt; <a href="http://50-XX-XX-156.static.cloud-ips.com" target="_blank">50-XX-XX-156.static.cloud-ips.com</a>(5061)<br>


101 1  0.0562 (0.0562)  C&gt;S  Handshake<br>      ClientHello<br>        Version 3.1 <br>        cipher suites<br>        TLS_RSA_WITH_RC4_128_MD5<br>        TLS_RSA_WITH_RC4_128_SHA<br>        TLS_RSA_WITH_NULL_MD5<br>

        TLS_RSA_WITH_NULL_SHA<br>
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA<br>        TLS_DH_anon_WITH_RC4_128_MD5<br>        TLS_RSA_WITH_DES_CBC_SHA<br>        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>        TLS_DH_anon_WITH_DES_CBC_SHA<br>


        compression methods<br>                  NULL<br><br>So it looks like there is no S&gt;C<br><br><br>Any ideas?<br>
</blockquote></div><br><br clear="all"><br>-- <br>--<br>*--*--*--*--*--*<br>Duane<br>*--*--*--*--*--*<br>--<br>
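Both ssldump excerpts in this thread stop at the client's ClientHello with no S&gt;C record at all. When a TLS handshake stalls like that, one of the first things to check is whether the client offered any cipher suite the server could actually select: the Snom's offer is made up of RC4, single DES, NULL-encryption, anonymous-DH and EXPORT suites, while a server holding an RSA certificate and refusing anonymous/NULL/EXPORT suites has nothing to pick from such a list. The script below is an added example, not code from this post or from the OpenSIPS project. It parses the C&gt;S ClientHello block out of ssldump text and triages the offered suites; the trace string is constructed from the Snom excerpt quoted above (hostnames shortened), and the classification rules are general TLS facts rather than anything specific to OpenSIPS.

```python
"""Triage of the cipher suites a SIP phone offers in its TLS ClientHello.

Added example for this thread; it is not code from the mailing-list post or
from the OpenSIPS project. SSLDUMP_TRACE is constructed from the ssldump
excerpt quoted in the thread (hostnames shortened). The classification rules
are general TLS facts: anonymous DH gives no server authentication, NULL
suites give no confidentiality, EXPORT suites use 40/56-bit keys, and a DSS
suite needs a DSA-signed certificate, so a server that only holds an RSA
certificate can never select it.
"""

# Constructed sample: the Snom ClientHello from the thread, as ssldump prints it.
SSLDUMP_TRACE = """\
New TCP connection #101: client.example(4801) <-> proxy.example(5061)
101 1  0.0562 (0.0562)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_NULL_MD5
        TLS_RSA_WITH_NULL_SHA
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_DH_anon_WITH_RC4_128_MD5
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_DH_anon_WITH_DES_CBC_SHA
        compression methods
                  NULL
"""

CATEGORIES = ("acceptable", "weak", "export", "null-cipher", "anonymous", "unknown")


def parse_client_hello(trace):
    """Return (version, [suite names]) from the first C>S ClientHello in an
    ssldump trace. Suites are the indented lines between the 'cipher suites'
    and 'compression methods' markers; 'Unknown value 0x..' lines are kept."""
    version, suites, in_suites = None, [], False
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("Version "):
            version = line.split()[1]
        elif line == "cipher suites":
            in_suites = True
        elif line == "compression methods":
            break
        elif in_suites and line:
            suites.append(line)
    return version, suites


def classify(suite):
    """Category of a suite, judged by its weakest property (checked first)."""
    if suite.startswith("Unknown value"):
        return "unknown"      # ssldump has no name for it (0xc0xx ECDHE ids, 0xff SCSV)
    if "_anon_" in suite:
        return "anonymous"    # no server certificate, so no authentication
    if "_NULL_" in suite:
        return "null-cipher"  # authenticated but not encrypted
    if "EXPORT" in suite:
        return "export"       # 40/56-bit keys
    if "_DES_" in suite or "_RC4_" in suite:
        return "weak"         # single DES or RC4 (3DES does not match either test)
    return "acceptable"


def usable_with_rsa_cert(suite):
    """True if an 'acceptable' suite can be selected by a server whose only
    credential is an RSA certificate: the key-exchange part (between TLS_ and
    _WITH_) must be RSA or DHE_RSA, not DHE_DSS or DH_anon."""
    if classify(suite) != "acceptable":
        return False
    kx = suite[len("TLS_"):suite.index("_WITH_")]
    return "RSA" in kx


def triage(trace):
    """Summarise the ClientHello: suites per category and the subset an
    RSA-certificate server that rejects anonymous/NULL/EXPORT could accept."""
    version, suites = parse_client_hello(trace)
    by_category = {c: [] for c in CATEGORIES}
    for s in suites:
        by_category[classify(s)].append(s)
    return {
        "version": version,
        "offered": len(suites),
        "by_category": by_category,
        "usable_with_rsa_cert": [s for s in suites if usable_with_rsa_cert(s)],
    }


if __name__ == "__main__":
    result = triage(SSLDUMP_TRACE)
    print(f"record version {result['version']}, {result['offered']} suites offered")
    for cat in CATEGORIES:
        if result["by_category"][cat]:
            print(f"  {cat:12} {len(result['by_category'][cat])}")
    if result["usable_with_rsa_cert"]:
        print("negotiable with an RSA certificate:", ", ".join(result["usable_with_rsa_cert"]))
    else:
        print("no suite in this offer is negotiable by a server that rejects anonymous, NULL and EXPORT suites")
```

Run it against a trace pasted from ssldump (or point `triage()` at a file's contents). For the Snom offer it reports zero negotiable suites, which is the kind of client-side cipher setting worth fixing before suspecting the server's certificate layout; for the later capture on port 5063, which offers AES and 3DES with RSA and DHE_RSA key exchange, the same function lists several negotiable suites, so a silent server there points at something other than cipher mismatch.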