<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix"><tt>Hi Martin,<br>
<br>
The relevant log is:<br>
</tt><br>
<tt>Feb 3 06:18:36 [3626] ERROR:core:tls_accept: New TLS
connection from 123.12.28.14(my_ip):50761 failed to accept:
rejected by client<br>
<br>
So, the client opens a connection to OpenSIPS, OpenSIPS accepts
the connection, but the connection setup fails as the client
rejects the certificate sent by OpenSIPS.<br>
<br>
Regards,<br>
</tt>
<pre class="moz-signature" cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a></pre>
On 03.02.2015 05:24, martin-n martin-n wrote:<br>
</div>
<blockquote cite="mid:1422933849.395754.18400.39315@mail.rambler.ru"
type="cite">
<p>Hello. I'm pretty new with opensips, so I installed the latest
opensips version <strong>opensips 2.1.1dev-tls (x86_64/linux),
</strong>to make a sip server.</p>
<p>I configured it to use tls. I generated the certificates
according to this tutorial:
<a class="moz-txt-link-freetext" href="https://github.com/antonraharja/book-opensips-101/blob/master/content/3.2.%20SIP%20TLS%20Secure%20Calling.mediawiki">https://github.com/antonraharja/book-opensips-101/blob/master/content/3.2.%20SIP%20TLS%20Secure%20Calling.mediawiki</a></p>
<p>Then I did set up Blink. I took <strong>cacert.pem</strong>
from the rootCA folder and set it up as a <strong>Certificate
Authority File. </strong>In the account options I did set up
the certificate file, <strong>server-calist.pem</strong>. I
also did add the private key to the client version of the <strong>server-calist.pem</strong>
file.</p>
<p>But when I try to log in to my server I get:</p>
<p style="text-align: left;">Feb 3 06:18:36 [3630]
DBG:core:probe_max_sock_buff: getsockopt: snd is initially
425984<br>
Feb 3 06:18:36 [3630] INFO:core:probe_max_sock_buff: using snd
buffer of 416 kb<br>
Feb 3 06:18:36 [3630] INFO:core:init_sock_keepalive: -- TCP
keepalive enabled on socket<br>
Feb 3 06:18:36 [3630] DBG:core:print_ip: tcpconn_new: new tcp
connection to: 123.12.28.14(my_ip)<br>
Feb 3 06:18:36 [3630] DBG:core:tcpconn_new: on port 50761, type
3<br>
Feb 3 06:18:36 [3630] DBG:core:tls_tcpconn_init: entered:
Creating a whole new ssl connection<br>
Feb 3 06:18:36 [3630] DBG:core:tls_tcpconn_init: looking up
socket based TLS server domain [my_server_ip:7061]<br>
Feb 3 06:18:36 [3630] DBG:core:tls_find_server_domain: virtual
TLS server domain not found, Using default TLS server domain
settings<br>
Feb 3 06:18:36 [3630] DBG:core:tls_tcpconn_init: found socket
based TLS server domain [0.0.0.0:0]<br>
Feb 3 06:18:36 [3630] DBG:core:tls_tcpconn_init: Setting in
ACCEPT mode (server)<br>
Feb 3 06:18:36 [3630] DBG:core:tcpconn_add: hashes: 795, 1<br>
Feb 3 06:18:36 [3630] DBG:core:handle_new_connect: new
connection: 0x7fb5b3e82170 25 flags: 0002<br>
Feb 3 06:18:36 [3630] DBG:core:send2child: to tcp child 0
0(3626), 0x7fb5b3e82170 rw 1<br>
Feb 3 06:18:36 [3626] DBG:core:handle_io: We have received conn
0x7fb5b3e82170 with rw 1<br>
Feb 3 06:18:36 [3626] DBG:core:io_watch_add: [TCP_worker]
io_watch_add op on 21 (0x89a400, 21, 8, 0x7fb5b3e82170,1),
fd_no=2<br>
Feb 3 06:18:36 [3626] DBG:core:tcp_read_req: Using the global (
per process ) buff<br>
Feb 3 06:18:36 [3626] DBG:core:tls_update_fd: New fd is 21<br>
Feb 3 06:18:36 [3626] ERROR:core:tls_accept: New TLS connection
from 123.12.28.14(my_ip):50761 failed to accept: rejected by
client<br>
Feb 3 06:18:36 [3626] DBG:core:io_watch_del: [TCP_worker]
io_watch_del op on index 1 21 (0x89a400, 21, 1, 0x10,0x3)
fd_no=3 called<br>
Feb 3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker]
size=3, fd array is 17 21 3<br>
Feb 3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker]
size=3, prio array is 2 2 3<br>
Feb 3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker]
size=2, fd array is 17 3<br>
Feb 3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker]
size=3, prio array is 1 1 2<br>
Feb 3 06:18:36 [3626] DBG:core:release_tcpconn: releasing con
0x7fb5b3e82170, state -2, fd=21, id=1<br>
Feb 3 06:18:36 [3626] DBG:core:release_tcpconn: extra_data
0x7fb5b3e822f0<br>
Feb 3 06:18:36 [3630] DBG:core:handle_tcp_child: reader
response= 7fb5b3e82170, -2 from 0<br>
Feb 3 06:18:36 [3630] DBG:core:tcpconn_destroy: destroying
connection 0x7fb5b3e82170, flags 0002<br>
Feb 3 06:18:36 [3630] DBG:core:tls_close: closing TLS
connection<br>
Feb 3 06:18:36 [3630] DBG:core:tls_update_fd: New fd is 25<br>
Feb 3 06:18:36 [3630] DBG:core:tls_shutdown: shutdown
successful<br>
Feb 3 06:18:36 [3630] DBG:core:tls_tcpconn_clean: entered</p>
<p style="text-align: left;">My config looks like so:</p>
<p style="text-align: left;">auto_aliases=no<br>
<br>
<br>
listen=udp:my_server_ip:7060 # CUSTOMIZE ME<br>
<br>
<br>
disable_tcp=no<br>
<br>
<br>
disable_tls=no<br>
listen=tls:my_server_ip:7061 # CUSTOMIZE ME<br>
tls_verify_server= 0<br>
tls_verify_client = 1<br>
tls_require_client_certificate = 1<br>
#tls_method = TLSv1<br>
tls_method = SSLv23<br>
tls_certificate =
"/usr/local/etc/opensips/tls/server/server-cert.pem"<br>
tls_private_key =
"/usr/local/etc/opensips/tls/server/server-privkey.pem"<br>
tls_ca_list =
"/usr/local/etc/opensips/tls/server/server-calist.pem"</p>
<p style="text-align: left;">Basically I want to verify if the
client has the right certificate. Can you help me?</p>
<p style="text-align: left;">Thanks.</p>
<br>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
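<p>An added example, not code from this thread or from OpenSIPS: a "rejected by client" TLS accept means the client aborted the handshake after seeing the server certificate, so the first thing to check is whether each side's certificate chains to the CA file the other side trusts, and whether each certificate file is paired with its own private key. The script below rebuilds that mutual-TLS setup with throwaway keys (all paths, CNs and file names are constructed for the demo) and runs those two checks with openssl, mirroring what Blink does with its Certificate Authority File and what OpenSIPS does with tls_ca_list when tls_verify_client is 1.</p>

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSIPS: rebuild the trust
# relationships from the quoted config with throwaway keys and check them the
# way the two TLS peers do. Every path and CN below is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA, standing in for the tutorial's rootCA/cacert.pem.
make_ca() {
    # $1 = output prefix, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1-key.pem" -out "$1-cert.pem" >/dev/null 2>&1
}

# Leaf certificate (server or client) signed by a CA made with make_ca.
make_signed_cert() {
    # $1 = output prefix, $2 = subject CN, $3 = CA prefix
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1-privkey.pem" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1.csr" -CA "$3-cert.pem" -CAkey "$3-key.pem" \
        -CAcreateserial -out "$1-cert.pem" >/dev/null 2>&1
}

# The check a TLS client performs on the server certificate (and OpenSIPS, with
# tls_verify_client=1, on the client certificate): does it chain to a CA in the
# configured CA file? Prints "ok" or "rejected".
check_trust() {
    # $1 = peer certificate, $2 = CA file the verifying side is configured with
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# Succeeds when private key $2 belongs to certificate $1; compares the public
# key embedded in the certificate with the one derived from the key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

make_ca "$WORK/rootCA" "Demo Root CA"      # the CA both sides should trust
make_ca "$WORK/otherCA" "Unrelated CA"     # a CA that signed nothing here
make_signed_cert "$WORK/server" "sip.example.invalid" "$WORK/rootCA"
make_signed_cert "$WORK/client" "alice" "$WORK/rootCA"

# tls_ca_list on the server is a bundle of CA certificates, not a key pair:
cat "$WORK/rootCA-cert.pem" > "$WORK/server-calist.pem"

echo "server cert vs client's CA file (rootCA): $(check_trust "$WORK/server-cert.pem" "$WORK/rootCA-cert.pem")"
echo "server cert vs an unrelated CA:           $(check_trust "$WORK/server-cert.pem" "$WORK/otherCA-cert.pem")"
echo "client cert vs server tls_ca_list:        $(check_trust "$WORK/client-cert.pem" "$WORK/server-calist.pem")"
if key_matches_cert "$WORK/client-cert.pem" "$WORK/client-privkey.pem"; then
    echo "client cert and client key: matched"
fi
```

<p>The same two checks apply to the real files: the client's Certificate Authority File must contain the CA that signed the server certificate named in tls_certificate, the server's tls_ca_list must contain the CA that signed the client's certificate, and the certificate the client presents must be paired with its own key rather than with a CA bundle. Against a live listener, <code>openssl s_client -connect my_server_ip:7061 -CAfile cacert.pem -cert client-cert.pem -key client-privkey.pem -showcerts</code> performs the full handshake from the client side and prints the chain OpenSIPS presents together with the verify result.</p>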
<br>
</body>
</html>