<div dir="ltr"><div>Those were wildcard certificates, but I also tried with specific name certificates (<a href="http://server0.domain.com">server0.domain.com</a>) and got the same handshake failure error:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">loadmodule "proto_tls.so"<br>modparam("proto_tls", "verify_cert", "0")<br>modparam("proto_tls", "require_cert", "0")<br>modparam("proto_tls", "ciphers_list", "NULL")<br>modparam("proto_tls", "tls_method", "SSLv23")<br>modparam("proto_tls", "certificate", "/etc/ssl/public/server0.glowcall.com.pem")<br>modparam("proto_tls", "private_key", "/etc/ssl/private/server0.glowcall.com-key.pem")<br>modparam("proto_tls", "ca_list", "/etc/ssl/public/server0.glowcall.com.pem") <br>modparam("proto_tls", "ca_dir", "/etc/ssl/public/")</blockquote></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"># openssl s_client -connect <a href="http://server0.domain.com:5061">server0.domain.com:5061</a> -showcerts -CAfile /etc/ssl/public/cacert.org.pem<br>CONNECTED(00000003)<br>140697936070288:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:<br>---<br>no peer certificate available<br>---<br>No client certificate CA names sent<br>---<br>SSL handshake has read 7 bytes and written 324 bytes<br>---<br>New, (NONE), Cipher is (NONE)<br>Secure Renegotiation IS NOT supported<br>Compression: NONE<br>Expansion: NONE<br>---</blockquote><div><br></div><div><br></div><div>The same error if I use the IP address in the above command:</div><div><br></div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"># openssl s_client -connect 87.xx.xxx.42:5061 -showcerts -CAfile /etc/ssl/public/cacert.org.pem<br>CONNECTED(00000003)<br>140347232945808:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:<br>---<br>no peer certificate available<br>---<br>No client certificate CA names sent<br>---<br>SSL handshake has read 7 bytes and written 295 bytes<br>---<br>New, (NONE), Cipher is (NONE)<br>Secure Renegotiation IS NOT supported<br>Compression: NONE<br>Expansion: NONE<br>---</blockquote></div><div><br></div><div><br></div>I see the following error in OpenSIPS log when a client fails to connect:<div><br><div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:core:io_watch_add: [TCP_worker] io_watch_add op (16 on 6) (0x8874c0, 16, 19, 0x7f5cc27ce1a0,1), fd_no=2/2077</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:proto_tls:tls_read_req: Using the global ( per process ) buff</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:proto_tls:tls_update_fd: New fd is 16</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: ERROR:proto_tls:tls_accept: New TLS connection from <a 
href="http://87.81.230.42:45098">87.81.230.42:45098</a> failed to accept: rejected by client</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:core:io_watch_del: [TCP_worker] io_watch_del op on index 0 16 (0x8874c0, 16, 0, 0x10,0x3) fd_no=3 called</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:core:tcpconn_release: releasing con 0x7f5cc27ce1a0, state -2, fd=-1, id=3</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:core:tcpconn_release: extra_data 0x7f5cc27dae98</blockquote><div><br></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 22 June 2015 at 08:37, Răzvan Crainea <span dir="ltr"><<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<tt>Hi, Nabeel!<br>
<br>
Are you using wildcards in your certificate name, or can you just
not make the names public? Note that wildcards are not supported
in the OpenSIPS certificate/key name.<br>
Are there any errors in OpenSIPS's logs?<br>
<br>
Best regards,<br>
</tt>
<pre cols="72">Răzvan Crainea
OpenSIPS Solutions
<a href="http://www.opensips-solutions.com" target="_blank">www.opensips-solutions.com</a></pre><div><div class="h5">
<div>On 06/22/2015 07:26 AM, Nabeel wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>I'm trying to set up OpenSIPS with TLS support and
connecting to my server with an SIP client (Lumicall - <a href="http://lumicall.org/" target="_blank">http://lumicall.org/</a>).</div>
<div><br>
</div>
<div>The settings in my opensips.cfg file are as follows:<br>
</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">listen=tls:87.xx.xxx.42:5061
as <a href="http://server0.domain.com:5061" target="_blank">server0.domain.com:5061</a><br>
</blockquote>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">loadmodule
"proto_tls.so"<br>
modparam("proto_tls", "verify_cert", "0")<br>
modparam("proto_tls", "require_cert", "0")<br>
modparam("proto_tls", "ciphers_list", "NULL")<br>
modparam("proto_tls", "tls_method", "SSLv23")<br>
modparam("proto_tls", "certificate",
"/etc/ssl/public/*.domain.com.pem")<br>
modparam("proto_tls", "private_key",
"/etc/ssl/private/*.domain.com-key.pem")<br>
modparam("proto_tls", "ca_list",
"/etc/ssl/public/*.domain.com.pem")<br>
modparam("proto_tls", "ca_dir", "/etc/ssl/public/")</blockquote>
<div><br>
</div>
<div>The certificates are from CAcert.org and the SIP client has
built-in support for CAcert.org root certificates. <br>
</div>
<div><br>
</div>
<div>
<div>OpenSIPS starts successfully without errors and the
following command shows listening on the correct port:</div>
<div><br>
</div>
<div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">#
netstat -tapen | grep ":5061 "<br>
tcp 0 0 <a href="http://87.81.230.42:5061" target="_blank">87.81.230.42:5061</a>
0.0.0.0:* LISTEN 0 94449
6850/opensips</blockquote>
</div>
<div><br>
</div>
<div>The command "netstat -tlp | grep 5061" returns no
result. Testing the port through remote services and with
nmap shows the port is open:</div>
<div><br>
</div>
<div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">nmap
-p 5061 <a href="http://server0.domain.com" target="_blank">server0.domain.com</a><br>
Starting Nmap 6.47 ( <a href="http://nmap.org" target="_blank">http://nmap.org</a> ) at
2015-06-22 04:40 BST<br>
Nmap scan report for <a href="http://server0.domain.com" target="_blank">server0.domain.com</a>
(87.81.230.42)<br>
Host is up (0.000090s latency).<br>
PORT STATE SERVICE<br>
5061/tcp open sip-tls</blockquote>
</div>
</div>
<div><br>
</div>
<div>However, checking the connection with s_client shows a
handshake failure:</div>
<div><br>
</div>
<div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">#
openssl s_client -connect <a href="http://server0.domain.com:5061" target="_blank">server0.domain.com:5061</a>
-showcerts -CAfile /etc/ssl/public/cacert.org.pem<br>
CONNECTED(00000003)<br>
139762069984912:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:770:<br>
---<br>
no peer certificate available<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 7 bytes and written 295 bytes<br>
---<br>
New, (NONE), Cipher is (NONE)<br>
Secure Renegotiation IS NOT supported<br>
Compression: NONE<br>
Expansion: NONE<br>
---</blockquote>
</div>
<div><br>
</div>
<div>Adding -servername <a href="http://server0.domain.com" target="_blank">server0.domain.com</a>
shows the same error.</div>
<div><br>
</div>
<div>Trying to connect to the server using the SIP client, with
<a href="mailto:username@server0.domain.com" target="_blank">username@server0.domain.com</a>,
also shows a handshake failure in Logcat:</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">06-21
18:33:31.790 20121-31973/com.domain I/IntegratedSipProvider﹕
no active connection found matching tls:87.xx.xxx.xx:5061<br>
06-21 18:33:31.790 20121-31973/com.domain
I/IntegratedSipProvider﹕ open tls connection to
87.xx.xxx.42:5061<br>
06-21 18:33:31.790 20121-31973/com.domain
I/org.zoolu.net.TcpSocket﹕ Initializing SSLContext for first
use<br>
06-21 18:33:31.790 20121-31973/com.domain
I/org.zoolu.net.TcpSocket﹕ Adding the customKeyStore to trust
manager for SSLContext<br>
06-21 18:33:31.790 20121-31973/com.domain
I/org.zoolu.net.TcpSocket﹕ Connecting socket to 87.xx.xxx.42,
port 5061<br>
06-21 18:33:31.870 20121-31973/com.domain
I/org.zoolu.net.TcpSocket﹕ Local address is: /<a href="http://10.155.115.36:47549" target="_blank">10.155.115.36:47549</a><br>
06-21 18:33:31.870 20121-31973/com.domain
I/org.zoolu.net.TcpSocket﹕ Starting SSL handshake<br>
06-21 18:33:31.980 20121-31973/com.domain
W/org.zoolu.net.TcpSocket﹕ Exception while getting
session/starting handshake<br>
06-21 18:36:23.210 20121-1693/com.domain
E/IntegratedSipProvider﹕ java.io.IOException: Failed to
handshake SSLjavax.net.ssl.SSLHandshakeException: Handshake
failed, Handshake failed<br>
at
org.zoolu.net.TcpSocket.<init>(TcpSocket.java:199)<br>
at
org.zoolu.sip.provider.TcpTransport.<init>(TcpTransport.java:152)<br>
at
org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1367)<br>
at
org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1297)<br>
at
org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1628)<br>
at
org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1608)<br>
at
java.util.concurrent.FutureTask.run(FutureTask.java:237)<br>
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)<br>
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)<br>
at java.lang.Thread.run(Thread.java:818)</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>I tried setting TLSv1 as 'tls_method' in opensips config
(instead of SSLv23) but the same error occurred. Please advise
how to resolve this SSL handshake failure.</div>
</div>
<br>
<br>
</div></div><pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</div>
<br></blockquote></div><br></div>
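As an added example that is not part of this thread, the Python below turns the three artefacts pasted above (the proto_tls modparam lines, the openssl s_client output and the OpenSIPS log) into one diagnostic: it flags a ciphers_list that admits only NULL-encryption suites, reads the alert and byte counts from s_client (7 bytes read is a single bare alert record, so no ServerHello ever arrived), and pairs the tls_accept error with the peer address. The sample inputs are constructed copies of the thread's own output.

```python
import re

# Constructed sample input, shaped like the thread's pastes.
MODPARAMS = '''modparam("proto_tls", "verify_cert", "0")
modparam("proto_tls", "ciphers_list", "NULL")
modparam("proto_tls", "tls_method", "SSLv23")'''
S_CLIENT = '''CONNECTED(00000003)
140697936070288:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake has read 7 bytes and written 324 bytes
New, (NONE), Cipher is (NONE)'''
OPENSIPS_LOG = '''Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:proto_tls:tls_update_fd: New fd is 16
Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: ERROR:proto_tls:tls_accept: New TLS connection from 87.81.230.42:45098 failed to accept: rejected by client
Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading'''

MODPARAM_RE = re.compile(r'modparam\("proto_tls",\s*"(\w+)",\s*"([^"]*)"\)')
ALERT_RE = re.compile(r':SSL routines:\w+:sslv\d alert ([a-z ]+):')
BYTES_RE = re.compile(r'handshake has read (\d+) bytes and written (\d+) bytes')
ACCEPT_RE = re.compile(r'ERROR:proto_tls:tls_accept: New TLS connection from '
                       r'([\d.]+):(\d+) failed to accept: (.*)$')

def parse_modparams(cfg):
    """Map proto_tls parameter names to their string values."""
    return dict(MODPARAM_RE.findall(cfg))

def audit_ciphers_list(params):
    """Return a finding when ciphers_list selects only unencrypted suites.
    In OpenSSL cipher strings, NULL and eNULL are aliases for the suites with
    no encryption; DEFAULT clients (openssl s_client included) never offer
    them, so such a server can find no shared cipher and must send an alert."""
    tokens = [t for t in params.get("ciphers_list", "").split(":") if t]
    if tokens and all(t.upper() in ("NULL", "ENULL") for t in tokens):
        return "ciphers_list admits only NULL-encryption suites"
    return None

def parse_s_client(out):
    """Summarise a failed s_client run. A read of exactly 7 bytes is one
    TLS record (5-byte header + 2-byte alert): the server sent only an alert."""
    alert, nbytes = ALERT_RE.search(out), BYTES_RE.search(out)
    read, written = (int(nbytes.group(1)), int(nbytes.group(2))) if nbytes else (0, 0)
    return {"alert": alert.group(1) if alert else None, "read": read,
            "written": written, "only_alert_received": read == 7,
            "negotiated_cipher": "Cipher is (NONE)" not in out}

def failed_accepts(log):
    """Collect (peer ip, peer port, reason) from tls_accept errors so the
    server-side record can be matched to the client's failing connection."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in (ACCEPT_RE.search(line) for line in log.splitlines()) if m]

if __name__ == "__main__":
    print(audit_ciphers_list(parse_modparams(MODPARAMS)))
    print(parse_s_client(S_CLIENT))
    print(failed_accepts(OPENSIPS_LOG))
```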