<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <tt>Hi, Nabeel!<br>
      <br>
      Are you using wildcards in your certificate name, or can you just
      not make the names public? Note that wildcards are not supported
      in OpenSIPS certificate/key names.<br>
      Are there any errors in OpenSIPS's logs?<br>
      <br>
      Best regards,<br>
    </tt>
    <pre class="moz-signature" cols="72">Răzvan Crainea
OpenSIPS Solutions
<a class="moz-txt-link-abbreviated" href="http://www.opensips-solutions.com">www.opensips-solutions.com</a></pre>
    <div class="moz-cite-prefix">On 06/22/2015 07:26 AM, Nabeel wrote:<br>
    </div>
    <blockquote
cite="mid:CA+vx6KLwW2apbqCbDq68wGORvQbSHugtfjKPFf-eF5ELrFz9QQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Hi,</div>
        <div><br>
        </div>
        <div>I'm trying to set up OpenSIPS with TLS support and
          connecting to my server with a SIP client (Lumicall - <a
            moz-do-not-send="true" href="http://lumicall.org/">http://lumicall.org/</a>).</div>
        <div><br>
        </div>
        <div>The settings in my opensips.cfg file are as follows:<br>
        </div>
        <div><br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">listen=tls:87.xx.xxx.42:5061
          as <a moz-do-not-send="true"
            href="http://server0.domain.com:5061">server0.domain.com:5061</a><br>
        </blockquote>
        <div> </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">loadmodule
          "proto_tls.so"<br>
          modparam("proto_tls", "verify_cert", "0")<br>
          modparam("proto_tls", "require_cert", "0")<br>
          modparam("proto_tls", "ciphers_list", "NULL")<br>
          modparam("proto_tls", "tls_method", "SSLv23")<br>
          modparam("proto_tls", "certificate",
          "/etc/ssl/public/*.domain.com.pem")<br>
          modparam("proto_tls", "private_key",
          "/etc/ssl/private/*.domain.com-key.pem")<br>
          modparam("proto_tls", "ca_list",
          "/etc/ssl/public/*.domain.com.pem")<br>
          modparam("proto_tls", "ca_dir", "/etc/ssl/public/")</blockquote>
        <div><br>
        </div>
        <div>The certificates are from CAcert.org and the SIP client has
          built-in support for CAcert.org root certificates. <br>
        </div>
        <div><br>
        </div>
        <div>
          <div>OpenSIPS starts successfully without errors and the
            following command shows listening on the correct port:</div>
          <div><br>
          </div>
          <div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">#
              netstat -tapen | grep ":5061 "<br>
              tcp        0      0 <a moz-do-not-send="true"
                href="http://87.81.230.42:5061">87.81.230.42:5061</a>  
                  0.0.0.0:*               LISTEN      0          94449  
                  6850/opensips</blockquote>
          </div>
          <div><br>
          </div>
          <div>The command "netstat -tlp | grep 5061" returns no
            result.  Testing the port through remote services and with
            nmap shows the port is open:</div>
          <div><br>
          </div>
          <div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">nmap
              -p 5061 <a moz-do-not-send="true"
                href="http://server0.domain.com">server0.domain.com</a><br>
              Starting Nmap 6.47 ( <a moz-do-not-send="true"
                href="http://nmap.org">http://nmap.org</a> ) at
              2015-06-22 04:40 BST<br>
              Nmap scan report for <a moz-do-not-send="true"
                href="http://server0.domain.com">server0.domain.com</a>
              (87.81.230.42)<br>
              Host is up (0.000090s latency).<br>
              PORT     STATE SERVICE<br>
              5061/tcp open  sip-tls</blockquote>
          </div>
        </div>
        <div><br>
        </div>
        <div>However, checking the connection with s_client shows a
          handshake failure:</div>
        <div><br>
        </div>
        <div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">#
            openssl s_client -connect <a moz-do-not-send="true"
              href="http://server0.domain.com:5061">server0.domain.com:5061</a>
            -showcerts -CAfile /etc/ssl/public/cacert.org.pem<br>
            CONNECTED(00000003)<br>
            139762069984912:error:14077410:SSL
            routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
            failure:s23_clnt.c:770:<br>
            ---<br>
            no peer certificate available<br>
            ---<br>
            No client certificate CA names sent<br>
            ---<br>
            SSL handshake has read 7 bytes and written 295 bytes<br>
            ---<br>
            New, (NONE), Cipher is (NONE)<br>
            Secure Renegotiation IS NOT supported<br>
            Compression: NONE<br>
            Expansion: NONE<br>
            ---</blockquote>
        </div>
        <div><br>
        </div>
        <div>Adding -servername <a moz-do-not-send="true"
            href="http://server0.domain.com">server0.domain.com</a>
          shows the same error.</div>
        <div><br>
        </div>
        <div>Trying to connect to the server using the SIP client, with
          <a moz-do-not-send="true"
            href="mailto:username@server0.domain.com">username@server0.domain.com</a>,
          also shows a handshake failure in Logcat:</div>
        <div><br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">06-21
          18:33:31.790  20121-31973/com.domain I/IntegratedSipProvider﹕
          no active connection found matching tls:87.xx.xxx.xx:5061<br>
          06-21 18:33:31.790  20121-31973/com.domain
          I/IntegratedSipProvider﹕ open tls connection to
          87.xx.xxx.42:5061<br>
          06-21 18:33:31.790  20121-31973/com.domain
          I/org.zoolu.net.TcpSocket﹕ Initializing SSLContext for first
          use<br>
          06-21 18:33:31.790  20121-31973/com.domain
          I/org.zoolu.net.TcpSocket﹕ Adding the customKeyStore to trust
          manager for SSLContext<br>
          06-21 18:33:31.790  20121-31973/com.domain
          I/org.zoolu.net.TcpSocket﹕ Connecting socket to 87.xx.xxx.42,
          port 5061<br>
          06-21 18:33:31.870  20121-31973/com.domain
          I/org.zoolu.net.TcpSocket﹕ Local address is: /<a
            moz-do-not-send="true" href="http://10.155.115.36:47549">10.155.115.36:47549</a><br>
          06-21 18:33:31.870  20121-31973/com.domain
          I/org.zoolu.net.TcpSocket﹕ Starting SSL handshake<br>
          06-21 18:33:31.980  20121-31973/com.domain
          W/org.zoolu.net.TcpSocket﹕ Exception while getting
          session/starting handshake<br>
          06-21 18:36:23.210   20121-1693/com.domain
          E/IntegratedSipProvider﹕ java.io.IOException: Failed to
          handshake SSLjavax.net.ssl.SSLHandshakeException: Handshake
          failed, Handshake failed<br>
                      at
          org.zoolu.net.TcpSocket.&lt;init&gt;(TcpSocket.java:199)<br>
                      at
          org.zoolu.sip.provider.TcpTransport.&lt;init&gt;(TcpTransport.java:152)<br>
                      at
          org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1367)<br>
                      at
          org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1297)<br>
                      at
org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1628)<br>
                      at
org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1608)<br>
                      at
          java.util.concurrent.FutureTask.run(FutureTask.java:237)<br>
                      at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)<br>
                      at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)<br>
                      at java.lang.Thread.run(Thread.java:818)</blockquote>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>I tried setting TLSv1 as 'tls_method' in opensips config
          (instead of SSLv23) but the same error occurred. Please advise
          how to resolve this SSL handshake failure.</div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
    </blockquote>
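<p>The reply points at the wildcard in the certificate and key file names, and the quoted configuration also sets <tt>ciphers_list</tt> to the literal string "NULL". The script below is an added example, not OpenSIPS code and not from either poster: it parses the <tt>modparam("proto_tls", ...)</tt> lines of an opensips.cfg and reports file-path parameters that contain a shell wildcard (OpenSIPS hands the string to the file system unchanged), paths that do not exist, a missing certificate or private key, and a <tt>ciphers_list</tt> of "NULL". The last check rests on OpenSSL cipher-string semantics rather than on anything stated in the thread: "NULL" selects only the unencrypted eNULL suites, which ordinary clients never offer, so no suite can be agreed. The embedded sample config is constructed to mirror the one quoted above with a placeholder domain, and the <tt>path_exists</tt> hook is an assumption of this example so it can run without the real files.</p>

```python
"""Lint the proto_tls parameters of an opensips.cfg (added example, not OpenSIPS code)."""
import os
import re

# One modparam("proto_tls", "<name>", "<value>") call. The config text is
# whitespace-collapsed before matching so calls split across lines still match.
MODPARAM_RE = re.compile(
    r'modparam\(\s*"proto_tls"\s*,\s*"(?P<name>[^"]+)"\s*,\s*"(?P<value>[^"]*)"\s*\)'
)
REQUIRED_PARAMS = ("certificate", "private_key")
FILE_PARAMS = ("certificate", "private_key", "ca_list", "ca_dir")
WILDCARD_CHARS = set("*?[")  # shell glob characters OpenSIPS does not expand


def parse_proto_tls_params(cfg_text):
    """Return {name: value} for every proto_tls modparam in the config text."""
    collapsed = re.sub(r"\s+", " ", cfg_text)
    return {m.group("name"): m.group("value") for m in MODPARAM_RE.finditer(collapsed)}


def lint_proto_tls(params, path_exists=os.path.exists):
    """Return a list of (parameter, problem) tuples; an empty list means no findings.

    path_exists is injectable (hypothetical hook of this example) so the lint
    can run against a config whose files live on another host.
    """
    findings = []
    for name in REQUIRED_PARAMS:
        if name not in params:
            findings.append((name, "not set; proto_tls needs both a certificate and a private key"))
    for name in FILE_PARAMS:
        value = params.get(name)
        if value is None:
            continue
        if WILDCARD_CHARS & set(value):
            findings.append((name, "path contains a wildcard; OpenSIPS does not expand it"))
        elif not path_exists(value):
            findings.append((name, "path does not exist"))
    # OpenSSL cipher-string "NULL" == eNULL: suites without encryption only.
    if params.get("ciphers_list", "").strip().upper() == "NULL":
        findings.append(("ciphers_list",
                         'cipher string "NULL" allows only eNULL suites; '
                         "clients offer none of them, so the handshake fails"))
    return findings


def lint_config_text(cfg_text, path_exists=os.path.exists):
    """Parse and lint in one step."""
    return lint_proto_tls(parse_proto_tls_params(cfg_text), path_exists)


# Constructed sample modelled on the configuration quoted in the thread;
# example.com is a placeholder domain.
SAMPLE_CFG = """\
loadmodule "proto_tls.so"
modparam("proto_tls", "verify_cert", "0")
modparam("proto_tls", "require_cert", "0")
modparam("proto_tls", "ciphers_list", "NULL")
modparam("proto_tls", "tls_method", "SSLv23")
modparam("proto_tls", "certificate",
    "/etc/ssl/public/*.example.com.pem")
modparam("proto_tls", "private_key",
    "/etc/ssl/private/*.example.com-key.pem")
modparam("proto_tls", "ca_list", "/etc/ssl/public/*.example.com.pem")
modparam("proto_tls", "ca_dir", "/etc/ssl/public/")
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real config file: check the paths on this host.
        with open(sys.argv[1]) as fh:
            results = lint_config_text(fh.read())
    else:
        # Built-in sample: pretend every path exists so only the
        # wildcard and cipher findings are shown.
        results = lint_config_text(SAMPLE_CFG, path_exists=lambda p: True)
    for param, problem in results:
        print(f"{param}: {problem}")
```

Run it as <tt>python lint_proto_tls.py /etc/opensips/opensips.cfg</tt> on the server; with no argument it lints the built-in sample and reports the three wildcard paths and the cipher string.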
    <br>
  </body>
</html>