<div dir="ltr"><div>Hi,</div><div><br></div><div>I&#39;m trying to set up OpenSIPS with TLS support and connecting to my server with a SIP client (Lumicall - <a href="http://lumicall.org/">http://lumicall.org/</a>).</div><div><br></div><div>The settings in my opensips.cfg file are as follows:<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">listen=tls:87.xx.xxx.42:5061 as <a href="http://server0.domain.com:5061">server0.domain.com:5061</a><br></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">loadmodule &quot;proto_tls.so&quot;<br>modparam(&quot;proto_tls&quot;, &quot;verify_cert&quot;, &quot;0&quot;)<br>modparam(&quot;proto_tls&quot;, &quot;require_cert&quot;, &quot;0&quot;)<br>modparam(&quot;proto_tls&quot;, &quot;ciphers_list&quot;, &quot;NULL&quot;)<br>modparam(&quot;proto_tls&quot;, &quot;tls_method&quot;, &quot;SSLv23&quot;)<br>modparam(&quot;proto_tls&quot;, &quot;certificate&quot;, &quot;/etc/ssl/public/*.domain.com.pem&quot;)<br>modparam(&quot;proto_tls&quot;, &quot;private_key&quot;, &quot;/etc/ssl/private/*.domain.com-key.pem&quot;)<br>modparam(&quot;proto_tls&quot;, &quot;ca_list&quot;, &quot;/etc/ssl/public/*.domain.com.pem&quot;)<br>modparam(&quot;proto_tls&quot;, &quot;ca_dir&quot;, &quot;/etc/ssl/public/&quot;)</blockquote><div><br></div><div>The certificates are from CAcert.org and the SIP client has built-in support for CAcert.org root certificates. 
<br></div><div><br></div><div><div>OpenSIPS starts successfully without errors and the following command shows listening on the correct port:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"># netstat -tapen | grep &quot;:5061 &quot;<br>tcp        0      0 <a href="http://87.81.230.42:5061">87.81.230.42:5061</a>       0.0.0.0:*               LISTEN      0          94449       6850/opensips</blockquote></div><div><br></div><div>The command &quot;netstat -tlp | grep 5061&quot; returns no result.  Testing the port through remote services and with nmap shows the port is open:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">nmap -p 5061 <a href="http://server0.domain.com">server0.domain.com</a><br>Starting Nmap 6.47 ( <a href="http://nmap.org">http://nmap.org</a> ) at 2015-06-22 04:40 BST<br>Nmap scan report for <a href="http://server0.domain.com">server0.domain.com</a> (87.81.230.42)<br>Host is up (0.000090s latency).<br>PORT     STATE SERVICE<br>5061/tcp open  sip-tls</blockquote></div></div><div><br></div><div>However, checking the connection with s_client shows a handshake failure:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"># openssl s_client -connect <a href="http://server0.domain.com:5061">server0.domain.com:5061</a> -showcerts -CAfile /etc/ssl/public/cacert.org.pem<br>CONNECTED(00000003)<br>139762069984912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:<br>---<br>no peer certificate available<br>---<br>No client certificate CA names sent<br>---<br>SSL handshake has read 7 bytes and written 295 
bytes<br>---<br>New, (NONE), Cipher is (NONE)<br>Secure Renegotiation IS NOT supported<br>Compression: NONE<br>Expansion: NONE<br>---</blockquote></div><div><br></div><div>Adding -servername <a href="http://server0.domain.com">server0.domain.com</a> shows the same error.</div><div><br></div><div>Trying to connect to the server using the SIP client, with <a href="mailto:username@server0.domain.com">username@server0.domain.com</a>, also shows a handshake failure in Logcat:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">06-21 18:33:31.790  20121-31973/com.domain I/IntegratedSipProvider﹕ no active connection found matching tls:87.xx.xxx.xx:5061<br>06-21 18:33:31.790  20121-31973/com.domain I/IntegratedSipProvider﹕ open tls connection to 87.xx.xxx.42:5061<br>06-21 18:33:31.790  20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Initializing SSLContext for first use<br>06-21 18:33:31.790  20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Adding the customKeyStore to trust manager for SSLContext<br>06-21 18:33:31.790  20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Connecting socket to 87.xx.xxx.42, port 5061<br>06-21 18:33:31.870  20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Local address is: /<a href="http://10.155.115.36:47549">10.155.115.36:47549</a><br>06-21 18:33:31.870  20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Starting SSL handshake<br>06-21 18:33:31.980  20121-31973/com.domain W/org.zoolu.net.TcpSocket﹕ Exception while getting session/starting handshake<br>06-21 18:36:23.210   20121-1693/com.domain E/IntegratedSipProvider﹕ java.io.IOException: Failed to handshake SSLjavax.net.ssl.SSLHandshakeException: Handshake failed, Handshake failed<br>            at org.zoolu.net.TcpSocket.&lt;init&gt;(TcpSocket.java:199)<br>            at org.zoolu.sip.provider.TcpTransport.&lt;init&gt;(TcpTransport.java:152)<br>            at 
org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1367)<br>            at org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1297)<br>            at org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1628)<br>            at org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1608)<br>            at java.util.concurrent.FutureTask.run(FutureTask.java:237)<br>            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)<br>            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)<br>            at java.lang.Thread.run(Thread.java:818)</blockquote><div><br></div><div><br></div><div>I tried setting TLSv1 as &#39;tls_method&#39; in opensips config (instead of SSLv23) but the same error occurred.  Please advise how to resolve this SSL handshake failure.</div></div>
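The following is an added diagnostic script, not part of the message above and not OpenSIPS code. It re-reads the quoted proto_tls settings and the quoted s_client summary (both copied inline as constructed samples) and reports what a reviewer would check first: it relies on two facts, that the OpenSSL cipher-string aliases <code>NULL</code>/<code>eNULL</code> select only suites with no encryption (so a server limited to them rejects any client that does not offer them with a handshake_failure alert), and that an s_client run that "read 7 bytes" received exactly one TLS record header (5 bytes) plus one alert (2 bytes), i.e. the server refused the ClientHello before any certificate was exchanged. The note that a <code>*</code> inside a certificate path is a literal file-name character rather than a glob is an assumption about how the path is opened, flagged as such in the code.

```python
import re

# Constructed copy of the proto_tls lines quoted in the message (assumption:
# the real opensips.cfg may contain more than these lines).
SAMPLE_CFG = '''
listen=tls:87.xx.xxx.42:5061 as server0.domain.com:5061
loadmodule "proto_tls.so"
modparam("proto_tls", "verify_cert", "0")
modparam("proto_tls", "require_cert", "0")
modparam("proto_tls", "ciphers_list", "NULL")
modparam("proto_tls", "tls_method", "SSLv23")
modparam("proto_tls", "certificate", "/etc/ssl/public/*.domain.com.pem")
modparam("proto_tls", "private_key", "/etc/ssl/private/*.domain.com-key.pem")
modparam("proto_tls", "ca_list", "/etc/ssl/public/*.domain.com.pem")
modparam("proto_tls", "ca_dir", "/etc/ssl/public/")
'''

# Constructed excerpt of the openssl s_client output quoted in the message.
SAMPLE_S_CLIENT = """CONNECTED(00000003)
139762069984912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
"""

# modparam("module", "key", "value")  or  modparam("module", "key", 0)
MODPARAM_RE = re.compile(
    r'modparam\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*(?:"([^"]*)"|([-\w]+))\s*\)')

ENC_NULL = {"NULL", "eNULL"}          # OpenSSL aliases for "no encryption" suites
WEAK_METHODS = {"SSLv23", "SSLv2", "SSLv3"}


def parse_modparams(cfg_text, module="proto_tls"):
    """Collect the modparam values set for one module (a later line overrides an earlier one)."""
    params = {}
    for mod, key, quoted, bare in MODPARAM_RE.findall(cfg_text):
        if mod == module:
            params[key] = quoted if quoted != "" else bare
    return params


def selects_only_null_encryption(cipher_list):
    """True when every non-negated component of an OpenSSL cipher string is a
    NULL-encryption alias, so the server can never agree on an encrypting suite."""
    positive = []
    for comp in re.split(r"[:, ]+", cipher_list.strip()):
        if not comp or comp.startswith("@") or comp[0] in "!-":
            continue                      # skip @STRENGTH and removed ciphers
        positive.append(comp.lstrip("+"))
    return bool(positive) and all(c in ENC_NULL for c in positive)


def audit_tls_params(params):
    """Return (severity, key, message) findings for a proto_tls parameter set."""
    findings = []
    cl = params.get("ciphers_list")
    if cl is not None and selects_only_null_encryption(cl):
        findings.append(("error", "ciphers_list",
                         f"'{cl}' selects NULL-encryption suites only; a client that "
                         "does not offer them is answered with handshake_failure"))
    method = params.get("tls_method")
    if method in WEAK_METHODS:
        findings.append(("warn", "tls_method",
                         f"'{method}' still permits SSLv2/SSLv3 negotiation; prefer a TLS version"))
    if params.get("verify_cert") == "0":
        findings.append(("info", "verify_cert", "peer certificates are not verified on this listener"))
    cert, ca = params.get("certificate"), params.get("ca_list")
    if cert and ca and cert == ca:
        findings.append(("warn", "ca_list",
                         "ca_list is the server's own certificate, not a CA bundle; "
                         "if verification is enabled later, no real CA would be trusted"))
    for key in ("certificate", "private_key", "ca_list"):
        val = params.get(key, "")
        if "*" in val:   # assumption: the path is opened literally, not expanded as a glob
            findings.append(("info", key, f"'*' in {val} is a literal file-name character; confirm the file exists"))
    return findings


READ_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")


def classify_s_client(output):
    """Map an s_client summary to the point where the handshake stopped.
    7 bytes read = one record header (5) + one alert (2): the server rejected the
    ClientHello (version/cipher negotiation) before sending a certificate."""
    m = READ_RE.search(output)
    if not m:
        return "unknown"
    if "no peer certificate available" in output:
        return "server_alert_before_certificate" if int(m.group(1)) == 7 else "no_certificate"
    return "certificate_received"


if __name__ == "__main__":
    for sev, key, msg in audit_tls_params(parse_modparams(SAMPLE_CFG)):
        print(f"[{sev}] {key}: {msg}")
    print("s_client:", classify_s_client(SAMPLE_S_CLIENT))
```

Run against the quoted settings it reports the cipher list as the blocking error and the SSLv23 method and self-referencing ca_list as warnings; on a live listener the same logic is what <code>openssl s_client -cipher</code> experiments would confirm by hand.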