<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Great!</p>
<p>Thank you.<br>
</p>
<p><br>
</p>
<div id="Signature">
<div name="divtagdefaultwrapper" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:; margin:0">
<div class="BodyFragment"><font size="2">
<div class="PlainText">RODRIGO PIMENTA CARVALHO<br>
Inatel Competence Center<br>
Software<br>
Ph: +55 35 3471 9200 RAMAL 979<br>
</div>
</font></div>
</div>
</div>
<div style="color: rgb(33, 33, 33);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> users-bounces@lists.opensips.org <users-bounces@lists.opensips.org> on behalf of Podrigal, Aron <aronp@guaranteedplus.com><br>
<b>Sent:</b> Wednesday, July 29, 2015 11:25<br>
<b>To:</b> OpenSIPS users mailing list<br>
<b>Subject:</b> Re: [OpenSIPS-Users] TLS - How exactly decide to use require_cert equals to 1 or 0 ? The SIP client must trust the SIP server, not vice-versa.</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div><font face="Calibri, Arial, Helvetica, sans-serif" color="#000000"><span style="font-size:16px">0 means *do not* force the client to present a certificate, whereas 1 means *do* ask the client to present a cert.</span></font></div>
<span style="color:rgb(0,0,0); font-family:Calibri,Arial,Helvetica,sans-serif; font-size:16px">
<div><span style="color:rgb(0,0,0); font-family:Calibri,Arial,Helvetica,sans-serif; font-size:16px"><br>
</span></div>
"rejected by client" is to be interpreted as follows: OpenSIPS asks the client "I need you to present a certificate" and the client rejects that request.</span><br>
<div><span style="color:rgb(0,0,0); font-family:Calibri,Arial,Helvetica,sans-serif; font-size:16px"><br>
</span></div>
<div><span style="color:rgb(0,0,0); font-family:Calibri,Arial,Helvetica,sans-serif; font-size:16px">Cheers.</span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Jul 29, 2015 at 9:51 AM, Rodrigo Pimenta Carvalho
<span dir="ltr"><<a href="mailto:pimenta@inatel.br" target="_blank">pimenta@inatel.br</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr" style="font-size:12pt; color:#000000; background-color:#ffffff; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Dear OpenSIPS-users,</p>
<p><br>
</p>
<p>I am configuring my OpenSIPS 2.2 to communicate with SIP clients using TLS. The SIP client must trust the SIP server, but the inverse is not needed. I want to avoid a fake SIP server collecting data from the SIP clients, for example collecting login/ID and
passwords.</p>
<p><br>
</p>
<p>For that, I suspect that I must use the configuration: modparam("proto_tls","require_cert", "X"). But what exactly do 1 or 0 mean for X?</p>
<p><br>
</p>
<p>When I use X equal to 0 and run the test "openssl s_client -showcerts -debug -connect <OpenSIPS_IP>:5061 -no_ssl2 -bugs -CAfile ./cacert.pem", I can see the following OpenSIPS log:</p>
<p><br>
</p>
<p>--------------------------------------------------------------------------------------------------------------</p>
<p>Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: entered: Creating a whole new ssl connection<br>
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: looking up socket based TLS server domain [<OpenSIPS_IP>:5061]<br>
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_find_server_domain: virtual TLS server domain not found, Using default TLS server domain settings<br>
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: found socket based TLS server domain [<a href="http://0.0.0.0:0" target="_blank">0.0.0.0:0</a>]</p>
<p>...</p>
<p>...</p>
<p>Jul 29 10:02:27 [11921] INFO:proto_tls:tls_accept: New TLS connection from <OpenSIPS_IP>:45457 accepted<br>
Jul 29 10:02:27 [11921] DBG:proto_tls:tls_accept: new TLS connection from <OpenSIPS_IP>:45457 using TLSv1/SSLv3 AES256-SHA 256<br>
Jul 29 10:02:27 [11921] DBG:proto_tls:tls_accept: local socket: <OpenSIPS_IP>:5061<br>
Jul 29 10:02:27 [11921] INFO:proto_tls:tls_accept: Client did not present a TLS certificate</p>
<p>...</p>
<p>...</p>
<p>Jul 29 10:02:31 [11929] DBG:proto_tls:tls_conn_shutdown: first phase of 2-way handshake completed succesfuly</p>
<p>-----------------------------------------------------------------------------------------------------------------------<br>
</p>
<p><br>
</p>
<p>However, when I use X equal to 1, I get:</p>
<p><br>
</p>
<p>--------------------------------------------------------------------------------------------------------------------------<br>
</p>
<p>Jul 29 10:05:36 [11978] ERROR:proto_tls:tls_accept: New TLS connection from <OpenSIPS_IP>:45460 failed to accept: rejected by client<br>
Jul 29 10:05:36 [11978] ERROR:proto_tls:tls_read_req: failed to do pre-tls reading</p>
<p>--------------------------------------------------------------------------------------------------------------------------<br>
</p>
<p><br>
</p>
<p>So, it seems that the client refuses the connection from the server. What is happening here? Is the client refusing some cert presented by the server?</p>
<p>I'm a bit confused because the TLS Module documentation says that the 'require_cert' parameter is used for incoming TLS connections, where OpenSIPS acts as server. So, how could it affect the client side?</p>
<p><br>
</p>
<p>P.S.: the result of "openssl s_client ..." command is "Verify return code: 0 (ok)".</p>
<p><br>
</p>
<p>Any hint will be very helpful!</p>
<p><br>
</p>
<p>Best regards.<span class="HOEnZb"><font color="#888888"><br>
</font></span></p>
<span class="HOEnZb"><font color="#888888">
<p><br>
</p>
<p><br>
</p>
<div>
<div name="divtagdefaultwrapper">
<div><font size="2">
<div>RODRIGO PIMENTA CARVALHO<br>
Inatel Competence Center<br>
Software<br>
Ph: <a href="tel:%2B55%2035%203471%209200" value="+553534719200" target="_blank">
+55 35 3471 9200</a> RAMAL 979<br>
</div>
</font></div>
</div>
</div>
</font></span></div>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">Aron Podrigal
<div>-</div>
<div>'1000001', '1110010', '1101111', '1101110' '1010000', '1101111', '1100100', '1110010', '1101001', '1100111', '1100001', '1101100'</div>
<div><br>
</div>
<div>P: '2b', '31', '33', '34', '37', '34', '35', '38', '36', '30', '39', '39'<br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
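<p>To see the two require_cert values side by side outside OpenSIPS, here is an added example (not from the thread and not OpenSIPS code) that plays the same accept in Go's crypto/tls: a server that either ignores or demands a client certificate, against a client that has no certificate but does verify the server's, which is the setup the original question asks for. The host name "sip.example", the self-signed certificate and the mapping of 0/1 onto tls.NoClientCert/tls.RequireAnyClientCert are assumptions.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned builds an in-memory self-signed server cert for "sip.example" (constructed
// test material) plus a pool that trusts only it, the client's cacert.pem analogue.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"sip.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der) // valid template: neither call fails
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// accept runs one TLS handshake over loopback TCP between a server set to the given
// require_cert value (0: never ask the client for a cert, 1: ask and fail the accept
// when none is presented; an assumed analogy to OpenSIPS, not its code) and a cert-less
// client that verifies the server against the pool. It returns the server-side error.
func accept(requireCert int) error {
	cert, pool := selfSigned()
	auth := []tls.ClientAuthType{tls.NoClientCert, tls.RequireAnyClientCert}[requireCert]
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: auth}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err) // demo code: no loopback, nothing to show
	}
	defer ln.Close()
	go func() { // client side (cert-less); a TLS 1.3 client is done once it sends Finished
		raw, _ := net.Dial("tcp", ln.Addr().String()) // loopback dial cannot fail here
		defer raw.Close()
		tls.Client(raw, &tls.Config{RootCAs: pool, ServerName: "sip.example"}).Handshake()
	}()
	raw, err := ln.Accept()
	if err != nil {
		return err
	}
	defer raw.Close()
	return tls.Server(raw, srv).Handshake() // what OpenSIPS' tls_accept would log
}
```

<p>accept(0) returns nil, the counterpart of the first log, where the connection is accepted and "Client did not present a TLS certificate" is merely noted; accept(1) returns the server-side error "tls: client didn't provide a certificate", the counterpart of "failed to accept: rejected by client", and because a TLS 1.3 client finishes before the server's verdict arrives, the client's own Handshake in that case still returns nil.</p>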
</body>
</html>