<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Dear OpenSIPS-users,</p>
<p><br>
</p>
<p>I am configuring my OpenSIPS 2.2 to communicate to SIP clients using TLS. The SIP client must trust the SIP server, but the inverse is not needed. I want to avoid a fake SIP server collecting data from the SIP clients, for example collecting login/ID and
passwords.</p>
<p><br>
</p>
<p>For that, I suspect that I must to use the configuration: modparam("proto_tls","require_cert", "X"). But, what does exactly mean 1 or 0 for X?</p>
<p><br>
</p>
<p>When I use X equals to 0 and run the test "openssl s_client -showcerts -debug -connect <OpenSIPS_IP>:5061 -no_ssl2 -bugs -CAfile ./cacert.pem", I can see the following OpenSIPS log:</p>
<p><br>
</p>
<p>--------------------------------------------------------------------------------------------------------------</p>
<p>Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: entered: Creating a whole new ssl connection<br>
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: looking up socket based TLS server domain [<OpenSIPS_IP>:5061]<br>
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_find_server_domain: virtual TLS server domain not found, Using default TLS server domain settings<br>
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: found socket based TLS server domain [0.0.0.0:0]</p>
<p>...</p>
<p>...</p>
<p>Jul 29 10:02:27 [11921] INFO:proto_tls:tls_accept: New TLS connection from <OpenSIPS_IP>:45457 accepted<br>
Jul 29 10:02:27 [11921] DBG:proto_tls:tls_accept: new TLS connection from <OpenSIPS_IP>:45457 using TLSv1/SSLv3 AES256-SHA 256<br>
Jul 29 10:02:27 [11921] DBG:proto_tls:tls_accept: local socket: <OpenSIPS_IP>:5061<br>
Jul 29 10:02:27 [11921] INFO:proto_tls:tls_accept: Client did not present a TLS certificate</p>
<p>...</p>
<p>...</p>
<p>Jul 29 10:02:31 [11929] DBG:proto_tls:tls_conn_shutdown: first phase of 2-way handshake completed succesfuly</p>
<p>-----------------------------------------------------------------------------------------------------------------------<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p>However, when I use X equals to 1, I get:</p>
<p><br>
</p>
<p>--------------------------------------------------------------------------------------------------------------------------<br>
</p>
<p>Jul 29 10:05:36 [11978] ERROR:proto_tls:tls_accept: New TLS connection from <OpenSIPS_IP>:45460 failed to accept: rejected by client<br>
Jul 29 10:05:36 [11978] ERROR:proto_tls:tls_read_req: failed to do pre-tls reading</p>
<p>--------------------------------------------------------------------------------------------------------------------------<br>
</p>
<p><br>
</p>
<p>So, It seems that the client refuses the connection from the server. What is happening here? Is the client refusing some cert presented by the server?</p>
<p>I'm a bit confused because the TLS Module documentation says that 'require_cert' parameter is used for incoming TLS connections, where OpenSIPS acts as server. So, how could it affect the client side?</p>
<p><br>
</p>
<p>P.S.: the result of "openssl s_client ..." command is "Verify return code: 0 (ok)".</p>
<p><br>
</p>
<p>Any hint will be very helpful!</p>
<p><br>
</p>
<p>Best regards.<br>
</p>
<p><br>
</p>
<p><br>
</p>
<div id="Signature">
<div name="divtagdefaultwrapper" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:; margin:0">
<div class="BodyFragment"><font size="2">
<div class="PlainText">RODRIGO PIMENTA CARVALHO<br>
Inatel Competence CenterVerify return code: 0 (ok)<br>
Software<br>
Ph: +55 35 3471 9200 RAMAL 979<br>
</div>
</font></div>
</div>
</div>
</body>
</html>