<div dir="ltr"><div class="gmail_extra">Hello Rodrigo,</div><div class="gmail_extra"><br></div><div class="gmail_extra">Thank you for your response. I set verify_cert and require_cert to zero and that fixes my problem. After that I was getting &quot;Certificate Name Mismatch&quot; error on the eyeBeam and Zoiper phones and after some investigation, I realized that it was due to wild cards in my certificate. Apparently, eyeBeam and Zoiper cannot or do not handle wild cards (*) in a certificate.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Best regards,</div><div class="gmail_extra">Ali Pey</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 8, 2016 at 10:48 AM, Rodrigo Pimenta Carvalho <span dir="ltr">&lt;<a href="mailto:pimenta@inatel.br" target="_blank">pimenta@inatel.br</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">




<div dir="ltr">
<div style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;background-color:rgb(255,255,255)">
<p>Hi.</p>
<p><br>
</p>
<p>I got the same problem in softphone ZOIPER.</p>
<p>I just let my ZOIPER ignore the file received from OpenSIPS and then the problem was solved. Otherwise I would have had to install the client party on the phone. It was possible for me because in my project I didn&#39;t have to use certificates, just cryptographic messages with TLS.</p>
<p><br>
</p>
<p>See below the configuration in my OpenSIPS.cfg file (my proxy is version 2.2 from 2015):</p>
<p><br>
</p>
<p>loadmodule &quot;proto_tls.so&quot;<br>
<br>
modparam(&quot;proto_tls&quot;,&quot;verify_cert&quot;, &quot;0&quot;)<br>
modparam(&quot;proto_tls&quot;,&quot;require_cert&quot;, &quot;0&quot;)  #0 means *do not* force the client to present a certificate whereas 1 means *do* ask the client to present a cert.<br>
modparam(&quot;proto_tls&quot;,&quot;tls_method&quot;, &quot;TLSv1&quot;)  #If you want RFC3261 conformance and all your clients support TLSv1 (or you are planning to use encrypted &quot;tunnels&quot; only between differe<br>
<br>
modparam(&quot;proto_tls&quot;, &quot;certificate&quot;,  &quot;/usr/local/etc/opensips/tls/rootCA/certs/cert.pem&quot;)<br>
modparam(&quot;proto_tls&quot;, &quot;private_key&quot;, &quot;/usr/local/etc/opensips/tls/rootCA/private/key.pem&quot;)<br>
modparam(&quot;proto_tls&quot;, &quot;ca_list&quot;, &quot;/usr/local/etc/opensips/tls/rootCA/cacert.pem&quot;)<br>
modparam(&quot;proto_tls&quot;, &quot;ca_dir&quot;, &quot;/usr/local/etc/opensips/tls/rootCA/&quot;)</p>
<p><br>
</p>
<p># Sets the TLS protocol. The first parameter, if set, represents the id of the domain. TLS method which can be:<br>
#<br>
#    TLSv1_2 - means OpenSIPS will accept only TLSv1.2 connections (rfc3261 conformant).<br>
#<br>
#    TLSv1 - means OpenSIPS will accept only TLSv1 connections (rfc3261 conformant).<br>
#<br>
#    SSLv3 - means OpenSIPS will accept only SSLv3 connections<br>
#<br>
#    SSLv2 - means OpenSIPS will accept only SSLv2 connections (almost all old clients support this).<br>
#<br>
#    SSLv23 - means OpenSIPS will accept any of the above methods, but the initial SSL hello must be v2 (in the initial hello all the supported protocols are advertised enabling swit<br>
#<br>
#Default value is SSLv23.<br>
</p>
<p><br>
</p>
<p>Tell me if I&#39;m wrong, please.<br>
</p>
<p><br>
</p>
<p>Best regards.<br>
</p>
<p><br>
</p>
<p><br>
</p>
<div>
<div name="divtagdefaultwrapper">
<div><font size="2">
<div>RODRIGO PIMENTA CARVALHO<br>
Inatel Competence Center<br>
Software<br>
Ph: <a href="tel:%2B55%2035%203471%209200" value="+553534719200" target="_blank">+55 35 3471 9200</a> RAMAL 979<br>
</div>
</font></div>
</div>
</div>
<br>
<br>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block;width:98%">
<div dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>From:</b> <a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a> &lt;<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>&gt; on behalf of Ali Pey &lt;<a href="mailto:alipey@gmail.com" target="_blank">alipey@gmail.com</a>&gt;<br>
<b>Sent:</b> Friday, April 8, 2016 10:25<br>
<b>To:</b> OpenSIPS users mailling list<br>
<b>Subject:</b> Re: [OpenSIPS-Users] TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5</font>
<div> </div>
</div><div><div class="h5">
<div>
<div dir="ltr">
<div class="gmail_extra">Hello Hamid,</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">The parameters below don&#39;t have any effect. In my scenario, the sip phones are rejecting the tls connection by saying &quot;Certificate Validation Failure&quot;.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Neither of the parameters below had any effect.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Does anyone else have any idea what I need to look for?</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Regards,</div>
<div class="gmail_extra">Ali Pey</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 8, 2016 at 4:00 AM, Hamid Hashmi <span dir="ltr">
&lt;<a href="mailto:hamid2kviii@hotmail.com" target="_blank">hamid2kviii@hotmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
<div dir="ltr">Please define the following values
<div>
<pre style="border:1px solid rgb(153,204,204);padding-left:15pt;background-color:rgb(254,254,238)">tls_ca_list     = &quot;/path/to/file&quot;
tls_method      = tlsv1</pre>
For details, please consult <a href="http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html" target="_blank">http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html</a></div>
<div><br>
</div>
<div>Regards</div>
<div>Hamid R. Hashmi<br>
<br>
<div>
<hr>
Date: Thu, 7 Apr 2016 13:14:28 -0400<br>
From: <a href="mailto:alipey@gmail.com" target="_blank">alipey@gmail.com</a><br>
To: <a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a><br>
Subject: [OpenSIPS-Users] TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5
<div>
<div><br>
<br>
<div dir="ltr">Hello,
<div><br>
</div>
<div>My opensips server is just a registrar server and I have enabled tls with the following settings:</div>
<div><br>
</div>
<div>listen=tls:xx.xx.xx.xx:5061<br>
</div>
<div>
<div>disable_tls=no</div>
<div>tls_certificate=&quot;/etc/opensips/pbx-bundle.crt&quot;</div>
<div>tls_private_key=&quot;/etc/opensips/pbx.key&quot;<br>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>When my sip phones try to open a tls connection, they reject the connection saying &quot;Certificate Validation Failure&quot;. My certificate is valid and works fine on the https website.</div>
<div><br>
</div>
<div>What am I missing? What should I look for?</div>
<div><br>
</div>
<div>Regards,</div>
<div>Ali Pey</div>
<div><br>
</div>
</div>
<br>
</div>
</div>
_______________________________________________ Users mailing list <a href="mailto:Users@lists.opensips.org" target="_blank">
Users@lists.opensips.org</a> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">
http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div></div></div>
</div>
</div>

<br></blockquote></div><br></div></div>
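<p>The cause reported in the top reply (a wildcard certificate that some SIP clients do not match) can be checked before a certificate is deployed. The Python below is an added example, not code from this thread or from OpenSIPS; the function names and the example.com names are hypothetical, constructed sample data. It classifies each hostname the phones connect to as covered by an explicit name, covered only through a wildcard, or not covered at all.</p>

```python
# Added example: classify how a hostname matches a certificate's DNS names.
# All names used here are constructed sample data, not values from the thread.


def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def wildcard_matches(pattern, hostname):
    """RFC 6125-style match where '*' is the entire left-most label.

    The wildcard covers exactly one label, so '*.example.com' matches
    'sip.example.com' but not 'example.com' or 'a.b.example.com'.
    Patterns such as '*.com' (fewer than two labels after '*') are rejected.
    """
    p, h = _labels(pattern), _labels(hostname)
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return h[0] != "" and p[1:] == h[1:]


def classify(hostname, dns_names):
    """Return 'exact', 'wildcard-only' or 'mismatch' for this hostname."""
    host = _labels(hostname)
    if any(_labels(n) == host for n in dns_names if "*" not in n):
        return "exact"
    if any(wildcard_matches(n, hostname) for n in dns_names):
        return "wildcard-only"
    return "mismatch"


def audit(hostnames, dns_names):
    """Map every hostname clients are configured with onto its match class."""
    return {h: classify(h, dns_names) for h in hostnames}


if __name__ == "__main__":
    # Constructed DNS names of a wildcard certificate plus one explicit name.
    sans = ["*.example.com", "pbx.example.com"]
    hosts = ["pbx.example.com", "sip.example.com", "example.com", "a.b.example.com"]
    for host, result in audit(hosts, sans).items():
        print(f"{host:20} {result}")
```

A hostname classified as wildcard-only validates only on clients that implement wildcard matching; adding that hostname to the certificate as an explicit name moves it to the exact class.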