<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <tt>Hi Callum,<br>
      <br>
      The error may indicate the fact that the TLS client does not
      present a TLS certificate while connecting to your OpenSIPS. This
      has nothing to do with the TLS multi domain, which anyhow is
      supported. As a test, you can create a separate TLS domain
      (server) bound to the IP of that TLS client, the TLS domain having the
      require_certificate option turned off.<br>
      <br>
      Best Regards,<br>
    </tt>
    <pre class="moz-signature" cols="72">Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  <a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a>

OpenSIPS Bootcamp 2017, Houston, US
  <a class="moz-txt-link-freetext" href="http://opensips.org/training/OpenSIPS_Bootcamp_2017.html">http://opensips.org/training/OpenSIPS_Bootcamp_2017.html</a>
</pre>
    <div class="moz-cite-prefix">On 07/25/2017 03:26 PM, Callum Guy
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAFjCFz=R8T1=0aCNwamX6C4N5bWEtZO13im6RrgpoOa4bEhR9A@mail.gmail.com">
      <div dir="ltr">Hi All,
        <div><br>
        </div>
        <div><b>Running: </b>opensips-2.3.1-1.el7.x86_64 / CentOS 7</div>
        <div><br>
        </div>
        <div>I have been working with a new TLS connection and have been
          having problems validating their client certificate. My
          OpenSIPS configuration works fine for other providers (i.e.
          Twilio) however I am seeing the following error messages
          reported while verify_cert is enabled:</div>
        <div><br>
        </div>
        <div>
          <div><font face="monospace">Jul 25 13:10:32 proxy.ex.com
              opensips[4881]: NOTICE:tls_mgm:verify_callback: depth = 0</font></div>
          <div><font face="monospace">Jul 25 13:10:32 proxy.ex.com
              opensips[4881]: NOTICE:tls_mgm:verify_callback: subject =
              /serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com</font></div>
          <div><font face="monospace">Jul 25 13:10:32 proxy.ex.com
              opensips[4881]: NOTICE:tls_mgm:verify_callback: verify
              error:num=20:unable to get local issuer certificate</font></div>
          <div><font face="monospace">Jul 25 13:10:32 proxy.ex.com
              opensips[4881]: NOTICE:tls_mgm:verify_callback: something
              wrong with the cert ... error code is 20 (check
              x509_vfy.h)</font></div>
          <div><font face="monospace">Jul 25 13:10:32 proxy.ex.com
              opensips[4881]: NOTICE:tls_mgm:verify_callback: verify
              return:0</font></div>
          <div><font face="monospace">Jul 25 13:10:32 proxy.ex.com
              opensips[4881]: ERROR:proto_tls:tls_accept: New TLS
              connection from 178.22.140.34:34281 failed to
              accept</font></div>
          <div><font face="monospace">Jul 25 13:10:32 proxy.ex.com
              opensips[4881]: ERROR:proto_tls:tls_print_errstack: TLS
              errstack: error:140890B2:SSL
              routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
              returned</font></div>
          <div><font face="monospace">Jul 25 13:10:32 proxy.ex.com
              opensips[4881]: ERROR:proto_tls:tls_read_req: failed to do
              pre-tls reading</font></div>
        </div>
        <div><br>
        </div>
        <div>Part of my reason for resorting to the mailing list is old
          mailing list emails discussing that multi-domain certificates
          are not supported by OpenSIPS - is anyone able to confirm if
          this remains a problem?</div>
        <div><br>
        </div>
        <div>The openssl error code 20 is translated as <font face="monospace">X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY</font></div>
        <div><br>
        </div>
        <div>I have seen other reports that this issue may be related to
          an improperly chained certificate - does this sound at all
          likely?</div>
        <div><br>
        </div>
        <div>Any tips on debugging would be greatly appreciated, thanks.</div>
        <div><br>
        </div>
        <div>Callum</div>
      </div>
      <div dir="ltr">-- <br>
      </div>
      <div class="gmail_signature" data-smartmail="gmail_signature">
        <div dir="ltr">Callum Guy
          <div>Head of Information Security</div>
          <div>X-on</div>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
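    <p>An added triage example, not part of the original thread or of OpenSIPS: it groups tls_mgm/proto_tls log lines like those quoted above by worker pid and reports, per failed accept, whether verify_callback logged a peer subject, which verify error codes were raised, and the final errstack entry. The sample log is constructed from the quoted lines with the subject DN shortened; the function name <tt>triage</tt> and the assumption that one worker logs one handshake at a time are the example's own.</p>

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the thread, subject DN shortened.
SAMPLE_LOG = """\
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: depth = 0
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: subject = /O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local issuer certificate
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify return:0
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept: New TLS connection from 178.22.140.34:34281 failed to accept
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

LINE = re.compile(r"opensips\[(\d+)\]: \w+:\w+:(\w+): (.*)$")
# x509_vfy.h codes that mean the issuer chain could not be built locally
CHAIN_CODES = {2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
               20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
               21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE"}


def triage(log_text):
    """Return one summary dict per failed TLS accept, grouped by worker pid."""
    pending = defaultdict(lambda: {"depth": 0, "subjects": {}, "errors": []})
    last, failures = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, func, msg = m.groups()
        hs = pending[pid]
        err = re.match(r"verify error:num=(\d+):(.*)", msg)
        if func == "verify_callback" and msg.startswith("depth = "):
            hs["depth"] = int(msg[len("depth = "):])
        elif func == "verify_callback" and msg.startswith("subject = "):
            hs["subjects"][hs["depth"]] = msg[len("subject = "):]
        elif func == "verify_callback" and err:
            hs["errors"].append((hs["depth"], int(err.group(1)), err.group(2)))
        elif func == "tls_accept" and "failed to accept" in msg:
            peer = re.search(r"from (\S+)", msg)
            codes = [CHAIN_CODES[c] for _, c, _ in hs["errors"] if c in CHAIN_CODES]
            last[pid] = {"peer": peer.group(1) if peer else None,
                         "subject_seen": bool(hs["subjects"]),
                         "leaf_subject": hs["subjects"].get(0),
                         "verify_errors": hs["errors"],
                         "chain_codes": codes, "errstack": None}
            failures.append(last[pid])
            del pending[pid]  # next handshake on this worker starts clean
        elif func == "tls_print_errstack" and pid in last:
            last[pid]["errstack"] = msg.split("TLS errstack: ", 1)[-1]
    return failures
```

    <p>Calling <tt>triage(SAMPLE_LOG)</tt> returns a single record for peer 178.22.140.34:34281 with the depth-0 subject, verify error 20 and the errstack text side by side.</p>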
  </body>
</html>