<div dir="ltr">It's always easy to overlook the content in errors that haven't been seen before. I agree that, on reflection, this should have been looked into in more detail as it does cover the scenario. In the context of a Comodo certificate (which we use regularly) it sounded implausible that we wouldn't be able to validate it. TIL - intermediate certificates matter.<div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jul 25, 2017 at 4:27 PM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org">bogdan@opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <tt>I have to admit that you have to "know how to read the SSL
      errors" in order to really understand the root problem :) . Now
      that you found the issue, if we look back at the error description
      "</tt><font face="monospace">verify error:num=20:unable to get
      local issuer certificate", it makes sense - SSL complains it did
      not find the Comodo CA in order to validate the certificate
      presented by the TLS client (which was probably signed by Comodo).<br>
      <br>
      Best regards,<br>
    </font></div><div bgcolor="#FFFFFF" text="#000000">
    <pre class="m_-682500489058526153moz-signature" cols="72">Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  <a class="m_-682500489058526153moz-txt-link-freetext" href="http://www.opensips-solutions.com" target="_blank">http://www.opensips-solutions.com</a>

OpenSIPS Bootcamp 2017, Houston, US
  <a class="m_-682500489058526153moz-txt-link-freetext" href="http://opensips.org/training/OpenSIPS_Bootcamp_2017.html" target="_blank">http://opensips.org/training/OpenSIPS_Bootcamp_2017.html</a>
</pre>
    </div><div bgcolor="#FFFFFF" text="#000000"><div class="m_-682500489058526153moz-cite-prefix">On 07/25/2017 05:27 PM, Callum Guy
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hi Bogdan,
        <div><br>
        </div>
        <div>Thanks for your response, based on your advice I performed
          a full packet capture on the handshake and established that a
          certificate was indeed being presented.</div>
        <div><br>
        </div>
        <div>Following up on this, I managed to establish that the
          problem was a missing intermediary CA in the certificate
          chain, specifically:</div>
        <div><br>
        </div>
        <div><a href="https://support.comodo.com/index.php?/Knowledgebase/Article/View/975/108/intermediate-2-sha-2-comodo-rsa-extended-validation-secure-server-ca" target="_blank">https://support.comodo.com/index.php?/Knowledgebase/Article/View/975/108/intermediate-2-sha-2-comodo-rsa-extended-validation-secure-server-ca</a><br>
        </div>
        <div><br>
        </div>
        <div>The error message presented by OpenSIPs was certainly
          misleading in this case. For others' benefit, the approach for
          installing a new CA is super simple:</div>
        <div>
          <ol>
            <li>create the file in /etc/pki/ca-trust/source/anchors
              (i.e. comodo-ca-rsa-ev-secure-server.pem)<br>
            </li>
            <li>run "update-ca-trust" with root privs</li>
          </ol>
          <div>Problem solved.</div>
        </div>
        <div><br>
        </div>
        <div>Have a good day all!</div>
        <div><br>
        </div>
        <div>Callum</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Tue, Jul 25, 2017 at 2:48 PM Bogdan-Andrei
          Iancu <<a href="mailto:bogdan@opensips.org" target="_blank">bogdan@opensips.org</a>> wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000"> <tt>Hi Callum,<br>
              <br>
              The error may indicate the fact that the TLS client does
              not present a TLS certificate while connecting to your
              OpenSIPS. This has nothing to do with the TLS multi
              domain, which anyhow is supported. As a test, you can
              create a separate TLS domain (server) bound to the IP of
              that TLS client, a TLS domain having the require_certificate
              option turned off.<br>
              <br>
              Best Regards,<br>
            </tt>
            <pre class="m_-682500489058526153m_-1847085509171715036moz-signature" cols="72">Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
</pre>
          </div>
          <div bgcolor="#FFFFFF" text="#000000">
            <div class="m_-682500489058526153m_-1847085509171715036moz-cite-prefix">On
              07/25/2017 03:26 PM, Callum Guy wrote:<br>
            </div>
          </div>
          <div bgcolor="#FFFFFF" text="#000000">
            <blockquote type="cite">
              <div dir="ltr">Hi All,
                <div><br>
                </div>
                <div><b>Running: </b>opensips-2.3.1-1.el7.x86_64 /
                  CentOS 7</div>
                <div><br>
                </div>
                <div>I have been working with a new TLS connection and
                  have been having problems validating their client
                  certificate. My OpenSIPs configuration works fine for
                  other providers (e.g. Twilio), however I am seeing the
                  following error messages reported while verify_cert is
                  enabled:</div>
                <div><br>
                </div>
                <div>
                  <div><font face="monospace">Jul 25 13:10:32 <a href="http://proxy.ex.com" target="_blank">proxy.ex.com</a>
                      opensips[4881]: NOTICE:tls_mgm:verify_callback:
                      depth = 0</font></div>
                  <div><font face="monospace">Jul 25 13:10:32 <a href="http://proxy.ex.com" target="_blank">proxy.ex.com</a>
                      opensips[4881]: NOTICE:tls_mgm:verify_callback:
                      subject =
/serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private
                      Organization/C=GB/postalCode=SO16
                      7NP/L=Southampton/street=2 Venture Road/O=SIMWOOD
                      ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=<a href="http://simwood.com" target="_blank">simwood.com</a></font></div>
                  <div><font face="monospace">Jul 25 13:10:32 <a href="http://proxy.ex.com" target="_blank">proxy.ex.com</a>
                      opensips[4881]: NOTICE:tls_mgm:verify_callback:
                      verify error:num=20:unable to get local issuer
                      certificate</font></div>
                  <div><font face="monospace">Jul 25 13:10:32 <a href="http://proxy.ex.com" target="_blank">proxy.ex.com</a>
                      opensips[4881]: NOTICE:tls_mgm:verify_callback:
                      something wrong with the cert ... error code is 20
                      (check x509_vfy.h)</font></div>
                  <div><font face="monospace">Jul 25 13:10:32 <a href="http://proxy.ex.com" target="_blank">proxy.ex.com</a>
                      opensips[4881]: NOTICE:tls_mgm:verify_callback:
                      verify return:0</font></div>
                  <div><font face="monospace">Jul 25 13:10:32 <a href="http://proxy.ex.com" target="_blank">proxy.ex.com</a>
                      opensips[4881]: ERROR:proto_tls:tls_accept: New
                      TLS connection from <a href="http://178.22.140.34:34281" target="_blank">178.22.140.34:34281</a>
                      failed to accept</font></div>
                  <div><font face="monospace">Jul 25 13:10:32 <a href="http://proxy.ex.com" target="_blank">proxy.ex.com</a>
                      opensips[4881]:
                      ERROR:proto_tls:tls_print_errstack: TLS errstack:
                      error:140890B2:SSL
                      routines:SSL3_GET_CLIENT_CERTIFICATE:no
                      certificate returned</font></div>
                  <div><font face="monospace">Jul 25 13:10:32 <a href="http://proxy.ex.com" target="_blank">proxy.ex.com</a>
                      opensips[4881]: ERROR:proto_tls:tls_read_req:
                      failed to do pre-tls reading</font></div>
                </div>
                <div><br>
                </div>
                <div>Part of my reason for resorting to the mailing list
                  is old mailing list emails discussing that
                  multi-domain certificates are not supported by
                  OpenSIPs - is anyone able to confirm if this remains a
                  problem?</div>
                <div><br>
                </div>
                <div>The openssl error code 20 is translated as <span style="color:rgb(111,66,193);font-family:SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;font-size:12px;white-space:pre-wrap">X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY</span></div>
                <div><br>
                </div>
                <div>I have seen other reports that this issue may be
                  related to an improperly chained certificate - does
                  this sound at all likely?</div>
                <div><br>
                </div>
                <div>Any tips on debugging would be greatly appreciated,
                  thanks.</div>
                <div><br>
                </div>
                <div>Callum</div>
              </div>
              <div dir="ltr">-- <br>
              </div>
              <div class="m_-682500489058526153m_-1847085509171715036gmail_signature" data-smartmail="gmail_signature">
                <div dir="ltr">Callum Guy
                  <div>Head of Information Security</div>
                  <div>X-on</div>
                </div>
              </div>
              <br>
            </blockquote>
          </div>
          <div bgcolor="#FFFFFF" text="#000000">
            <blockquote type="cite"><img src="http://www.x-on.co.uk/email/footer/banner-surgeryconnect-sept-v2.jpg"><br>
              <p><font size="4"><span style="font-size:8px;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline"></span><b><sup><font face="Verdana">0333 332 0000  |  <a href="http://www.x-on.co.uk" target="_blank">www.x-on.co.uk</a>  |  <sub> </sub></font></sup></b></font><font size="4"><b><sub><sup><font face="Verdana"><a href="https://www.linkedin.com/company/x-on" target="_blank"><img src="http://www.x-on.co.uk//images/icon/linkedin.png" height="24" width="24"></a>  <a href="https://www.facebook.com/XonTel" target="_blank"><img src="http://www.x-on.co.uk//images/icon/facebook.png" height="24" width="24"></a>  <a href="https://twitter.com/xonuk" target="_blank"><img src="http://www.x-on.co.uk//images/icon/twitter.png" height="24" width="24"></a></font></sup></sub> </b></font>
                <span style="font-size:6.0pt;font-family:Verdana;color:black"><br>
                  X-on is a trading name of Storacall Technology Ltd a
                  limited company registered in England and Wales.<br>
                  Registered Office : Avaland House, 110 London Road,
                  Apsley, Hemel Hempstead, Herts, HP3 9SD. Company
                  Registration No. 2578478.<br>
                  The information in this e-mail is confidential and for
                  use by the addressee(s) only. If you are not the
                  intended recipient, please notify X-on immediately on
                  <span><a href="tel:+44%20333%20332%200000" value="+443333320000" target="_blank">+44(0)333 332 0000</a></span>
                  and delete the<br>
                  message from your computer. If you are not a named
                  addressee you must not use, disclose, disseminate,
                  distribute, copy, print or reply to this email. </span><span style="font-size:6.0pt;font-family:Verdana;color:black">Views or
                  opinions expressed by an individual<br>
                  within this email may not necessarily reflect the
                  views of X-on or its associated companies. Although
                  X-on routinely screens for viruses, addressees should
                  scan this email and any attachments<br>
                  for viruses. X-on makes no representation or warranty
                  as to the absence of viruses in this email or any
                  attachments.</span></p>
              <br>
              <pre>_______________________________________________
Users mailing list
<a class="m_-682500489058526153m_-1847085509171715036moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>
<a class="m_-682500489058526153m_-1847085509171715036moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
      <div dir="ltr">-- <br>
      </div>
      <div class="m_-682500489058526153gmail_signature" data-smartmail="gmail_signature">
        <div dir="ltr">Callum Guy
          <div>Head of Information Security</div>
          <div>X-on</div>
        </div>
      </div>
    </blockquote>
    <br>
  </div></blockquote></div><div dir="ltr">-- <br></div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Callum Guy<div>Head of Information Security</div><div>X-on</div></div></div>
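<p>The whole thread above comes down to one chain-building failure: OpenSSL had the Comodo root but not the intermediate that actually signed the client certificate, so verification stopped at depth 0 with error 20. The script below is an added example, not code from this thread or from the OpenSIPS project. It builds a throwaway root -> intermediate -> leaf chain with the openssl CLI, reproduces X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY when only the root is trusted and the peer presents only its leaf, and then shows the two ways verification passes: the peer also sends its intermediate (the <code>-untrusted</code> case, which is what a properly configured TLS client does in its Certificate message), or the verifier has the intermediate locally (the <code>anchors.pem</code> case, which is what dropping the PEM into /etc/pki/ca-trust/source/anchors and running update-ca-trust achieves). All CN values, file names and the key size are constructed for the demo.</p>

```sh
#!/bin/sh
# Added example: reproduce OpenSSL verify error 20
# (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) with a throwaway
# root -> intermediate -> leaf chain, then show what makes it pass.
# All CN values, file names and the key size are constructed for this demo.
set -eu

# build_demo_chain DIR: write root.pem, int.pem and leaf.pem (plus keys) into DIR.
build_demo_chain() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/leaf.ext"

  # Root CA: CSR, then self-signed with CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
    -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

  # Leaf (TLS client) certificate, signed by the intermediate only.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client.example" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf TRUSTFILE UNTRUSTEDFILE LEAF: prints "ok", the numeric OpenSSL
# verify error (e.g. 20), or "other: <output>". UNTRUSTEDFILE may be "".
# The output is parsed instead of the exit status because OpenSSL 1.0.x
# "openssl verify" exits 0 even when verification fails.
verify_leaf() {
  trust=$1 untrusted=$2 leaf=$3
  if [ -n "$untrusted" ]; then
    out=$(openssl verify -CAfile "$trust" -untrusted "$untrusted" "$leaf" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$trust" "$leaf" 2>&1 || true)
  fi
  case $out in
    *": OK"*)        echo ok ;;
    *"error "[0-9]*) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    *)               echo "other: $out" ;;
  esac
}

# demo: runs the three scenarios and prints their results on one line.
# Expected: "20 ok ok"
demo() {
  d=$(mktemp -d)
  build_demo_chain "$d"
  # 1. Only the root is trusted and the peer sent just its leaf: the chain
  #    cannot be built, which is the "unable to get local issuer certificate"
  #    (error 20) seen at depth 0 in the OpenSIPS log above.
  r1=$(verify_leaf "$d/root.pem" "" "$d/leaf.pem")
  # 2. The peer also presents its intermediate; only the root is trusted.
  r2=$(verify_leaf "$d/root.pem" "$d/int.pem" "$d/leaf.pem")
  # 3. The intermediate is installed locally as an anchor, as in the thread
  #    (anchors directory + update-ca-trust); nothing extra is needed from the peer.
  cat "$d/root.pem" "$d/int.pem" > "$d/anchors.pem"
  r3=$(verify_leaf "$d/anchors.pem" "" "$d/leaf.pem")
  rm -rf "$d"
  echo "$r1 $r2 $r3"
}

demo
```

<p>Cases 2 and 3 both pass, but they are not equivalent. In case 2 the intermediate is only chain-building material and still has to chain to a root you trust; in case 3 the intermediate itself becomes a trust anchor, so anything it signs validates on its own, even if the root were later removed. The local-anchor route is a reasonable workaround when, as here, the peer's TLS stack sends only its leaf, but the cleaner fix is for the peer to present the full chain, and the quickest way to tell which situation you are in is to look at what the client actually sends (openssl s_client or a packet capture, as was done in the thread).</p>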