<div dir="ltr"><span id="m_-8969509322233141953inbox-inbox-docs-internal-guid-a833c2f7-6fe8-e46b-ca0f-e972a886039e" style="font-size:12px;white-space:pre-wrap"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><font face="Consolas">Try turning off certificate verification while you work through the issue. </font></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><font face="Consolas"><br></font></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><font face="Consolas">I have also found that there is a need on opensips 2.2.x to re-specify the global params under your server/client domains - i have certainly had issues with that in the past. try issuing all of your global directives a second time, prefixed with your server domain.</font></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><font face="Consolas"><br></font></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><font face="Consolas">Personally I specify the ciphers list and aim for a higher standard of security - here's an excerpt:</font></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><font face="Consolas"><br></font></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:9pt;font-family:Consolas;background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:9pt;font-family:Consolas;background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">modparam("tls_mgm", "ec_curve", "secp384r1")</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:9pt;font-family:Consolas;background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">modparam("tls_mgm", "ciphers_list", "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:9pt;font-family:Consolas;background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">modparam("tls_mgm", "verify_cert", "1")   <font color="#ff9900"># Switch off during initial testing to rule this out</font></span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:9pt;font-family:Consolas;background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">modparam("tls_mgm", "require_cert", "1")  </span><span style="color:rgb(255,153,0);font-family:Consolas"># Switch off during initial testing to rule this out</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:9pt;font-family:Consolas;background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">modparam("tls_mgm", "tls_method", "TLSv1_2")</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:9pt;font-family:Consolas;background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">modparam("tls_mgm", "certificate", "/etc/pki/tls/certs/dom.sip.crt")</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:9pt;font-family:Consolas;background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">modparam("tls_mgm", "private_key", "/etc/pki/tls/private/dom.sip.key")</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:9pt;font-family:Consolas;background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:9pt;font-family:Consolas;background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")</span></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span id="inbox-inbox-docs-internal-guid-a833c2f7-6ff0-538c-3606-d88e1dce59f7"></span><font face="monospace">Note the inclusion of ca_dir and ciphers_list. Looking forward to hearing how you get on.</font><br class="inbox-inbox-Apple-interchange-newline">

</p></span><br><div class="gmail_quote"><div dir="ltr">On Fri, Sep 8, 2017 at 4:42 PM Jonathan Hunter <<a href="mailto:hunterj91@hotmail.com" target="_blank">hunterj91@hotmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div dir="ltr">

<div id="m_-8969509322233141953m_6840361055690419221divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif" dir="ltr">

<p></p>

<div>Hi Guys,</div>

<div><br>

</div>

<div>Sorry for the noise. </div>

<div><br>

</div>

<div>I am testing SIP over TLS and having some issues getting client devices to register having upgraded from opensips 1.11 to 2.2.5.</div>

<div><br>

</div>

<div>Please see my configuration below;</div>

<div><br>

</div>

<div><br>

</div>

<div>opensips 2.2.5</div>

<div><br>

</div>

<div><br>

</div>

<div>listen=tcp:<Public_IP>:5060</div>

<div>listen=tls:<Public_IP>:5061</div>

<div>loadmodule "proto_tcp.so"</div>

<div>loadmodule "proto_udp.so"</div>

<div>loadmodule "proto_tls.so"</div>

<div>loadmodule "tls_mgm.so"</div>

<div><br>

</div>

<div>#Global params</div>

<div>modparam("tls_mgm", "tls_method", "SSLv23")</div>

<div>modparam("tls_mgm", "certificate", "/etc/opensips/tls/rootCA/certs/ssl_certificate.pem")</div>

<div>modparam("tls_mgm", "private_key", "/etc/opensips/tls/rootCA/certs/sip.provider.net.pem")</div>

<div>modparam("tls_mgm", "ca_list", "/etc/opensips/tls/rootCA/certs/IntermediateCA.pem")</div>

<div>modparam("tls_mgm", "require_cert", "0")</div>

<div>modparam("tls_mgm", "verify_cert", "1")</div>

<div>#server domain</div>

<div>modparam("tls_mgm", "server_domain", "sv_dom=<Public_IP>:5061")</div>

<div>modparam("tls_mgm", "certificate", "sv_dom:/etc/opensips/tls/rootCA/certs/ssl_certificate.pem")</div>

<div>modparam("tls_mgm", "private_key", "sv_dom:/etc/opensips/tls/rootCA/certs/sip.provider.net.pem")</div>

<div>modparam("tls_mgm", "ca_list", "sv_dom:/etc/opensips/tls/rootCA/certs/IntermediateCA.pem")</div>

<div>modparam("tls_mgm", "tls_method", "sv_dom:SSLv23")</div>

<div>modparam("tls_mgm", "require_cert", "sv_dom:0")</div>

<div>modparam("tls_mgm", "verify_cert", "sv_dom:1")</div>

<div><br>

</div>

<div><br>

</div>

<div><br>

</div>

<div>I am trying to register both Bria client and Yealink and I cant register my device, opensips logs show no errors;</div>

<div><br>

</div>

<div>Sep  8 15:14:56 localhost VU-SIP-Proxy[14664]: INFO:core:probe_max_sock_buff: using snd buffer of 244 kb</div>

<div>Sep  8 15:14:56 localhost VU-SIP-Proxy[14664]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 37</div>

<div>Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_accept: New TLS connection from <a href="http://91.151.6.28:10405" target="_blank">91.151.6.28:10405</a> accepted</div>

<div>Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_accept: Client did not present a TLS certificate</div>

<div>Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_dump_cert_info: tls_accept: local TLS server certificate subject: /CN=<a href="http://sip.provider.net" target="_blank">sip.provider.net</a>, issuer: /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA</div>

<div><br>

</div>

<div>And in a wireshark trace when debugging I see using the private key, there is Client Hello,Server Hello, Certificate, Server Hello Done, then Client Key Exchange, Change Cipher Spec,Finished, then New Session Ticket, change Cipher Spec, then finished.</div>

<div><br>

</div>

<div>At which point I see Close Notify.</div>

<div><br>

</div>

<div>Do I need to specify a Ciphers list? </div>

<div><br>

</div>

<div>I appreciate debugging TLS can be complex but having had it working ok in the testing phase on 1.11 I presume I am just misconfiguring for 2.2?</div>

<div><br>

</div>

<div>Many Thanks!</div>

<div><br>

</div>

<div>Jon</div>

<br>

<p></p>

</div>

</div>

_______________________________________________<br>

Users mailing list<br>

<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>

<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>

</blockquote></div></div><div dir="ltr">-- <br></div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Callum Guy<div>Head of Information Security</div><div>X-on</div></div></div>

<br>

<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;text-align:justify"><font size="3" face="Verdana"><span style="font-size:8px;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline"></span></font></p><img src="http://www.x-on.co.uk/email/footer/banner-surgeryconnect-sept-v3.jpg"><br><p><font size="4"><span style="font-size:8px;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline"></span><b><sup><font face="Verdana">0333 332 0000  |  <a href="http://www.x-on.co.uk" target="_blank">www.x-on.co.uk</a>  |  <sub> </sub></font></sup></b></font><font size="4"><b><sub><sup><font face="Verdana"><a href="https://www.linkedin.com/company/x-on" target="_blank"><img src="http://www.x-on.co.uk//images/icon/linkedin.png" width="24" height="24"></a>  <a href="https://www.facebook.com/XonTel" target="_blank"><img src="http://www.x-on.co.uk//images/icon/facebook.png" width="24" height="24"></a>  <a href="https://twitter.com/xonuk" target="_blank"><img src="http://www.x-on.co.uk//images/icon/twitter.png" width="24" height="24"></a></font></sup></sub> </b></font>

<span style="font-size:6.0pt;font-family:Verdana;color:black"><br>X-on

is a trading name of Storacall Technology Ltd a limited company registered in

England and Wales.<br>

Registered Office : Avaland House, 110 London Road, Apsley, Hemel Hempstead,

Herts, HP3 9SD. Company Registration No. 2578478.<br>

The information in this e-mail is confidential and for use by the addressee(s)

only. If you are not the intended recipient, please notify X-on immediately on <span>+44(0)333 332 0000</span> and delete the<br>message from your computer. If you are not a named addressee you must not use,

disclose, disseminate, distribute, copy, print or reply to this email. </span><span style="font-size:6.0pt;font-family:Verdana;color:black">Views

or opinions expressed by an individual<br>within this email may not necessarily

reflect the views of X-on or its associated companies. Although X-on routinely

screens for viruses, addressees should scan this email and any attachments<br>for

viruses. X-on makes no representation or warranty as to the absence of viruses

in this email or any attachments.</span></p>

<p><span style="font-size:6.0pt;font-family:Verdana;color:black"></span><font size="2"><span style="font-size:6.0pt;font-family:Verdana;color:black"></span></font></p>