<div dir="ltr"><div><div>Hi All,<br><br></div>I have installed opensips-2.3.2 on CentOS and followed <br><a href="https://www.opensips.org/Documentation/Tutorials-TLS-2-1">https://www.opensips.org/Documentation/Tutorials-TLS-2-1</a> and <a href="http://www.opensips.org/html/docs/modules/2.3.x/tls_mgm.html">http://www.opensips.org/html/docs/modules/2.3.x/tls_mgm.html</a><br>to generate self-signed certificates and TLS setup.<br><br></div><div>I want to achieve this scenario:<br></div><div>asterisk(TLS) -> opensips(TLS) -> asterisk(TLS)<br><br></div><div>What should be the certificate settings for this kind of setup?<br><br></div><div>My opensips.cfg configurations for TLS are as below:<br><br>modparam("proto_udp", "udp_port", 5060)<br><br>modparam("tls_mgm", "verify_cert", "1")<br>modparam("tls_mgm", "require_cert", "0")<br>modparam("tls_mgm", "tls_method", "TLSv1")<br><br><br>modparam("tls_mgm", "certificate", "/usr/local/etc/opensips/tls_cnf/tls/rootCA/cacert.pem")<br>modparam("tls_mgm", "private_key", "/usr/local/etc/opensips/tls_cnf/tls/rootCA/private/cakey1.pem")<br>modparam("tls_mgm", "certificate", "/usr/local/etc/opensips/tls_cnf/tls/rootCA/cacert.pem")<br>modparam("tls_mgm", "ca_list", "/usr/local/etc/opensips/tls_cnf/tls/rootCA/cacert.pem")<br><br>modparam("tls_mgm", "client_domain", "dom1=172.16.16.149:5080")<br>modparam("tls_mgm", "private_key", "[dom1]/usr/local/etc/opensips/tls_cnf/asterisk_149.pem")<br>modparam("tls_mgm", "certificate", "[dom1]/usr/local/etc/opensips/tls_cnf/asterisk_149.pem")<br>modparam("tls_mgm", "ca_list", "[dom1]/usr/local/etc/opensips/tls_cnf/asterisk_149.pem")<br><br>*The asterisk_149.pem file is imported from the Asterisk server. The Asterisk server is listening on port 5080 for TLS.<br><br></div><div>When I set "verify_cert" to "0", calls work, but on setting its value to "1", opensips gives the errors below:<br><br>ERROR:proto_tls:tls_accept: New TLS connection from 172.16.16.149:34678 failed to accept<br>ERROR:proto_tls:tls_print_errstack: TLS errstack: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed<br>ERROR:proto_tls:tls_read_req: failed to do pre-tls reading<br><br></div><div>Please provide guidance to solve this issue.<br></div><div><br></div><div><br>Thank you,<br></div><div>Rutu Patel<br></div><div><br></div></div>