<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">I got opensips to start by removing the "server_domain" part; following that I had an issue where opensips was unable to use the private key and had this in the log:</div><div dir="ltr"><br></div><div dir="ltr">Sep 5 09:25:14 opensips-test-mtl opensips[74857]: ERROR:tls_mgm:load_private_key: unable to load private key file '/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/private/cakey.pem'. #012Retry (2 left) (check password case)<br>Sep 5 09:25:14 opensips-test-mtl opensips[74857]: ERROR:tls_mgm:load_private_key: unable to load private key file '/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/private/cakey.pem'. #012Retry (1 left) (check password case)<br>Sep 5 09:25:14 opensips-test-mtl opensips[74857]: ERROR:tls_mgm:load_private_key: unable to load private key file '/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/private/cakey.pem'. #012Retry (0 left) (check password case)</div><div dir="ltr"><br></div><div>I then found this post: <a href="https://github.com/OpenSIPS/opensips/issues/987">https://github.com/OpenSIPS/opensips/issues/987</a> and tried the solution given (removing the passphrase from the key), which worked. 
Thanks for your help; now I will need to play around with this a bit more to get something more secure.<br></div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Sep 5, 2018 at 5:59 AM Callum Guy <<a href="mailto:callum.guy@x-on.co.uk">callum.guy@x-on.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Can you confirm the contents of <span style="color:rgb(33,33,33)">'something.com:/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/cacert.pem'</span> and that the opensips daemon user has access to the path?<div><br></div><div>You don't need to set up client and server domains if you are just testing, <b>but you do need to be using tls_mgm</b> (<a href="http://www.opensips.org/html/docs/modules/devel/tls_mgm.html" target="_blank">http://www.opensips.org/html/docs/modules/devel/tls_mgm.html</a>):</div><div><br></div><div>Here is an example strong configuration which might get you started: put the certs where you have them, ensure they are accessible, and perhaps comment out the strong ciphers etc. while testing, as per the example:</div><div><div><font face="monospace"><br></font></div><div><font face="monospace">listen=tls:your_serv_IP:5061</font></div><div><font face="monospace">loadmodule "proto_tls.so"</font></div><div><font face="monospace">loadmodule "proto_udp.so"</font></div><div><font face="monospace">loadmodule "tls_mgm.so"</font></div><div><font face="monospace"><br></font></div><div><font face="monospace"># TLS: Default configuration</font></div><div><span style="font-family:monospace">modparam("tls_mgm", "certificate", "/etc/pki/tls/certs/this-domain.sip.crt")</span><br></div><div><font face="monospace">modparam("tls_mgm", "private_key", 
"/etc/pki/tls/private/this-domain.sip.key")</font></div><div><font face="monospace">modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")</font></div><div><font face="monospace">modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")</font></div></div><div># Define standards:</div><div><div><span style="font-family:monospace">#</span><font face="monospace">modparam("tls_mgm", "ciphers_list", "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")</font><br></div><div><span style="font-family:monospace">#</span><font face="monospace">modparam("tls_mgm", "verify_cert", "1")</font></div><div><span style="font-family:monospace">#</span><font face="monospace">modparam("tls_mgm", "require_cert", "1")</font></div><div><span style="font-family:monospace">#</span><font face="monospace">modparam("tls_mgm", "tls_method", "TLSv1_2")</font></div><div><span style="font-family:monospace">#</span><font face="monospace">modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")</font></div><div><span style="font-family:monospace">#</span><font face="monospace">modparam("tls_mgm", "ec_curve", "secp384r1")</font></div><br class="m_-8172221192911325058inbox-inbox-Apple-interchange-newline"></div><div><br></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Sep 4, 2018 at 6:57 PM Dominic <<a href="mailto:wallnut.monkeys@gmail.com" target="_blank">wallnut.monkeys@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi all, I'm currently trying to setup OpenSIPS to use tls. 
For this I am following the steps described here: <a href="http://www.opensips.org/Documentation/Tutorials-TLS-2-2" target="_blank">http://www.opensips.org/Documentation/Tutorials-TLS-2-2</a></div><div dir="ltr"><br></div><div>This is a dev box, so for now I just want to get things working. My setup is as follows:</div><div>UACs are registering to OpenSIPS, which is set up as a mid-registrar in front of Asterisk. Rtpproxy is used on a different box to relay the RTP between the UACs and Asterisk.</div><div><br></div><div>I followed the steps described in the tutorial mentioned above, but I cannot get opensips to start up. So I have a few questions regarding the tutorial:</div><div><br></div><div>question 1:</div><div>If my opensips is only accepting connections (phones registering to it from the internet), then I presume I only need the server domain part in the following part of the tutorial?:</div><div><pre>#server domain
modparam("proto_tls", "server_domain", "sv_dom=<your-ip-address>:<port>")
modparam("proto_tls", "certificate", "sv_dom:$CERT_DIR/rootCA/cacert.pem")
modparam("proto_tls", "private_key", "sv_dom:$CERT_DIR/rootCA/private/cakey.pem")
modparam("proto_tls", "ca_list", "sv_dom:$CERT_DIR/rootCA/cacert.pem")
#client domain
modparam("proto_tls", "client_domain", "cl_dom=<UAS-ip-address>:<port>")
modparam("proto_tls", "certificate", "cl_dom:$CERT_DIR/user/user-cert.pem")
modparam("proto_tls", "private_key", "cl_dom:$CERT_DIR/user/user-privkey.pem")
modparam("proto_tls", "ca_list", "cl_dom:$CERT_DIR/user/user-calist.pem")</pre></div></div><div dir="ltr"><br></div><div>question 2:<br></div><div>In the above code, what exactly do I need to replace sv_dom with? Something like <a href="http://blablabla.com" target="_blank">blablabla.com</a>?</div><div><br></div><div>question 3:</div><div>Do I need to edit the certificate conf files (ca.conf, request.conf, user.conf)? I just copied the existing files as is, which may be why I'm having issues.</div><div><br></div><div>So far I tried using the ones generated by the opensipsctl tls command and I am always getting the errors below upon startup. I also tried the built-in certificates and I get the same result:</div><div>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:mod_init: initializing TLS management<br>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:mod_init: openssl version: OpenSSL 1.0.2g 1 Mar 2016<br>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:mod_init: disabling compression due ZLIB problems<br>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'default'<br>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: DBG:tls_mgm:init_ssl_ctx_behavior: no DH params file for tls domain 'default' defined, using default '(null)'<br>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: NOTICE:tls_mgm:init_ssl_ctx_behavior: No EC curve defined<br>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: NOTICE:tls_mgm:init_ssl_ctx_behavior: cipher list set to NULL<br>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:init_ssl_ctx_behavior: client verification NOT activated. 
Weaker security.<br>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:tls_mgm:load_certificate: unable to load certificate file 'something.com:/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/cacert.pem'<br>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'<br>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:core:init_mod: failed to initialize module tls_mgm<br>Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:core:main: error while initializing modules<br></div><div><br></div><div>If anyone sees something I don't, feel free to let me know.</div><div>Thanks</div><div><br></div></div></div></div>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</blockquote></div></div>-- <br><div dir="ltr" class="m_-8172221192911325058gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Callum Guy<div>Head of Information Security</div><div>X-on</div></div></div>
</blockquote></div>
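<p>The two start-up failures in this thread (a certificate value that OpenSSL took literally, "something.com:" prefix included, and a passphrase-protected private key), together with Callum's question of whether the daemon user can read the path, can all be checked before opensips is started. The script below is an added example and is not code from the thread or from the OpenSIPS project; the config fragment, the PEM files and the daemon uid/gid it uses are constructed for the demo, and it only inspects PEM headers and mode bits (it does not validate the certificate or key material itself).</p>

```python
"""Pre-flight checks for the file parameters of an OpenSIPS tls_mgm config."""
import os
import re
import stat
import tempfile

# One opensips.cfg line of the form
#   modparam("tls_mgm", "<certificate|private_key|ca_list>", "<value>")
MODPARAM_RE = re.compile(
    r'^\s*modparam\(\s*"tls_mgm"\s*,\s*"(certificate|private_key|ca_list)"'
    r'\s*,\s*"([^"]*)"\s*\)'
)


def parse_tls_mgm_paths(cfg_text):
    """Return {param: value} for the file-valued tls_mgm modparams (comments skipped)."""
    found = {}
    for line in cfg_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = MODPARAM_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def pem_key_is_encrypted(pem_text):
    """True if a PEM private key needs a passphrase to load.

    PKCS#8 encrypted keys carry an ENCRYPTED PRIVATE KEY block; legacy
    OpenSSL keys signal encryption with a 'Proc-Type: 4,ENCRYPTED' header.
    """
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)


def readable_by(st, uid, gid):
    """Mode-bit check: could a process running as uid/gid read a file with stat st?"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_tls_files(params, uid, gid):
    """Return [(param, problem)] for each tls_mgm file that would fail to load."""
    problems = []
    for name, value in params.items():
        if not value.startswith("/"):
            # The value is handed to OpenSSL as a file name as-is, which is
            # why a leftover "domain:" prefix shows up verbatim in the error.
            problems.append((name, "not an absolute path: %r" % value))
            continue
        try:
            st = os.stat(value)
        except FileNotFoundError:
            problems.append((name, "file does not exist"))
            continue
        if not readable_by(st, uid, gid):
            problems.append((name, "not readable by uid %d/gid %d" % (uid, gid)))
            continue
        if name == "private_key":
            with open(value) as fh:
                if pem_key_is_encrypted(fh.read()):
                    problems.append((name, "passphrase-protected key"))
    return problems


def run_demo():
    """Lint a constructed config twice: as a hypothetical daemon user and as the owner."""
    d = tempfile.mkdtemp()
    key = os.path.join(d, "cakey.pem")
    ca = os.path.join(d, "cacert.pem")
    # Constructed legacy-format encrypted key: headers only, no real key material.
    with open(key, "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "(base64 body omitted in this constructed sample)\n"
                 "-----END RSA PRIVATE KEY-----\n")
    os.chmod(key, 0o600)
    with open(ca, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n(omitted)\n-----END CERTIFICATE-----\n")
    os.chmod(ca, 0o644)
    # Constructed cfg fragment: the certificate keeps a stray "something.com:"
    # prefix, as in the thread's load_certificate error.
    cfg = ('loadmodule "tls_mgm.so"\n'
           'modparam("tls_mgm", "certificate", "something.com:%s")\n'
           'modparam("tls_mgm", "private_key", "%s")\n'
           'modparam("tls_mgm", "ca_list", "%s")\n') % (ca, key, ca)
    params = parse_tls_mgm_paths(cfg)
    # Hypothetical daemon uid/gid that does not own the files.
    as_daemon = check_tls_files(params, os.getuid() + 1, os.getgid() + 1)
    as_owner = check_tls_files(params, os.getuid(), os.getgid())
    return as_daemon, as_owner


if __name__ == "__main__":
    for label, result in zip(("daemon user", "file owner"), run_demo()):
        print(label, result)
```

<p>Run as the file owner, the demo reports the non-absolute certificate path and the passphrase-protected key; run with the daemon's uid/gid, the 0600 key is instead reported as unreadable, which is the case Callum asks about. Against a real box, feed it the text of opensips.cfg and the uid/gid from pwd.getpwnam() of the user opensips drops to.</p>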