<div dir="ltr"><div dir="ltr"><div dir="ltr">
<div>Hello there,</div>
<div><br></div>
<div>I'm running an opensips 2.4 server with TLS support (but without cert verification). For SIP clients I use pjsiplib 2.8.</div>
<div><br></div>
<div>When a user ends a call with pjsua_call_hangup(), the server throws this error:</div>
<div><br></div>
<pre>opensips[14258]: ERROR:proto_tls:_tls_read: SYSCALL error -&gt; (104) &lt;Connection reset by peer&gt;
opensips[14258]: ERROR:proto_tls:_tls_read: TLS connection to 185.63.109.74:44828 read failed
opensips[14258]: ERROR:proto_tls:_tls_read: TLS read error: 5
opensips[14258]: ERROR:proto_tls:tls_read_req: failed to read</pre>
<div><br></div>
<div>The second issue occurs when someone wants to connect to the SIP server. It throws:</div>
<div><br></div>
<pre>opensips[12482]: ERROR:proto_tls:tls_accept: New TLS connection from 213.205.230.197:42038 failed to accept
opensips[12482]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
opensips[12482]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading</pre>
<div><br></div>
<div>The above happens from time to time, but there was a situation when clients could not establish any connection with opensips until I restarted the server. The server logs were filled with those errors.</div>
<div><br></div>
<div>Could you help me with those issues? Maybe my TLS configuration is wrong? Any ideas?</div>
<div><br></div>
<div>I'm pasting my configuration. I replaced my server IP and port with My.Server.IP and MY.PORT respectively.</div>
<div><br></div>
<pre>####### Global Parameters #########

log_level=1
log_stderror=no
log_facility=LOG_LOCAL0

children=4

/* uncomment the following lines to enable debugging */
#debug_mode=yes

/* uncomment the next line to enable the auto temporary blacklisting of
   not available destinations (default disabled) */
#disable_dns_blacklist=no

/* uncomment the next line to enable IPv6 lookup after IPv4 dns
   lookup failures (default disabled) */
#dns_try_ipv6=yes

/* comment the next line to enable the auto discovery of local aliases
   based on reverse DNS on IPs */
auto_aliases=no


listen=udp:My.Server.IP:MY.PORT
listen=tls:My.Server.IP:MY.PORT


####### Modules Section ########

#set module path
mpath="/usr/lib/x86_64-linux-gnu/opensips/modules/"

#### STUN server
loadmodule "stun.so"

modparam("stun", "primary_ip", "My.Server.IP")
modparam("stun", "primary_port", "MY.PORT")
modparam("stun", "alternate_ip", "My.Server.IP")
modparam("stun", "alternate_port", "MY.PORT")

#### SIGNALING module
loadmodule "signaling.so"

#### StateLess module
loadmodule "sl.so"

#### Transaction Module
loadmodule "tm.so"
modparam("tm", "fr_timeout", 30)
modparam("tm", "fr_inv_timeout", 600)
modparam("tm", "restart_fr_on_each_reply", 1)
modparam("tm", "onreply_avp_mode", 1)

#### Dialog module
loadmodule "dialog.so"
modparam("dialog", "enable_stats", 0)

#### Record Route Module
loadmodule "rr.so"
/* do not append from tag to the RR (no need for this script) */
modparam("rr", "append_fromtag", 0)

#### MAX ForWarD module
loadmodule "maxfwd.so"

#### SIP MSG OPerationS module
loadmodule "sipmsgops.so"

#### FIFO Management Interface
loadmodule "mi_fifo.so"
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
modparam("mi_fifo", "fifo_mode", 0666)

#### URI module
loadmodule "uri.so"
modparam("uri", "use_uri_table", 0)

#### USeR LOCation module
loadmodule "usrloc.so"
modparam("usrloc", "nat_bflag", "NAT")
modparam("usrloc", "working_mode_preset", "single-instance-no-db")

#### NAT HELPER ####
loadmodule "nathelper.so"
modparam("nathelper", "sipping_bflag", "SIPPING_ENABLE")
modparam("nathelper", "remove_on_timeout_bflag", "SIPPING_RTO")
modparam("nathelper", "natping_tcp", 1)

#### REGISTRAR module
loadmodule "registrar.so"
modparam("registrar", "tcp_persistent_flag", "TCP_PERSISTENT")
/* uncomment the next line not to allow more than 10 contacts per AOR */
#modparam("registrar", "max_contacts", 10)

#### ACCounting module
loadmodule "acc.so"
/* what special events should be accounted ? */
modparam("acc", "early_media", 0)
modparam("acc", "report_cancels", 0)
/* by default we do not adjust the direction of the sequential requests.
   if you enable this parameter, be sure to enable "append_fromtag"
   in the "rr" module */
modparam("acc", "detect_direction", 0)

### MediaProxy
loadmodule "mediaproxy.so"
modparam("mediaproxy", "disable", 0)
modparam("mediaproxy", "ice_candidate", "low-priority")
modparam("mediaproxy", "ice_candidate_avp", "$avp(ice_candidate)")

loadmodule "proto_udp.so"

### TLS MODULE
#loadmodule "proto_hep.so"
loadmodule "proto_tls.so"
loadmodule "tls_mgm.so"
#set global tls parameters
modparam("tls_mgm", "verify_cert", "0")
modparam("tls_mgm", "require_cert", "0")
# modparam("tls_mgm", "tls_method", "TLSv1")

modparam("tls_mgm", "certificate", "/root/tls_cnf/tls/rootCA/cacert.pem")
modparam("tls_mgm", "private_key", "/root/tls_cnf/tls/rootCA/private/cakey.pem")
modparam("tls_mgm", "ca_list", "/root/tls_cnf/tls/rootCA/cacert.pem")
modparam("tls_mgm", "ca_dir", "/root/tls_cnf/tls/rootCA/")

####### Routing Logic ########

# main request routing logic

route{

	if (!mf_process_maxfwd_header("10")) {
		send_reply("483","Too Many Hops");
		exit;
	}

	if (has_totag()) {

		# handle hop-by-hop ACK (no routing required)
		if ( is_method("ACK") &amp;&amp; t_check_trans() ) {
			t_relay();
			exit;
		}

		# sequential request within a dialog should
		# take the path determined by record-routing
		if ( !loose_route() ) {
			# we do record-routing for all our traffic, so we should not
			# receive any sequential requests without Route hdr.
			send_reply("404","Not here");
			exit;
		}

		if (is_method("BYE")) {
			# do accounting even if the transaction fails
			#do_accounting("log","failed");
		}

		# route it out to whatever destination was set by loose_route()
		# in $du (destination URI).
		route(relay);
		exit;
	}

	# CANCEL processing
	if (is_method("CANCEL")) {
		if (t_check_trans())
			t_relay();
		exit;
	}

	# absorb retransmissions, but do not create transaction
	t_check_trans();

	if ( !(is_method("REGISTER") ) ) {

		if (is_myself("$fd")) {

		} else {
			# if caller is not local, then called number must be local

			if (!is_myself("$rd")) {
				send_reply("403","Relay Forbidden");
				exit;
			}
		}

	}

	# preloaded route checking
	if (loose_route()) {
		xlog("L_ERR",
			"Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
		if (!is_method("ACK"))
			send_reply("403","Preload Route denied");
		exit;
	}

	# record routing
	if (!is_method("REGISTER|MESSAGE"))
		record_route();

	# account only INVITEs
	if (is_method("INVITE")) {
		create_dialog();
		engage_media_proxy();
		#do_accounting("log");
	}


	if (!is_myself("$rd")) {
		append_hf("P-hint: outbound\r\n");

		route(relay);
	}

	# requests for my domain

	if (is_method("PUBLISH|SUBSCRIBE")) {
		send_reply("503", "Service Unavailable");
		exit;
	}

	if (is_method("REGISTER")) {

		if (!save("location"))
			sl_reply_error();

		exit;
	}

	if ($rU==NULL) {
		# request with no Username in RURI
		send_reply("484","Address Incomplete");
		exit;
	}

	# do lookup with method filtering
	if (!lookup("location","m")) {
		t_reply("404", "Not Found");
		exit;
	}

	# when routing via usrloc, log the missed calls also
	do_accounting("log","missed");
	route(relay);
}


route[relay] {
	# for INVITEs enable some additional helper routes
	if (is_method("INVITE")) {
		t_on_branch("per_branch_ops");
		t_on_reply("handle_nat");
		t_on_failure("missed_call");
	}

	if (!t_relay()) {
		send_reply("500","Internal Error");
	}
	exit;
}


branch_route[per_branch_ops] {
	xlog("new branch at $ru\n");
}


onreply_route[handle_nat] {
	xlog("incoming reply\n");
}


failure_route[missed_call] {
	if (t_was_cancelled()) {
		exit;
	}

	# uncomment the following lines if you want to block client
	# redirect based on 3xx replies.
	##if (t_check_status("3[0-9][0-9]")) {
	##	t_reply("404","Not found");
	##	exit;
	##}

}</pre>
<div><br></div>
</div></div></div>
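<p>As an added example (not part of the original post, and not OpenSIPS or pjsip code): a small Python script that parses proto_tls error lines of the two shapes quoted above and tells apart a peer that closed its TCP socket without sending a TLS close_notify (the <code>Connection reset by peer</code> case the post ties to <code>pjsua_call_hangup()</code>, which is noisy but not a handshake problem) from repeated <code>tls_accept</code> failures, and flags a burst of the latter, which is the state where no client can connect. The log formats are taken from the post; the sample lines, the peer addresses (RFC 5737 documentation ranges), the category names and the storm threshold are constructed for this example.</p>

```python
"""Classify OpenSIPS proto_tls error lines and flag bursts of TLS accept failures.

Added example: the log formats follow the lines quoted in the post; sample
lines, peer addresses, category names and the threshold are constructed here.
"""
import re
from collections import Counter, defaultdict

# "opensips[PID]: LEVEL:proto_tls:FUNCTION: message"
RE_PREFIX = re.compile(
    r"opensips\[(?P<pid>\d+)\]: (?P<level>\w+):proto_tls:(?P<func>\w+): (?P<msg>.*)$"
)
# peer address in "New TLS connection from IP:PORT" / "TLS connection to IP:PORT"
RE_PEER = re.compile(r"(?:from|to) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
# OpenSSL error stack as printed by tls_print_errstack
RE_ERRSTACK = re.compile(r"TLS errstack: (?P<err>error:[0-9A-Fa-f]+:.*)$")


def parse_line(line):
    """Return a dict (pid, level, func, msg, peer, errstack), or None for non-proto_tls lines."""
    m = RE_PREFIX.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    pm = RE_PEER.search(rec["msg"])
    rec["peer"] = pm.group("ip") if pm else None
    em = RE_ERRSTACK.search(rec["msg"])
    rec["errstack"] = em.group("err") if em else None
    return rec


def classify(rec):
    """Bucket a parsed record (category names are this example's own).

    peer_reset    - SSL_read hit ECONNRESET: the peer closed the TCP socket
                    without a TLS close_notify; noisy, but not a handshake problem
    accept_failed - the TLS handshake with a new client did not complete
    errstack      - the OpenSSL reason printed next to an accept/read failure
    read_failed   - follow-up lines OpenSIPS logs after either of the above
    """
    msg = rec["msg"]
    if "Connection reset by peer" in msg:
        return "peer_reset"
    if rec["func"] == "tls_accept" and "failed to accept" in msg:
        return "accept_failed"
    if rec["func"] == "tls_print_errstack":
        return "errstack"
    if "read" in msg:  # "read failed", "TLS read error", "failed to read", "pre-tls reading"
        return "read_failed"
    return "other"


def analyze(lines, storm_threshold=3):
    """Aggregate per category, per peer and per OpenSSL reason; flag an accept-failure burst."""
    counts = Counter()
    per_peer = defaultdict(Counter)
    reasons = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec)
        counts[cat] += 1
        if rec["peer"]:
            per_peer[rec["peer"]][cat] += 1
        if rec["errstack"]:
            reasons[rec["errstack"]] += 1
    return {
        "counts": counts,
        "per_peer": per_peer,
        "reasons": reasons,
        # Many failed handshakes in one window is the "nobody can connect until
        # restart" condition, not one client hanging up abruptly.
        "accept_storm": counts["accept_failed"] >= storm_threshold,
    }


def _accept_failure(pid, ip, port):
    """Constructed trio of lines OpenSIPS logs for one failed TLS accept."""
    return [
        f"opensips[{pid}]: ERROR:proto_tls:tls_accept: New TLS connection from {ip}:{port} failed to accept",
        f"opensips[{pid}]: ERROR:proto_tls:tls_print_errstack: TLS errstack: "
        "error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error",
        f"opensips[{pid}]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading",
    ]


# Constructed sample log: one hangup-style reset, an unrelated line, then three handshake failures.
SAMPLE_LOG = [
    "opensips[14258]: ERROR:proto_tls:_tls_read: SYSCALL error -> (104) <Connection reset by peer>",
    "opensips[14258]: ERROR:proto_tls:_tls_read: TLS connection to 192.0.2.10:44828 read failed",
    "opensips[14258]: ERROR:proto_tls:_tls_read: TLS read error: 5",
    "opensips[14258]: ERROR:proto_tls:tls_read_req: failed to read",
    "opensips[14258]: INFO:core:sig_usr: signal 15 received",  # not proto_tls, skipped
]
for _port in (42038, 42039, 42040):
    SAMPLE_LOG += _accept_failure(12482, "198.51.100.7", _port)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for cat, n in sorted(report["counts"].items()):
        print(f"{cat:14s} {n}")
    for peer, cats in report["per_peer"].items():
        print(f"peer {peer}: {dict(cats)}")
    for reason, n in report["reasons"].items():
        print(f"reason x{n}: {reason}")
    print("accept-failure storm:", report["accept_storm"])
```

Feeding a real syslog extract into <code>analyze()</code> separates the two symptoms in the post: a single <code>peer_reset</code> per call teardown points at the client's socket close, while <code>accept_failed</code> counts climbing across many peers, all with the same OpenSSL reason, points at the server side of the handshake.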