<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Johan,</p>
<p>The issue is probably caused by the fact that OpenSIPS tries to
initialize a 'default' client and server domain and the
certificate file is inexistent at the default path
('/usr/local/opensips//etc/opensips/tls/cert.pem'). So even if you
define your "sv_dom" custom server domain, OpenSIPS still tries to
create default domains for fallback purposes. When you omit the
'[sv_dom]' prefix for the domain settings in your second test, you
overwrite the default ones (with a valid path for the certificate
this time).</p>
<p>In conclusion, either specify your custom domain _and_ default
domains separately (set the modparams multiple times) or make sure
the certificate is found at the default path. Also, note that it's
not necessary to define a custom server domain if you only intend
to use a single one, as the default will match any socket.</p>
<p>Regards,<br>
</p>
<pre class="moz-signature" cols="72">Vlad Patrascu
OpenSIPS Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a></pre>
<div class="moz-cite-prefix">On 02/17/2019 01:35 PM, johan de clercq
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:00b901d4c6b4$d232bb20$76983160$@democon.be">
<div class="WordSection1">
<p class="MsoNormal">Hi, <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I believe that I have found a bug in
tls_mgm: <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Using opensips default certificates:<o:p></o:p></p>
<pre>/usr/local/opensips/etc/opensips/tls# ls -lu
total 24
-rw-r--r-- 1 root staff 2049 Feb 17 12:13 ca.conf
-rw-r--r-- 1 root staff 1048 Feb 17 12:13 README
-rw-r--r-- 1 root staff 1127 Feb 17 12:13 request.conf
drwxr-sr-x 4 root staff 4096 Feb 17 12:16 rootCA
drwxr-sr-x 2 root staff 4096 Feb 17 12:13 user
-rw-r--r-- 1 root staff 591 Feb 17 12:13 user.conf

/usr/local/opensips/etc/opensips/tls/rootCA# ls
cacert.pem certs index.txt private serial</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tls params: <o:p></o:p></p>
<pre>loadmodule "tls_mgm.so"
modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "require_cert", "[sv_dom]0")
modparam("tls_mgm", "verify_cert", "[sv_dom]0")
modparam("tls_mgm", "tls_method", "[sv_dom]SSLv23")
modparam("tls_mgm", "certificate", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
modparam("tls_mgm", "private_key", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
modparam("tls_mgm", "ca_list", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
#### PROTO_TLS module
loadmodule "proto_tls.so"
modparam("proto_tls", "trace_destination", "hep_dest")
modparam("proto_tls", "trace_on", 1)</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I removed the passphrase: <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>mv etc/tls/rootCA/private/cakey.pem etc/tls/rootCA/private/cakey.pem.protected
openssl rsa -in etc/tls/rootCA/private/cakey.pem.protected -out etc/tls/rootCA/private/cakey.pem</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">and then tried to run opensips from cmdline: ./opensips -f /usr/local/opensips/etc/opensips/opensips.cfg</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">syslog output:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/usr/local/opensips//etc/opensips/tls/cert.pem'
Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:init_mod: failed to initialize module tls_mgm
Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:main: error while initializing modules
Feb 17 12:22:01 ns3012072 ./opensips[28673]: CRITICAL:core:sig_usr: segfault in attendant (starter) process!
Feb 17 12:22:01 ns3012072 kernel: [ 4024.678398] opensips[28673]: segfault at 7fcb76dbf850 ip 00007fcb76546f69 sp 00007ffe803ac150 error 4 in libcrypto.so.1.1[7fcb763df000+265000]</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next I tried with: <o:p></o:p></p>
<pre>loadmodule "tls_mgm.so"
#modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "require_cert", "0")
modparam("tls_mgm", "verify_cert", "0")
modparam("tls_mgm", "tls_method", "SSLv23")
modparam("tls_mgm", "certificate", "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
modparam("tls_mgm", "private_key", "/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
modparam("tls_mgm", "ca_list", "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
#### PROTO_TLS module
loadmodule "proto_tls.so"
modparam("proto_tls", "trace_destination", "hep_dest")
modparam("proto_tls", "trace_on", 1)</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">and then opensips starts
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Can you please explain what I am doing wrong?</p>
<p class="MsoNormal">Johan De Clercq, Managing Director<br>
Democon bvba - Ooigemstraat 41 - 8780 Oostrozebeke</p>
<p class="MsoNormal">Tel +3256980990 GSM +32478720104</p>
</div>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
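<p>A pre-start check for the failure described in this thread, as an added example that is not part of the original messages or of OpenSIPS: it reads the tls_mgm modparam lines, groups them by TLS domain with an always-present 'default' domain, and reports each domain whose certificate file is missing. The default path is the one printed in the error message above; the function names, the trimmed sample configs and the rule that a domain without a certificate setting falls back to that path are assumptions.</p>

```python
import os
import re

# Default certificate path, as printed in the error message in this thread.
DEFAULT_CERT = "/usr/local/opensips//etc/opensips/tls/cert.pem"
ROOTCA = "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem"

# Constructed samples: the certificate-related lines of the two tests above.
FIRST_TEST = f'''
modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "certificate", "[sv_dom]{ROOTCA}")
'''
SECOND_TEST = f'''
#modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "certificate", "{ROOTCA}")
'''

MODPARAM = re.compile(r'^\s*modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)')
PREFIXED = re.compile(r'^\[([^\]]+)\](.*)$')

def tls_domains(cfg_text):
    """Map each TLS domain to its parameters; 'default' always exists."""
    domains = {"default": {}}
    for line in cfg_text.splitlines():
        m = MODPARAM.match(line)  # lines commented out with '#' do not match
        if not m:
            continue
        name, value = m.groups()
        if name in ("server_domain", "client_domain"):
            domains.setdefault(value.split("=", 1)[0], {})
            continue
        p = PREFIXED.match(value)
        dom, val = (p.group(1), p.group(2)) if p else ("default", value)
        domains.setdefault(dom, {})[name] = val
    return domains

def missing_certificates(cfg_text, exists=os.path.isfile):
    """Return {domain: path} for each domain whose certificate file is absent."""
    missing = {}
    for dom, params in tls_domains(cfg_text).items():
        # Assumption: a domain with no 'certificate' setting uses DEFAULT_CERT.
        path = params.get("certificate", DEFAULT_CERT)
        if not exists(path):
            missing[dom] = path
    return missing

if __name__ == "__main__":
    for label, cfg in (("first", FIRST_TEST), ("second", SECOND_TEST)):
        print(label, missing_certificates(cfg, exists=lambda p: p == ROOTCA))
```

<p>Run against the real opensips.cfg, pass the file contents and leave <code>exists</code> at its default so the paths are checked on disk.</p>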
</body>
</html>