<div dir="ltr">I am sure the client supports TLSv1.2 version. That was confirmed.<div><br></div><div>I am not sure about the ciphers. I have to ask them.</div><div><br></div><div><span style="font-family:'courier new',monospace">modparam("tls_mgm", "ciphers_list", "AES256-GCM-SHA384,AES256-SHA256,AES256-SHA,CAMELLIA256-SHA,AES128-SHA,CAMELLIA128-SHA,RC4-SHA")</span> </div><div><br></div><div>Is this the list of whitelisted ciphers?<br></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><b><i>Thanks & Regards</i></b><div><i>Sasmita Panda</i></div><div><i>Senior Network Testing and Software Engineer</i></div><div><i>3CLogic , ph:07827611765</i></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jun 28, 2019 at 1:33 PM Răzvan Crainea <<a href="mailto:razvan@opensips.org">razvan@opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi, Sasmita!<br>
<br>
I see that you require TLSv1.2 authentication method - are you sure your <br>
clients do support this version? A similar problem can be with the <br>
ciphers, are you sure your clients support the whitelisted ciphers? As <br>
you do not enforce anything, this might be true, but this is something <br>
you should double-check. Besides that, I don't have any other ideas.<br>
<br>
Best regards,<br>
Răzvan<br>
<br>
On 6/27/19 9:02 AM, Sasmita Panda wrote:<br>
> Hi,<br>
> <br>
> SSL misconfiguration in client side or in opensips side. I think I <br>
> have done the configuration right.<br>
> <br>
> listen=wss:192.168.143.20:443<br>
> loadmodule "tls_mgm.so"<br>
> modparam("tls_mgm", "tls_method", "tlsv1_2")<br>
> modparam("tls_mgm", "verify_cert", "0")<br>
> modparam("tls_mgm", "require_cert", "0")<br>
> modparam("tls_mgm", "certificate", "/usr/local/etc/opensips/tls/3ccloudwebrtc2019.crt")<br>
> modparam("tls_mgm", "private_key", "/usr/local/etc/opensips/tls/3ccloud.key")<br>
> modparam("tls_mgm", "ca_list", "/usr/local/etc/opensips/tls/rootCA/cacert.pem")<br>
> loadmodule "proto_wss.so"<br>
> modparam("proto_wss", "wss_port", 443)<br>
> <br>
> This is for wss . Is there anything I am missing in configuration ?<br>
> <br>
> <br>
> */Thanks & Regards/*<br>
> /Sasmita Panda/<br>
> /Senior Network Testing and Software Engineer/<br>
> /3CLogic , ph:07827611765/<br>
> <br>
> <br>
> On Wed, Jun 26, 2019 at 8:10 PM Răzvan Crainea <<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>> wrote:<br>
> <br>
>     TBH, all I can see in the logs you sent is that a connection was<br>
>     terminated (without even being started), and a connection that was<br>
>     started, but closed by the client. So in order to understand what's<br>
>     happening, you need to understand why the client is closing the<br>
>     connection. Check logs, documentation, anything, but this doesn't seem<br>
>     to be related to OpenSIPS, it looks like some SSL misconfiguration.<br>
> <br>
>     Best regards,<br>
>     Răzvan<br>
> <br>
>     On 6/26/19 4:24 PM, Sasmita Panda wrote:<br>
>      > Is there any update on this issue. How I can solve this error message<br>
>      > from my opensips logs.<br>
>      ><br>
>      ><br>
>      > */Thanks & Regards/*<br>
>      > /Sasmita Panda/<br>
>      > /Senior Network Testing and Software Engineer/<br>
>      > /3CLogic , ph:07827611765/<br>
>      ><br>
>      ><br>
>      > On Tue, Jun 25, 2019 at 3:48 PM Sasmita Panda <<a href="mailto:spanda@3clogic.com" target="_blank">spanda@3clogic.com</a>> wrote:<br>
>      ><br>
>      >     I have tried to take ssldump in the webrtc server in run time .<br>
>      ><br>
>      >     New TCP connection #19: 192.168.1.y(48530) <-> 192.168.0.x(443)<br>
>      >     19    0.0011 (0.0011)  C>S  TCP FIN<br>
>      >     19    0.0013 (0.0001)  S>C  TCP FIN<br>
>      ><br>
>      >     New TCP connection #20: 192.168.0.y(52975) <-> 192.168.0.x(443)<br>
>      >     20 1  0.0006 (0.0006)  C>S  Handshake      ClientHello<br>
>      >     20 2  0.0008 (0.0002)  S>C  Handshake      ServerHello<br>
>      >     20 3  0.0008 (0.0000)  S>C  Handshake      Certificate<br>
>      >     20 4  0.0008 (0.0000)  S>C  Handshake      ServerHelloDone<br>
>      >     20 5  0.0020 (0.0011)  C>S  Handshake      ClientKeyExchange<br>
>      >     20 6  0.0020 (0.0000)  C>S  ChangeCipherSpec<br>
>      >     20 7  0.0020 (0.0000)  C>S  Handshake<br>
>      >     20 8  0.0036 (0.0015)  S>C  Handshake<br>
>      >     20 9  0.0036 (0.0000)  S>C  ChangeCipherSpec<br>
>      >     20 10 0.0036 (0.0000)  S>C  Handshake<br>
>      >     20 11 0.0042 (0.0006)  C>S  Alert<br>
>      >     20    0.0042 (0.0000)  C>S  TCP FIN<br>
>      >     20    0.0043 (0.0000)  S>C  TCP FIN<br>
>      ><br>
>      >     The portion I marked in red whenever appear there is error in<br>
>      >     opensips logs  . For below portion the connection was accepted  .<br>
>      ><br>
>      >     I am not even getting any error  in my browser side .  How I will<br>
>      >     debug this ? please help .<br>
>      ><br>
>      >     */Thanks & Regards/*<br>
>      >     /Sasmita Panda/<br>
>      >     /Senior Network Testing and Software Engineer/<br>
>      >     /3CLogic , ph:07827611765/<br>
>      ><br>
>      ><br>
>      >     On Fri, Jun 14, 2019 at 2:51 PM Callum Guy <<a href="mailto:callum.guy@x-on.co.uk" target="_blank">callum.guy@x-on.co.uk</a>> wrote:<br>
>      ><br>
>      >         You might find that a tcpdump is the only way to get to grips<br>
>      >         with the underlying issue.<br>
>      ><br>
>      >         Having said that I wonder if there is any chance that the<br>
>      >         connection isn't accepting simply due to a cipher<br>
>      >         incompatibility. Are you setting a cipher list that you know<br>
>      >         your clients accept? Maybe try:<br>
>      ><br>
>      >         modparam("tls_mgm", "ciphers_list", "AES256-GCM-SHA384,AES256-SHA256,AES256-SHA,CAMELLIA256-SHA,AES128-SHA,CAMELLIA128-SHA,RC4-SHA")<br>
>      ><br>
>      ><br>
>      >         On Fri, 14 Jun 2019 at 09:17, Sasmita Panda <<a href="mailto:spanda@3clogic.com" target="_blank">spanda@3clogic.com</a>> wrote:<br>
>      ><br>
>      >             I had a dedicated server for 1 Client. When that client<br>
>      >             faces the issue I started looking into the logs. And this<br>
>      >             is what the error I got.<br>
>      ><br>
>      >             But later on when I saw other servers which is getting used<br>
>      >             by different client in that logs also same error coming<br>
>      >             everyday.<br>
>      ><br>
>      >             As a conclusion it's happening with everybody.<br>
>      ><br>
>      >             Below is the configuration .<br>
>      ><br>
>      >             modparam("tls_mgm", "tls_method", "tlsv1_2")<br>
>      >             modparam("tls_mgm", "verify_cert", "0")<br>
>      >             modparam("tls_mgm", "require_cert", "0")<br>
>      >             modparam("tls_mgm", "certificate", "/usr/etc/opensips/tls/3ccloudwebrtc2019.crt")<br>
>      >             modparam("tls_mgm", "private_key", "/usr/etc/opensips/tls/3ccloud.key")<br>
>      >             modparam("tls_mgm", "ca_list", "/usr/etc/opensips/tls/rootCA/cacert.pem")<br>
>      ><br>
>      ><br>
>      ><br>
>      >             */Thanks & Regards/*<br>
>      >             /Sasmita Panda/<br>
>      >             /Senior Network Testing and Software Engineer/<br>
>      >             /3CLogic , ph:07827611765/<br>
>      ><br>
>      ><br>
>      >             On Thu, Jun 13, 2019 at 6:50 PM Răzvan Crainea <<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>> wrote:<br>
>      ><br>
>      >                 Can you trace the SSL traffic between the two endpoints?<br>
>      >                 Perhaps the SSL header gives you a reason for not accepting the<br>
>      >                 connection.<br>
>      >                 Is this happening only for certain clients, or for everyone?<br>
>      >                 Are you requiring any certificates validation?<br>
>      ><br>
>      >                 Best regards,<br>
>      >                 Răzvan<br>
>      ><br>
>      >                 On 6/12/19 3:34 PM, Sasmita Panda wrote:<br>
>      >                  > I am using opensips 2.2<br>
>      >                  >   version: opensips 2.2.4 (x86_64/linux)<br>
>      >                  ><br>
>      >                  > I am using the proto_wss and tls_mgm module for establishing websocket<br>
>      >                  > connection.<br>
>      >                  ><br>
>      >                  > I am getting below error again and again. What's the reason behind this<br>
>      >                  > and how can I solve this problem?<br>
>      >                  ><br>
>      >                  ><br>
>      >                  > Jun 10 00:00:15 localhost /usr/sbin/opensips[1548]: INFO:core:probe_max_sock_buff: using snd buffer of 416 kb<br>
>      >                  > Jun 10 00:00:15 localhost /usr/sbin/opensips[1548]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 96<br>
>      >                  > Jun 10 00:00:15 localhost /usr/sbin/opensips[1546]: ERROR:proto_wss:tls_accept: New TLS connection from 192.168.160.6:58616 failed to accept<br>
>      >                  > Jun 10 00:00:15 localhost /usr/sbin/opensips[1546]: ERROR:proto_wss:wss_read_req: cannot fix read connection<br>
>      >                  > Jun 10 00:00:17 localhost /usr/sbin/opensips[1548]: INFO:core:probe_max_sock_buff: using snd buffer of 416 kb<br>
>      >                  > Jun 10 00:00:17 localhost /usr/sbin/opensips[1548]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 96<br>
>      >                  > Jun 10 00:00:17 localhost /usr/sbin/opensips[1546]: ERROR:proto_wss:tls_accept: New TLS connection from 192.168.175.59:12918 failed to accept<br>
>      >                  > Jun 10 00:00:17 localhost /usr/sbin/opensips[1546]: ERROR:proto_wss:wss_read_req: cannot fix read connection<br>
>      >                  ><br>
>      >                  ><br>
>      >                  > Please do help .<br>
>      >                  ><br>
>      >                  ><br>
>      >                  ><br>
>      >                  > */Thanks & Regards/*<br>
>      >                  > /Sasmita Panda/<br>
>      >                  > /Senior Network Testing and Software Engineer/<br>
>      >                  > /3CLogic , ph:07827611765/<br>
>      >                  ><br>
>      >                  > _______________________________________________<br>
>      >                  > Users mailing list<br>
>      >                  > <a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
>      >                  > <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
>      >                  ><br>
>      ><br>
>      >                 --<br>
>      >                 Răzvan Crainea<br>
>      >                 OpenSIPS Core Developer<br>
>      > <a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a><br>
>      ><br>
>      ><br>
>      ><br>
>      ><br>
>      ><br>
> <br>
>     -- <br>
>     Răzvan Crainea<br>
>     OpenSIPS Core Developer<br>
>     <a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a><br>
> <br>
> <br>
> <br>
> <br>
<br>
-- <br>
Răzvan Crainea<br>
OpenSIPS Core Developer<br>
   <a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a><br>
<br>
</blockquote></div>
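The thread turns on where in the handshake each connection ended. The Python below is an added example, not part of the original messages and not OpenSIPS code: it parses ssldump records like the ones quoted above and names the stage at which each connection stopped. The function names are hypothetical, and connection #21 is a constructed record set showing what a refused ClientHello looks like next to the two connections from the thread.

```python
import re

# Connections #19 and #20 are the ssldump records quoted in the thread (two
# run-together records separated). #21 is constructed for contrast: a server
# that answers the ClientHello with an alert instead of a ServerHello.
TRACE = """\
New TCP connection #19: 192.168.1.y(48530) <-> 192.168.0.x(443)
19    0.0011 (0.0011)  C>S  TCP FIN
19    0.0013 (0.0001)  S>C  TCP FIN
New TCP connection #20: 192.168.0.y(52975) <-> 192.168.0.x(443)
20 1  0.0006 (0.0006)  C>S  Handshake      ClientHello
20 2  0.0008 (0.0002)  S>C  Handshake      ServerHello
20 3  0.0008 (0.0000)  S>C  Handshake      Certificate
20 4  0.0008 (0.0000)  S>C  Handshake      ServerHelloDone
20 5  0.0020 (0.0011)  C>S  Handshake      ClientKeyExchange
20 6  0.0020 (0.0000)  C>S  ChangeCipherSpec
20 7  0.0020 (0.0000)  C>S  Handshake
20 8  0.0036 (0.0015)  S>C  Handshake
20 9  0.0036 (0.0000)  S>C  ChangeCipherSpec
20 10 0.0036 (0.0000)  S>C  Handshake
20 11 0.0042 (0.0006)  C>S  Alert
20    0.0042 (0.0000)  C>S  TCP FIN
20    0.0043 (0.0000)  S>C  TCP FIN
New TCP connection #21: 192.168.0.z(40000) <-> 192.168.0.x(443)
21 1  0.0005 (0.0005)  C>S  Handshake      ClientHello
21 2  0.0007 (0.0002)  S>C  Alert
21    0.0008 (0.0001)  S>C  TCP FIN
"""

NEW_CONN = re.compile(r"^New TCP connection #(\d+):")
RECORD = re.compile(
    r"^(\d+)\s+(?:\d+\s+)?[\d.]+\s+\([\d.]+\)\s+([CS])>[CS]\s+(.+)$")

def parse(trace):
    """Group ssldump records by connection number as (sender, record) pairs."""
    conns = {}
    for line in trace.splitlines():
        if m := NEW_CONN.match(line):
            conns[int(m.group(1))] = []
        elif m := RECORD.match(line.rstrip()):
            conns.setdefault(int(m.group(1)), []).append(
                (m.group(2), " ".join(m.group(3).split())))
    return conns

def classify(events):
    """Name the handshake stage at which the connection ended."""
    seen = set()
    for sender, record in events:
        if record == "Alert":
            who = "client" if sender == "C" else "server"
            if {("C", "ChangeCipherSpec"), ("S", "ChangeCipherSpec")} <= seen:
                return f"{who} alert after both sides switched to the negotiated cipher"
            if ("S", "Handshake ServerHello") in seen:
                return f"{who} alert during key exchange or certificate processing"
            return f"{who} alert before ServerHello (version or cipher negotiation)"
        seen.add((sender, record))
    if all(record == "TCP FIN" for _, record in events):
        return "closed before any TLS record was sent"
    return "no alert recorded"

def report(trace):
    """Map each connection number to the stage at which it ended."""
    return {num: classify(events) for num, events in parse(trace).items()}
```

Records sent after ChangeCipherSpec are encrypted, so for a connection like #20 ssldump without the server key shows only that an alert was sent, not whether it was a normal close_notify or a fatal alert.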