<div dir="ltr">Good morning all<div><br></div><div>Can anyone clarify whether the TLS domain in SAN is supported or not please?</div><div><br></div><div>Many thanks</div><div>Mark.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 13 Nov 2020 at 15:59, Kevin Vines <<a href="mailto:kevin.vines@gmail.com">kevin.vines@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div style="background-color:rgb(255,255,255);line-height:initial"><div id="gmail-m_8643232066864092418response_container_BBPPID" style="outline:none" dir="auto"> <div name="BB10" id="gmail-m_8643232066864092418BB10_response_div_BBPPID" dir="auto" style="width:100%"> You got me there... the doc states</div><div name="BB10" id="gmail-m_8643232066864092418BB10_response_div_BBPPID" dir="auto" style="width:100%"><br></div><div name="BB10" id="gmail-m_8643232066864092418BB10_response_div_BBPPID" dir="auto" style="width:100%"><pre style="background-color:rgb(255,255,255);font-size:10pt;font-family:"Courier New",monospace">OpenSIPS offers SIP service for multiple
<span id="gmail-m_8643232066864092418l_219" style="color:rgb(85,85,85)">  219 </span>   domains, e.g. <a href="http://atlanta.com" target="_blank">atlanta.com</a> and <a href="http://biloxi.com" target="_blank">biloxi.com</a>. Although both domains
<span id="gmail-m_8643232066864092418l_220" style="color:rgb(85,85,85)">  220 </span>   will be hosted on a single SIP proxy, the SIP proxy needs 2
<span id="gmail-m_8643232066864092418l_221" style="color:rgb(85,85,85)">  221 </span>   certificates: One for <a href="http://atlanta.com" target="_blank">atlanta.com</a> and one for <a href="http://biloxi.com" target="_blank">biloxi.com</a>. For
<span id="gmail-m_8643232066864092418l_222" style="color:rgb(85,85,85)">  222 </span>   incoming TLS connections</pre><pre style="background-color:rgb(255,255,255);font-size:10pt;font-family:"Courier New",monospace"><br></pre><pre style="background-color:rgb(255,255,255);font-size:10pt;font-family:"Courier New",monospace"><span style="font-family:initial;font-size:initial">If you need one cert per domain, maybe it implies that you need to have the domain as the CN instead of a SAN?</span></pre><pre style="background-color:rgb(255,255,255);font-size:10pt;font-family:"Courier New",monospace"><span style="font-family:initial;font-size:initial"><br></span></pre><pre style="background-color:rgb(255,255,255);font-size:10pt;font-family:"Courier New",monospace"><span style="font-family:initial;font-size:initial">Kevin </span></pre></div></div><div id="gmail-m_8643232066864092418_original_msg_header_BBPPID" dir="auto">                                                                                                                                             <table width="100%" style="border-spacing:0px;display:table;outline:none"><tbody><tr><td colspan="2" style="font-size:initial;text-align:initial">                           <div style="border-style:solid none none;border-top-width:1pt;border-top-color:rgb(181,196,223);padding:3pt 0in 0in;font-family:Tahoma,"BB Alpha Sans","Slate Pro";font-size:10pt">  <div id="gmail-m_8643232066864092418from"><b>From:</b> <a href="mailto:farmorg@gmail.com" target="_blank">farmorg@gmail.com</a></div><div id="gmail-m_8643232066864092418sent"><b>Sent:</b> November 13, 2020 10:43 a.m.</div><div id="gmail-m_8643232066864092418to"><b>To:</b> <a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a></div><div id="gmail-m_8643232066864092418reply_to"><b>Reply to:</b> <a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a></div><div id="gmail-m_8643232066864092418subject"><b>Subject:</b> 
Re: [OpenSIPS-Users] Teams TLS Error</div></div></td></tr></tbody></table> <br> </div><div name="BB10" dir="auto" style="line-height:initial;outline:none"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">OK so now I have this:<br><div><br></div><div><div>modparam("tls_mgm","certificate", "[<a href="http://my.domain.name" target="_blank">my.domain.name</a>]/usr/local/etc/opensips/tls/<a href="http://myCert.pem" target="_blank">myCert.pem</a>")</div><div>modparam("tls_mgm","private_key", "[<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium"><a href="http://my.domain.name" target="_blank">my.domain.name</a></span>]/usr/local/etc/opensips/tls/<a href="http://myKey.key" target="_blank">myKey.key</a>")</div><div>modparam("tls_mgm","ca_dir", "/etc/ssl/certs")</div><div>modparam("tls_mgm","verify_cert", "[<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium"><a href="http://my.domain.name" target="_blank">my.domain.name</a></span>]1")</div><div>modparam("tls_mgm","require_cert", "[<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium"><a href="http://my.domain.name" target="_blank">my.domain.name</a></span>]1")</div><div>modparam("tls_mgm","tls_method", "[<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium"><a href="http://my.domain.name" target="_blank">my.domain.name</a></span>]TLSv1_2")</div><div>modparam("tls_mgm", "match_sip_domain", "<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium"><a href="http://my.domain.name" target="_blank">my.domain.name</a></span>")</div></div><div><br></div><div>But now it claims that <a href="http://my.domain.name" target="_blank">my.domain.name</a>  is not defined in <a href="http://myCert.pem" target="_blank">myCert.pem</a></div><div>I know it is - it is in a SAN within the certificate.</div><div><br></div><div>Any suggestions?</div><div>Many 
thanks</div><div>Mark.</div><div><br></div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 13 Nov 2020 at 15:12, Kevin Vines <<a href="mailto:kevin.vines@gmail.com" target="_blank">kevin.vines@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div style="background-color:rgb(255,255,255)"><div id="gmail-m_8643232066864092418gmail-m_9038209434663990990response_container_BBPPID" style="outline:none" dir="auto"> <div id="gmail-m_8643232066864092418gmail-m_9038209434663990990BB10_response_div_BBPPID" dir="auto" style="width:100%"> Hi Mark,</div><div id="gmail-m_8643232066864092418gmail-m_9038209434663990990BB10_response_div_BBPPID" dir="auto" style="width:100%"><br></div><div id="gmail-m_8643232066864092418gmail-m_9038209434663990990BB10_response_div_BBPPID" dir="auto" style="width:100%">Based on some googling it looks like you need to specify the domain eg:</div><div id="gmail-m_8643232066864092418gmail-m_9038209434663990990BB10_response_div_BBPPID" dir="auto" style="width:100%"><br></div><div id="gmail-m_8643232066864092418gmail-m_9038209434663990990BB10_response_div_BBPPID" dir="auto" style="width:100%">modparam("tls_mgm","verify_cert", "[<a href="http://domain.com" target="_blank">domain.com</a>]1")</div>                                                                                                                                      <div id="gmail-m_8643232066864092418gmail-m_9038209434663990990response_div_spacer_BBPPID" dir="auto" style="width:100%"> <br></div><div id="gmail-m_8643232066864092418gmail-m_9038209434663990990response_div_spacer_BBPPID" dir="auto" style="width:100%"><a href="https://fossies.org/linux/opensips/modules/tls_mgm/README" target="_blank">https://fossies.org/linux/opensips/modules/tls_mgm/README</a></div> <div 
id="gmail-m_8643232066864092418gmail-m_9038209434663990990blackberry_signature_BBPPID" dir="auto">     <div id="gmail-m_8643232066864092418gmail-m_9038209434663990990_signaturePlaceholder_BBPPID" dir="auto"><p dir="ltr">Kevin <br></p></div> </div></div><div id="gmail-m_8643232066864092418gmail-m_9038209434663990990_original_msg_header_BBPPID" dir="auto">                                                                                                                                             <table id="gmail-m_8643232066864092418gmail-m_9038209434663990990_pHCWrapper_BBPPID" width="100%" style="border-spacing:0px;display:table;outline:none"><tbody><tr><td colspan="2">                           <div style="border-style:solid none none;border-top-width:1pt;border-top-color:rgb(181,196,223);padding:3pt 0in 0in;font-family:tahoma,"bb alpha sans","slate pro";font-size:10pt">  <div id="gmail-m_8643232066864092418gmail-m_9038209434663990990from"><b>From:</b> <a href="mailto:farmorg@gmail.com" target="_blank">farmorg@gmail.com</a></div><div id="gmail-m_8643232066864092418gmail-m_9038209434663990990sent"><b>Sent:</b> November 13, 2020 9:49 a.m.</div><div id="gmail-m_8643232066864092418gmail-m_9038209434663990990to"><b>To:</b> <a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a></div><div id="gmail-m_8643232066864092418gmail-m_9038209434663990990reply_to"><b>Reply to:</b> <a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a></div><div id="gmail-m_8643232066864092418gmail-m_9038209434663990990subject"><b>Subject:</b> [OpenSIPS-Users] Teams TLS Error</div></div></td></tr></tbody></table> <br> </div><div dir="auto" style="outline:none"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi everyone<br><div dir="ltr"></div><div><br></div><div>OpenSIPS 3.1.0</div><div><br></div><div>I am following the OpenSIPS as Teams SBC guide and have added the TLS 
config:</div><div><br></div><div><div>modparam("tls_mgm","verify_cert", "1")</div><div>modparam("tls_mgm","require_cert", "1")</div><div>modparam("tls_mgm","tls_method", "TLSv1_2")</div><div>modparam("tls_mgm","certificate", "/usr/local/etc/opensips/tls/<a href="http://myCert.pem" target="_blank">myCert.pem</a>")</div><div>modparam("tls_mgm","private_key", "/usr/local/etc/opensips/tls/<a href="http://myKey.key" target="_blank">myKey.key</a>")</div><div>modparam("tls_mgm", "ca_dir", "/etc/ssl/certs")</div></div><div><br></div><div>But I am seeing a TLS domain error:</div><div><br></div><div><div>Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain name</div><div>Nov 13 14:36:50 [175314] Traceback (last included file at the bottom):</div><div>Nov 13 14:36:50 [175314]  0. /usr/local//etc/opensips/<a href="http://opensips.cfg" target="_blank">opensips.cfg</a></div><div>Nov 13 14:36:50 [175314] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/<a href="http://opensips.cfg:191" target="_blank">opensips.cfg:191</a>:19-20: Parameter <verify_cert> not found in module <tls_mgm> - can't set</div><div>Nov 13 14:36:50 [175314] #modparam("tls_mgm", "require_cert", "[dom4]1")</div><div>Nov 13 14:36:50 [175314]</div><div>Nov 13 14:36:50 [175314] modparam("tls_mgm","verify_cert", "1")</div><div>Nov 13 14:36:50 [175314] ^~</div><div>Nov 13 14:36:50 [175314] modparam("tls_mgm","require_cert", "1")</div><div>Nov 13 14:36:50 [175314] modparam("tls_mgm","tls_method", "TLSv1_2")</div><div>Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm</div><div>Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: found <require_cert> in module tls_mgm [/usr/local/lib64/opensips/modules/]</div><div>Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain name</div></div><div><br></div><div>Can anyone tell me what I might be missing please?</div><div><br></div><div>Many 
thanks</div><div>Mark.</div><div><br></div></div></div></div>
</div></div>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr">Mark Farmer<br><a href="mailto:farmorg@gmail.com" target="_blank">farmorg@gmail.com</a></div>
</div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Mark Farmer<br><a href="mailto:farmorg@gmail.com" target="_blank">farmorg@gmail.com</a></div>
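The first post fails with `split_param_val: No TLS domain name`, and the reply suggests giving each value a `[domain]` prefix. As an added example (not part of the thread and not OpenSIPS code), this Python check flags tls_mgm values that lack that prefix; the parameter set and the name `lint_tls_mgm` are assumptions taken from the configurations quoted in the thread.

```python
import re
# Parameters the thread shows carrying a "[domain]" prefix. Assumed set, taken
# from the second configuration in the thread, not from the tls_mgm source.
PER_DOMAIN = {"certificate", "private_key", "verify_cert", "require_cert", "tls_method"}
# One modparam("tls_mgm", "<name>", "<value>") per line; "#modparam(...)" is skipped.
MODPARAM = re.compile(r'^\s*modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)')
PREFIX = re.compile(r'^\[([^\]]+)\](.*)$')

def lint_tls_mgm(cfg_text):
    """Return (findings, domains): findings is a list of (line, parameter,
    message); domains maps each [domain] name to its {parameter: value}."""
    findings, domains = [], {}
    for lineno, line in enumerate(cfg_text.splitlines(), 1):
        m = MODPARAM.match(line)
        if not m or m.group(1) not in PER_DOMAIN:
            continue
        name, value = m.groups()
        p = PREFIX.match(value)
        if p:
            domains.setdefault(p.group(1), {})[name] = p.group(2)
        else:
            findings.append((lineno, name, "value has no [domain] prefix"))
    # The prefixed form in the thread sets a certificate and a key for the
    # domain; report a domain that has only one of the two (line 0 = whole file).
    for dom, params in sorted(domains.items()):
        for need in ("certificate", "private_key"):
            if need not in params:
                findings.append((0, need, "not set for domain " + dom))
    return findings, domains

# Constructed samples modelled on the two configurations quoted in the thread.
BEFORE = '''\
modparam("tls_mgm","verify_cert", "1")
modparam("tls_mgm","require_cert", "1")
modparam("tls_mgm","tls_method", "TLSv1_2")
modparam("tls_mgm","certificate", "/usr/local/etc/opensips/tls/myCert.pem")
modparam("tls_mgm","private_key", "/usr/local/etc/opensips/tls/myKey.key")
modparam("tls_mgm", "ca_dir", "/etc/ssl/certs")
'''
AFTER = '''\
modparam("tls_mgm","certificate", "[my.domain.name]/usr/local/etc/opensips/tls/myCert.pem")
modparam("tls_mgm","private_key", "[my.domain.name]/usr/local/etc/opensips/tls/myKey.key")
modparam("tls_mgm","verify_cert", "[my.domain.name]1")
modparam("tls_mgm","tls_method", "[my.domain.name]TLSv1_2")
'''

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_tls_mgm(cfg)[0])
```

The check only looks at how the values are written in the file; it does not read the certificate, so it says nothing about whether a name is in the CN or a SAN.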