<div dir="ltr">Hello Bogdan,<br><br><div>I just wrote casually. My intention was not to be rude or anything else; still, it's my bad if anyone's feelings were hurt.</div><div><br></div><div>As you say, <span style="font-family:monospace">the party you are trying to connect to (</span><a href="http://1.2.3.4:40945/" target="_blank" style="font-family:monospace">1.2.3.4:40945</a><span style="font-family:monospace">) is not accepting your connection. I checked that, but can you please tell me what kind of thing I have to check? I mean, on the OpenSIPS side or in the Blink user configuration? I have also added the TLS certificate in the user configuration.</span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">Is any configuration wrong in the OpenSIPS module parameters for the TLS service?</span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">Many Thanks </span></div><div><span style="font-family:monospace">Devang</span></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 17, 2021 at 1:32 PM Bogdan-Andrei Iancu &lt;<a href="mailto:bogdan@opensips.org">bogdan@opensips.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <font face="monospace">It is quite impolite and rude to put pressure
      here. This is a public, free list where people voluntarily
      offer help as they can, with no obligation at all.<br>
      <br>
      Now, in terms of your issue - with a bit of an effort, you can
      read the logs which tell you what the problem is "Connection
      refused", or, the party you are trying to connect to
      (<a href="http://1.2.3.4:40945" target="_blank">1.2.3.4:40945</a>) is not accepting your connection.<br>
      <br>
      Regards, </font><br>
    <pre cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
OpenSIPS eBootcamp 2021 
  <a href="https://opensips.org/training/OpenSIPS_eBootcamp_2021/" target="_blank">https://opensips.org/training/OpenSIPS_eBootcamp_2021/</a></pre>
    <div>On 11/17/21 8:13 AM, Devang Dhandhalya
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">It's the 9th day and I am still not getting any response.
        Can anyone please suggest a solution to this issue?
        <div><br>
        </div>
        <div>Many Thanks </div>
        <div>Devang</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Tue, Nov 9, 2021 at 4:35 PM
          Devang Dhandhalya &lt;<a href="mailto:devang.dhandhalya@ecosmob.com" target="_blank">devang.dhandhalya@ecosmob.com</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div dir="ltr">
            <div><font face="arial, sans-serif">Hi All </font></div>
            <div><font face="arial, sans-serif"><br>
              </font></div>
            <div><font face="arial, sans-serif">I am trying to implement
                OpenSIPS with TLS support on a local machine. I
                generated the TLS server (rootCA) and TLS client (user)
                certificates using opensips-cli.</font></div>
            <div><font face="arial, sans-serif">Softphone: Blink,
                version: 5.1.7</font></div>
            <div><font face="arial, sans-serif">OpenSIPS version: 3.2.2</font></div>
            <div><font face="arial, sans-serif">Registration with TLS is
                working fine, but at the time of calling I get the
                error below. I checked the logs at DBG level.</font></div>
            <div><font face="arial, sans-serif">From User A to the OpenSIPS
                server the TLS handshake works fine, but from OpenSIPS
                to User B the TLS handshake fails. Please suggest
                how to resolve this.</font></div>
            <div><span style="font-family:arial,sans-serif"> </span><br>
            </div>
            <div>
              <pre style="white-space:pre-wrap;color:rgb(0,0,0)"><font face="arial, sans-serif">INFO level Logs :</font></pre>
            </div>
            <div><font face="arial, sans-serif">ERROR:core:tcp_async_connect:
                poll error: flags 1c<br>
                ERROR:core:tcp_async_connect: failed to retrieve
                SO_ERROR [server=<a href="http://1.2.3.4:40945" target="_blank">1.2.3.4:40945</a>]
                (111) Connection refused<br>
                ERROR:proto_tls:proto_tls_send: async TCP connect failed<br>
                ERROR:tm:msg_send: send() to <a href="http://1.2.3.4:40945" target="_blank">1.2.3.4:40945</a> for proto
                tls/3 failed<br>
                ERROR:tm:t_forward_nonack: sending request failed<br>
                ERROR:tls_openssl:openssl_tls_async_connect: New TLS
                connection to <a href="http://1.2.3.4:34463" target="_blank">1.2.3.4:34463</a>
                failed<br>
                ERROR:tls_openssl:openssl_tls_async_connect: TLS error:
                1 (ret=-1) err=Success(0)<br>
                ERROR:tls_openssl:tls_print_errstack: TLS errstack:
                error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
                handshake failure<br>
                ERROR:proto_tls:tls_read_req: failed to do pre-tls
                handshake!<br>
              </font></div>
            <div><font face="arial, sans-serif"><br>
              </font></div>
            <div><font face="arial, sans-serif">DBG level Logs : </font></div>
            <div><font face="arial, sans-serif"><br>
                DBG:core:parse_msg: SIP Request:<br>
                DBG:core:parse_msg:  method:  &lt;INVITE&gt;<br>
                DBG:core:parse_msg:  uri:    
                &lt;sip:14682973@1.2.3.4:34463;transport=tls&gt;<br>
                DBG:core:parse_msg:  version: &lt;SIP/2.0&gt;<br>
                DBG:core:parse_headers: flags=ffffffffffffffff<br>
                DBG:core:parse_via_param: found param type 232,
                &lt;branch&gt; = &lt;z9hG4bK14b8.6a972877.0&gt;; state=6<br>
                DBG:core:parse_via_param: found param type 236,
                &lt;i&gt; = &lt;d7b6e394&gt;; state=16<br>
                DBG:core:parse_via: end of header reached, state=5<br>
                DBG:core:parse_headers: via found,
                flags=ffffffffffffffff<br>
                DBG:core:parse_headers: this is the first via<br>
                DBG:core:parse_via_param: found param type 234,
                &lt;received&gt; = &lt;1.2.3.4&gt;; state=6<br>
                DBG:core:parse_via_param: found param type 235,
                &lt;rport&gt; = &lt;38119&gt;; state=6<br>
                DBG:core:parse_via_param: found param type 232,
                &lt;branch&gt; =
                &lt;z9hG4bKPja1ee2137-d7f4-4744-89e1-ff53b4b0b06b&gt;;
                state=6<br>
                DBG:core:parse_via_param: found param type 237,
                &lt;alias&gt; = &lt;n/a&gt;; state=16<br>
                DBG:core:parse_via: end of header reached, state=5<br>
                DBG:core:parse_headers: via found,
                flags=ffffffffffffffff<br>
                DBG:core:parse_headers: parse_headers: this is the
                second via<br>
                DBG:core:_parse_to: end of header reached, state=10<br>
                DBG:core:_parse_to: display={}, ruri={<a href="mailto:sip%3A1001@1.2.3.4" target="_blank">sip:1001@1.2.3.4</a>}<br>
                DBG:core:get_hdr_field: &lt;To&gt; [26]; uri=[<a href="mailto:sip%3A1001@1.2.3.4" target="_blank">sip:1001@1.2.3.4</a>]<br>
                DBG:core:get_hdr_field: to body [&lt;<a href="mailto:sip%3A1001@1.2.3.4" target="_blank">sip:1001@1.2.3.4</a>&gt;#015#012]<br>
                DBG:core:get_hdr_field: cseq &lt;CSeq&gt;: &lt;14318&gt;
                &lt;INVITE&gt;<br>
                DBG:core:get_hdr_field: content_length=717<br>
                DBG:core:get_hdr_field: found end of header<br>
                DBG:core:parse_headers: flags=ffffffffffffffff<br>
                DBG:proto_tls:proto_tls_send: no open tcp connection
                found, opening new one, async = 1<br>
                DBG:core:probe_max_sock_buff: getsockopt: snd is
                initially 16384<br>
                DBG:core:probe_max_sock_buff: using snd buffer of 416 kb<br>
                DBG:core:init_sock_keepalive: TCP keepalive enabled on
                socket 141<br>
                DBG:core:print_ip: tcpconn_new: new tcp connection to:
                1.2.3.4<br>
                DBG:core:tcpconn_new: on port 34463, proto 3<br>
                DBG:tls_mgm:tls_find_client_domain: found TLS client
                domain: dom2<br>
                DBG:tls_openssl:openssl_tls_conn_init: Creating a whole
                new ssl connection<br>
                DBG:tls_openssl:openssl_tls_conn_init: Setting in
                CONNECT mode (client)<br>
                DBG:proto_tls:proto_tls_send: Successfully connected
                from interface <a href="http://1.2.3.4:34463" target="_blank">1.2.3.4:34463</a>
                to <a href="http://1.2.3.4:36463" target="_blank">1.2.3.4:36463</a>!<br>
                DBG:proto_tls:proto_tls_send: First TCP connect attempt
                succeeded in less than 100ms, proceed to TLS connect<br>
                DBG:tls_openssl:openssl_tls_update_fd: New fd is 141<br>
                DBG:core:handle_worker: read response= 7f83eb6b5118, 2,
                fd 119 from 8 (17254)<br>
                DBG:core:tcpconn_add: hashes: 607, 894<br>
                DBG:core:io_watch_add: [TCP_main] io_watch_add op (119
                on 5) (0x55fd3f789ae0, 119, 19, 0x7f83eb6b5118,1),
                fd_no=27/1024<br>
                DBG:core:handle_tcpconn_ev: data available on
                0x7f83eb6b5118 119<br>
                DBG:core:io_watch_del: [TCP_main] io_watch_del op on
                index 2 119 (0x55fd3f789ae0, 119, 2, 0x0,0x1) fd_no=28
                called<br>
                DBG:core:send2worker: to tcp worker 1 (0),
                0x7f83eb6b5118 rw 1<br>
                DBG:core:handle_io: We have received conn 0x7f83eb6b5118
                with rw 1 on fd 5<br>
                DBG:core:io_watch_add: [TCP_worker] io_watch_add op (5
                on 102) (0x55fd3f789ae0, 5, 19, 0x7f83eb6b5118,1),
                fd_no=4/1024<br>
                DBG:proto_tls:tls_read_req: Using the global ( per
                process ) buff<br>
                DBG:tls_openssl:openssl_tls_async_connect: handshake
                timeout for connection 0x7f83eb6b5118 10ms elapsed<br>
                DBG:tls_openssl:openssl_tls_update_fd: New fd is 5</font></div>
            <div><font face="arial, sans-serif"><br>
                ERROR:tls_openssl:openssl_tls_async_connect: New TLS
                connection to <a href="http://1.2.3.4:34463" target="_blank">1.2.3.4:34463</a>
                failed<br>
                ERROR:tls_openssl:openssl_tls_async_connect: TLS error:
                1 (ret=-1) err=Success(0)<br>
                ERROR:tls_openssl:tls_print_errstack: TLS errstack:
                error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
                handshake failure<br>
                ERROR:proto_tls:tls_read_req: failed to do pre-tls
                handshake!</font></div>
            <div><font face="arial, sans-serif"><br>
                DBG:proto_tls:proto_tls_send: Successfully started async
                SSL connection<br>
                DBG:core:io_watch_del: [TCP_worker] io_watch_del op on
                index 0 5 (0x55fd3f789ae0, 5, 0, 0x10,0x3) fd_no=5
                called<br>
                DBG:core:tcpconn_release:  releasing con 0x7f83eb6b5118,
                state -2, fd=5, id=1228827518<br>
                DBG:core:tcpconn_release:  extra_data 0x7f83eb6bdd50<br>
                DBG:tm:insert_timer_unsafe: [0]: 0x7f83eb6a9320 (12)<br>
                DBG:core:tcpconn_release:  releasing con 0x7f83eb6b5118,
                state -3, fd=-1, id=1228827518<br>
                DBG:tm:t_relay_to: new transaction fwd'ed<br>
                DBG:core:tcpconn_release:  extra_data 0x7f83eb6bdd50<br>
                DBG:tm:do_t_cleanup: transaction 0x7f83eb6a90d0 already
                updated! Skipping update!<br>
                DBG:tm:t_unref: UNREF_UNSAFE: [0x7f83eb6a90d0] after is
                0<br>
                DBG:core:destroy_avp_list: destroying list (nil)<br>
                DBG:core:receive_msg: cleaning up<br>
                DBG:proto_tls:tls_read_req: tls_read_req end<br>
                DBG:core:handle_tcp_worker: response= 7f83eb6b5118, -3
                from tcp worker 0 (1)<br>
                DBG:core:tcpconn_destroy: delaying (0x7f83eb6b5118,
                flags 0038) ref = 1 ...<br>
                DBG:core:handle_tcp_worker: response= 7f83eb6b5118, -2
                from tcp worker 0 (0)<br>
                DBG:core:tcpconn_destroy: destroying connection
                0x7f83eb6b5118, flags 0038<br>
                DBG:tls_openssl:openssl_tls_update_fd: New fd is 119<br>
                DBG:tm:utimer_routine: timer routine:4,tl=0x7f83eb6a5d18
                next=(nil), timeout=7700000<br>
                DBG:tm:retransmission_handler: retransmission_handler :
                request resending (t=0x7f83eb6a5af8, PUBLISH s ... )<br>
                root@devang-MS-7817:/usr/local/etc/opensips/range# <br>
              </font></div>
            <div><font face="arial, sans-serif"><br>
              </font></div>
            <div>
              <pre style="white-space:pre-wrap;color:rgb(0,0,0)"><span style="font-size:14px;white-space:normal"><font face="arial, sans-serif">I am following this OpenSIPS TLS config:</font></span></pre>
              <pre style="white-space:pre-wrap;color:rgb(0,0,0)"><font face="arial, sans-serif">socket=udp:1.2.3.4:5060
socket=tcp:1.2.3.4:5060
socket=tls:1.2.3.4:5061
loadmodule "tls_openssl.so"</font></pre>
            </div>
            <font face="arial, sans-serif"><br>
              loadmodule "tls_mgm.so"<br>
              # -------- TLS SERVER Certificate ---------#<br>
              modparam("tls_mgm", "server_domain", "dom1")<br>
              modparam("tls_mgm", "match_sip_domain", "[dom1]devang.com")<br>
              modparam("tls_mgm", "match_ip_address", "[dom1]1.2.3.4:5061")<br>
              modparam("tls_mgm", "verify_cert", "[dom1]0")<br>
              modparam("tls_mgm", "require_cert", "[dom1]0")<br>
              modparam("tls_mgm", "tls_method", "[dom1]-")<br>
              modparam("tls_mgm", "certificate",
              "[dom1]/usr/local/etc/opensips/tls/rootCA/ca_cert.pem")<br>
              modparam("tls_mgm", "private_key",
              "[dom1]/usr/local/etc/opensips/tls/rootCA/private_key.pem")<br>
              <br>
              # --------- TLS CLIENT CERTIFICATE --------#<br>
              modparam("tls_mgm", "client_domain", "dom2")<br>
              modparam("tls_mgm", "match_sip_domain", "[dom2]*")<br>
              modparam("tls_mgm", "match_ip_address", "[dom2]*")<br>
              modparam("tls_mgm", "verify_cert", "[dom2]0")<br>
              modparam("tls_mgm", "require_cert", "[dom2]0")<br>
              modparam("tls_mgm", "tls_method", "[dom2]-")<br>
              modparam("tls_mgm", "certificate",
              "[dom2]/usr/local/etc/opensips/tls/user/user-cert.pem")<br>
              modparam("tls_mgm", "private_key",
              "[dom2]/usr/local/etc/opensips/tls/user/user-privkey.pem")<br>
              modparam("tls_mgm", "ca_list",
              "[dom2]/usr/local/etc/opensips/tls/user/user-calist.pem")<br>
              <br>
              <br>
              loadmodule "proto_tls.so"</font>
            <div><font face="arial, sans-serif"><br>
              </font></div>
            <div>
              <pre style="color:rgb(0,0,0)">Checking the connection with s_client shows the following:</pre>
            </div>
            <div>openssl s_client -showcerts -debug -connect <a href="http://1.2.3.4:5061" target="_blank">1.2.3.4:5061</a> -bugs<br>
            </div>
            <div>CONNECTED(00000005)<br>
            </div>
            <div>140510082113984:error:14094458:SSL
              routines:ssl3_read_bytes:tlsv1 unrecognized
              name:../ssl/record/rec_layer_s3.c:1528:SSL alert number
              112<br>
            </div>
            <div>no peer certificate available<br>
              ---<br>
              No client certificate CA names sent<br>
              ---<br>
              SSL handshake has read 7 bytes and written 517 bytes<br>
              Verification: OK<br>
              ---<br>
              New, (NONE), Cipher is (NONE)<br>
              Secure Renegotiation IS NOT supported<br>
              Compression: NONE<br>
              Expansion: NONE<br>
              No ALPN negotiated<br>
              Early data was not sent<br>
              Verify return code: 0 (ok)<font face="arial, sans-serif"><br>
              </font></div>
            <div><font face="arial, sans-serif"><br>
                <span style="color:rgb(0,0,0);font-size:14px"><br>
                </span></font>
              <div><font face="arial, sans-serif">Can anyone tell me
                  what I might be missing in the TLS config, or </font><span style="color:rgb(0,0,0)">please advise how to resolve
                  this SSL </span><span style="color:rgb(0,0,0)">handshake
                  failure.</span></div>
              <br>
              <div><font face="arial, sans-serif"><br>
                </font></div>
              <div><font face="arial, sans-serif">Many Thanks </font></div>
              <div><font face="arial, sans-serif">Devang<br>
                </font>
                <div><font face="arial, sans-serif"><br></font><br>
                </div>
              </div>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
      <div><font style="background-color:white" size="2" face="Arial" color="#808080"><b>Disclaimer</b></font></div>
      <div>
        <div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small">In
            addition to generic Disclaimer which you have agreed on our
            website, any views or opinions presented in this email are
            solely those of the originator and do not necessarily
            represent those of the Company or its sister concerns. Any
            liability (in negligence, contract or otherwise) arising
            from any third party taking any action, or refraining from
            taking any action on the basis of any of the information
            contained in this email is hereby excluded.</span></div>
      </div>
      <div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small"><br>
        </span></div>
      <div><font style="background-color:white" size="2" face="Arial" color="#808080"><b>Confidentiality</b></font></div>
      <div><font style="background-color:white" size="2" face="Arial" color="#808080">This communication (including any
          attachment/s) is intended only for the use of the addressee(s)
          and contains information that is PRIVILEGED AND CONFIDENTIAL.
          Unauthorized reading, dissemination, distribution, or copying
          of this communication is prohibited. Please inform originator
          if you have received it in error.</font></div>
      <div><font style="background-color:white" size="2" face="Arial" color="#808080"><br>
        </font></div>
      <div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small"><b>Caution
            for viruses, malware etc.</b></span></div>
      <div><font style="background-color:white" size="2" face="Arial" color="#808080">This communication, including any attachments,
          may not be free of viruses, trojans, similar or new
          contaminants/malware, interceptions or interference, and may
          not be compatible with your systems. You shall carry out
          virus/malware scanning on your own before opening any
          attachment to this e-mail. The sender of this e-mail and
          Company including its sister concerns shall not be liable for
          any damage that may incur to you as a result of viruses,
          incompleteness of this message, a delay in receipt of this
          message or any other computer problems. </font></div>
      <br>
      <fieldset></fieldset>
      <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
    </blockquote>
    <br>
  </div>

</blockquote></div>
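<div>Added example, not part of the original thread or of OpenSIPS: a small triage script that separates the two kinds of failure visible in the quoted logs, a TCP-level refusal (errno 111, TLS never starts) and a TLS alert received from the peer, by decoding the OpenSSL error codes. It assumes the OpenSSL 1.0.x/1.1.x error-code layout that matches the 8-digit codes above; the sample lines are copied from the logs in this thread and joined onto single lines, and all function names are hypothetical.</div>

```python
import re

# OpenSSL 1.0.x/1.1.x pack an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
# OpenSSL 3.x uses a different layout, so this decoder only fits codes like those in the thread.
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000  # for an alert received from the peer: reason = 1000 + alert number

# TLS alert descriptions (RFC 5246, RFC 6066); a subset, extend as needed.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    112: "unrecognized_name",
}

TCP_RE = re.compile(r"SO_ERROR \[server=([^\]]+)\]\s*\((\d+)\)\s*(.+)")
SSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:([^:]+):")


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.x error code and derive the TLS alert, if any."""
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET < reason <= SSL_AD_REASON_OFFSET + 255:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": TLS_ALERTS.get(alert)}


def classify(line):
    """Return a finding dict for a log line, or None if the line is not a failure cause."""
    m = TCP_RE.search(line)
    if m:
        # The socket never connected, so no TLS handshake was attempted on this connection.
        return {"layer": "tcp", "peer": m.group(1),
                "errno": int(m.group(2)), "detail": m.group(3).strip()}
    m = SSL_RE.search(line)
    if m:
        info = decode_openssl_error(m.group(1))
        if info["alert"] is not None:
            return {"layer": "tls", "function": m.group(2), "alert": info["alert"],
                    "detail": info["alert_name"] or "unknown alert"}
        return {"layer": "tls", "function": m.group(2), "alert": None,
                "detail": "local OpenSSL error, reason %d" % info["reason"]}
    return None


def triage(lines):
    return [finding for finding in map(classify, lines) if finding]


# Lines copied from the thread's logs (unwrapped); the second one is a non-cause line.
SAMPLE_LINES = [
    "ERROR:core:tcp_async_connect: failed to retrieve SO_ERROR [server=1.2.3.4:40945] (111) Connection refused",
    "ERROR:proto_tls:proto_tls_send: async TCP connect failed",
    "ERROR:tls_openssl:tls_print_errstack: TLS errstack: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure",
    "140510082113984:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1528:SSL alert number 112",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

<div>On the sample lines this reports one TCP refusal for 1.2.3.4:40945, one received handshake_failure alert (40) and one received unrecognized_name alert (112), which are three separate conditions to check rather than one.</div>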
