<div dir="ltr"><div></div><div>I was confused because I use a wildcard cert, so I only have one cert for server/client and any possible subdomain. I don't need to match server/client requests to different certs.</div><div>So I ended up with this config and it seems to work fine.</div><div>Thanks<br></div><div><br></div><div>loadmodule "tls_mgm.so"<br>modparam("tls_mgm", "tls_library", "wolfssl")</div><div><br></div><div>modparam("tls_mgm", "server_domain", "sd_1")<br>modparam("tls_mgm", "ca_list", "[sd_1]/etc/letsencrypt/fullchain.pem")<br>modparam("tls_mgm", "certificate", "[sd_1]/etc/letsencrypt/cert.pem")<br>modparam("tls_mgm", "private_key", "[sd_1]/etc/letsencrypt/privkey.pem")<br>modparam("tls_mgm", "require_cert", "[sd_1]0")<br>modparam("tls_mgm", "tls_method", "[sd_1]TLSv1-")<br>modparam("tls_mgm", "verify_cert", "[sd_1]0")<br>modparam("tls_mgm", "match_sip_domain", "[sd_1]*")<br>modparam("tls_mgm", "match_ip_address", "[sd_1]*")</div><div><br></div><div>modparam("tls_mgm", "client_domain", "cd_1")<br>modparam("tls_mgm", "ca_list", "[cd_1]/etc/letsencrypt/fullchain.pem")<br>modparam("tls_mgm", "certificate", "[cd_1]/etc/letsencrypt/cert.pem")<br>modparam("tls_mgm", "private_key", "[cd_1]/etc/letsencrypt/privkey.pem")<br>modparam("tls_mgm", "require_cert", "[cd_1]0")<br>modparam("tls_mgm", "tls_method", "[cd_1]TLSv1-")<br>modparam("tls_mgm", "verify_cert", "[cd_1]0")<br>modparam("tls_mgm", "match_sip_domain", "[cd_1]*")<br>modparam("tls_mgm", "match_ip_address", "[cd_1]*")<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 10 Feb 2022 at 07:59, Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org">bogdan@opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<font face="monospace">Hi Alberto,<br>
<br>
When OpenSIPS is about to create a new TLS connection, it has to
know what TLS certificate (client) to use for it.<br>
<br>
There are 2 ways of indicating that:<br>
<br>
* use "match_ip_address" [1] to map the TLS client domain to some
IPs you want to connect to via TLS<br>
<br>
* use "client_tls_domain_avp" [2] to manually select from script
which TLS domain is to be used - set the AVP before the t_relay() to
the TLS destination.<br>
<br>
<br>
[1]
<a href="https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_match_ip_address" target="_blank">https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_match_ip_address</a><br>
<br>
[2]
<a href="https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_client_tls_domain_avp" target="_blank">https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_client_tls_domain_avp</a><br>
<br>
Best regards,<br>
</font>
<pre cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
OpenSIPS eBootcamp
<a href="https://www.opensips.org/Training/Bootcamp" target="_blank">https://www.opensips.org/Training/Bootcamp</a></pre>
<div>On 2/4/22 2:40 PM, Alberto wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi,</div>
<div>I have a SIP client connecting to OpenSIPS using TLS, all
requests are then routed to an Asterisk server using
mid_registrar.</div>
<div><br>
</div>
<div>UDP to UDP and TCP to TCP work fine, but TLS doesn't.</div>
<div><br>
</div>
<div>This is the error, but I'm having a hard time understanding
it.<br>
</div>
<div><br>
</div>
<div>Feb 4 12:29:32 [3406] //etc/opensips/opensips.cfg:453
Forward REGISTER for <a href="http://sip:tls-1001@10.0.0.252:5061" target="_blank">sip:tls-1001@10.0.0.252:5061</a> to
10.0.0.153:5061;transport=tls<br>
Feb 4 12:29:32 [3406] ERROR:proto_tls:proto_tls_conn_init: no
TLS client domain found<br>
Feb 4 12:29:32 [3406] ERROR:core:tcp_conn_create: failed to
do proto 3 specific init for conn 0x7ff9be1810f8<br>
Feb 4 12:29:32 [3406] ERROR:core:tcp_async_connect:
tcp_conn_create failed, closing the socket<br>
Feb 4 12:29:32 [3406] ERROR:proto_tls:proto_tls_send: async
TCP connect failed<br>
Feb 4 12:29:32 [3406] ERROR:tm:msg_send: send() to <a href="http://10.0.0.153:5061" target="_blank">10.0.0.153:5061</a>
for proto tls/3 failed<br>
Feb 4 12:29:32 [3406] ERROR:tm:t_forward_nonack: sending
request failed<br>
Feb 4 12:29:32 [3406] ERROR:tm:w_t_relay: t_forward_nonack
failed</div>
<div><br>
</div>
<div><br>
</div>
<div>My configuration:</div>
<div>#############<br>
</div>
<div>loadmodule "mid_registrar.so"<br>
modparam("mid_registrar", "attr_avp", "$avp(avp_json)")<br>
modparam("mid_registrar", "max_contacts", 1)<br>
modparam("mid_registrar", "mode", 0)<br>
modparam("mid_registrar", "tcp_persistent_flag",
"TCP_PERSIST_REGISTRATIONS")</div>
<div><br>
</div>
<div>loadmodule "tls_mgm.so"<br>
modparam("tls_mgm", "tls_library", "wolfssl")<br>
modparam("tls_mgm", "server_domain", "dom1")<br>
modparam("tls_mgm", "ca_list",
"[dom1]/etc/letsencrypt/fullchain.pem")<br>
modparam("tls_mgm", "certificate",
"[dom1]/etc/letsencrypt/cert.pem")<br>
modparam("tls_mgm", "private_key",
"[dom1]/etc/letsencrypt/privkey.pem")<br>
modparam("tls_mgm", "require_cert", "[dom1]0")<br>
modparam("tls_mgm", "tls_method", "[dom1]TLSv1-")<br>
modparam("tls_mgm", "verify_cert", "[dom1]0")</div>
<div><br>
</div>
<div>loadmodule "proto_tls.so"</div>
<div><br>
</div>
<div>###############<br>
</div>
<div>$ru = "sip:10.0.0.153:5061;transport=tls";<br>
setflag("TCP_PERSISTENT");</div>
<div>route(relay);</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks<br>
</div>
</div>
<br>
<pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</div>
</blockquote></div>
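Following the two mechanisms Bogdan lists above, here is an added configuration example (not from the thread or the OpenSIPS project) that picks the client TLS domain from script via client_tls_domain_avp and, unlike the configs in the thread, has OpenSIPS verify the Asterisk certificate on the outbound leg. Assumptions of mine: the "$avp(...)" form of the client_tls_domain_avp value, the domain name cd_asterisk, the CA file /etc/ssl/certs/asterisk-ca.pem and the TLSv1_2 method value.

```cfg
loadmodule "tm.so"
loadmodule "tls_mgm.so"
loadmodule "proto_tls.so"

modparam("tls_mgm", "tls_library", "wolfssl")

# Server domain: the certificate OpenSIPS presents to SIP clients connecting in over TLS.
modparam("tls_mgm", "server_domain", "sd_1")
modparam("tls_mgm", "certificate", "[sd_1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[sd_1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "ca_list", "[sd_1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "tls_method", "[sd_1]TLSv1_2")
modparam("tls_mgm", "verify_cert", "[sd_1]0")
modparam("tls_mgm", "require_cert", "[sd_1]0")
modparam("tls_mgm", "match_ip_address", "[sd_1]*")
modparam("tls_mgm", "match_sip_domain", "[sd_1]*")

# Client domain: used when OpenSIPS itself opens the TLS connection to Asterisk.
# verify_cert=1 makes OpenSIPS validate the Asterisk certificate against ca_list,
# so the hop to Asterisk is not accepted from a host presenting an arbitrary cert.
modparam("tls_mgm", "client_domain", "cd_asterisk")
modparam("tls_mgm", "certificate", "[cd_asterisk]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[cd_asterisk]/etc/letsencrypt/privkey.pem")
# assumed path: the CA that issued the Asterisk certificate
modparam("tls_mgm", "ca_list", "[cd_asterisk]/etc/ssl/certs/asterisk-ca.pem")
modparam("tls_mgm", "tls_method", "[cd_asterisk]TLSv1_2")
modparam("tls_mgm", "verify_cert", "[cd_asterisk]1")
modparam("tls_mgm", "require_cert", "[cd_asterisk]1")

# Method [2] from the reply: the script names the client domain in an AVP
# before t_relay(), instead of relying on a match_ip_address rule.
modparam("tls_mgm", "client_tls_domain_avp", "$avp(tls_cdom)")

route[relay] {
    # The outbound leg to Asterisk goes over TLS, so select the client domain explicitly.
    # Without this (and without a match_ip_address rule) proto_tls logs
    # "no TLS client domain found" and the connect fails, as in the thread.
    if ($ru =~ "transport=tls") {
        $avp(tls_cdom) = "cd_asterisk";
    }
    t_relay();
    exit;
}
```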