<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <font face="monospace">Yes, doing a wildcard for SIP/IP matching in
      the TLS domain definition is the correct approach if you plan to
      use only one certificate.<br>
      <br>
      Regards,<br>
    </font>
    <pre class="moz-signature" cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a class="moz-txt-link-freetext" href="https://www.opensips-solutions.com">https://www.opensips-solutions.com</a>
OpenSIPS eBootcamp
  <a class="moz-txt-link-freetext" href="https://www.opensips.org/Training/Bootcamp">https://www.opensips.org/Training/Bootcamp</a></pre>
    <div class="moz-cite-prefix">On 2/10/22 1:09 PM, Alberto wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CANoA6_JiLDnoP0kawxbw9=UsiUQDfvtqXGF=Vk7iifVyDAUzSg@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div>I was confused because I use a wildcard cert, so I only
          have one cert for server/client and any possible subdomain. I
          don't need to match server/client requests to different certs.</div>
        <div>So I ended up with this config and it seems to work fine.</div>
        <div>Thanks<br>
        </div>
        <div><br>
        </div>
        <pre>loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "wolfssl")

modparam("tls_mgm", "server_domain", "sd_1")
modparam("tls_mgm", "ca_list", "[sd_1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[sd_1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[sd_1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "require_cert", "[sd_1]0")
modparam("tls_mgm", "tls_method", "[sd_1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[sd_1]0")
modparam("tls_mgm", "match_sip_domain", "[sd_1]*")
modparam("tls_mgm", "match_ip_address", "[sd_1]*")

modparam("tls_mgm", "client_domain", "cd_1")
modparam("tls_mgm", "ca_list", "[cd_1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[cd_1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[cd_1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "require_cert", "[cd_1]0")
modparam("tls_mgm", "tls_method", "[cd_1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[cd_1]0")
modparam("tls_mgm", "match_sip_domain", "[cd_1]*")
modparam("tls_mgm", "match_ip_address", "[cd_1]*")</pre>
        <div><br>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Thu, 10 Feb 2022 at 07:59,
          Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org"
            moz-do-not-send="true">bogdan@opensips.org</a>> wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div> <font face="monospace">Hi Alberto,<br>
              <br>
              When OpenSIPS is about to create a new TLS connection, it
              has to know what TLS certificate (client) to use for it.<br>
              <br>
              There are 2 ways of indicating that:<br>
              <br>
              * use "match_ip_address" [1] to map the TLS client domain
              to some IPs you want to connect to via TLS<br>
              <br>
              * use "client_tls_domain_avp" [2] to manually select from
              script which TLS domain to use - set the AVP before
              the t_relay() to the TLS destination.<br>
              <br>
              <br>
              [1]
              <a
href="https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_match_ip_address"
                target="_blank" moz-do-not-send="true">https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_match_ip_address</a><br>
              <br>
              [2]
              <a
href="https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_client_tls_domain_avp"
                target="_blank" moz-do-not-send="true">https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_client_tls_domain_avp</a><br>
              <br>
              Best regards,<br>
            </font>
            <pre cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a href="https://www.opensips-solutions.com" target="_blank" moz-do-not-send="true">https://www.opensips-solutions.com</a>
OpenSIPS eBootcamp
  <a href="https://www.opensips.org/Training/Bootcamp" target="_blank" moz-do-not-send="true">https://www.opensips.org/Training/Bootcamp</a></pre>
            <div>On 2/4/22 2:40 PM, Alberto wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">
                <div>Hi,</div>
                <div>I have a SIP client connecting to OpenSIPS using
                  TLS, all requests are then routed to an Asterisk
                  server using mid_registrar.</div>
                <div><br>
                </div>
                <div>UDP to UDP and TCP to TCP work fine, but TLS
                  doesn't.</div>
                <div><br>
                </div>
                <div>This is the error, but I'm having a hard time
                  understanding it.<br>
                </div>
                <div><br>
                </div>
                <pre>Feb  4 12:29:32 [3406] //etc/opensips/opensips.cfg:453 Forward REGISTER for sip:tls-1001@10.0.0.252:5061 to 10.0.0.153:5061;transport=tls
Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
Feb  4 12:29:32 [3406] ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7ff9be1810f8
Feb  4 12:29:32 [3406] ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket
Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_send: async TCP connect failed
Feb  4 12:29:32 [3406] ERROR:tm:msg_send: send() to 10.0.0.153:5061 for proto tls/3 failed
Feb  4 12:29:32 [3406] ERROR:tm:t_forward_nonack: sending request failed
Feb  4 12:29:32 [3406] ERROR:tm:w_t_relay: t_forward_nonack failed</pre>
                <div><br>
                </div>
                <div><br>
                </div>
                <div>My configuration:</div>
                <pre>#############
loadmodule "mid_registrar.so"
modparam("mid_registrar", "attr_avp", "$avp(avp_json)")
modparam("mid_registrar", "max_contacts", 1)
modparam("mid_registrar", "mode", 0)
modparam("mid_registrar", "tcp_persistent_flag", "TCP_PERSIST_REGISTRATIONS")

loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "wolfssl")
modparam("tls_mgm", "server_domain", "dom1")
modparam("tls_mgm", "ca_list", "[dom1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[dom1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[dom1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "require_cert", "[dom1]0")
modparam("tls_mgm", "tls_method", "[dom1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[dom1]0")

loadmodule "proto_tls.so"

###############
$ru = "sip:10.0.0.153:5061;transport=tls";
setflag("TCP_PERSISTENT");
route(relay);</pre>
                <div><br>
                </div>
                <div><br>
                </div>
                <div>Thanks<br>
                </div>
              </div>
              <br>
              <fieldset></fieldset>
              <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank" moz-do-not-send="true">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
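    <p>Added example (not part of the thread and not OpenSIPS project code): an OpenSIPS 3.2-style <code>tls_mgm</code> configuration for the OpenSIPS-to-Asterisk leg discussed above, showing both ways of selecting the client TLS domain that the reply describes. Unlike the wildcard configuration in the thread, the client domain is bound with <code>match_ip_address</code> to the Asterisk address seen in the logs (10.0.0.153:5061) and has <code>verify_cert</code> enabled, so the certificate Asterisk presents is checked against a CA list. The domain names, the AVP name <code>$avp(tls_cdom)</code>, the CA file path and the <code>TLSv1_2-</code> method value are assumptions; check them against the tls_mgm documentation for your version.</p>

```cfg
# Added example, not from the thread. Paths, domain names, the AVP name and
# the tls_method value are assumptions; 10.0.0.153:5061 is the Asterisk
# address from the thread's logs.
loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "wolfssl")

# Server domain: the certificate OpenSIPS presents to SIP clients that
# connect to it over TLS. Wildcards keep one cert for every listener.
modparam("tls_mgm", "server_domain", "sd_1")
modparam("tls_mgm", "certificate", "[sd_1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[sd_1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "ca_list",     "[sd_1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "tls_method",  "[sd_1]TLSv1_2-")   # assumed: TLS 1.2 and newer
modparam("tls_mgm", "require_cert", "[sd_1]0")
modparam("tls_mgm", "verify_cert",  "[sd_1]0")
modparam("tls_mgm", "match_sip_domain", "[sd_1]*")
modparam("tls_mgm", "match_ip_address", "[sd_1]*")

# Client domain: used when OpenSIPS itself opens a TLS connection.
# Option 1 from the reply: match_ip_address maps this domain to the
# destination, here only the Asterisk address rather than "*".
modparam("tls_mgm", "client_domain", "cd_asterisk")
modparam("tls_mgm", "certificate", "[cd_asterisk]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[cd_asterisk]/etc/letsencrypt/privkey.pem")
# ca_list must hold the CA that issued the Asterisk certificate (assumed path).
modparam("tls_mgm", "ca_list",     "[cd_asterisk]/etc/opensips/tls/asterisk-ca.pem")
modparam("tls_mgm", "verify_cert", "[cd_asterisk]1")   # check Asterisk's cert
modparam("tls_mgm", "tls_method",  "[cd_asterisk]TLSv1_2-")
modparam("tls_mgm", "match_sip_domain", "[cd_asterisk]*")
modparam("tls_mgm", "match_ip_address", "[cd_asterisk]10.0.0.153:5061")

# Option 2 from the reply: choose the client domain explicitly from script
# through an AVP (AVP name is an assumption).
modparam("tls_mgm", "client_tls_domain_avp", "$avp(tls_cdom)")

# proto_tls must be loaded after tls_mgm, as in the thread's config.
loadmodule "proto_tls.so"

route[relay] {
    $ru = "sip:10.0.0.153:5061;transport=tls";
    # Option 2: set the AVP before t_relay() so this relay uses cd_asterisk.
    # Redundant here because option 1 already matches the address, but it is
    # the way to select a domain when no address rule fits.
    $avp(tls_cdom) = "cd_asterisk";
    setflag("TCP_PERSISTENT");
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}
```

    <p>With only a server domain defined, as in the first message of the thread, the outbound leg has no client domain to match and proto_tls logs "no TLS client domain found"; either option above gives it one. Restricting <code>match_ip_address</code> to the Asterisk address means any other TLS destination must get its own client domain or an explicit AVP, which makes an unexpected outbound TLS connection fail loudly in the log instead of silently reusing the wildcard domain.</p>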
    <br>
  </body>
</html>