<div dir="auto">Please upgrade to the latest version and see if the error persists. If yes, please run the server in debug mode and save the logs so this issue can be investigated properly.</div><div dir="auto"><br></div><div dir="auto">Thanks,</div><div dir="auto">Ovidiu</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 18, 2022 at 09:02 Jehanzaib Younis <<a href="mailto:jehanzaib.kiani@gmail.com">jehanzaib.kiani@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thank you Bogdan,<div>That helped a lot. As you mentioned I need to start only with server_domain or client_domain. </div><div>Now I changed my config a bit as shown below:</div><div>#### (WebRTC) Client<br>modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")<br>modparam("tls_mgm", "certificate", "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")<br>modparam("tls_mgm", "private_key", "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")<br>modparam("tls_mgm", "ca_list", "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")<br>modparam("tls_mgm", "ca_dir", "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")<br>modparam("tls_mgm", "tls_method", "[sip.mywebphone.xx]SSLv23")<br>modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")<br>modparam("tls_mgm", "require_cert", "[sip.mywebphone.xx]1")<br><br>### This is for MS-Teams direct route<br>modparam("tls_mgm", "client_domain", "<a href="http://dom1.formsteams.com/" target="_blank">dom1.formsteams.com</a>")<br>modparam("tls_mgm", "certificate", "[<a href="http://dom1.formsteams.com/" target="_blank">dom1.formsteams.com</a>]/etc/letsencrypt/live/<a href="http://dom1.formsteams.com/cert.pem" target="_blank">dom1.formsteams.com/cert.pem</a>")<br>modparam("tls_mgm", "private_key", "[<a href="http://dom1.formsteams.com/" 
target="_blank">dom1.formsteams.com</a>]/etc/letsencrypt/live/<a href="http://dom1.formsteams.com/privkey.pem" target="_blank">dom1.formsteams.com/privkey.pem</a>")<br>modparam("tls_mgm", "ca_list", "[<a href="http://dom1.formsteams.com/" target="_blank">dom1.formsteams.com</a>]/etc/letsencrypt/live/<a href="http://dom1.formsteams.com/fullchain.pem" target="_blank">dom1.formsteams.com/fullchain.pem</a>")<br>modparam("tls_mgm", "ca_dir", "[<a href="http://dom1.formsteams.com/" target="_blank">dom1.formsteams.com</a>]/etc/letsencrypt/live/<a href="http://dom1.formsteams.com/" target="_blank">dom1.formsteams.com</a>")<br>modparam("tls_mgm", "tls_method", "[<a href="http://dom1.formsteams.com/" target="_blank">dom1.formsteams.com</a>]SSLv23")<br>modparam("tls_mgm", "verify_cert", "[<a href="http://dom1.formsteams.com/" target="_blank">dom1.formsteams.com</a>]1")<br>modparam("tls_mgm", "require_cert", "[<a href="http://dom1.formsteams.com/" target="_blank">dom1.formsteams.com</a>]1")<br>modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")<br></div><div><br></div><div>Looks like the initial handshake is fine when my server sends OPTIONS to MSTeams. 
There is a bug in the code according to the logs as shown below:</div><div><br></div><div>opensips[10659]: CRITICAL:core:io_watch_add: #012>>> used fd map fd=142 is not present in fd_array (fd=142,type=19,flags=80000003,data=0x7f825805ceb8)#012#012It seems you have hit a programming bug.#012Please help us make OpenSIPS better by reporting it at <a href="https://github.com/OpenSIPS/opensips/issues" target="_blank">https://github.com/OpenSIPS/opensips/issues</a><br>opensips[10659]: CRITICAL:core:io_watch_add: [TCP_main] check failed after successful fd add (fd=141,type=19,data=0x7f825804fd98,flags=1) already=0<br>opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 1, verify success<br>opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 0, verify success<br>opensips[23993]: INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS connection to <a href="http://52.114.16.74:5061" target="_blank">52.114.16.74:5061</a> established<br>opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 1, verify success<br>opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 0, verify success<br>opensips[23995]: INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS connection to <a href="http://52.114.76.76:5061" target="_blank">52.114.76.76:5061</a> established<br></div><div><br></div><div><br clear="all"><div><div dir="ltr" data-smartmail="gmail_signature"><div>Regards,</div>
<div>Jehanzaib</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 18, 2022 at 6:15 PM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org" target="_blank">bogdan@opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<font face="monospace">Hi Jehanzaib,<br>
<br>
The sequence for the MST TLS domains is wrong.<br>
<br>
For each TLS domain block, you need to start only with a </font><font face="monospace">server_domain or client_domain - of course,
different names. And for each domain you need to set the matching
conditions. See
<a href="https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#domains-param" target="_blank">https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#domains-param</a><br>
<br>
Basically something like:<br>
</font><br>
<font face="monospace">modparam("tls_mgm", "server_domain",
"formsteams_server")<br>
modparam("tls_mgm", "match_ip_address", "</font><font face="monospace"><font face="monospace"><font face="monospace">[formsteams_server]</font></font>....")<br>
modparam("tls_mgm", "match_sip_domain", "</font><font face="monospace"><font face="monospace"><font face="monospace">[formsteams_server]....</font></font>")<font face="monospace"><br>
modparam("tls_mgm", "certificate", "[formsteams_server].....")<br>
....<br>
</font><br>
<br>
modparam("tls_mgm", "client_domain", </font><font face="monospace"><font face="monospace"><font face="monospace">"formsteams_client"</font></font>)<br>
</font><font face="monospace"><font face="monospace">modparam("tls_mgm",
"match_ip_address", "</font><font face="monospace"><font face="monospace"><font face="monospace">[formsteams_client]</font></font>....")<br>
modparam("tls_mgm", "match_sip_domain", "</font><font face="monospace"><font face="monospace"><font face="monospace">[formsteams_client]....</font></font>")<br>
</font>modparam("tls_mgm", "certificate",
"[formsteams_client].....")<br>
....<br>
<br>
<br>
Best regards,<br>
</font>
<pre cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
OpenSIPS eBootcamp 23rd May - 3rd June 2022
<a href="https://opensips.org/training/OpenSIPS_eBootcamp_2022/" target="_blank">https://opensips.org/training/OpenSIPS_eBootcamp_2022/</a></pre>
<div>On 5/18/22 2:38 AM, Jehanzaib Younis
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Bogdan,
<div>That's the problem, when I try to add the client_domain I
get an error. Actually, I have a working config for webrtc but
now I am adding a new domain for MS teams direct route. In
fact, any other domain gives an error. If I disable MS Teams
domain, opensips does not give an error message and my
webrtc client can connect without any issue. </div>
<div><br>
</div>
<div>loadmodule "tls_mgm.so"<br>
modparam("tls_mgm", "tls_library", "wolfssl")<br>
<br>
#### (WebRTC) Client<br>
modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")<br>
modparam("tls_mgm", "certificate",
"[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")<br>
modparam("tls_mgm", "private_key",
"[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")<br>
modparam("tls_mgm", "ca_list",
"[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")<br>
modparam("tls_mgm", "ca_dir",
"[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")<br>
modparam("tls_mgm", "tls_method", "[sip.mywebphone.xx]SSLv23")<br>
modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")<br>
modparam("tls_mgm", "require_cert", "[sip.mywebphone.xx]1")<br>
<br>
### This is for MS-Teams direct route <br>
modparam("tls_mgm", "server_domain", "<a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a>")<br>
modparam("tls_mgm", "client_domain", "<a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a>")<br>
modparam("tls_mgm", "certificate", "[<a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a>]/etc/letsencrypt/live/<a href="http://dom1.formsteams.com/cert.pem" target="_blank">dom1.formsteams.com/cert.pem</a>")<br>
modparam("tls_mgm", "private_key", "[<a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a>]/etc/letsencrypt/live/<a href="http://dom1.formsteams.com/privkey.pem" target="_blank">dom1.formsteams.com/privkey.pem</a>")<br>
modparam("tls_mgm", "ca_list", "[<a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a>]/etc/letsencrypt/live/<a href="http://dom1.formsteams.com/fullchain.pem" target="_blank">dom1.formsteams.com/fullchain.pem</a>")<br>
modparam("tls_mgm", "ca_dir", "[<a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a>]/etc/letsencrypt/live/<a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a>")<br>
modparam("tls_mgm", "tls_method", "[<a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a>]SSLv23")<br>
modparam("tls_mgm", "verify_cert", "[<a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a>]1")<br>
modparam("tls_mgm", "require_cert", "[<a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a>]1")<br>
modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")</div>
<div><br>
</div>
<div>When I enable the MS-Teams direct route domain I get the
below error:</div>
<div>no certificate for tls domain '
<a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a> '
defined<br>
</div>
<div><br>
</div>
<div><br>
<div>
<div dir="ltr">
<div>Regards,</div>
<div>Jehanzaib</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, May 18, 2022 at 3:04
AM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org" target="_blank">bogdan@opensips.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> <font face="monospace">Hi Jehanzaib,<br>
<br>
What are the TLS client domains you have defined in your
tls_mgm module ?<br>
<br>
Regards,<br>
</font>
<pre cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
</pre>
<div>On 5/17/22 4:32 PM, Jehanzaib Younis wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I am having trouble sending/receiving OPTIONS to MS
Teams. </div>
<div>Using the dispatcher module. The socket is defined
as tls:<b>mysbcip</b>:5061</div>
<div>Looks like when my opensips (3.2.x) tries to send
OPTIONS, it is giving me the following error: </div>
<div><b><br>
</b></div>
<div>ERROR:proto_tls:proto_tls_conn_init: no TLS client
domain found</div>
<div>ERROR:core:tcp_conn_create: failed to do proto 3
specific init for conn 0x7f00ef2a85a0<br>
</div>
<div>ERROR:core:tcp_async_connect: tcp_conn_create
failed<br>
</div>
<div>ERROR:proto_tls:proto_tls_send: async TCP connect
failed<br>
</div>
<div>ERROR:tm:msg_send: send() to <a href="http://52.114.76.76:5061" target="_blank">52.114.76.76:5061</a> for
proto tls/3 failed<br>
</div>
<div>ERROR:tm:t_uac: attempt to send to '<a>sip:sip3.pstnhub.microsoft.com:5061;transport:tls</a>'
failed<br>
</div>
<div><br>
</div>
<div>I am setting the Contact as <a><sip:mytlsdomain:5061;transport=tls></a></div>
<div><br>
</div>
<div>Looks like the client domain is used for outgoing
TLS connection but no idea which domain I need to add
here. The socket is my opensips ip address.</div>
<div><br>
</div>
<div>Has anyone seen a similar kind of behaviour?</div>
<div><br>
</div>
<div>Thank you.</div>
<div><br clear="all">
<div>
<div dir="ltr">
<div>Regards,</div>
<div>Jehanzaib</div>
</div>
</div>
</div>
</div>
<br>
<pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote></div>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">VoIP Embedded, Inc.<br><a href="http://www.voipembedded.com" target="_blank">http://www.voipembedded.com</a></div>
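<div dir="auto">Added example, not part of the original thread and not OpenSIPS code: a small Python check that applies the advice given above to a set of tls_mgm modparam lines (each TLS domain defined once under its own name, with a certificate, a private key and a match condition). The function name, the finding messages and the placeholder address and paths in the second sample are assumptions made for illustration.</div>

```python
import re

# modparam("tls_mgm", "<param>", "<value>")
MODPARAM = re.compile(r'modparam\(\s*"tls_mgm"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')
SCOPED = re.compile(r"^\[([^\]]+)\]")          # "[domain]value" prefix
MATCHERS = {"match_ip_address", "match_sip_domain"}

def lint_tls_mgm(cfg_text):
    """Return sorted findings for the tls_mgm domain blocks in cfg_text."""
    domains, findings = {}, []                 # name -> (kind, set of params)
    for param, value in MODPARAM.findall(cfg_text):
        if param in ("server_domain", "client_domain"):
            kind = param.split("_")[0]
            if value in domains:
                findings.append(f"{value}: defined twice ({domains[value][0]} and {kind})")
            else:
                domains[value] = (kind, set())
            continue
        scoped = SCOPED.match(value)
        if not scoped:
            continue                           # global parameter, e.g. tls_library
        name = scoped.group(1)
        if name in domains:
            domains[name][1].add(param)
        else:
            findings.append(f"{name}: '{param}' refers to an undefined domain")
    for name, (_kind, params) in domains.items():
        for required in ("certificate", "private_key"):
            if required not in params:
                findings.append(f"{name}: no {required}")
        if not MATCHERS & params:
            findings.append(f"{name}: no explicit match condition")
    return sorted(findings)

# Constructed sample 1: the MS Teams block from the thread, shortened.
BROKEN = '''
modparam("tls_mgm", "server_domain", "dom1.formsteams.com")
modparam("tls_mgm", "client_domain", "dom1.formsteams.com")
modparam("tls_mgm", "certificate", "[dom1.formsteams.com]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem")
modparam("tls_mgm", "private_key", "[dom1.formsteams.com]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem")
'''
# Constructed sample 2: one client domain; address and paths are placeholders.
FIXED = '''
modparam("tls_mgm", "client_domain", "formsteams_client")
modparam("tls_mgm", "match_ip_address", "[formsteams_client]192.0.2.10:5061")
modparam("tls_mgm", "certificate", "[formsteams_client]/path/to/cert.pem")
modparam("tls_mgm", "private_key", "[formsteams_client]/path/to/privkey.pem")
'''

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_tls_mgm(cfg))
```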