<div dir="ltr">Thank you Bogdan,<div>That helped a lot. As you mentioned I need to start only with server_domain or client_domain. </div><div>Now I changed my config a bit as shown below:</div><div>#### (WebRTC) Client<br>
modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")<br>
modparam("tls_mgm", "certificate", "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")<br>
modparam("tls_mgm", "private_key", "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")<br>
modparam("tls_mgm", "ca_list", "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")<br>
modparam("tls_mgm", "ca_dir", "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")<br>
modparam("tls_mgm", "tls_method", "[sip.mywebphone.xx]SSLv23")<br>
modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")<br>
modparam("tls_mgm", "require_cert", "[sip.mywebphone.xx]1")<br>
<br>
### This is for MS-Teams direct route<br>
modparam("tls_mgm", "client_domain", "dom1.formsteams.com")<br>
modparam("tls_mgm", "certificate", "[dom1.formsteams.com]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem")<br>
modparam("tls_mgm", "private_key", "[dom1.formsteams.com]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem")<br>
modparam("tls_mgm", "ca_list", "[dom1.formsteams.com]/etc/letsencrypt/live/dom1.formsteams.com/fullchain.pem")<br>
modparam("tls_mgm", "ca_dir", "[dom1.formsteams.com]/etc/letsencrypt/live/dom1.formsteams.com")<br>
modparam("tls_mgm", "tls_method", "[dom1.formsteams.com]SSLv23")<br>
modparam("tls_mgm", "verify_cert", "[dom1.formsteams.com]1")<br>
modparam("tls_mgm", "require_cert", "[dom1.formsteams.com]1")<br>
modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")<br>
</div><div><br></div><div>Looks like the initial handshake is fine when my server sends OPTIONS to MSTeams. There is a bug in the code according to the logs as shown below:</div><div><br></div><div>opensips[10659]: CRITICAL:core:io_watch_add: #012>>> used fd map fd=142 is not present in fd_array (fd=142,type=19,flags=80000003,data=0x7f825805ceb8)#012#012It seems you have hit a programming bug.#012Please help us make OpenSIPS better by reporting it at <a href="https://github.com/OpenSIPS/opensips/issues">https://github.com/OpenSIPS/opensips/issues</a><br>
opensips[10659]: CRITICAL:core:io_watch_add: [TCP_main] check failed after successful fd add (fd=141,type=19,data=0x7f825804fd98,flags=1) already=0<br>
opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 1, verify success<br>
opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 0, verify success<br>
opensips[23993]: INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS connection to 52.114.16.74:5061 established<br>
opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 1, verify success<br>
opensips[23993]: NOTICE:tls_wolfssl:verify_callback: depth = 0, verify success<br>
opensips[23995]: INFO:tls_wolfssl:_wolfssl_tls_async_connect: new TLS connection to 52.114.76.76:5061 established<br>
</div><div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div>Regards,</div>
<div>Jehanzaib</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 18, 2022 at 6:15 PM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org">bogdan@opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <font face="monospace">Hi Jehanzaib,<br>
      <br>
      The sequence for the MST TLS domains is wrong.<br>
      <br>
      For each TLS domain block, you need to start only with a </font><font face="monospace">server_domain or client_domain - of course,
      different names. And for each domain you need to set the matching
      conditions. See
      <a href="https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#domains-param" target="_blank">https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#domains-param</a><br>
      <br>
      Basically something like:<br>
    </font><br>
    <font face="monospace">modparam("tls_mgm", "server_domain",
      "formsteams_server")<br>
      modparam("tls_mgm", "match_ip_address", "</font><font face="monospace"><font face="monospace"><font face="monospace">[formsteams_server]</font></font>....")<br>
      modparam("tls_mgm", "match_sip_domain", "</font><font face="monospace"><font face="monospace"><font face="monospace">[formsteams_server]....</font></font>")<font face="monospace"><br>
        modparam("tls_mgm", "certificate", "[formsteams_server].....")<br>
        ....<br>
      </font><br>
      <br>
      modparam("tls_mgm", "client_domain", </font><font face="monospace"><font face="monospace"><font face="monospace">"formsteams_client"</font></font>)<br>
    </font><font face="monospace"><font face="monospace">modparam("tls_mgm",
        "match_ip_address", "</font><font face="monospace"><font face="monospace"><font face="monospace">[formsteams_client]</font></font>....")<br>
        modparam("tls_mgm", "match_sip_domain", "</font><font face="monospace"><font face="monospace"><font face="monospace">[formsteams_client]....</font></font>")<br>
      </font>modparam("tls_mgm", "certificate", "[formsteams_client].....")<br>
      ....<br>
      <br>
      <br>
      Best regards,<br>
    </font>
    <pre cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
OpenSIPS eBootcamp 23rd May - 3rd June 2022
  <a href="https://opensips.org/training/OpenSIPS_eBootcamp_2022/" target="_blank">https://opensips.org/training/OpenSIPS_eBootcamp_2022/</a></pre>
    <div>On 5/18/22 2:38 AM, Jehanzaib Younis
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">Hi Bogdan,
        <div>That's the problem, when I try to add the client_domain I
          get an error. Actually, I have a working config for webrtc but
          now I am adding a new domain for MS teams direct route. In
          fact, any other domain gives an error. If I disable MS Teams
          domain, OpenSIPS does not give an error message and my
          webrtc client can connect without any issue. </div>
        <div><br>
        </div>
        <div>loadmodule "tls_mgm.so"<br>
          modparam("tls_mgm", "tls_library", "wolfssl")<br>
          <br>
          #### (WebRTC) Client<br>
          modparam("tls_mgm", "server_domain", "sip.mywebphone.xx")<br>
          modparam("tls_mgm", "certificate",
          "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/cert.pem")<br>
          modparam("tls_mgm", "private_key",
"[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/privkey.pem")<br>
          modparam("tls_mgm", "ca_list",
"[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx/fullchain.pem")<br>
          modparam("tls_mgm", "ca_dir",
          "[sip.mywebphone.xx]/etc/letsencrypt/live/sip.mywebphone.xx")<br>
          modparam("tls_mgm", "tls_method", "[sip.mywebphone.xx]SSLv23")<br>
          modparam("tls_mgm", "verify_cert", "[sip.mywebphone.xx]1")<br>
          modparam("tls_mgm", "require_cert", "[sip.mywebphone.xx]1")<br>
          <br>
          ### This is for MS-Teams direct route <br>
          modparam("tls_mgm", "server_domain", "dom1.formsteams.com")<br>
          modparam("tls_mgm", "client_domain", "dom1.formsteams.com")<br>
          modparam("tls_mgm", "certificate", "[dom1.formsteams.com]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem")<br>
          modparam("tls_mgm", "private_key", "[dom1.formsteams.com]/etc/letsencrypt/live/dom1.formsteams.com/privkey.pem")<br>
          modparam("tls_mgm", "ca_list", "[dom1.formsteams.com]/etc/letsencrypt/live/dom1.formsteams.com/fullchain.pem")<br>
          modparam("tls_mgm", "ca_dir", "[dom1.formsteams.com]/etc/letsencrypt/live/dom1.formsteams.com")<br>
          modparam("tls_mgm", "tls_method", "[dom1.formsteams.com]SSLv23")<br>
          modparam("tls_mgm", "verify_cert", "[dom1.formsteams.com]1")<br>
          modparam("tls_mgm", "require_cert", "[dom1.formsteams.com]1")<br>
          modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")</div>
        <div><br>
        </div>
        <div>When I enable the MS-Teams direct route domain I get the
          below error:</div>
        <div>no certificate for tls domain '
          <a href="http://dom1.formsteams.com" target="_blank">dom1.formsteams.com</a> '
          defined<br>
        </div>
        <div><br>
        </div>
        <div><br>
          <div>
            <div dir="ltr">
              <div>Regards,</div>
              <div>Jehanzaib</div>
            </div>
          </div>
          <br>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Wed, May 18, 2022 at 3:04
          AM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org" target="_blank">bogdan@opensips.org</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div> <font face="monospace">Hi Jehanzaib,<br>
              <br>
              What are the TLS client domains you have defined in your
              tls_mgm module ?<br>
              <br>
              Regards,<br>
            </font>
            <pre cols="72">Bogdan-Andrei Iancu</pre>
            <div>On 5/17/22 4:32 PM, Jehanzaib Younis wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">Hi,
                <div><br>
                </div>
                <div>I am having trouble sending/receiving OPTIONS to MS
                  Teams. </div>
                <div>Using the dispatcher module. The socket is defined
                  as tls:<b>mysbcip</b>:5061</div>
                <div>Looks like when my opensips (3.2.x) tries to send
                  OPTIONS, it is giving me the following error: </div>
                <div><b><br>
                  </b></div>
                <div>ERROR:proto_tls:proto_tls_conn_init: no TLS client
                  domain found</div>
                <div>ERROR:core:tcp_conn_create: failed to do proto 3
                  specific init for conn 0x7f00ef2a85a0<br>
                </div>
                <div>ERROR:core:tcp_async_connect: tcp_conn_create
                  failed<br>
                </div>
                <div>ERROR:proto_tls:proto_tls_send: async TCP connect
                  failed<br>
                </div>
                <div>ERROR:tm:msg_send: send() to <a href="http://52.114.76.76:5061" target="_blank">52.114.76.76:5061</a> for
                  proto tls/3 failed<br>
                </div>
                <div>ERROR:tm:t_uac: attempt to send to '<a>sip:sip3.pstnhub.microsoft.com:5061;transport:tls</a>'
                  failed<br>
                </div>
                <div><br>
                </div>
                <div>I am setting the Contact as <a><sip:mytlsdomain:5061;transport=tls></a></div>
                <div><br>
                </div>
                <div>Looks like the client domain is used for outgoing
                  TLS connection but no idea which domain I need to add
                  here. The socket is my opensips ip address.</div>
                <div><br>
                </div>
                <div>Has anyone seen a similar kind of behaviour?</div>
                <div><br>
                </div>
                <div>Thank you.</div>
                <div><br clear="all">
                  <div>
                    <div dir="ltr">
                      <div>Regards,</div>
                      <div>Jehanzaib</div>
                    </div>
                  </div>
                </div>
              </div>
              <br>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </div>

</blockquote></div>
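Added example, not part of the thread and not OpenSIPS code: a small pre-deployment check for the tls_mgm layout rules discussed above (one name must not be declared as both server_domain and client_domain, every `[name]` parameter must refer to a declared domain, each domain has a certificate and a matching condition). The function name `lint_tls_mgm`, the finding strings, and the sample values (including the placeholder address 203.0.113.10) are assumptions made for illustration.

```python
import re

# modparam("tls_mgm", "<param>", "<value>"); lines starting with '#' never match.
MODPARAM = re.compile(r'^\s*modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"(.*)"\s*\)')
SCOPED = re.compile(r'^\[([^\]]+)\]')          # "[domain_name]value"
MATCHERS = {"match_ip_address", "match_sip_domain"}

def lint_tls_mgm(cfg_text):
    """Return sorted (domain_name, finding) tuples for a tls_mgm config."""
    kinds, params, findings = {}, {}, set()
    for line in cfg_text.splitlines():
        m = MODPARAM.match(line)
        if not m:
            continue
        param, value = m.groups()
        if param in ("server_domain", "client_domain"):
            kinds.setdefault(value, set()).add(param)
            params.setdefault(value, set())
            continue
        scoped = SCOPED.match(value)
        if not scoped:
            continue                            # module-wide parameter, e.g. tls_library
        name = scoped.group(1)
        if name in kinds:
            params[name].add(param)
        else:
            findings.add((name, f"{param} refers to an undeclared domain"))
    for name, declared in kinds.items():
        if len(declared) > 1:
            findings.add((name, "declared as both server_domain and client_domain"))
        if "certificate" not in params[name]:
            findings.add((name, "no certificate set"))
        if not params[name] & MATCHERS:
            findings.add((name, "no match_ip_address/match_sip_domain condition"))
    return sorted(findings)

# Constructed samples: the layout that failed in the thread, then the advised one.
# "formsteams_client" is the name from the reply; 203.0.113.10 is a placeholder IP.
BROKEN = '''
modparam("tls_mgm", "server_domain", "dom1.formsteams.com")
modparam("tls_mgm", "client_domain", "dom1.formsteams.com")
modparam("tls_mgm", "certificate", "[dom1.formsteams.com]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem")
'''
FIXED = '''
modparam("tls_mgm", "client_domain", "formsteams_client")
modparam("tls_mgm", "match_ip_address", "[formsteams_client]203.0.113.10:5061")
modparam("tls_mgm", "certificate", "[formsteams_client]/etc/letsencrypt/live/dom1.formsteams.com/cert.pem")
'''

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_tls_mgm(cfg))
```

The matching-condition finding reflects the advice given in the reply; it is reported as a finding, not as a startup error.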