<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Vlad,<br><div><br></div><div>It seems opensips crashed when I set <span style="background-color:rgb(254,254,238);color:rgb(0,0,0)">?tls_domain=dom1 to enable tls connection to mysql db.  I followed the method in the manual.</span></div><div><pre class="gmail-programlisting" style="background-color:rgb(254,254,238);border:1px solid rgb(153,204,204);color:rgb(0,0,0);padding-left:15pt">modparam("usrloc", "db_url", "mysql://root:1234@localhost/opensips?tls_domain=dom1")</pre></div><div><span style="background-color:rgb(254,254,238);color:rgb(0,0,0)"><br></span></div><div><span style="background-color:rgb(254,254,238);color:rgb(0,0,0)">Here is the log.</span></div><div><br></div><div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:mod_init: initializing TLS management</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined, using default '/etc/pki/CA/'</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT activated. 
Weaker security.</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined, using default '/etc/pki/CA/'</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT activated. Weaker security.</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:proto_tls:mod_init: initializing TLS protocol</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:proto_bin:mod_init: initializing BIN protocol</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:clusterer:mod_init: Clusterer module - initializing</div><div>Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: CRITICAL:core:sig_usr: segfault in attendant (starter) process!</div><div>Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243] opensips[4935]: segfault at 0 ip 0000000000000000 sp 00007ffececa3d08 error 14 in opensips[558b5bb75000+1c000]</div><div>Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code: Bad RIP value.</div><div>Sep 25 10:14:01 ip-10-100-20-35 opensips: INFO:core:daemonize: pre-daemon process exiting with -1</div></div><div><br></div><div>and my client domain settings</div><div><br></div><div><div>#client domain</div><div>modparam("tls_mgm", "client_domain", "dom1")</div><div>modparam("tls_mgm", "match_ip_address", "[dom1]*")</div><div>modparam("tls_mgm", "match_sip_domain", "[dom1]*")</div><div>modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")</div><div>modparam("tls_mgm","private_key", 
"[dom1]/etc/ssl/private/rootCAKey.pem")</div><div>modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")</div><div>modparam("tls_mgm","tls_method", "[dom1]SSLv23")</div><div>modparam("tls_mgm","verify_cert", "[dom1]0")</div><div>modparam("tls_mgm","require_cert", "[dom1]0")</div></div><div><br></div><div>It is expected to see some other errors such as invalid cert but not crash in pre-daemon process. Any clue on this for me to debug? If I remove "<span style="background-color:rgb(254,254,238);color:rgb(0,0,0)">?tls_domain=dom1", there is no such crash though the opensips server still couldn't start because I forced the mysql db to use ssl connection.</span> Thanks!</div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 19, 2022 at 9:09 PM Vlad Patrascu <<a href="mailto:vladp@opensips.org">vladp@opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <p>Hi Jacky,</p>
    <p>I can't think of any workaround unfortunately.<br>
    </p>
    <p>Regards,<br>
    </p>
    <pre cols="72">-- 
Vlad Patrascu
OpenSIPS Core Developer
<a href="http://www.opensips-solutions.com" target="_blank">http://www.opensips-solutions.com</a></pre>
    <div>On 17.09.2022 18:46, jacky z wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">Hi  Vlad,<br>
        <div><br>
        </div>
        <div>Is there any workaround to disable the client cert? Thanks!</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Wed, Sep 14, 2022 at 9:16
          PM Vlad Patrascu <<a href="mailto:vladp@opensips.org" target="_blank">vladp@opensips.org</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div>
            <p>Hi Jacky,</p>
            <p>OpenSIPS will always require you to configure a client
              certificate for TLS client domains and will also present
              that certificate when connecting. But normally, a TLS
              server can simply choose not to verify the client
              certificate. I don't have any experience with AWS RDS
              though but it seems odd to not accept a connection only
              because the client did present a certificate.</p>
            <p>Regards,<br>
            </p>
            <pre cols="72">-- 
Vlad Patrascu
OpenSIPS Core Developer
<a href="http://www.opensips-solutions.com" target="_blank">http://www.opensips-solutions.com</a></pre>
            <div>On 14.09.2022 05:42, jacky z wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">
                <div>Hi Bogdan-Andrei,</div>
                <div><br>
                </div>
                <div>I checked the mariadb documentation and found
                  mariadb has two options to set up an SSL connection: two-way
                  TLS and one-way TLS. It seems AWS RDS only supports
                  one-way TLS, that is, TLS is used without a client
                  cert. Does OPENSIPS support such one-way TLS to
                  connect to a database? Thanks!</div>
                <br>
                <div class="gmail_quote">
                  <div dir="ltr" class="gmail_attr">On Wed, Sep 14, 2022
                    at 12:06 AM jacky z <<a href="mailto:zjack0992@gmail.com" target="_blank">zjack0992@gmail.com</a>>
                    wrote:<br>
                  </div>
                  <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                    <div dir="ltr">
                      <div dir="ltr">Hi Bogdan-Andrei,
                        <div><br>
                        </div>
                        <div>I have set<font face="arial, sans-serif"> the
                            "certificate" and "private_key" in my
                            script, as I explained in method 1. However,
                            AWS RDS doesn't support a client cert.
                            Please refer to</font></div>
                        <div><a href="https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws" target="_blank">https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws</a><br>
                        </div>
                        <div><br>
                        </div>
                        <div>Is there any workaround to use the public
                          cert list provided by AWS? Has anyone
                          successfully used RDS with SSL connections?
                          Thanks!</div>
                      </div>
                    </div>
                    <br>
                    <div class="gmail_quote">
                      <div dir="ltr" class="gmail_attr">On Tue, Sep 13,
                        2022 at 9:54 PM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org" target="_blank">bogdan@opensips.org</a>>
                        wrote:<br>
                      </div>
                      <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                        <div> <font face="monospace">Set the
                            certificate and key you have in the tls_mgm
                            module, for the "certificate" and
                            "private_key" parameters.<br>
                            <br>
                            Regards,<br>
                          </font>
                          <pre cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
OpenSIPS Summit 27-30 Sept 2022, Athens
  <a href="https://www.opensips.org/events/Summit-2022Athens/" target="_blank">https://www.opensips.org/events/Summit-2022Athens/</a></pre>
                          <div>On 9/13/22 2:57 PM, jacky z wrote:<br>
                          </div>
                          <blockquote type="cite">
                            <div dir="ltr">
                              <div dir="ltr">
                                <div dir="ltr">
                                  <div dir="ltr">
                                    <div dir="ltr">
                                      <div dir="ltr">
                                        <div dir="ltr">
                                          <div>Hi Bogdan-Andrei,</div>
                                          <div><br>
                                          </div>
                                          <div>I tried two methods. </div>
                                          <div><br>
                                          </div>
                                          <div>Method 1: </div>
                                          <div><br>
                                          </div>
                                          <div><font face="monospace">#enabled
                                              TLS connection:</font></div>
                                          <div><font face="monospace">modparam("db_mysql",
                                              "use_tls", 1)<br>
                                            </font></div>
                                          <div><font face="monospace"><br>
                                            </font></div>
                                          <div><font face="monospace">#setup
                                              a client domain:</font></div>
                                          <div>
                                            <div><font face="monospace">modparam("tls_mgm",
                                                "client_domain", "dom1")</font></div>
                                            <div><font face="monospace">modparam("tls_mgm",
                                                "match_ip_address",
                                                "[dom1]*")</font></div>
                                            <div><font face="monospace">modparam("tls_mgm",
                                                "match_sip_domain",
                                                "[dom1]*")</font></div>
                                            <div><font face="monospace">modparam("tls_mgm","certificate",
"[dom1]/etc/ssl/certs/rootCACert.pem")</font></div>
                                            <div><font face="monospace">modparam("tls_mgm","private_key",
"[dom1]/etc/ssl/private/rootCAKey.pem")</font></div>
                                            <div><font face="monospace">modparam("tls_mgm","ca_list",
"[dom1]/etc/ssl/certs/rootCACert.pem")</font></div>
                                            <div><font face="monospace">modparam("tls_mgm","tls_method",
                                                "[dom1]SSLv23")</font></div>
                                            <div><font face="monospace">modparam("tls_mgm","verify_cert",
                                                "[dom1]0")</font></div>
                                            <div><font face="monospace">modparam("tls_mgm","require_cert",
                                                "[dom1]0")</font></div>
                                            <div><span style="font-family:monospace;font-size:9pt">#
                                                set db_url</span></div>
                                            <div><span style="font-family:monospace;font-size:9pt">modparam("usrloc",
                                                "db_url",
"mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")</span></div>
                                          </div>
                                          <div>...</div>
                                          <div><br>
                                          </div>
                                          <div>I couldn't figure out how
                                            to use global-bundle.pem AWS
                                            provided with this method.
                                            No luck to get a connection
                                            with RDS. If I don't use
                                            ssl, opensips can connect to
                                            RDS without encryption.</div>
                                          <div><br>
                                          </div>
                                          <div>Method 2:</div>
                                          <div><br>
                                          </div>
                                          <div>I tried </div>
                                          <div><span style="font-family:monospace;font-size:12px"><br>
                                            </span></div>
                                          <div><span style="font-family:monospace;font-size:12px">modparam("usrloc",
                                              "db_url",
                                              "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&</span><font face="monospace"><span style="font-size:12px">ssl_ca_certs=/etc/ssl/certs/global-bundle.pem</span></font><span style="font-family:monospace;font-size:12px">")</span></div>
                                          <div dir="ltr"><br>
                                          </div>
                                          <div>to include the AWS cert.
                                            Still no luck.</div>
                                          <div><br>
                                          </div>
                                          <div>Thanks!</div>
                                          <br>
                                          <div class="gmail_quote">
                                            <div dir="ltr" class="gmail_attr">On Tue,
                                              Sep 13, 2022 at 4:52 PM
                                              Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org" target="_blank">bogdan@opensips.org</a>> wrote:<br>
                                            </div>
                                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                              <div> <font face="monospace">Hi,<br>
                                                  <br>
                                                  sorry for my silly
                                                  question, but how do
                                                  you connect from the
                                                  OpenSIPS side?<br>
                                                  <br>
                                                  Regards,<br>
                                                </font>
                                                <pre cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
OpenSIPS Summit 27-30 Sept 2022, Athens
  <a href="https://www.opensips.org/events/Summit-2022Athens/" target="_blank">https://www.opensips.org/events/Summit-2022Athens/</a></pre>
                                                <div>On 9/13/22 10:41
                                                  AM, jacky z wrote:<br>
                                                </div>
                                                <blockquote type="cite">
                                                  <div dir="ltr">
                                                    <div dir="ltr">
                                                      <div dir="ltr">Hi
                                                        Team,
                                                        <div><br>
                                                        </div>
                                                        <div>We hope to
                                                          connect to an AWS
                                                          RDS database
                                                          with SSL
                                                          encryption. We
                                                          have set up a
                                                          client domain
                                                          according to the
                                                          OPENSIPS
                                                          documents.
                                                          However, AWS
                                                          RDS does not
                                                          support a client
                                                          cert, as
                                                          someone has
                                                          confirmed with
                                                          AWS: <a href="https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws" target="_blank">https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws</a></div>
                                                        <div><br>
                                                        </div>
                                                        <div>Is there
                                                          any way to use
                                                          the cert
                                                          provided by
                                                          AWS to
                                                          connect? AWS
                                                          provides a
                                                          global-bundle.pem
                                                          (<a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html" target="_blank">https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html</a>)
                                                          for such a
                                                          connection,
                                                          but we don't
                                                          know how to
                                                          include it in
                                                          the config
                                                          file.</div>
                                                        <div><br>
                                                        </div>
                                                        <div>Thanks</div>
                                                        <div><br>
                                                        </div>
                                                        <div>Jacky z</div>
                                                      </div>
                                                    </div>
                                                  </div>
                                                  <br>
                                                  <fieldset></fieldset>
                                                  <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
                                                </blockquote>
                                                <br>
                                              </div>
                                            </blockquote>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </blockquote>
                          <br>
                        </div>
                      </blockquote>
                    </div>
                  </blockquote>
                </div>
              </div>
            </blockquote>
          </div>
        </blockquote>
      </div>
    </blockquote>
  </div>

</blockquote></div>
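<p>The thread's configuration wires a <code>db_url</code> to a <code>tls_mgm</code> client domain through <code>?tls_domain=dom1</code>, and the startup log reports "server verification NOT activated. Weaker security." because <code>verify_cert</code> is <code>[dom1]0</code>. The following is an added example (not OpenSIPS code and not posted by anyone in the thread): a small pre-flight linter that parses the <code>modparam</code> lines, cross-checks every <code>tls_domain</code> named in a <code>db_url</code> against the declared client domains, and flags a disabled server-certificate check or a missing CA list before the config is loaded. It assumes the <code>[domain]value</code> prefix syntax shown in the thread; the sample config is constructed from the "Method 1" snippet with a placeholder host and credentials.</p>

```python
"""Pre-flight check for OpenSIPS db_url / tls_mgm client-domain wiring.

Added example for this thread, not OpenSIPS code. It assumes the modparam
syntax visible in the thread: tls_mgm values prefixed with "[domain]" and a
db_url query parameter "tls_domain=<name>". SAMPLE_CONFIG is constructed from
the "Method 1" snippet with a placeholder database host and credentials.
"""
import re
from urllib.parse import parse_qs, urlsplit

# modparam("module", "param", "string") or modparam("module", "param", 123)
MODPARAM_RE = re.compile(
    r'modparam\(\s*"(?P<module>[^"]+)"\s*,\s*"(?P<param>[^"]+)"\s*,\s*'
    r'(?:"(?P<sval>[^"]*)"|(?P<ival>\d+))\s*\)'
)
# "[dom1]/etc/ssl/certs/x.pem" -> domain "dom1", value "/etc/ssl/certs/x.pem"
DOMAIN_PREFIX_RE = re.compile(r"^\[(?P<dom>[^\]]+)\](?P<value>.*)$")

SAMPLE_CONFIG = """
modparam("db_mysql", "use_tls", 1)
# client domain used for the database connection (constructed sample)
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm", "certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm", "private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm", "ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm", "tls_method", "[dom1]SSLv23")
modparam("tls_mgm", "verify_cert", "[dom1]0")
modparam("tls_mgm", "require_cert", "[dom1]0")
modparam("usrloc", "db_url", "mysql://opensips:secret@db.example.internal/opensips?tls_domain=dom1")
"""


def parse_config(text):
    """Collect tls_mgm domains (name -> {param: value}) and every db_url."""
    tls_domains, db_urls = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = MODPARAM_RE.search(line)
        if not m:
            continue
        module, param = m.group("module"), m.group("param")
        value = m.group("sval") if m.group("sval") is not None else m.group("ival")
        if module == "tls_mgm":
            if param in ("client_domain", "server_domain"):
                tls_domains.setdefault(value, {})["kind"] = param
                continue
            dm = DOMAIN_PREFIX_RE.match(value)
            if dm:
                tls_domains.setdefault(dm.group("dom"), {})[param] = dm.group("value")
        elif param == "db_url":
            db_urls.append((module, value))
    return tls_domains, db_urls


def check(text):
    """Return (severity, message) findings for each db_url that names a tls_domain."""
    tls_domains, db_urls = parse_config(text)
    findings = []
    for module, url in db_urls:
        names = parse_qs(urlsplit(url).query).get("tls_domain")
        if not names:
            continue  # no tls_domain in this URL, nothing to cross-check
        name = names[0]
        dom = tls_domains.get(name)
        if dom is None:
            findings.append(("error", f"{module}: db_url references undefined TLS domain '{name}'"))
            continue
        if dom.get("kind") != "client_domain":
            findings.append(("error", f"TLS domain '{name}' is not declared as a client_domain"))
        # the thread states a client domain always needs a certificate and key
        for required in ("certificate", "private_key"):
            if not dom.get(required):
                findings.append(("error", f"TLS domain '{name}': missing {required}"))
        if not dom.get("ca_list"):
            findings.append(("warning", f"TLS domain '{name}': no ca_list, the server certificate cannot be validated"))
        if dom.get("verify_cert") == "0":
            findings.append(("warning", f"TLS domain '{name}': verify_cert=0, the server certificate is not verified"))
        elif "verify_cert" not in dom:
            findings.append(("info", f"TLS domain '{name}': verify_cert not set explicitly"))
    return findings


if __name__ == "__main__":
    for severity, message in check(SAMPLE_CONFIG):
        print(f"{severity}: {message}")
```

<p>Run against the sample it reports the <code>verify_cert=0</code> warning that matches the "server verification NOT activated" log line; for a one-way TLS setup against a managed database, the CA bundle goes in <code>ca_list</code> and <code>verify_cert</code> should stay enabled so the server identity is actually checked.</p>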