<div dir="auto">Hi James,<div dir="auto"><br></div><div dir="auto">Can you please share what parameters you have configured for TLS in opensips 3.3?</div><div dir="auto"><br></div><div dir="auto">Because I have also facing same issue for wss connection.</div><div dir="auto"><br></div><div dir="auto">I have try same certificate in freeswitch and check that WSS url in piesocket that connect established.</div><div dir="auto"><br></div><div dir="auto">But when I configured same certificate in opensips and check in piesocket then connection not established.</div><div dir="auto"><br></div><div dir="auto">So if you share what you have configured I will try same on my side to solve my issue.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 7, 2023, 13:43 James Nicholls via Users <<a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
I have an existing opensips 3.3.4 setup that uses modparam to set tls_mgm certificates with separate server_domain and client_domain entries. This works fine for registration and calling using TLS but I want to be able to update certificates with tls_reload so I'm trying to move them to the database instead.<br>
<br>
The tls_mgm table schema added by opensips-cli has a domain and type column. Does "type" mean client/server or is it something else? I have tried having separate entries for client/server certs, or combining them into one row, but I can't get it to work. Everything seems to result in "no TLS client domain found" as below.<br>
<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f3c9f1b5e98<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: DBG:core:tcpconn_destroy: delaying (0x7f3c9f1b5e98, flags 0018) ref = -1 ...<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_send: async TCP connect failed<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:msg_send: send() to (PBX IP):5061 for proto tls/3 failed<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:t_forward_nonack: sending request failed<br>
<br>
Example row in the tls_mgm table:<br>
<br>
domain: (SIP branded hostname)<br>
match_ip_address: (opensips IP):4003<br>
match_sip_domain: *<br>
type: 1<br>
method: TLSv1_2-<br>
verify_cert: 0<br>
require_cert: 0<br>
certificate: -----BEGIN CERTIFICATE----- [...]<br>
private_key: -----BEGIN RSA PRIVATE KEY----- [...]<br>
crl_check_all: 0<br>
crl_dir: NULL<br>
ca_list: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem<br>
ca_dir: NULL<br>
cipher_list: NULL<br>
dh_params: NULL<br>
ec_curve: NULL<br>
<br>
Is there any documentation for adding certificates to the tls_mgm table? I haven't found anything in the 3.3.x docs, the only examples use modparam. Hopefully I have got something really obvious wrong.<br>
<br>
Kind regards,<br>
<br>
James Nicholls<br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank" rel="noreferrer">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</blockquote></div>