<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Thanks very much Callum, seeing a working example with separate client/server tls_mgm rows really helped get us sorted.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
I notice that you set verify_cert (and require_cert) to 0; is there any reason for that? I won't go into too much detail because it's probably worth another thread, but we're seeing problems with TLS calling when it's on: opensips doesn't like my 3CX instance
that uses a Let's Encrypt cert.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Kind regards,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
James</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Callum Guy <callum.guy@x-on.co.uk><br>
<b>Sent:</b> 07 April 2023 14:43<br>
<b>To:</b> James Nicholls <james.nicholls@qunifi.com>; OpenSIPS users mailling list <users@lists.opensips.org><br>
<b>Subject:</b> Re: [OpenSIPS-Users] tls_mgm domain database configuration</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div>Hi James,</div>
<div><br>
</div>
<div>It could certainly be clearer!</div>
<div><br>
</div>
<div>Here's an extract from my script and some example inserts for a client and server record.</div>
<div><br>
</div>
<div><a href="https://gist.github.com/spacetourist/788ea722901e81d355850842e2b17cda">https://gist.github.com/spacetourist/788ea722901e81d355850842e2b17cda</a><br>
</div>
<div><br>
</div>
INSERT INTO opensips_dev.tls_mgm (id, domain, match_ip_address, match_sip_domain, type, method, verify_cert, require_cert, certificate, private_key, crl_check_all, crl_dir, ca_list, ca_dir, cipher_list, dh_params, ec_curve) VALUES (5, 'default', '*', '*', 1,
'TLSv1_2', 0, 0, 0x2D2D2D2D2D424547494E20434...2D2D2D2D0A, 0x2D2D2D2D2D424547494...B45592D2D2D2D2D0A, 0, null, null, null, 'EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH,!RSA,!SHA', 0x2D2D2D2D2D4245...D2D2D0A, 'secp384r1');<br>
<br>
INSERT INTO opensips_dev.tls_mgm (id, domain, match_ip_address, match_sip_domain, type, method, verify_cert, require_cert, certificate, private_key, crl_check_all, crl_dir, ca_list, ca_dir, cipher_list, dh_params, ec_curve) VALUES (15, 'default', '*', '*',
2, 'TLSv1_2', 0, 0, 0x2D2D2D2...D2D0A, 0x2D2D2D2D2...D2D2D0A, 0, null, null, null, 'EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH,!RSA,!SHA', 0x2D2D2D2D2D42454...2D0A, 'secp384r1');<br>
<div><br>
</div>
<div>Hope that helps get you moving!</div>
<div><br>
</div>
<div>Callum</div>
</div>
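<div>Added example (not from this thread or from the OpenSIPS project): it renders rows shaped like the two inserts above as tls_mgm INSERT statements, encoding the PEM blobs as the 0x... hex literals shown, and audits a set of rows for the two problems discussed in this thread, a domain with no type 2 (client) row, which is what produces "no TLS client domain found", and client rows with verify_cert/require_cert set to 0. The PEM blobs, the table name and the ca_list path are constructed placeholders.</div>

```python
import binascii

# tls_mgm "type" column values as used in the inserts above: 1 server, 2 client.
TLS_DOMAIN_SERVER, TLS_DOMAIN_CLIENT = 1, 2

# Constructed stand-in PEM blobs (a real row carries the complete PEM text).
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"

COLUMNS = ("id", "domain", "match_ip_address", "match_sip_domain", "type", "method",
           "verify_cert", "require_cert", "certificate", "private_key", "crl_check_all",
           "crl_dir", "ca_list", "ca_dir", "cipher_list", "dh_params", "ec_curve")

def pem_hex_literal(pem: bytes) -> str:
    """Encode a PEM blob as the 0x... literal that appears in the INSERTs above."""
    return "0x" + binascii.hexlify(pem).decode("ascii").upper()

def tls_mgm_row(id_, domain, type_, cert, key, verify_cert=1, require_cert=1,
                ca_list="/etc/ssl/certs/ca-certificates.crt"):  # placeholder CA bundle path
    """One tls_mgm row as a dict; verify/require default to 1, the secure setting."""
    return dict(id=id_, domain=domain, match_ip_address="*", match_sip_domain="*",
                type=type_, method="TLSv1_2", verify_cert=verify_cert,
                require_cert=require_cert, certificate=cert, private_key=key,
                crl_check_all=0, crl_dir=None, ca_list=ca_list, ca_dir=None,
                cipher_list="EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH,!RSA,!SHA",
                dh_params=None, ec_curve="secp384r1")

def insert_sql(row, table="opensips.tls_mgm"):  # table name is a placeholder
    """Render a row as an INSERT; bytes become hex literals, None becomes NULL."""
    def lit(v):
        if v is None: return "NULL"
        if isinstance(v, bytes): return pem_hex_literal(v)
        if isinstance(v, int): return str(v)
        return "'" + str(v).replace("'", "''") + "'"
    return (f"INSERT INTO {table} ({', '.join(COLUMNS)}) VALUES "
            f"({', '.join(lit(row[c]) for c in COLUMNS)});")

def audit(rows):
    """Return findings: domains missing a client/server row, and weak verification."""
    findings, types = [], {}
    for r in rows:
        types.setdefault(r["domain"], set()).add(r["type"])
    for d, seen in sorted(types.items()):
        if TLS_DOMAIN_CLIENT not in seen:
            findings.append(f"{d}: no type-2 (client) row; outbound TLS fails with 'no TLS client domain found'")
        if TLS_DOMAIN_SERVER not in seen:
            findings.append(f"{d}: no type-1 (server) row; incoming TLS has no matching server domain")
    for r in rows:
        if r["type"] == TLS_DOMAIN_CLIENT and not (r["verify_cert"] and r["require_cert"]):
            findings.append(f"{r['domain']}/id {r['id']}: client row does not verify the peer certificate")
        if r["verify_cert"] and not (r["ca_list"] or r["ca_dir"]):
            findings.append(f"{r['domain']}/id {r['id']}: verify_cert=1 but no ca_list/ca_dir to chain against")
    return findings
```

Running audit() over a server-only row set reproduces the situation in the original question, while a pair of rows with verify_cert=0 shows which of them actually weakens peer checking.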
<br>
<div class="x_gmail_quote">
<div dir="ltr" class="x_gmail_attr">On Fri, 7 Apr 2023 at 09:12, James Nicholls via Users <<a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>> wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
Hi all,<br>
<br>
I have an existing opensips 3.3.4 setup that uses modparam to set tls_mgm certificates with separate server_domain and client_domain entries. This works fine for registration and calling using TLS but I want to be able to update certificates with tls_reload
so I'm trying to move them to the database instead.<br>
<br>
The tls_mgm table schema added by opensips-cli has a domain and type column. Does "type" mean client/server or is it something else? I have tried having separate entries for client/server certs, or combining them into one row, but I can't get it to work. Everything
seems to result in "no TLS client domain found" as below.<br>
<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f3c9f1b5e98<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: DBG:core:tcpconn_destroy: delaying (0x7f3c9f1b5e98, flags 0018) ref = -1 ...<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_send: async TCP connect failed<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:msg_send: send() to (PBX IP):5061 for proto tls/3 failed<br>
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:t_forward_nonack: sending request failed<br>
<br>
Example row in the tls_mgm table:<br>
<br>
domain: (SIP branded hostname)<br>
match_ip_address: (opensips IP):4003<br>
match_sip_domain: *<br>
type: 1<br>
method: TLSv1_2-<br>
verify_cert: 0<br>
require_cert: 0<br>
certificate: -----BEGIN CERTIFICATE----- [...]<br>
private_key: -----BEGIN RSA PRIVATE KEY----- [...]<br>
crl_check_all: 0<br>
crl_dir: NULL<br>
ca_list: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem<br>
ca_dir: NULL<br>
cipher_list: NULL<br>
dh_params: NULL<br>
ec_curve: NULL<br>
<br>
Is there any documentation for adding certificates to the tls_mgm table? I haven't found anything in the 3.3.x docs, the only examples use modparam. Hopefully I have got something really obvious wrong.<br>
<br>
Kind regards,<br>
<br>
James Nicholls<br>
<br>
</blockquote>
</div>
<br>
</div>
</body>
</html>