<div dir="ltr">Is there any update here ? <div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><b><i>Thanks & Regards</i></b><div><i>Sasmita Panda</i></div><div><i>Senior Network Testing and Software Engineer</i></div><div><i>3CLogic , ph:07827611765</i></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 30, 2024 at 5:27 PM Sasmita Panda <<a href="mailto:spanda@3clogic.com">spanda@3clogic.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi , <div><br></div><div><br></div><div>for outbound call to a tls gateway I have below configuration for client_domain </div><div><br></div><div><br>modparam("tls_mgm", "client_domain", "dom1")<br>modparam("tls_mgm", "match_ip_address", "[dom1]*")<br>modparam("tls_mgm", "tls_method", "[dom1]-TLSv1_2")<br>modparam("tls_mgm", "certificate", "[dom1]/etc/opensips/tls/3cdomain.crt")<br>modparam("tls_mgm", "private_key", "[dom1]/etc/opensips/tls/3cdomain.key")<br>modparam("tls_mgm", "require_cert", "[dom1]0")<br>modparam("tls_mgm", "verify_cert", "[dom1]0")<br></div><div><br></div><div> With this configuration when I place an outbound call I am getting below error in the logs . I don't have the certificate and key of the next party . How can I authorized this certificate the</div><div>provide on opensips end ? </div><div><br></div><div><br></div><div><b> NOTICE:tls_openssl:verify_callback: depth = 1, verify failure<br> NOTICE:tls_openssl:verify_callback: subject = /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http:\/\/<a href="http://certs.godaddy.com" target="_blank">certs.godaddy.com</a>\/repository\//CN=Go Daddy Secure Certificate Authority - G2<br> NOTICE:tls_openssl:verify_callback: issuer = /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2<br> NOTICE:tls_openssl:verify_callback: verify error: unable to get local issuer certificate [error=20]<br> INFO:tls_openssl:openssl_tls_connect: New TLS connection to 18.169.x.y:5065 established<br> INFO:tls_openssl:tls_dump_cert_info: tls_connect: server TLS certificate subject: /CN=*.sftel.yyy.cloud, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http:\/\/<a href="http://certs.godaddy.com" target="_blank">certs.godaddy.com</a>\/repository\//CN=Go Daddy Secure Certificate Authority - G2<br> WARNING:tls_openssl:openssl_tls_connect: TLS server certificate verification failed<br> ERROR:tls_openssl:tls_dump_verification_failure: unable to get local issuer certificate<br> INFO:tls_openssl:tls_dump_cert_info: tls_connect: local TLS client certificate subject: /CN=*.<a href="http://xxx.com" target="_blank">xxx.com</a>, issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=xyz RSA Domain Validation Secure Server CA</b><br><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><b><i><br></i></b></div><div><b><i>What should I do here ? </i></b></div><div dir="ltr"><b><i><br></i></b></div><div dir="ltr"><b><i>Thanks & Regards</i></b><div><i>Sasmita Panda</i></div><div><i>Senior Network Testing and Software Engineer</i></div><div><i>3CLogic , ph:07827611765</i></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 29, 2024 at 12:52 PM Sasmita Panda <<a href="mailto:spanda@3clogic.com" target="_blank">spanda@3clogic.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi All , <div><br></div><div>I am using opensips 3.2 from very long time . For TLS connection I was using our domain specific certificate and private key which was authorized by some verified organization . With that my TLS connection with the server is getting established and also I am able to get REGISTER and INVITE request on the connection . </div><div><br></div><div><br></div><div>Rather than this , when I build opensips with TLS=1 opensips itself creates its own rootCA . If I am using those crt and private key file for TLS connection the connection get established but I am not getting any request . What can be the reason . </div><div><br></div><div>My configuration is like below . </div><div><br></div><div>modparam("tls_mgm", "server_domain", "dom3")<br>modparam("tls_mgm", "match_ip_address", "[dom3]20.1.x.y:5061")<br>modparam("tls_mgm", "match_sip_domain", "[dom3]none")<br>#
20.1.x.y this is my servers private IP on which I have configured TLS socket . <br>modparam("tls_mgm", "tls_method", "[dom3]-TLSv1_2")<br><br>modparam("tls_mgm", "certificate", "[dom3]/etc/opensips/tls/rootCA/cacert.pem")<br>modparam("tls_mgm", "private_key", "[dom3]/etc/opensips/tls/rootCA/private/cakey.pem")<br>modparam("tls_mgm", "ca_list", "[dom3]/etc/opensips/tls/rootCA/certs/01.pem")<br><br>modparam("tls_mgm", "require_cert", "[dom3]0")<br>modparam("tls_mgm", "verify_cert", "[dom3]1")<br></div><div><br></div><div>In the logs I am getting below message </div><div><br></div><div><b>2024-08-29T07:14:59.213460+00:00 ip-20-1-205-63 /sbin/opensips[22895]: INFO:tls_openssl:openssl_tls_accept: New TLS connection from x.x.x.x:20219 accepted<br>2024-08-29T07:14:59.213866+00:00 ip-20-1-205-63 /sbin/opensips[22895]: INFO:tls_openssl:openssl_tls_accept: Client did not present a TLS certificate<br>2024-08-29T07:14:59.214064+00:00 ip-20-1-205-63 /sbin/opensips[22895]: INFO:tls_openssl:tls_dump_cert_info: tls_accept: local TLS server certificate subject: /CN=OpenSIPS/ST=<a href="http://opensips.org/C=IP/emailAddress=team@opensips.org/O=opensips.org" target="_blank">opensips.org/C=IP/emailAddress=team@opensips.org/O=opensips.org</a>, issuer: /CN=OpenSIPS/ST=<a href="http://opensips.org/C=IP/emailAddress=team@opensips.org/O=opensips.org" target="_blank">opensips.org/C=IP/emailAddress=team@opensips.org/O=opensips.org</a></b><br></div><div><br></div><div>I have added siptrace and tracing to the DB as well . I am not getting any SIP messages on the 2nd case . What can be the reason for this ? This is quite critical to me . Please do help. </div><div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><b><i>Thanks & Regards</i></b><div><i>Sasmita Panda</i></div><div><i>Senior Network Testing and Software Engineer</i></div><div><i>3CLogic , ph:07827611765</i></div></div></div></div></div></div></div></div>
</blockquote></div>
</blockquote></div>