<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<font face="monospace">Hi,<br>
<br>
For the incoming TLS connections, the right TLS server domain is
selected based either on the IP address (of OpenSIPS's listener)
or on the SIP domain (if SNI is used).<br>
<br>
So, maybe SNI is not used in your case, so you should define a
match_ip_address:<br>
<a class="moz-txt-link-freetext" href="https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address">https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address</a><br>
<br>
Regards,<br>
</font>
<pre class="moz-signature" cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a class="moz-txt-link-freetext" href="https://www.opensips-solutions.com">https://www.opensips-solutions.com</a>
<a class="moz-txt-link-freetext" href="https://www.siphub.com">https://www.siphub.com</a></pre>
<div class="moz-cite-prefix">On 07.03.2025 23:10, Thiago Lopes via
Users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABMr7h=8U0K5ZGXcKT2xpLNdyVseRuhAJZOKxNj=RVZ=HC3TnA@mail.gmail.com">
<div dir="ltr">Hi everyone,
<div><br>
</div>
<div>I'm trying to integrate MS Teams and OpenSIPS and I'm
having some problems. </div>
<div><br>
</div>
<div>I tried to use self-signed and Let's Encrypt certificates,
with no success. I always receive a 'no TLS client domain
found'. </div>
<div><br>
</div>
<div> /usr/sbin/opensips[505412]:
ERROR:proto_tls:proto_tls_conn_init: no TLS client domain
found<br>
/usr/sbin/opensips[505412]: ERROR:core:tcp_conn_create:
failed to do proto 3 specific init for conn 0x7f7220f343b0<br>
/usr/sbin/opensips[505412]: ERROR:core:tcp_async_connect:
tcp_conn_create failed<br>
</div>
<div><br>
</div>
<div>Here my opensips.cfg: </div>
<div><br>
</div>
<div>loadmodule "tls_mgm.so"<br>
<br>
/*#first the server domain */<br>
modparam("tls_mgm", "server_domain", "default")<br>
modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")<br>
modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")<br>
modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")<br>
modparam("tls_mgm", "match_sip_domain", "[default]sbc.mydomain.com")<br>
modparam("tls_mgm", "verify_cert", "[default]0")<br>
#modparam("tls_mgm", "require_cert", "[default]1")<br>
#modparam("tls_mgm", "ciphers_list", "[default]AES128-SHA256:AES256-SHA")<br>
modparam("tls_mgm", "tls_method", "[default]SSLv23")<br>
<br>
<br>
# #and the client domain<br>
modparam("tls_mgm", "client_domain", "client")<br>
modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")<br>
modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")<br>
modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")<br>
#modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/sbc.mydomain.com/")<br>
modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")<br>
<br>
modparam("tls_mgm", "verify_cert", "[client]0")<br>
# modparam("tls_mgm", "require_cert", "[client]1")<br>
# modparam("tls_mgm", "ciphers_list", "[client]AES128-SHA256:AES256-SHA")<br>
modparam("tls_mgm", "tls_method", "[client]SSLv23")</div>
<div><br>
</div>
<div>I also changed the certificates, using self-signed in
"server domain" only or "client domain" only. Same result. </div>
<div><br>
</div>
<div>Using openssl to verify the certificates, I receive an
OK in the console: </div>
<div><br>
</div>
<div>fullchain.pem: OK</div>
<div><br>
</div>
<div>The inter.pem is the file with the root and
intermediate Let's Encrypt certificates. </div>
<div><br>
</div>
<div>On the MS Teams side, I checked the FQDN used, checked the
firewall ports etc.</div>
<div><br>
</div>
<div>I followed this tutorial: <a
href="https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/"
moz-do-not-send="true" class="moz-txt-link-freetext">https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/</a>
, so I'm using the Dynamic Routing module to send the OPTIONS
packet. OpenSIPS starts the communication using TLS, I see
the packets using TLS on port 5061, but when OpenSIPS
answers, this message appears on the console and the connection
is closed. </div>
<div><br>
</div>
<div>/usr/sbin/opensips[505398]: ERROR:tm:t_uac: attempt to send to 'sip:sip.pstnhub.microsoft.com' failed<br>
/usr/sbin/opensips[505398]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found<br>
/usr/sbin/opensips[505398]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f7220f4df40<br>
</div>
<div><br>
</div>
<div>What am I not seeing? Has anyone run into this
problem? </div>
<div>Best regards</div>
</div>
<br>
</blockquote>
<br>
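<div>An added example, not part of either message above and not OpenSIPS project code: the two TLS domains from the quoted opensips.cfg with the match_ip_address filter that the reply points to. The listener address 203.0.113.10:5061 is a placeholder, and the "*" wildcard on the client domain is an assumption about what suits this setup.</div>

```cfg
# Added example. Placeholders and assumptions:
#   203.0.113.10:5061  stands in for the local TLS listener address
#   "[client]*"        wildcard filter, assumed suitable for this setup

loadmodule "tls_mgm.so"

# Server domain: selected for incoming connections. When the peer sends no
# SNI, match_sip_domain cannot match, so the listener address is the filter
# that selects this domain.
modparam("tls_mgm", "server_domain", "default")
modparam("tls_mgm", "match_ip_address", "[default]203.0.113.10:5061")
modparam("tls_mgm", "match_sip_domain", "[default]sbc.mydomain.com")
modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")

# Client domain: selected for outgoing connections, where match_ip_address
# is compared with the destination address. "*" accepts any destination.
modparam("tls_mgm", "client_domain", "client")
modparam("tls_mgm", "match_ip_address", "[client]*")
modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")

# verify_cert is kept at 0 as in the quoted config, which means the peer's
# certificate is not validated. Turning it on requires a ca_list that holds
# the CA which issued the peer's certificate.
modparam("tls_mgm", "verify_cert", "[default]0")
modparam("tls_mgm", "verify_cert", "[client]0")
```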
</body>
</html>