<div dir="ltr">Hello, <div><br></div><div>I tried to change this option, change from self-signed to true certificate, change the listeners and even change the DRouting module to Dispatcher. </div><div><br></div><div>Microsoft's documentation says that a SBC must send a packet to them, so they will answer back and will send an OPTIONS packet as soon as the TLS connection was made successfully. </div><div><br></div><div>So, when I send the first packet, I will act as a client TLS user. I thought the 'client domain' part, in module configuration was the problem. But even changing the 'server' part too, the result was the same. </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> /usr/sbin/opensips[676690]: DBG:proto_tls:proto_tls_send: no open tcp connection found, opening new one, async = 1<br> /usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff: getsockopt: snd is initially 16384<br> /usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff: using snd buffer of 416 kb<br> /usr/sbin/opensips[676690]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5<br> /usr/sbin/opensips[676681]: WARNING:core:utimer_ticker: utimer task <tm-utimer> already scheduled 100 ms ago (now 35900 ms), delaying execution<br> /usr/sbin/opensips[676690]: DBG:core:tcp_async_connect: Polling is overdue<br> /usr/sbin/opensips[676690]: DBG:core:tcp_async_connect: Create connection for async connect<br> /usr/sbin/opensips[676690]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.32.169<br> /usr/sbin/opensips[676690]: DBG:core:tcpconn_new: on port 5061, proto 3<br> /usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found<br> /usr/sbin/opensips[676690]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f027cb1d070<br>/usr/sbin/opensips[676690]: DBG:core:tcpconn_destroy: delaying (0x7f027cb1d070, flags 0018) ref = -1 ...<br> /usr/sbin/opensips[676690]: ERROR:core:tcp_async_connect: tcp_conn_create failed<br> /usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_send: async TCP connect failed</blockquote><div><br></div><div>Thank you for your help. </div><div><br></div><div>Regards, </div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, Mar 10, 2025 at 4:33 AM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org">bogdan@opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<font face="monospace">Hi,<br>
<br>
For the incoming TLS connections, the right TLS server domain is
selected based either on the IP address (of OpenSIPS's listener),
either on the SIP domain (if SNI is used).<br>
<br>
So, maybe SNI is not used in your case, so you should define a
match_ip_address:<br>
<a href="https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address" target="_blank">https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address</a><br>
<br>
Regards,<br>
</font>
<pre cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
<a href="https://www.siphub.com" target="_blank">https://www.siphub.com</a></pre>
<div>On 07.03.2025 23:10, Thiago Lopes via
Users wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi everyone,
<div><br>
</div>
<div>I'm trying to integrate Ms Teams and Opensips and I'm
having some problems. </div>
<div><br>
</div>
<div>I tried to use self signed and Letsencrypt certificates,
with no success. I always receive a ''no TLS client domain
found'. </div>
<div><br>
</div>
<div> /usr/sbin/opensips[505412]:
ERROR:proto_tls:proto_tls_conn_init: no TLS client domain
found<br>
/usr/sbin/opensips[505412]: ERROR:core:tcp_conn_create:
failed to do proto 3 specific init for conn 0x7f7220f343b0<br>
/usr/sbin/opensips[505412]: ERROR:core:tcp_async_connect:
tcp_conn_create failed<br>
</div>
<div><br>
</div>
<div>Here my opensips.cfg: </div>
<div><br>
</div>
<div>loadmodule "tls_mgm.so"<br>
<br>
/*#first the server domain */<br>
modparam("tls_mgm", "server_domain", "default") <br>
modparam("tls_mgm", "certificate",
"[default]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/fullchain.pem" target="_blank">sbc.mydomain.com/fullchain.pem</a>")
<br>
modparam("tls_mgm", "private_key",
"[default]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/privkey.pem" target="_blank">sbc.mydomain.com/privkey.pem</a>")
<br>
modparam("tls_mgm", "ca_list",
"[default]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/inter.pem" target="_blank">sbc.mydomain.com/inter.pem</a>") <br>
modparam("tls_mgm", "match_sip_domain", "[default]<a href="http://sbc.mydomain.com" target="_blank">sbc.mydomain.com</a>")
<br>
modparam("tls_mgm", "verify_cert", "[default]0")<br>
#modparam("tls_mgm", "require_cert", "[default]1")<br>
#modparam("tls_mgm", "ciphers_list",
"[default]AES128-SHA256:AES256-SHA")<br>
modparam("tls_mgm", "tls_method", "[default]SSLv23")<br>
<br>
<br>
# #and the client domain
<br>
modparam("tls_mgm", "client_domain", "client") <br>
modparam("tls_mgm", "certificate",
"[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/fullchain.pem" target="_blank">sbc.mydomain.com/fullchain.pem</a>")
<br>
modparam("tls_mgm", "private_key",
"[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/privkey.pem" target="_blank">sbc.mydomain.com/privkey.pem</a>")
<br>
modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/inter.pem" target="_blank">sbc.mydomain.com/inter.pem</a>")<br>
#modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/" target="_blank">sbc.mydomain.com/</a>")
<br>
modparam("tls_mgm", "match_sip_domain", "[client]<a href="http://sbc.mydomain.com" target="_blank">sbc.mydomain.com</a>")<br>
<br>
modparam("tls_mgm", "verify_cert", "[client]0")<br>
# modparam("tls_mgm", "require_cert", "[client]1")<br>
# modparam("tls_mgm", "ciphers_list",
"[client]AES128-SHA256:AES256-SHA")<br>
modparam("tls_mgm", "tls_method", "[client]SSLv23")</div>
<div><br>
</div>
<div>I also changed the certificates, using self signed in
"server domain" only or "client domain" only. Same result. </div>
<div><br>
</div>
<div>Using the openssl the verify the certificates, I receive a
OK in console: </div>
<div><br>
</div>
<div>fullchain.pem: OK</div>
<div><br>
</div>
<div>The inter.pem is the file with the root and
intermediate Letsencrypt certificates. </div>
<div><br>
</div>
<div>On the Ms Teams side, I checked the FQDN used, checked the
firewall ports etc.</div>
<div><br>
</div>
<div>I followed this tutorial: <a href="https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/" target="_blank">https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/</a>
, so I'm using the Dynamic Routing module to send the OPTIONS
packet. The opensips start the communication using TLS, I see
the packets using TLS in 5061 port, but when Opensips will
answer, this message appears on the console and the connection
is closed. </div>
<div><br>
</div>
<div>/usr/sbin/opensips[505398]: ERROR:tm:t_uac: attempt to send
to 'sip:<a href="http://sip.pstnhub.microsoft.com" target="_blank">sip.pstnhub.microsoft.com</a>' failed<br>
/usr/sbin/opensips[505398]:
ERROR:proto_tls:proto_tls_conn_init: no TLS client domain
found<br>
/usr/sbin/opensips[505398]: ERROR:core:tcp_conn_create: failed
to do proto 3 specific init for conn 0x7f7220f4df40<br>
</div>
<div><br>
</div>
<div>What I'm not seeing? Did someone pass through this
problem? </div>
<div>Best regards</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</div>
</blockquote></div>