<div dir="ltr"><div dir="ltr">Hi Bogdan-Andrei, <div><br></div><div>I already did this too. The result in the log file was the same. </div><div><br></div><div>Actually, even with changing the tls_mgm module, or from openssl to wolfssl, I saw that the module that answers with the error is proto_tls: </div><div><br></div><div> /usr/sbin/opensips[4634]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5<br> /usr/sbin/opensips[4634]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.76.76<br> /usr/sbin/opensips[4634]: DBG:core:tcpconn_new: on port 5061, proto 3<br><b> /usr/sbin/opensips[4634]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found</b><br> /usr/sbin/opensips[4634]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f794a63d080<br> /usr/sbin/opensips[4634]: DBG:core:tcpconn_destroy: delaying (0x7f794a63d080, flags 0018) ref = -1 ...<br></div><div><br></div><div>My actual cfg file: </div><div><br></div><div>#loadmodule "tls_openssl.so"<br>loadmodule "tls_wolfssl.so"<br><br>####TLS module<br>loadmodule "tls_mgm.so"<br> /*#first the server domain */<br>modparam("tls_mgm", "server_domain", "default") <br>modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/fullchain.pem">sbc.mydomain.com/fullchain.pem</a>") <br>modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/privkey.pem">sbc.mydomain.com/privkey.pem</a>") <br>modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/inter.pem">sbc.mydomain.com/inter.pem</a>") <br>modparam("tls_mgm", "match_ip_address", "[default]x.x.x.x:5061")<br>modparam("tls_mgm", "match_sip_domain", "[default]<a href="http://sbc.mydomain.com">sbc.mydomain.com</a>") <br>#modparam("tls_mgm", "verify_cert", "[default]0")<br>#modparam("tls_mgm", "require_cert", "[default]1")<br>#modparam("tls_mgm", "ciphers_list", 
"[default]AES128-SHA256:AES256-SHA")<br>modparam("tls_mgm", "tls_method", "[default]SSLv23")<br> <br><br> # #and the client domain <br>modparam("tls_mgm", "client_domain", "client") <br>modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/fullchain.pem">sbc.mydomain.com/fullchain.pem</a>") <br>modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/privkey.pem">sbc.mydomain.com/privkey.pem</a>") <br>modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/inter.pem">sbc.mydomain.com/inter.pem</a>")<br>#modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/">sbc.mydomain.com/</a>") <br>modparam("tls_mgm", "match_sip_domain", "[client]<a href="http://sbc.mydomain.com">sbc.mydomain.com</a>")<br>modparam("tls_mgm", "match_ip_address", "[client]x.x.x.x:5061")<br> <br>#modparam("tls_mgm", "verify_cert", "[client]0")<br> # modparam("tls_mgm", "require_cert", "[client]1")<br> # modparam("tls_mgm", "ciphers_list", "[client]AES128-SHA256:AES256-SHA")<br>modparam("tls_mgm", "tls_method", "[client]SSLv23")<br> <br> <br><br>modparam("tls_mgm", "tls_library", "wolfssl")<br>#modparam("tls_mgm", "tls_handshake_timeout", 300)<br>modparam("tls_mgm", "client_sip_domain_avp", "<a href="http://sbc.mydomain.com">sbc.mydomain.com</a>")<br>modparam("tls_mgm", "client_tls_domain_avp", "<a href="http://sbc.mydomain.com">sbc.mydomain.com</a>")<br><br>loadmodule "proto_tls.so"<br>#modparam("proto_tls", "tls_async", 0)<br>modparam("proto_tls", "tls_handshake_timeout", 300)<br>modparam("proto_tls", "tls_send_timeout", 2000)<br>modparam("proto_tls", "tls_max_msg_chunks", 8)<br>modparam("proto_tls", "cert_check_on_conn_reusage", 1)<br></div><div><br></div><div><br></div><div>Enabling or not the client_sip_domain_avp, client_tls_domain_avp, match_sip_domain and match_ip_address, in any order, does not show any different 
results.</div><div><br></div><div>I thought maybe of making a rollback, from 3.4.11 to another version where someone did this connection with Teams successfully.</div><div><br></div><div>In past versions here in this list I read that some fellows ran into the same error. But there was an error in the cfg file. I did several alterations in this file, modules and certificates. The only change that I didn't make was changing the version. </div><div><br></div><div>Regards, </div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Tue, Mar 11, 2025 at 6:47 AM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org">bogdan@opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<font face="monospace">Hi,<br>
<br>
OK, so your OpenSIPS is the client from the TLS POV. So, you need to help
OpenSIPS to figure out which TLS client domain to use. The
simplest way to do it is by forcing directly the name of the TLS
client domain (see [1]) or by setting a SIP domain (see [2]) that
matches "match_sip_domain" in your TLS client domain.<br>
<br>
[1]
<a href="https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_client_tls_domain_avp" target="_blank">https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_client_tls_domain_avp</a><br>
[2]
<a href="https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_client_sip_domain_avp" target="_blank">https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_client_sip_domain_avp</a><br>
<br>
Regards,<br>
</font>
<pre cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
<a href="https://www.siphub.com" target="_blank">https://www.siphub.com</a></pre>
<div>On 10.03.2025 18:49, Thiago Lopes
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I tried to change this option, change from a self-signed to a
true certificate, change the listeners and even change the
DRouting module to Dispatcher. </div>
<div><br>
</div>
<div>Microsoft's documentation says that an SBC must send a
packet to them, so they will answer back and will send an
OPTIONS packet as soon as the TLS connection was made
successfully. </div>
<div><br>
</div>
<div>So, when I send the first packet, I will act as a client
TLS user. I thought the 'client domain' part, in module
configuration was the problem. But even changing the 'server'
part too, the result was the same. </div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> /usr/sbin/opensips[676690]:
DBG:proto_tls:proto_tls_send: no open tcp connection found,
opening new one, async = 1<br>
/usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff:
getsockopt: snd is initially 16384<br>
/usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff:
using snd buffer of 416 kb<br>
/usr/sbin/opensips[676690]: DBG:core:init_sock_keepalive: TCP
keepalive enabled on socket 5<br>
/usr/sbin/opensips[676681]: WARNING:core:utimer_ticker:
utimer task <tm-utimer> already scheduled 100 ms ago
(now 35900 ms), delaying execution<br>
/usr/sbin/opensips[676690]: DBG:core:tcp_async_connect:
Polling is overdue<br>
/usr/sbin/opensips[676690]: DBG:core:tcp_async_connect:
Create connection for async connect<br>
/usr/sbin/opensips[676690]: DBG:core:print_ip: tcpconn_new:
new tcp connection to: 52.114.32.169<br>
/usr/sbin/opensips[676690]: DBG:core:tcpconn_new: on port
5061, proto 3<br>
/usr/sbin/opensips[676690]:
ERROR:proto_tls:proto_tls_conn_init: no TLS client domain
found<br>
/usr/sbin/opensips[676690]: ERROR:core:tcp_conn_create:
failed to do proto 3 specific init for conn 0x7f027cb1d070<br>
/usr/sbin/opensips[676690]: DBG:core:tcpconn_destroy: delaying
(0x7f027cb1d070, flags 0018) ref = -1 ...<br>
/usr/sbin/opensips[676690]: ERROR:core:tcp_async_connect:
tcp_conn_create failed<br>
/usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_send:
async TCP connect failed</blockquote>
<div><br>
</div>
<div>Thank you for your help. </div>
<div><br>
</div>
<div>Regards, </div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Mar 10, 2025 at
4:33 AM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org" target="_blank">bogdan@opensips.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> <font face="monospace">Hi,<br>
<br>
For the incoming TLS connections, the right TLS server
domain is selected based either on the IP address (of
OpenSIPS's listener) or on the SIP domain (if SNI is
used).<br>
<br>
So, maybe SNI is not used in your case, so you should
define a match_ip_address:<br>
<a href="https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address" target="_blank">https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address</a><br>
<br>
Regards,<br>
</font>
<pre cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
<a href="https://www.siphub.com" target="_blank">https://www.siphub.com</a></pre>
<div>On 07.03.2025 23:10, Thiago Lopes via Users wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi everyone,
<div><br>
</div>
<div>I'm trying to integrate MS Teams and OpenSIPS and
I'm having some problems. </div>
<div><br>
</div>
<div>I tried to use self-signed and Let's Encrypt
certificates, with no success. I always receive a 'no
TLS client domain found'. </div>
<div><br>
</div>
<div> /usr/sbin/opensips[505412]:
ERROR:proto_tls:proto_tls_conn_init: no TLS client
domain found<br>
/usr/sbin/opensips[505412]:
ERROR:core:tcp_conn_create: failed to do proto 3
specific init for conn 0x7f7220f343b0<br>
/usr/sbin/opensips[505412]:
ERROR:core:tcp_async_connect: tcp_conn_create failed<br>
</div>
<div><br>
</div>
<div>Here is my opensips.cfg: </div>
<div><br>
</div>
<div>loadmodule "tls_mgm.so"<br>
<br>
/*#first the server domain */<br>
modparam("tls_mgm", "server_domain", "default")
<br>
modparam("tls_mgm", "certificate",
"[default]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/fullchain.pem" target="_blank">sbc.mydomain.com/fullchain.pem</a>")
<br>
modparam("tls_mgm", "private_key",
"[default]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/privkey.pem" target="_blank">sbc.mydomain.com/privkey.pem</a>")
<br>
modparam("tls_mgm", "ca_list",
"[default]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/inter.pem" target="_blank">sbc.mydomain.com/inter.pem</a>")
<br>
modparam("tls_mgm", "match_sip_domain", "[default]<a href="http://sbc.mydomain.com" target="_blank">sbc.mydomain.com</a>") <br>
modparam("tls_mgm", "verify_cert", "[default]0")<br>
#modparam("tls_mgm", "require_cert", "[default]1")<br>
#modparam("tls_mgm", "ciphers_list",
"[default]AES128-SHA256:AES256-SHA")<br>
modparam("tls_mgm", "tls_method", "[default]SSLv23")<br>
<br>
<br>
# #and the client domain
<br>
modparam("tls_mgm", "client_domain", "client")
<br>
modparam("tls_mgm", "certificate",
"[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/fullchain.pem" target="_blank">sbc.mydomain.com/fullchain.pem</a>")
<br>
modparam("tls_mgm", "private_key",
"[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/privkey.pem" target="_blank">sbc.mydomain.com/privkey.pem</a>")
<br>
modparam("tls_mgm", "ca_list",
"[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/inter.pem" target="_blank">sbc.mydomain.com/inter.pem</a>")<br>
#modparam("tls_mgm", "ca_dir",
"[client]/etc/letsencrypt/live/<a href="http://sbc.mydomain.com/" target="_blank">sbc.mydomain.com/</a>") <br>
modparam("tls_mgm", "match_sip_domain", "[client]<a href="http://sbc.mydomain.com" target="_blank">sbc.mydomain.com</a>")<br>
<br>
modparam("tls_mgm", "verify_cert", "[client]0")<br>
# modparam("tls_mgm", "require_cert", "[client]1")<br>
# modparam("tls_mgm", "ciphers_list",
"[client]AES128-SHA256:AES256-SHA")<br>
modparam("tls_mgm", "tls_method", "[client]SSLv23")</div>
<div><br>
</div>
<div>I also changed the certificates, using self-signed
in "server domain" only or "client domain" only. Same
result. </div>
<div><br>
</div>
<div>Using openssl to verify the certificates, I
receive an OK in the console: </div>
<div><br>
</div>
<div>fullchain.pem: OK</div>
<div><br>
</div>
<div>The inter.pem is the file with the root and
intermediate Letsencrypt certificates. </div>
<div><br>
</div>
<div>On the Ms Teams side, I checked the FQDN used,
checked the firewall ports etc.</div>
<div><br>
</div>
<div>I followed this tutorial: <a href="https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/" target="_blank">https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/</a>
, so I'm using the Dynamic Routing module to send the
OPTIONS packet. OpenSIPS starts the communication
using TLS, I see the packets using TLS on port 5061,
but when OpenSIPS answers, this message appears on
the console and the connection is closed. </div>
<div><br>
</div>
<div>/usr/sbin/opensips[505398]: ERROR:tm:t_uac: attempt
to send to 'sip:<a href="http://sip.pstnhub.microsoft.com" target="_blank">sip.pstnhub.microsoft.com</a>'
failed<br>
/usr/sbin/opensips[505398]:
ERROR:proto_tls:proto_tls_conn_init: no TLS client
domain found<br>
/usr/sbin/opensips[505398]:
ERROR:core:tcp_conn_create: failed to do proto 3
specific init for conn 0x7f7220f4df40<br>
</div>
<div><br>
</div>
<div>What am I not seeing? Has anyone gone through this
problem? </div>
<div>Best regards</div>
</div>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote></div></div>
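<div>The two selection methods referenced as [1] and [2] in the thread, shown as an added configuration example that is not part of the original messages or of the OpenSIPS project's own files. The AVP names <code>tls_client_dom</code> and <code>tls_sip_dom</code> and the CA bundle path are assumptions made for illustration; the domain name "client", the certificate paths and sbc.mydomain.com are taken from the posted config, and the example covers a request relayed from the routing script.</div>

```opensips
# Added example, not from the thread.
# Hypothetical names: AVPs "tls_client_dom" / "tls_sip_dom", CA bundle path.

loadmodule "tls_mgm.so"

# TLS client domain: used for connections that OpenSIPS itself opens
modparam("tls_mgm", "client_domain", "client")
modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")

# ca_list holds the CAs trusted when checking the REMOTE peer's certificate,
# so with verification enabled it must contain the issuer chain of the
# server being dialed, not only the chain of the local certificate.
# Placeholder path (assumption):
modparam("tls_mgm", "ca_list", "[client]/path/to/peer-ca-bundle.pem")
modparam("tls_mgm", "verify_cert", "[client]1")

# Both parameters take the NAME of an AVP, not a hostname or domain.
modparam("tls_mgm", "client_tls_domain_avp", "tls_client_dom")
modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")

loadmodule "proto_tls.so"

# tm (for t_relay) and the rest of the script are assumed to be loaded
# and defined elsewhere in the same opensips.cfg.
route {
    # request checks and destination selection go here

    # [1] select the TLS client domain directly by its name
    $avp(tls_client_dom) = "client";

    # [2] alternatively, supply a SIP domain that is compared with the
    #     match_sip_domain value of each TLS client domain
    # $avp(tls_sip_dom) = "sbc.mydomain.com";

    t_relay();
}
```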