Hello, I tried to get help from the users group, but it seems nobody can help me. So, I forward the email to the developers group and hope to get an answer here. Thanks!
Steven.W.D

---------- Forwarded message ----------
From: doolin wu <[email protected]>
Date: Tue, Feb 2, 2010 at 3:09 PM
Subject: TLS call failed
To: [email protected]

Hello,

I'm trying to use the TLS feature of OpenSIPS-1.5-tls. TLS was configured and the server runs successfully. I tried to make 2 SIP UAs work with my OpenSIPS-1.5-tls, but both of them failed. Here are my settings:

>Server:
tls_verify_server = 0
tls_verify_client = 0
tls_require_client_certificate = 0
tls_method = TLSv1
tls_certificate = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-cert.pem"
tls_private_key = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-privkey.pem"
tls_ca_list = "/usr/local/opensips.1.5.tls//etc/opensips/tls/user/user-calist.pem"

>Client:
The self-signed rootCA (tls\rootCA\cacert.pem) was imported into the client successfully.

The first UA is a VoIP client on a NOKIA N97. The client registers to the SIP server with TLS successfully, but when I make a call from the N97 to others I get error code 477 Send failed (477/TM). I traced opensips; it looks like opensips tried to forward the INVITE to the callee, but the TLS socket failed to send the request.

Logs from opensips here:

Feb 2 07:19:32 [5779] ERROR:core:tcp_send: failed to send
Feb 2 07:19:32 [5779] ERROR:tm:msg_send: tcp_send failed
Feb 2 07:19:32 [5779] ERROR:tm:t_forward_nonack: sending request failed
Feb 2 07:19:32 [5779] DBG:tm:t_relay_to: t_forward_nonack returned error
Feb 2 07:19:32 [5779] DBG:core:parse_headers: flags=ffffffffffffffff
Feb 2 07:19:32 [5779] DBG:core:check_via_address: params 10.57.52.186, 10.57.52.186, 0
Feb 2 07:19:32 [5779] DBG:tm:cleanup_uac_timers: RETR/FR timers reset
Feb 2 07:19:32 [5779] DBG:tm:set_timer: relative timeout is 30
Feb 2 07:19:32 [5779] DBG:tm:insert_timer_unsafe: [0]: 0xb61a180c (92)
Feb 2 07:19:32 [5779] DBG:core:tcp_send: tcp connection found (0xb61d7908), acquiring fd
Feb 2 07:19:32 [5779] DBG:core:tcp_send: c= 0xb61d7908, n=8
Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, 2, fd 41 from 16 (5779)
Feb 2 07:19:32 [5787] DBG:core:tcpconn_add: hashes: 719, 4
Feb 2 07:19:32 [5787] DBG:core:io_watch_add: io_watch_add(0x817bbc0, 41, 2, 0xb61f4b48), fd_no=31
Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, -2, fd -1 from 16 (5779)
Feb 2 07:19:32 [5787] DBG:core:io_watch_del: io_watch_del (0x817bbc0, 41, -1, 0x10) fd_no=32 called
Feb 2 07:19:32 [5787] DBG:core:tcpconn_destroy: destroying connection 0xb61f4b48, flags 0002
Feb 2 07:19:32 [5787] DBG:core:tls_close: closing SSL connection
Feb 2 07:19:32 [5787] DBG:core:tls_update_fd: New fd is 41
Feb 2 07:19:32 [5787] DBG:core:tls_shutdown: shutdown successful
Feb 2 07:19:32 [5787] DBG:core:tls_tcpconn_clean: entered
Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61d7908, 1, fd -1 from 16 (5779)
Feb 2 07:19:32 [5779] DBG:core:tcp_send: after receive_fd: c= 0xb61d7908 n=4 fd=34
Feb 2 07:19:32 [5779] DBG:core:tcp_send: sending...
Feb 2 07:19:32 [5779] DBG:core:tls_update_fd: New fd is 34
Feb 2 07:19:32 [5779] DBG:core:tls_write: write was successful (374 bytes)
Feb 2 07:19:32 [5779] DBG:core:tcp_send: after write: c= 0xb61d7908 n=374 fd=34
Feb 2 07:19:32 [5779] DBG:core:tcp_send: buf=

Could someone help to have a look at the problem?

Meanwhile, I use eyeBeam 1.5 as a client. Things are worse, as the register failed. I traced eyeBeam and found that eyeBeam failed when verifying the server's certificate. Here I have something unclear about the use of certificates between client and server. To configure and run opensips with TLS (just talking about the self-signed case), we should create two certificates: one is the self-signed rootCA (tls\rootCA\cacert.pem), the other is a certificate signed by the rootCA (tls\user\user-cert.pem). The server holds the rootCA via the tls_ca_list config and sends the certificate (configured by tls_certificate) to the client during the handshake with the client. My question is how to configure the certificate on the client side. In these two cases (using the N97 and eyeBeam), I just imported the rootCA into my client. Is that right for configuring the certificate on the client? The N97 seems OK with the rootCA, but eyeBeam failed. The guideline of eyeBeam says: During the TLS handshake, *the TLS server has to send to the client the whole chain of certificates excepting the root certificate*; the client must possess the root certificate, otherwise the authentication cannot happen. Any idea how to configure opensips to send 'the whole chain of certificates excepting the root certificate'?

Thanks for your kind support.

--
Steven.W.Doolin

--
Steven Wu
Teleca Mobile Solution
_______________________________________________ Devel mailing list [email protected] http://lists.opensips.org/cgi-bin/mailman/listinfo/devel
