[OpenSIPS-Devel] OCS Opensisp certificate issues using TLS
We are trying to integrate OCS 2007 and OpenSIPS using TLS.

SCENARIO: [wesip] Sending register to OCS Seas EDGE -- OCS [Opensips]

Issue: OpenSIPS cannot connect to the EDGE server; in detail, OpenSIPS always sends a certificate to the client. Any idea how to stop OpenSIPS from always sending the certificate?

EDGE: CertVerifyCertificateChainPolicy retuned a failure in CERT_CHAIN_POLICY_STATUS

OPENSIPS:

Jan 17 16:06:12 [30303] DBG:core:tls_dump_cert_info: tls_connect: local (client) certificate issuer: /CN=Your_NAME/ST=Your_ST ATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
Jan 17 16:06:12 [30303] DBG:core:tls_write: write was successful (791 bytes)
Jan 17 16:06:12 [30303] DBG:core:tcp_send: after write: c= 0xb612fcf8 n=791 fd=23
Jan 17 16:06:12 [30303] DBG:core:tcp_send: buf=
REGISTER sip:hmcint.local:5060;transport=tcp SIP/2.0
Via: SIP/2.0/TLS 192.168.5.59:5061;branch=z9hG4bKd863.89657825.0;i=2
Via: SIP/2.0/TCP 192.168.5.59;branch=z9hG4bKd863.79657825.0
To: sip:max.ambr...@hmcint.local;transport=tcp
From: sip:max.ambr...@hmcint.local;transport=tcp;tag=BB479256370FF64C226AA6220F2364DD
CSeq: 1 REGISTER
Call-ID: 24d8315a8ebb948a4dd4f1a3518e4...@192.168.5.59
Content-Length: 0
Max-Forwards: 70
Contact: sip:192.168.5.59:5060;transport=tcp;AppId=.sip2msipGW;methods=INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY , ACK, REFER;proxy=replace;+sip.instance=urn:uuid:787C69C1-2A21-441f-B792-A908ABFF5010
Supported: gruu-10,adhoclist,msrtc-event-categories,ms-forking
ms-keep-alive: UAC;hop-hop=yes
Event: registration
X-WeSIP-SPIRAL: true

Jan 17 16:06:12 [30303] DBG:tm:set_timer: relative timeout is 30
Jan 17 16:06:12 [30303] DBG:tm:insert_timer_unsafe: [0]: 0xb610d020 (300)
Jan 17 16:06:12 [30303] DBG:tm:t_relay_to: new transaction fwd'ed
Jan 17 16:06:12 [30303] DBG:tm:t_unref: UNREF_UNSAFE: after is 0
Jan 17 16:06:12 [30303] DBG:core:destroy_avp_list: destroying list (nil)
Jan 17 16:06:12 [30303] DBG:core:receive_msg: cleaning up
Jan 17 16:06:12 [30304] DBG:core:tls_update_fd: New fd is 23
Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
Jan 17 16:06:12 [30304] ERROR:core:tcp_read_req: failed to read
Jan 17 16:06:12 [30304] DBG:core:io_watch_del: io_watch_del (0x8164160, 23, -1, 0x10) fd_no=2 called
Jan 17 16:06:12 [30304] DBG:core:release_tcpconn: releasing con 0xb612fcf8, state -2, fd=23, id=9
Jan 17 16:06:12 [30304] DBG:core:release_tcpconn: extra_data 0xb613fe10
Jan 17 16:06:12 [30311] DBG:core:handle_tcp_child: reader response= b612fcf8, -2 from 1
Jan 17 16:06:12 [30311] DBG:core:tcpconn_destroy: destroying connection 0xb612fcf8, flags 0002
Jan 17 16:06:12 [30311] DBG:core:tls_close: closing SSL connection

The opensips.cfg is configured as follows:

disable_tls = no
listen = tls:##OPENSIPSIP##:5061
tls_verify_server = 0
tls_verify_client = 0
tls_require_client_certificate = 0
tls_method = TLSv1
tls_ca_list = "/product/opensips//etc/opensips/tls/dario/dario-calist.pem"
tls_certificate = "/product/opensips//etc/opensips/tls/user/user-cert.pem"
tls_private_key = "/product/opensips//etc/opensips/tls/user/user-privkey.pem"
tls_ciphers_list = "RC4-MD5"

route{
    # Requests tagged by WeSIP are relayed to the EDGE server over TLS
    if(is_present_hf("X-WeSIP-SPIRAL")){
        log("\nSPIRAL!!!\n");
        t_relay("tls:EDGEIP:5061");
        exit;
    }
}

(on WESIP SPIRAL is equal TRUE)

OPENSIPSIP is the CLIENT and EDGEIP is the SERVER.

Using OpenSSL the connection is OK:

openssl s_client -connect EDGEIP:5061 -ssl2 -CAfile /product/opensips_dev/etc/opensips/tls/user/user-calist.pem -cipher RC4-MD5

New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol : TLSv1
    Cipher: RC4-MD5
    Session-ID: E70807E4CC591AA8982939C17298FBEDF72E749C010EFFC39FBEB2D143A6
    Session-ID-ctx:
    Master-Key: 5835CA1877799D4B507AA31DB8DEA5F11D27DD077FE43F52DC9606ABF296AF6043402938E384FFF7B1485DC77D4D13D7
    Key-Arg : None
    Krb5 Principal: None
    Start Time: 1232205185
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)

Regards

Devel mailing list
Devel@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/devel
Re: [OpenSIPS-Devel] [OpenSIPS-Users] OCS Opensisp certificate issues using TLS
We have reproduced the problem: the issue appears when OpenSIPS, as client, sends the certificate to the EDGE (server). We have to avoid this client certificate invoce.

Best regards
Gianluca

Date: Tue, 20 Jan 2009 17:21:43 +0200
From: bog...@voice-system.ro
To: gianluca.more...@hotmail.it
CC: us...@lists.opensips.org; devel@lists.opensips.org
Subject: Re: [OpenSIPS-Users] OCS Opensisp certificate issues using TLS

Probably we should try to get more info about the error at runtime. Let me do some checks to see how we can squeeze more info about the error and print it.

Regards,
Bogdan

gianluca moretti wrote:

Bogdan, the error is ok; how can I solve the problem? The update on this issue is that the client sends its certificate to the server, and this causes the problem.

Ciao
Best regards

Date: Tue, 20 Jan 2009 15:04:48 +0200
From: bog...@voice-system.ro
To: gianluca.more...@hotmail.it
CC: us...@lists.opensips.org; devel@lists.opensips.org
Subject: Re: [OpenSIPS-Users] OCS Opensisp certificate issues using TLS

Hi Gianluca,

You get this:

Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5

5 is SSL_ERROR_SYSCALL. See: http://openssl.org/docs/ssl/SSL_get_error.html

Regards,
Bogdan

gianluca moretti wrote:

We are trying to integrate OCS 2007 and OpenSIPS using TLS.

SCENARIO: [wesip] Sending register to OCS Seas EDGE -- OCS [Opensips]

Issue: OpenSIPS cannot connect to the EDGE server; in detail, OpenSIPS always sends a certificate to the client. Any idea how to stop OpenSIPS from always sending the certificate?
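The decoding step from the reply above (`5` is SSL_ERROR_SYSCALL), applied across a whole debug log, as an added example that is not part of the original thread or of OpenSIPS. The function name `triage` is hypothetical; the sample lines are copied from the log posted in this thread, and the code table is the set of `SSL_get_error()` return values from OpenSSL's `ssl.h`.

```python
import re

# Return values of OpenSSL's SSL_get_error(), from <openssl/ssl.h>.
SSL_ERRORS = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
              3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
              5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
              7: "SSL_ERROR_WANT_CONNECT", 8: "SSL_ERROR_WANT_ACCEPT"}

# OpenSIPS debug line: "Jan 17 16:06:12 [30304] ERROR:core:_tls_read: text"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \[(\d+)\] (DBG|ERROR):(\w+):(\w+): (.*)$")

# Lines copied from the log posted in the thread.
SAMPLE = """\
Jan 17 16:06:12 [30303] DBG:core:tls_dump_cert_info: tls_connect: local (client) certificate issuer: /CN=Your_NAME/ST=Your_ST ATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
Jan 17 16:06:12 [30303] DBG:core:tls_write: write was successful (791 bytes)
Jan 17 16:06:12 [30304] DBG:core:tls_update_fd: New fd is 23
Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
Jan 17 16:06:12 [30304] ERROR:core:tcp_read_req: failed to read
Jan 17 16:06:12 [30304] DBG:core:release_tcpconn: releasing con 0xb612fcf8, state -2, fd=23, id=9
"""

def triage(log_text):
    """One finding per _tls_read failure: decoded SSL error, the fd and
    connection it hit, and the client certificate issuer logged earlier."""
    findings, pending, fd_by_pid, issuer = [], {}, {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines, e.g. the dumped SIP message
        pid, level, _module, func, msg = m.groups()
        if func == "tls_dump_cert_info" and "local (client) certificate issuer" in msg:
            issuer = msg.split("issuer:", 1)[1].strip()
        elif func == "tls_update_fd":
            fd_by_pid[pid] = int(msg.rsplit(" ", 1)[1])
        elif func == "_tls_read" and level == "ERROR":
            code = int(msg.rsplit(":", 1)[1])
            pending[pid] = {"pid": pid, "code": code, "conn": None,
                            "name": SSL_ERRORS.get(code, "unknown"),
                            "fd": fd_by_pid.get(pid), "client_cert_issuer": issuer}
            findings.append(pending[pid])
        elif func == "release_tcpconn" and pid in pending:
            con = re.search(r"releasing con (0x[0-9a-f]+)", msg)
            if con:  # the same process releases the failed connection next
                pending.pop(pid)["conn"] = con.group(1)
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

SSL_ERROR_SYSCALL on a read reports a non-recoverable I/O error on the socket, so a finding that also carries a `client_cert_issuer` shows the failure came after the client certificate was logged as presented.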
[OpenSIPS-Devel] Content type substitution
Hi,

I made a substitution on the Content-Type header of incoming SIP messages to my OpenSIPS 1.4.3 instance using textops functions. If I send the message to WeSIP after the elaboration, I see that the original (and not the modified one) is sent by OpenSIPS. To use the modified message I use the forward function to send the message to OpenSIPS again; this time it has the correct header and I can send it to WeSIP.

My question is: is there a way to avoid the forwarding of the SIP message and send the modified version directly to WeSIP?

Thanks in advance,
Gianluca