[OpenSIPS-Devel] OCS Opensisp certificate issues using TLS

2009-01-20 Thread gianluca moretti

We are trying to integrate OCS 2007 and opensips using TLS.
SCENARIO:
 
   [wesip]  Sending register to OCS
 Seas   EDGE -- OCS   
[Opensips]
 
Issue: opensips cannot connect to the EDGE server; in detail, opensips always sends the certificate to the client.
Any idea how to prevent opensips from always sending the certificate?
EDGE: CertVerifyCertificateChainPolicy returned a failure in CERT_CHAIN_POLICY_STATUS
OPENSIPS:
Jan 17 16:06:12 [30303] DBG:core:tls_dump_cert_info: tls_connect: local (client) certificate issuer: /CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
Jan 17 16:06:12 [30303] DBG:core:tls_write: write was successful (791 bytes)
Jan 17 16:06:12 [30303] DBG:core:tcp_send: after write: c= 0xb612fcf8 n=791 fd=23
Jan 17 16:06:12 [30303] DBG:core:tcp_send: buf=
REGISTER sip:hmcint.local:5060;transport=tcp SIP/2.0
Via: SIP/2.0/TLS 192.168.5.59:5061;branch=z9hG4bKd863.89657825.0;i=2
Via: SIP/2.0/TCP 192.168.5.59;branch=z9hG4bKd863.79657825.0
To: sip:max.ambr...@hmcint.local;transport=tcp
From: sip:max.ambr...@hmcint.local;transport=tcp;tag=BB479256370FF64C226AA6220F2364DD
CSeq: 1 REGISTER
Call-ID: 24d8315a8ebb948a4dd4f1a3518e4...@192.168.5.59
Content-Length: 0
Max-Forwards: 70
Contact: sip:192.168.5.59:5060;transport=tcp;AppId=.sip2msipGW;methods=INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER;proxy=replace;+sip.instance=urn:uuid:787C69C1-2A21-441f-B792-A908ABFF5010
Supported: gruu-10,adhoclist,msrtc-event-categories,ms-forking
ms-keep-alive: UAC;hop-hop=yes
Event:  registration
X-WeSIP-SPIRAL: true

Jan 17 16:06:12 [30303] DBG:tm:set_timer: relative timeout is 30
Jan 17 16:06:12 [30303] DBG:tm:insert_timer_unsafe: [0]: 0xb610d020 (300)
Jan 17 16:06:12 [30303] DBG:tm:t_relay_to: new transaction fwd'ed
Jan 17 16:06:12 [30303] DBG:tm:t_unref: UNREF_UNSAFE: after is 0
Jan 17 16:06:12 [30303] DBG:core:destroy_avp_list: destroying list (nil)
Jan 17 16:06:12 [30303] DBG:core:receive_msg: cleaning up
Jan 17 16:06:12 [30304] DBG:core:tls_update_fd: New fd is 23
Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
Jan 17 16:06:12 [30304] ERROR:core:tcp_read_req: failed to read
Jan 17 16:06:12 [30304] DBG:core:io_watch_del: io_watch_del (0x8164160, 23, -1, 0x10) fd_no=2 called
Jan 17 16:06:12 [30304] DBG:core:release_tcpconn:  releasing con 0xb612fcf8, state -2, fd=23, id=9
Jan 17 16:06:12 [30304] DBG:core:release_tcpconn:  extra_data 0xb613fe10
Jan 17 16:06:12 [30311] DBG:core:handle_tcp_child: reader response= b612fcf8, -2 from 1
Jan 17 16:06:12 [30311] DBG:core:tcpconn_destroy: destroying connection 0xb612fcf8, flags 0002
Jan 17 16:06:12 [30311] DBG:core:tls_close: closing SSL connection
 
 
The opensips.cfg is configured as follows:
disable_tls = no
listen = tls:##OPENSIPSIP##:5061
tls_verify_server = 0
tls_verify_client = 0
tls_require_client_certificate = 0
tls_method = TLSv1
tls_ca_list = /product/opensips//etc/opensips/tls/dario/dario-calist.pem
tls_certificate = /product/opensips//etc/opensips/tls/user/user-cert.pem
tls_private_key = /product/opensips//etc/opensips/tls/user/user-privkey.pem
tls_ciphers_list=RC4-MD5

route{

    if(is_present_hf("X-WeSIP-SPIRAL")){
        log("\nSPIRAL!!!\n");
        t_relay("tls:EDGEIP:5061");
        exit;
    }
}
(On WESIP, SPIRAL is equal to TRUE.) OPENSIPSIP is the CLIENT and EDGEIP is the SERVER.
Using OpenSSL the connection is OK:
openssl s_client -connect EDGEIP:5061 -ssl2 -CAfile /product/opensips_dev/etc/opensips/tls/user/user-calist.pem -cipher RC4-MD5
 
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol  : TLSv1
Cipher: RC4-MD5
Session-ID: E70807E4CC591AA8982939C17298FBEDF72E749C010EFFC39FBEB2D143A6
Session-ID-ctx: 
Master-Key: 
5835CA1877799D4B507AA31DB8DEA5F11D27DD077FE43F52DC9606ABF296AF6043402938E384FFF7B1485DC77D4D13D7
Key-Arg   : None
Krb5 Principal: None
Start Time: 1232205185
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
 Regards 
 
Devel mailing list
Devel@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/devel
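
Added example, not part of the original post and not OpenSIPS code: a small triage script for the debug log above that names the `SSL_get_error()` code printed by `_tls_read` and lists issuer fields of the logged client certificate that still look like template values. The `Your_` prefix test is a heuristic assumed for this example, and the sample lines are copied from the post with wrapped lines rejoined.

```python
import re

# Return codes of OpenSSL's SSL_get_error(), as printed after "something wrong in SSL:".
SSL_ERRORS = {1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ", 3: "SSL_ERROR_WANT_WRITE",
              4: "SSL_ERROR_WANT_X509_LOOKUP", 5: "SSL_ERROR_SYSCALL",
              6: "SSL_ERROR_ZERO_RETURN"}

# Constructed sample: lines from the log in the post, wrapped lines rejoined.
SAMPLE_LOG = """\
Jan 17 16:06:12 [30303] DBG:core:tls_dump_cert_info: tls_connect: local (client) certificate issuer: /CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
Jan 17 16:06:12 [30303] DBG:core:tcp_send: after write: c= 0xb612fcf8 n=791 fd=23
Jan 17 16:06:12 [30304] DBG:core:tls_update_fd: New fd is 23
Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
Jan 17 16:06:12 [30304] DBG:core:release_tcpconn:  releasing con 0xb612fcf8, state -2, fd=23, id=9
"""

LINE = re.compile(r"\[(\d+)\] (DBG|ERROR):(\w+):(\w+): (.*)")
ISSUER = re.compile(r"local \(client\) certificate issuer: (\S+)")
SSL_ERR = re.compile(r"something wrong in SSL: (\d+)")
PLACEHOLDER = re.compile(r"^your_", re.IGNORECASE)  # heuristic assumed for this example


def parse_dn(dn):
    """Split an OpenSSL one-line DN ('/CN=a/O=b') into a dict."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)


def triage(log_text):
    """Collect logged client-certificate issuers and TLS read errors."""
    report = {"client_cert_logged": False, "placeholder_fields": [], "ssl_errors": []}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # SIP message body or unrelated text
        pid, level, _module, func, msg = m.groups()
        issuer = ISSUER.search(msg)
        if func == "tls_dump_cert_info" and issuer:
            report["client_cert_logged"] = True
            dn = parse_dn(issuer.group(1))
            report["placeholder_fields"] += sorted(
                k for k, v in dn.items() if PLACEHOLDER.match(v))
        err = SSL_ERR.search(msg)
        if level == "ERROR" and err:
            code = int(err.group(1))
            report["ssl_errors"].append((int(pid), code, SSL_ERRORS.get(code, "unknown")))
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
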


Re: [OpenSIPS-Devel] [OpenSIPS-Users] OCS Opensisp certificate issues using TLS

2009-01-20 Thread gianluca moretti

We have reproduced the problem: the issue appears when opensips, as client, 
sends the certificate to the EDGE (server). We have to avoid sending this 
client certificate.
 
Best regards
Gianluca

> Date: Tue, 20 Jan 2009 17:21:43 +0200
> From: bog...@voice-system.ro
> To: gianluca.more...@hotmail.it
> CC: us...@lists.opensips.org; devel@lists.opensips.org
> Subject: Re: [OpenSIPS-Users] OCS Opensisp certificate issues using TLS
>
> Probably we should try to get more info about the error at runtime. Let
> me do some checks to see how we can squeeze more info about the error and
> to print it.
>
> Regards,
> Bogdan
>
> gianluca moretti wrote:
> > Bogdan, the error is ok, how can I solve the problem.
> > The update to this issue is if the client sends his certificate to
> > the server and this causes the problem.
> > Ciao
> > Best regards
> >
> > > Date: Tue, 20 Jan 2009 15:04:48 +0200
> > > From: bog...@voice-system.ro
> > > To: gianluca.more...@hotmail.it
> > > CC: us...@lists.opensips.org; devel@lists.opensips.org
> > > Subject: Re: [OpenSIPS-Users] OCS Opensisp certificate issues using TLS
> > >
> > > Hi Gianluca,
> > >
> > > You get this:
> > >
> > >    Jan 17 16:06:12 [30304] ERROR:core:_tls_read: something wrong in SSL: 5
> > >
> > > 5 is SSL_ERROR_SYSCALL. See:
> > > http://openssl.org/docs/ssl/SSL_get_error.html
> > >
> > > Regards,
> > > Bogdan

[OpenSIPS-Devel] Content type substitution

2009-01-16 Thread gianluca moretti

Hi,

I made a substitution on the Content-Type header of incoming SIP messages to 
my OpenSips 1.4.3 instance using textops functions.

If I send the message to WeSip after the elaboration, I saw that the original 
(and not the modified one) is sent by OpenSips.

To use the modified message I use the forward function to send the message to 
OpenSips again; this time it has the correct header and I can send it to WeSip.

My question is: is there a way to avoid the forwarding of the SIP message and 
send the modified version directly to WeSip?

Thanks in advance,
Gianluca