Hi Steven,

For the NOKIA N97, could you post the entire log (debug 4) for the INVITE part (covering the receiving of the INVITE also)?

Regards,
Bogdan

doolin wu wrote:
> Hello,
>
> I'm trying to use the TLS feature of OpenSIPS-1.5-tls. TLS was
> configured and the server ran successfully.
> I tried to make 2 SIP UAs work with my OpenSIPS-1.5-tls, but all of
> them failed.
> Here are my settings:
>
> Server:
> tls_verify_server = 0
> tls_verify_client = 0
> tls_require_client_certificate = 0
> tls_method = TLSv1
> tls_certificate = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-cert.pem"
> tls_private_key = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-privkey.pem"
> tls_ca_list = "/usr/local/opensips.1.5.tls//etc/opensips/tls/user/user-calist.pem"
>
> Client:
> The self-signed rootCA (tls\rootCA\cacert.pem) was imported into the
> client successfully.
>
> The first UA is the VoIP client on a NOKIA N97. The client registers to
> the SIP server with TLS successfully, but when making a call from the
> N97 to others I got error code 477 Send failed (477/TM).
> I traced opensips; it looks like opensips tried to forward the invite to
> the callee, but the TLS socket failed to send the request.
> Logs from opensips here:
>
> Feb 2 07:19:32 [5779] ERROR:core:tcp_send: failed to send
> Feb 2 07:19:32 [5779] ERROR:tm:msg_send: tcp_send failed
> Feb 2 07:19:32 [5779] ERROR:tm:t_forward_nonack: sending request failed
> Feb 2 07:19:32 [5779] DBG:tm:t_relay_to: t_forward_nonack returned error
> Feb 2 07:19:32 [5779] DBG:core:parse_headers: flags=ffffffffffffffff
> Feb 2 07:19:32 [5779] DBG:core:check_via_address: params 10.57.52.186, 10.57.52.186, 0
> Feb 2 07:19:32 [5779] DBG:tm:cleanup_uac_timers: RETR/FR timers reset
> Feb 2 07:19:32 [5779] DBG:tm:set_timer: relative timeout is 30
> Feb 2 07:19:32 [5779] DBG:tm:insert_timer_unsafe: [0]: 0xb61a180c (92)
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: tcp connection found (0xb61d7908), acquiring fd
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: c= 0xb61d7908, n=8
> Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, 2, fd 41 from 16 (5779)
> Feb 2 07:19:32 [5787] DBG:core:tcpconn_add: hashes: 719, 4
> Feb 2 07:19:32 [5787] DBG:core:io_watch_add: io_watch_add(0x817bbc0, 41, 2, 0xb61f4b48), fd_no=31
> Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, -2, fd -1 from 16 (5779)
> Feb 2 07:19:32 [5787] DBG:core:io_watch_del: io_watch_del (0x817bbc0, 41, -1, 0x10) fd_no=32 called
> Feb 2 07:19:32 [5787] DBG:core:tcpconn_destroy: destroying connection 0xb61f4b48, flags 0002
> Feb 2 07:19:32 [5787] DBG:core:tls_close: closing SSL connection
> Feb 2 07:19:32 [5787] DBG:core:tls_update_fd: New fd is 41
> Feb 2 07:19:32 [5787] DBG:core:tls_shutdown: shutdown successful
> Feb 2 07:19:32 [5787] DBG:core:tls_tcpconn_clean: entered
> Feb 2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61d7908, 1, fd -1 from 16 (5779)
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: after receive_fd: c= 0xb61d7908 n=4 fd=34
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: sending...
> Feb 2 07:19:32 [5779] DBG:core:tls_update_fd: New fd is 34
> Feb 2 07:19:32 [5779] DBG:core:tls_write: write was successful (374 bytes)
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: after write: c= 0xb61d7908 n=374 fd=34
> Feb 2 07:19:32 [5779] DBG:core:tcp_send: buf=
>
> Could someone help to have a look at the problem?
>
> Meanwhile, I use eyebeam 1.5 as client. Things are worse, as the
> register failed.
> I traced eyebeam and found that eyebeam failed when verifying the
> server's certificate. Here I have something unclear about the use of
> certificates between client and server.
> To configure and run opensips with TLS (just talking about the
> self-signed case), we should create two certificates: one is the
> self-signed rootCA (tls\rootCA\cacert.pem), the other is a certificate
> signed by the rootCA (tls\user\user-cert.pem). The server holds the
> rootCA via the tls_ca_list config and sends the certificate (via the
> tls_certificate config) to the client when handshaking with the client.
> My question is how to configure the certificate on the client side. In
> these two cases (using N97 and eyebeam), I just imported the rootCA to
> my client. Is that right for configuring the certificate on the client?
> N97 seems OK with the rootCA. But eyebeam failed. The guideline of
> eyebeam says:
>
>     During the TLS handshake, *the TLS server has to send to the client
>     the whole chain of certificate excepting the root certificate*;
>     the client must possess the root certificate otherwise the
>     authentication cannot happen.
>
> Any idea how to configure opensips to send 'the whole chain of
> certificate excepting the root certificate'?
>
> Thanks for your kind support.
> --
> Steven.W.Doolin
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

--
Bogdan-Andrei Iancu
www.voice-system.ro
