Hi Martin,
The relevant log is:
Feb 3 06:18:36 [3626] ERROR:core:tls_accept: New TLS connection from
123.12.28.14(my_ip):50761 failed to accept: rejected by client
So, the client opens a connection to OpenSIPS, OpenSIPS accepts the
connection, but the connection setup fails as the client rejects the
certificate sent by OpenSIPS.
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
On 03.02.2015 05:24, martin-n martin-n wrote:
Hello. I'am pretty new with opensips, so installed the latest opensips
version *opensips 2.1.1dev-tls (x86_64/linux), *to make a sip server.
I configured it to use tls. I generated the certificates according to
this tutorial:
https://github.com/antonraharja/book-opensips-101/blob/master/content/3.2.%20SIP%20TLS%20Secure%20Calling.mediawiki
Then i did setup the blink. I took *cacert.pem* from rootCA folder and
set it up as a *Certificate Authority File. *In the account options i
did setup the certificate file, *server-calist.pem*. I also did add
the private key to the client version of *server-calist.pem* file.
But when i try to log-in to my server i get:
Feb 3 06:18:36 [3630] DBG:core:probe_max_sock_buff: getsockopt: snd
is initially 425984
Feb 3 06:18:36 [3630] INFO:core:probe_max_sock_buff: using snd buffer
of 416 kb
Feb 3 06:18:36 [3630] INFO:core:init_sock_keepalive: -- TCP keepalive
enabled on socket
Feb 3 06:18:36 [3630] DBG:core:print_ip: tcpconn_new: new tcp
connection to: 123.12.28.14(my_ip)
Feb 3 06:18:36 [3630] DBG:core:tcpconn_new: on port 50761, type 3
Feb 3 06:18:36 [3630] DBG:core:tls_tcpconn_init: entered: Creating a
whole new ssl connection
Feb 3 06:18:36 [3630] DBG:core:tls_tcpconn_init: looking up socket
based TLS server domain [my_server_ip:7061]
Feb 3 06:18:36 [3630] DBG:core:tls_find_server_domain: virtual TLS
server domain not found, Using default TLS server domain settings
Feb 3 06:18:36 [3630] DBG:core:tls_tcpconn_init: found socket based
TLS server domain [0.0.0.0:0]
Feb 3 06:18:36 [3630] DBG:core:tls_tcpconn_init: Setting in ACCEPT
mode (server)
Feb 3 06:18:36 [3630] DBG:core:tcpconn_add: hashes: 795, 1
Feb 3 06:18:36 [3630] DBG:core:handle_new_connect: new connection:
0x7fb5b3e82170 25 flags: 0002
Feb 3 06:18:36 [3630] DBG:core:send2child: to tcp child 0 0(3626),
0x7fb5b3e82170 rw 1
Feb 3 06:18:36 [3626] DBG:core:handle_io: We have received conn
0x7fb5b3e82170 with rw 1
Feb 3 06:18:36 [3626] DBG:core:io_watch_add: [TCP_worker]
io_watch_add op on 21 (0x89a400, 21, 8, 0x7fb5b3e82170,1), fd_no=2
Feb 3 06:18:36 [3626] DBG:core:tcp_read_req: Using the global ( per
process ) buff
Feb 3 06:18:36 [3626] DBG:core:tls_update_fd: New fd is 21
Feb 3 06:18:36 [3626] ERROR:core:tls_accept: New TLS connection from
123.12.28.14(my_ip):50761 failed to accept: rejected by client
Feb 3 06:18:36 [3626] DBG:core:io_watch_del: [TCP_worker]
io_watch_del op on index 1 21 (0x89a400, 21, 1, 0x10,0x3) fd_no=3 called
Feb 3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker] size=3, fd
array is 17 21 3
Feb 3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker] size=3,
prio array is 2 2 3
Feb 3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker] size=2, fd
array is 17 3
Feb 3 06:18:36 [3626] INFO:core:io_watch_del: [TCP_worker] size=3,
prio array is 1 1 2
Feb 3 06:18:36 [3626] DBG:core:release_tcpconn: releasing con
0x7fb5b3e82170, state -2, fd=21, id=1
Feb 3 06:18:36 [3626] DBG:core:release_tcpconn: extra_data
0x7fb5b3e822f0
Feb 3 06:18:36 [3630] DBG:core:handle_tcp_child: reader response=
7fb5b3e82170, -2 from 0
Feb 3 06:18:36 [3630] DBG:core:tcpconn_destroy: destroying connection
0x7fb5b3e82170, flags 0002
Feb 3 06:18:36 [3630] DBG:core:tls_close: closing TLS connection
Feb 3 06:18:36 [3630] DBG:core:tls_update_fd: New fd is 25
Feb 3 06:18:36 [3630] DBG:core:tls_shutdown: shutdown successful
Feb 3 06:18:36 [3630] DBG:core:tls_tcpconn_clean: entered
My config looks like so:
auto_aliases=no
listen=udp:my_server_ip:7060 # CUSTOMIZE ME
disable_tcp=no
disable_tls=no
listen=tls:my_server_ip:7061 # CUSTOMIZE ME
tls_verify_server= 0
tls_verify_client = 1
tls_require_client_certificate = 1
#tls_method = TLSv1
tls_method = SSLv23
tls_certificate = "/usr/local/etc/opensips/tls/server/server-cert.pem"
tls_private_key = "/usr/local/etc/opensips/tls/server/server-privkey.pem"
tls_ca_list = "/usr/local/etc/opensips/tls/server/server-calist.pem"
Basically i want to verify if the client has right certificate. Can
you help me?
Thanks.
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
