Great!

Thank you.


RODRIGO PIMENTA CARVALHO
Inatel Competence Center
Software
Ph: +55 35 3471 9200 RAMAL 979
________________________________
From: [email protected] <[email protected]> on behalf 
of Podrigal, Aron <[email protected]>
Sent: Wednesday, 29 July 2015 11:25
To: OpenSIPS users mailing list
Subject: Re: [OpenSIPS-Users] TLS - How exactly decide to use require_cert 
equals to 1 or 0 ? The SIP client must trust the SIP server, not vice-versa.

0 means *do not* force the client to present a certificate, whereas 1 means 
*do* ask the client to present a cert.

"rejected by client" is to be read as: OpenSIPS asks the client "I need you to 
present a certificate", and the client rejects that request.

Cheers.

On Wed, Jul 29, 2015 at 9:51 AM, Rodrigo Pimenta Carvalho 
<[email protected]> wrote:

Dear OpenSIPS-users,


I am configuring my OpenSIPS 2.2 to communicate with SIP clients using TLS. The 
SIP client must trust the SIP server, but the inverse is not needed. I want to 
avoid a fake SIP server collecting data from the SIP clients, for example 
collecting logins/IDs and passwords.


For that, I suspect that I must use the configuration: 
modparam("proto_tls","require_cert", "X"). But what exactly do 1 or 0 mean 
for X?


When I use X equals to 0 and run the test "openssl s_client -showcerts -debug 
-connect <OpenSIPS_IP>:5061  -no_ssl2 -bugs -CAfile ./cacert.pem", I can see 
the following OpenSIPS log:


--------------------------------------------------------------------------------------------------------------

Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: entered: Creating a whole 
new ssl connection
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: looking up socket based 
TLS server domain [<OpenSIPS_IP>:5061]
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_find_server_domain: virtual TLS 
server domain not found, Using default TLS server domain settings
Jul 29 10:02:27 [11929] DBG:proto_tls:tls_conn_init: found socket based TLS 
server domain [0.0.0.0:0]

...

...

Jul 29 10:02:27 [11921] INFO:proto_tls:tls_accept: New TLS connection from 
<OpenSIPS_IP>:45457 accepted
Jul 29 10:02:27 [11921] DBG:proto_tls:tls_accept: new TLS connection from 
<OpenSIPS_IP>:45457 using TLSv1/SSLv3 AES256-SHA 256
Jul 29 10:02:27 [11921] DBG:proto_tls:tls_accept: local socket: 
<OpenSIPS_IP>:5061
Jul 29 10:02:27 [11921] INFO:proto_tls:tls_accept: Client did not present a TLS 
certificate

...

...

Jul 29 10:02:31 [11929] DBG:proto_tls:tls_conn_shutdown: first phase of 2-way 
handshake completed succesfuly

-----------------------------------------------------------------------------------------------------------------------




However, when I use X equals to 1, I get:


--------------------------------------------------------------------------------------------------------------------------

Jul 29 10:05:36 [11978] ERROR:proto_tls:tls_accept: New TLS connection from 
<OpenSIPS_IP>:45460 failed to accept: rejected by client
Jul 29 10:05:36 [11978] ERROR:proto_tls:tls_read_req: failed to do pre-tls 
reading

--------------------------------------------------------------------------------------------------------------------------


So it seems that the client refuses the connection from the server. What is 
happening here? Is the client refusing some cert presented by the server?

I'm a bit confused because the TLS Module documentation says that  
'require_cert' parameter is used for incoming TLS connections, where OpenSIPS 
acts as server. So, how could it affect the client side?


P.S.: the result of "openssl s_client ..." command is "Verify return code: 0 
(ok)".


Any hint will be very helpful!


Best regards.



RODRIGO PIMENTA CARVALHO
Inatel Competence Center
Software
Ph: +55 35 3471 9200 RAMAL 979

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users




--
Aron Podrigal
-
'1000001', '1110010', '1101111', '1101110'   '1010000', '1101111', '1100100', 
'1110010', '1101001', '1100111', '1100001', '1101100'

P: '2b', '31', '33', '34', '37', '34', '35', '38', '36', '30', '39', '39'

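Added example, not from this thread or from the OpenSIPS project: an opensips.cfg fragment for the setup asked about above, with the server-authenticated-only setting (what Rodrigo wants) next to the mutual-TLS setting (what require_cert=1 switches on), so the difference Aron describes is visible in one place. The listen address, file paths and CA file names are assumptions; the parameter names are the proto_tls module parameter from the thread (require_cert) and its usual companions (certificate, private_key, verify_cert, ca_list), written in the unquoted integer form the module documentation uses.

```cfg
# Added example (not from the thread or the OpenSIPS project): proto_tls setup
# for the case where SIP clients must authenticate the server, but the server
# does not authenticate clients by certificate. Address and paths are assumed.

listen=tls:192.0.2.10:5061          # assumed server address

loadmodule "proto_tls.so"

# Server identity that SIP clients verify. Clients must trust the CA that
# signed this certificate (or the certificate itself), which is what stops a
# fake server from collecting digest credentials.
modparam("proto_tls", "certificate", "/etc/opensips/tls/server.pem")
modparam("proto_tls", "private_key", "/etc/opensips/tls/server.key")

# Variant A: server-authenticated only. Clients are not asked for a
# certificate; a client that has none (most phones and softphones) completes
# the handshake and then authenticates with SIP digest over the encrypted
# channel. "openssl s_client" without -cert/-key connects fine here and
# OpenSIPS logs "Client did not present a TLS certificate".
modparam("proto_tls", "verify_cert", 0)
modparam("proto_tls", "require_cert", 0)

# Variant B: mutual TLS. Uncomment these instead of the two lines above. The
# client must present a certificate chaining to ca_list; a client that sends
# none (again, "openssl s_client" without -cert/-key) is logged as
# "failed to accept: rejected by client".
# modparam("proto_tls", "verify_cert", 1)
# modparam("proto_tls", "require_cert", 1)
# modparam("proto_tls", "ca_list", "/etc/opensips/tls/client-ca.pem")
```

Rodrigo's `openssl s_client -CAfile ./cacert.pem ...` test exercises only Variant A, and its "Verify return code: 0 (ok)" is the client-side check that matters for that goal. To test Variant B, give s_client a client certificate and key signed by the CA in ca_list (`-cert client.pem -key client.key`) in addition to `-CAfile`; without them the handshake fails exactly as in the second log excerpt.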
