Hi Callum,

Thanks for the reply, really appreciate it!


I am getting there slowly. I can get a Snom handset to register; however, I am 
struggling with Yealink.


I assume that once the configuration on the server is correct, this should be 
sufficient for the majority of handsets, provided they are configured correctly 
for TLS?


I now have the following configuration in place:


#Global params
modparam("tls_mgm", "dh_params", "/etc/opensips/tls/rootCA/certs/dhparam.pem")
modparam("tls_mgm", "ec_curve", "secp384r1")
modparam("tls_mgm", "ciphers_list", "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
modparam("tls_mgm", "verify_cert", "0") # Switch off during initial testing to rule this out
modparam("tls_mgm", "require_cert", "0") # Switch off during initial testing to rule this out
modparam("tls_mgm", "tls_method", "SSLv23")
modparam("tls_mgm", "certificate", "/etc/opensips/tls/rootCA/certs/ssl_certificate.pem")
modparam("tls_mgm", "private_key", "/etc/opensips/tls/rootCA/certs/sip.net.pem")
modparam("tls_mgm", "ca_list", "/etc/opensips/tls/rootCA/certs/IntermediateCA.pem")
modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")
#server domain
modparam("tls_mgm", "server_domain", "sv_dom=91.X.X.X:5061")
modparam("tls_mgm", "dh_params", "sv_dom:/etc/opensips/tls/rootCA/certs/dhparam.pem")
modparam("tls_mgm", "ec_curve", "sv_dom:secp384r1")
modparam("tls_mgm", "ciphers_list", "sv_dom:EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
modparam("tls_mgm", "verify_cert", "sv_dom:0")
modparam("tls_mgm", "require_cert", "sv_dom:0")
modparam("tls_mgm", "tls_method", "sv_dom:SSLv23")
modparam("tls_mgm", "certificate", "sv_dom:/etc/opensips/tls/rootCA/certs/ssl_certificate.pem")
modparam("tls_mgm", "private_key", "sv_dom:/etc/opensips/tls/rootCA/certs/sip.net.pem")
modparam("tls_mgm", "ca_list", "sv_dom:/etc/opensips/tls/rootCA/certs/IntermediateCA.pem")
modparam("tls_mgm", "ca_dir", "sv_dom:/etc/pki/tls/certs/")


Thanks

Jon

________________________________
From: Users <users-boun...@lists.opensips.org> on behalf of Callum Guy 
<callum....@x-on.co.uk>
Sent: 11 September 2017 07:58
To: OpenSIPS users mailing list
Subject: Re: [OpenSIPS-Users] opensips 2.2.5 and TLS configuration


Try turning off certificate verification while you work through the issue.


I have also found that there is a need on OpenSIPS 2.2.x to re-specify the 
global params under your server/client domains; I have certainly had issues 
with that in the past. Try issuing all of your global directives a second time, 
prefixed with your server domain.


Personally, I specify the cipher list and aim for a higher standard of security; 
here's an excerpt:


modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")
modparam("tls_mgm", "ec_curve", "secp384r1")
modparam("tls_mgm", "ciphers_list", "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
modparam("tls_mgm", "verify_cert", "1") # Switch off during initial testing to rule this out
modparam("tls_mgm", "require_cert", "1") # Switch off during initial testing to rule this out
modparam("tls_mgm", "tls_method", "TLSv1_2")
modparam("tls_mgm", "certificate", "/etc/pki/tls/certs/dom.sip.crt")
modparam("tls_mgm", "private_key", "/etc/pki/tls/private/dom.sip.key")
modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")
modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")


Note the inclusion of ca_dir and ciphers_list. Looking forward to hearing how 
you get on.

On Fri, Sep 8, 2017 at 4:42 PM Jonathan Hunter <hunter...@hotmail.com> wrote:

Hi Guys,

Sorry for the noise.

I am testing SIP over TLS and having some issues getting client devices to 
register, having upgraded from OpenSIPS 1.11 to 2.2.5.

Please see my configuration below:


OpenSIPS 2.2.5


listen=tcp:<Public_IP>:5060
listen=tls:<Public_IP>:5061
loadmodule "proto_tcp.so"
loadmodule "proto_udp.so"
loadmodule "proto_tls.so"
loadmodule "tls_mgm.so"

#Global params
modparam("tls_mgm", "tls_method", "SSLv23")
modparam("tls_mgm", "certificate", "/etc/opensips/tls/rootCA/certs/ssl_certificate.pem")
modparam("tls_mgm", "private_key", "/etc/opensips/tls/rootCA/certs/sip.provider.net.pem")
modparam("tls_mgm", "ca_list", "/etc/opensips/tls/rootCA/certs/IntermediateCA.pem")
modparam("tls_mgm", "require_cert", "0")
modparam("tls_mgm", "verify_cert", "1")
#server domain
modparam("tls_mgm", "server_domain", "sv_dom=<Public_IP>:5061")
modparam("tls_mgm", "certificate", "sv_dom:/etc/opensips/tls/rootCA/certs/ssl_certificate.pem")
modparam("tls_mgm", "private_key", "sv_dom:/etc/opensips/tls/rootCA/certs/sip.provider.net.pem")
modparam("tls_mgm", "ca_list", "sv_dom:/etc/opensips/tls/rootCA/certs/IntermediateCA.pem")
modparam("tls_mgm", "tls_method", "sv_dom:SSLv23")
modparam("tls_mgm", "require_cert", "sv_dom:0")
modparam("tls_mgm", "verify_cert", "sv_dom:1")



I am trying to register both a Bria client and a Yealink, and I can't register my 
device; the OpenSIPS logs show no errors:

Sep  8 15:14:56 localhost VU-SIP-Proxy[14664]: INFO:core:probe_max_sock_buff: using snd buffer of 244 kb
Sep  8 15:14:56 localhost VU-SIP-Proxy[14664]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 37
Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_accept: New TLS connection from 91.151.6.28:10405 accepted
Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_accept: Client did not present a TLS certificate
Sep  8 15:14:56 localhost VU-SIP-Proxy[14649]: INFO:proto_tls:tls_dump_cert_info: tls_accept: local TLS server certificate subject: /CN=sip.provider.net, issuer: /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA

And in a Wireshark trace, when debugging using the private key, I see Client 
Hello, Server Hello, Certificate, Server Hello Done, then Client Key Exchange, 
Change Cipher Spec, Finished, then New Session Ticket, Change Cipher Spec, then 
Finished.

At which point I see Close Notify.

Do I need to specify a Ciphers list?

I appreciate that debugging TLS can be complex, but having had it working OK in 
the testing phase on 1.11, I presume I am just misconfiguring for 2.2?

Many Thanks!

Jon


_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
--
Callum Guy
Head of Information Security
X-on


0333 332 0000  |  www.x-on.co.uk
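Editor's added example, not part of the thread and not OpenSIPS code. Jon's log shows only the server's half of the story: "Client did not present a TLS certificate" is expected with require_cert set to 0, and the proxy has no way of knowing whether the handset was able to build a trust chain from the certificate it was sent, because that validation happens on the handset. The practical check is therefore to probe the listener as a client that trusts only the root CA, which is what a handset with a single CA installed does. The script below builds a throwaway root/intermediate/leaf chain with the openssl CLI, serves it from a local openssl s_server pinned to TLS 1.2 (Callum's TLSv1_2) and to Callum's cipher list, and probes it once with the intermediate withheld and once with it sent. It also expands the cipher list to show that the AES256+EECDH and AES256+EDH groups admit CBC suites beside the GCM ones (every suite is still ECDHE or DHE, so forward secrecy holds). sip.example.net, port 15061 and all certificates are invented for the demo; OpenSSL accepts the comma separators used in the config above, but the colon form is used here.

```sh
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain, serve it from a local TLS 1.2 server pinned to the posted cipher list, and
# probe it as a client that trusts only the root would (a handset with one CA
# installed). Needs only the openssl CLI (1.1.1 or 3.x); host and port are made up.
set -eu

WORK="$(mktemp -d)"
HOST=sip.example.net        # hypothetical SIP domain in the server certificate
PORT=15061                  # hypothetical local stand-in for the :5061 listener
CIPHERS='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'   # Callum's list, colon form
SERVER_PID=
trap 'stop_server; rm -rf "$WORK"' EXIT

# Extensions come from tiny ext files so no system openssl.cnf defaults leak in.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >"$WORK/leaf.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" >>"$WORK/leaf.ext"
  for spec in "root:Example Root CA" "inter:Example Intermediate CA" "leaf:$HOST"; do
    name=${spec%%:*}; cn=${spec#*:}
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  done
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Expand the cipher string the way OpenSSL will; TLS 1.3 suites (TLS_*) are fixed
# and shown by 3.x regardless of the string, so they are set aside.
tls12_suites() { openssl ciphers "$CIPHERS" | tr ':' '\n' | grep -v '^TLS_'; }
pfs_only() { if tls12_suites | grep -qvE '^(ECDHE|DHE)-'; then echo no; else echo yes; fi; }
non_aead() { tls12_suites | grep -vE 'GCM|CCM|CHACHA20' || true; }  # CBC fallbacks the AES256+ groups admit

# Offline chain check: leaf $1 against trusted root $2, with or without intermediate $3.
chain_verifies() {
  if [ $# -gt 2 ]; then set -- -untrusted "$3" -CAfile "$2" "$1"; else set -- -CAfile "$2" "$1"; fi
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Serve leaf $1, optionally sending intermediate $2 in the handshake, TLS 1.2 only
# (Callum's TLSv1_2) and restricted to $CIPHERS.
start_server() {
  if [ $# -gt 1 ]; then set -- -cert "$1" -cert_chain "$2"; else set -- -cert "$1"; fi
  openssl s_server -accept "127.0.0.1:$PORT" -tls1_2 -cipher "$CIPHERS" -key "$WORK/leaf.key" \
    "$@" -quiet >/dev/null 2>&1 &
  SERVER_PID=$!
  for i in 1 2 3 4 5 6 7 8 9 10; do   # wait until the listener answers
    openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 </dev/null >/dev/null 2>&1 && return 0
    sleep 1
  done
  echo "s_server did not come up on $PORT" >&2; return 1
}
stop_server() {
  if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null || true; wait "$SERVER_PID" 2>/dev/null || true; fi
  SERVER_PID=
}

# Client view with only CA file $1 trusted: verification result and negotiated parameters.
probe() {
  openssl s_client -connect "127.0.0.1:$PORT" -servername "$HOST" -verify_hostname "$HOST" \
    -CAfile "$1" -tls1_2 </dev/null 2>/dev/null
}
verify_code() { probe "$1" | sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | tail -n 1; }
negotiated() { probe "$1" | awk -F': *' '/^ *Protocol *:/ {p=$2} /^ *Cipher *:/ {c=$2} END {print p, c}'; }

make_chain
echo "forward secrecy only: $(pfs_only); non-AEAD suites admitted by the list:"; non_aead | sed 's/^/  /'
echo "openssl verify, intermediate missing:  $(chain_verifies "$WORK/leaf.pem" "$WORK/root.pem")"
echo "openssl verify, intermediate supplied: $(chain_verifies "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/inter.pem")"
start_server "$WORK/leaf.pem"
echo "listener sends leaf only:         verify=$(verify_code "$WORK/root.pem")  $(negotiated "$WORK/root.pem")"
stop_server
start_server "$WORK/leaf.pem" "$WORK/inter.pem"
echo "listener sends leaf+intermediate: verify=$(verify_code "$WORK/root.pem")  $(negotiated "$WORK/root.pem")"
stop_server
```

To probe a real proxy, point the s_client line at its address:5061 and pass the root CA the handsets carry as -CAfile; a non-zero "Verify return code" with the root alone means the intermediate is not reaching the client, while a zero result shifts attention to the handset's own settings (hostname checks, trusted-certificate switches). How the chain is served is a tls_mgm matter: ca_list is documented as the set of CAs trusted when verifying peers, so check the tls_mgm documentation for your 2.2.x release for where the intermediate belongs rather than relying on that line. The script removes its temporary directory on exit.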