Can you confirm the contents of 'something.com:/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/cacert.pem' and that the opensips daemon user has access to the path?

You don't need to set up client and server domains if you are just testing, *but you do need to be using tls_mgm* (http://www.opensips.org/html/docs/modules/devel/tls_mgm.html).

Here is an example strong configuration which might get you started - put the certs where you have them, ensure they are accessible and perhaps comment out the strong ciphers etc. while testing, as per the example:

listen=tls:your_serv_IP:5061

loadmodule "proto_tls.so"
loadmodule "proto_udp.so"
loadmodule "tls_mgm.so"

# TLS: Default configuration
modparam("tls_mgm", "certificate", "/etc/pki/tls/certs/this-domain.sip.crt")
modparam("tls_mgm", "private_key", "/etc/pki/tls/private/this-domain.sip.key")
modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")
modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")

# Define standards:
#modparam("tls_mgm", "ciphers_list", "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
#modparam("tls_mgm", "verify_cert", "1")
#modparam("tls_mgm", "require_cert", "1")
#modparam("tls_mgm", "tls_method", "TLSv1_2")
#modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")
#modparam("tls_mgm", "ec_curve", "secp384r1")

On Tue, Sep 4, 2018 at 6:57 PM Dominic <[email protected]> wrote:

> Hi all, I'm currently trying to set up OpenSIPS to use TLS. For this I am
> following the steps described here:
> http://www.opensips.org/Documentation/Tutorials-TLS-2-2
>
> This is a dev box, so for now I just want to get things working. My setup
> is as follows:
> UACs are registering to OpenSIPS, which is set up as a mid-registrar in
> front of Asterisk. Rtpproxy is used on a different box to relay the RTP
> between the UACs and Asterisk.
>
> I followed the steps described in the tutorial mentioned above but I
> cannot get opensips to start up. So I have a few questions regarding the
> tutorial:
>
> question 1:
> If my opensips is only accepting connections (phones registering to it
> from the internet), then I presume I only need the server domain part in
> the following part of the tutorial?:
>
> #server domain
> modparam("proto_tls", "server_domain", "sv_dom=<your-ip-address>:<port>")
> modparam("proto_tls", "certificate", "sv_dom:$CERT_DIR/rootCA/cacert.pem")
> modparam("proto_tls", "private_key", "sv_dom:$CERT_DIR/rootCA/private/cakey.pem")
> modparam("proto_tls", "ca_list", "sv_dom:$CERT_DR/rootCA/cacert.pem")
>
> #client domain
> modparam("proto_tls", "client_domain", "cl_dom=<UAS-ip-address>:<port>")
> modparam("proto_tls", "certificate", "cl_dom:$CERT_DIR/user/user-cert.pem")
> modparam("proto_tls", "private_key", "cl_dom:$CERT_DIR/user/user-privkey.pem")
> modparam("proto_tls", "ca_list", "cl_dom:$CERT_DR/user/user-calist.pem")
>
> question 2:
> In the above code, I need to replace sv_dom with what exactly? Something
> like blablabla.com?
>
> question 3:
> Do I need to edit the certificate conf files (ca.conf, request.conf,
> user.conf)? I just copied the existing files as is, which may be
> why I'm having issues.
>
> So far I tried using the ones generated by the opensipsctl tls command and
> I am always getting the errors below upon startup. I also tried the builtin
> certificates and I get the same result:
>
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:mod_init: initializing TLS management
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:mod_init: openssl version: OpenSSL 1.0.2g 1 Mar 2016
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:mod_init: disabling compression due ZLIB problems
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'default'
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: DBG:tls_mgm:init_ssl_ctx_behavior: no DH params file for tls domain 'default' defined, using default '(null)'
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: NOTICE:tls_mgm:init_ssl_ctx_behavior: No EC curve defined
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: NOTICE:tls_mgm:init_ssl_ctx_behavior: cipher list set to NULL
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: INFO:tls_mgm:init_ssl_ctx_behavior: client verification NOT activated. Weaker security.
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:tls_mgm:load_certificate: unable to load certificate file 'something.com:/usr/src/opensips-2.4.1/tls_cnf/tls/rootCA/cacert.pem'
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:core:init_mod: failed to initialize module tls_mgm
> Sep 04 13:51:32 opensips-test-mtl /usr/local/sbin/opensips[66656]: ERROR:core:main: error while initializing modules
>
> If anyone sees something I don't, feel free to let me know.
> Thanks
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

-- 
Callum Guy
Head of Information Security
X-on
0333 332 0000 | www.x-on.co.uk
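The two things the reply asks Dominic to confirm (what the file at that path actually contains, and whether the daemon user can read it) can be checked before starting the daemon. The following is an added example written for this thread, not code from the OpenSIPS project or from either poster: it parses the active modparam("tls_mgm", ...) lines of a config, and for each file-backed parameter reports a path that does not start with '/' (the startup log above shows 'something.com:/usr/src/...' being opened verbatim, so a leftover 'name:' prefix becomes part of the filename), a missing file, a file the daemon uid could not read (decided from the mode bits of the file and every ancestor directory, without switching user), and a PEM file whose BEGIN label does not match the parameter (a private key where a certificate is expected, and so on). The daemon user name opensips, the default config path and the PEM label table are assumptions.

```python
"""Pre-flight check of tls_mgm file parameters in an OpenSIPS config (added example)."""
import os
import re
import stat
from typing import Dict, Iterable, List, Tuple

# PEM labels each parameter is expected to point at (assumption: usual OpenSSL output).
PEM_EXPECTED = {
    "certificate": ("CERTIFICATE",),
    "ca_list": ("CERTIFICATE",),
    "private_key": ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"),
    "dh_params": ("DH PARAMETERS",),
}

MODPARAM_RE = re.compile(r'modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)')


def parse_tls_params(cfg_text: str) -> List[Tuple[str, str]]:
    """(param, value) for each active tls_mgm modparam; '#'-commented lines are skipped."""
    found = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MODPARAM_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def pem_labels(path: str) -> List[str]:
    """Labels of the '-----BEGIN ...-----' blocks in a PEM file, in file order."""
    labels = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            m = re.match(r"-----BEGIN ([A-Z ]+)-----$", line.strip())
            if m:
                labels.append(m.group(1))
    return labels


def _allows(st: os.stat_result, uid: int, gids: Iterable[int], ubit: int, gbit: int, obit: int) -> bool:
    """Owner/group/other permission decision for one inode, as the kernel makes it for non-root."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in set(gids):
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def readable_by(path: str, uid: int, gids: Iterable[int]) -> bool:
    """True if uid could open the file: search (x) on every ancestor directory plus read on the file."""
    path = os.path.abspath(path)
    d = os.path.dirname(path)
    while True:
        if not _allows(os.stat(d), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return _allows(os.stat(path), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def check_tls_config(cfg_text: str, uid: int, gids: Iterable[int]) -> Dict[str, List[str]]:
    """Map each file-backed tls_mgm parameter to its list of problems (empty list = looks fine).

    Keyed by parameter name, which suits a single-domain config like the one in the reply;
    a multi-domain config would need the value in the key as well.
    """
    gids = set(gids)
    report: Dict[str, List[str]] = {}
    for param, value in parse_tls_params(cfg_text):
        if param not in PEM_EXPECTED and param != "ca_dir":
            continue  # ciphers_list, tls_method, ec_curve, ... are not paths
        problems: List[str] = []
        report[param] = problems
        if not value.startswith("/"):
            # The log shows 'something.com:/usr/src/...' being opened verbatim: a 'name:'
            # prefix in front of the path is treated as part of the filename.
            problems.append(f"value does not start with '/', it will be opened literally: {value!r}")
        if not os.path.exists(value):
            problems.append("does not exist")
            continue
        if param == "ca_dir":
            if not os.path.isdir(value):
                problems.append("is not a directory")
            continue
        if not readable_by(value, uid, gids):
            problems.append(f"not readable by uid {uid} (mode {stat.filemode(os.stat(value).st_mode)})")
        try:
            labels = pem_labels(value)
        except OSError as exc:
            problems.append(f"cannot be read by this process: {exc}")
            continue
        if not any(label in PEM_EXPECTED[param] for label in labels):
            problems.append(f"expected a {' or '.join(PEM_EXPECTED[param])} block, found {labels}")
    return report


if __name__ == "__main__":
    import grp
    import pwd
    import sys

    cfg_file = sys.argv[1] if len(sys.argv) > 1 else "/etc/opensips/opensips.cfg"  # assumed path
    user = sys.argv[2] if len(sys.argv) > 2 else "opensips"  # assumed daemon user name
    pw = pwd.getpwnam(user)
    groups = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    with open(cfg_file) as fh:
        for param, problems in check_tls_config(fh.read(), pw.pw_uid, groups).items():
            print(f"{param}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as root (so that it can open the files itself) with the config path and the daemon user name as arguments; the permission verdict is computed for the daemon's uid and groups, not for the user running the script, which is exactly the difference between "I can cat the file" and "opensips can load it".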
