Hi, Johan!

Are you sure you are using the latest 3.0 sources? I am asking because this should have already been resolved a long time ago. Moreover, your error is reported at line 118 of modules/tls_mgm/tls_conn_ops.h, but the master sources have something else at that line[1].

[1] https://github.com/OpenSIPS/opensips/blob/master/modules/tls_mgm/tls_conn_ops.h#L118

Best regards,
Răzvan

On 3/12/19 7:34 PM, johan de clercq wrote:
Having pulled the latest 3.0-devel version, I have the following error when trying to compile proto-tls:

../tls_mgm/tls_conn_ops.h:118:29: error: dereferencing pointer to incomplete type ‘SSL {aka struct ssl_st}’

   if ( ((SSL *)c->extra_data)->kssl_ctx ) {

Can you please correct?

From: Users <users-boun...@lists.opensips.org> On Behalf Of Vlad Patrascu
Sent: Thursday, March 7, 2019 11:46 AM
To: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] opensips 2.4.4: bug in tls_mgm

Hi Johan,

The issue is probably caused by the fact that OpenSIPS tries to initialize a 'default' client and server domain and the certificate file is nonexistent at the default path ('/usr/local/opensips//etc/opensips/tls/cert.pem'). So even if you define your "sv_dom" custom server domain, OpenSIPS still tries to create default domains for fallback purposes. When you omit the '[sv_dom]' prefix for the domain settings in your second test, you overwrite the default ones (with a valid path for the certificate this time).

In conclusion, either specify your custom domain _and_ default domains separately (set the modparams multiple times) or make sure the certificate is found at the default path. Also, note that it's not necessary to define a custom server domain if you only intend to use a single one, as the default will match any socket.

Regards,

Vlad Patrascu

OpenSIPS Developer

http://www.opensips-solutions.com

On 02/17/2019 01:35 PM, johan de clercq wrote:

    Hi,

    I believe that I have found a bug in tls_mgm:

    Using opensips default certificates:

    /usr/local/opensips/etc/opensips/tls# ls -lu
    total 24
    -rw-r--r-- 1 root staff 2049 Feb 17 12:13 ca.conf
    -rw-r--r-- 1 root staff 1048 Feb 17 12:13 README
    -rw-r--r-- 1 root staff 1127 Feb 17 12:13 request.conf
    drwxr-sr-x 4 root staff 4096 Feb 17 12:16 rootCA
    drwxr-sr-x 2 root staff 4096 Feb 17 12:13 user
    -rw-r--r-- 1 root staff  591 Feb 17 12:13 user.conf

    /usr/local/opensips/etc/opensips/tls/rootCA# ls
    cacert.pem  certs  index.txt  private  serial

    TLS params:

    loadmodule "tls_mgm.so"
    modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
    modparam("tls_mgm", "require_cert", "[sv_dom]0")
    modparam("tls_mgm", "verify_cert", "[sv_dom]0")
    modparam("tls_mgm", "tls_method", "[sv_dom]SSLv23")
    modparam("tls_mgm", "certificate", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
    modparam("tls_mgm", "private_key", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
    modparam("tls_mgm", "ca_list", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")

    #### PROTO_TLS module
    loadmodule "proto_tls.so"
    modparam("proto_tls", "trace_destination", "hep_dest")
    modparam("proto_tls", "trace_on", 1)

    I removed the passphrase:

    mv etc/tls/rootCA/private/cakey.pem etc/tls/rootCA/private/cakey.pem.protected
    openssl rsa -in etc/tls/rootCA/private/cakey.pem.protected -out etc/tls/rootCA/private/cakey.pem

    and then tried to run opensips from cmdline: ./opensips -f /usr/local/opensips/etc/opensips/opensips.cfg

    syslog output:

    Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/usr/local/opensips//etc/opensips/tls/cert.pem'
    Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
    Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:init_mod: failed to initialize module tls_mgm
    Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:main: error while initializing modules
    Feb 17 12:22:01 ns3012072 ./opensips[28673]: CRITICAL:core:sig_usr: segfault in attendant (starter) process!
    Feb 17 12:22:01 ns3012072 kernel: [ 4024.678398] opensips[28673]: segfault at 7fcb76dbf850 ip 00007fcb76546f69 sp 00007ffe803ac150 error 4 in libcrypto.so.1.1[7fcb763df000+265000]

    Next I tried with:

    loadmodule "tls_mgm.so"
    #modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
    modparam("tls_mgm", "require_cert", "0")
    modparam("tls_mgm", "verify_cert", "0")
    modparam("tls_mgm", "tls_method", "SSLv23")
    modparam("tls_mgm", "certificate", "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
    modparam("tls_mgm", "private_key", "/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
    modparam("tls_mgm", "ca_list", "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")

    #### PROTO_TLS module
    loadmodule "proto_tls.so"
    modparam("proto_tls", "trace_destination", "hep_dest")
    modparam("proto_tls", "trace_on", 1)

    and then opensips starts…

    Can you please explain what I am doing wrong?


    Johan De Clercq, Managing Director
    Democon bvba - Ooigemstraat 41 - 8780 Oostrozebeke

    Tel +3256980990 – GSM +32478720104




    _______________________________________________

    Users mailing list

    Users@lists.opensips.org  <mailto:Users@lists.opensips.org>

    http://lists.opensips.org/cgi-bin/mailman/listinfo/users




--
Răzvan Crainea
OpenSIPS Core Developer
  http://www.opensips-solutions.com
Meet the OpenSIPS team at the next OpenSIPS Summit:
  https://www.opensips.org/events
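Vlad's explanation further up in the thread comes down to a configuration check: `[sv_dom]`-prefixed tls_mgm modparams configure only the custom domain, while the implicit 'default' domains still need a certificate, either set with unprefixed modparams or present at the build-time default path. The following shell script is an added example, not OpenSIPS code and not from anyone in this thread: it pulls the tls_mgm modparams out of an opensips.cfg per domain and reports whether the default domain would have to fall back to the default path. The two embedded cfg fragments are constructed from the configs Johan posted (with each modparam on one line, which the mail wrapping broke up), and the helper names `tls_param` and `check_default_domain` are my own.

```shell
#!/bin/sh
# Added example (not OpenSIPS code): inspect the tls_mgm modparams of an
# opensips.cfg and tell whether the implicit 'default' TLS domain still has
# to load its certificate from the build-time default path. Helper names
# tls_param/check_default_domain are hypothetical; the cfg fragments are constructed.

# Print the values of tls_mgm parameter PARAM in CFG that apply to domain DOM.
# "[name]value" belongs to custom domain 'name'; an unprefixed value belongs to
# the default domain (pass DOM as "" to select it). Commented-out lines are skipped.
tls_param() {
    cfg=$1; param=$2; dom=$3
    sed -n "s/^[[:space:]]*modparam(\"tls_mgm\",[[:space:]]*\"$param\",[[:space:]]*\"\(.*\)\")/\1/p" "$cfg" |
    while IFS= read -r val; do
        case "$val" in
            \[*\]*)   # prefixed: "[name]value"
                pfx=${val#\[}; pfx=${pfx%%\]*}
                if [ "$pfx" = "$dom" ]; then printf '%s\n' "${val#*\]}"; fi ;;
            *)        # unprefixed: default domain
                if [ -z "$dom" ]; then printf '%s\n' "$val"; fi ;;
        esac
    done
    return 0
}

# Return 0 when the default domain has an explicit certificate and private_key,
# or when the fallback file DEFAULT_CERT is readable; return 1 otherwise, which
# is the situation behind the "unable to load certificate file" error in the thread.
check_default_domain() {
    cfg=$1; default_cert=$2
    for d in $(tls_param "$cfg" server_domain "") $(tls_param "$cfg" client_domain ""); do
        dname=${d%%=*}
        printf 'custom domain %s: certificate=%s\n' "$dname" "$(tls_param "$cfg" certificate "$dname")"
    done
    cert=$(tls_param "$cfg" certificate "")
    key=$(tls_param "$cfg" private_key "")
    if [ -n "$cert" ] && [ -n "$key" ]; then
        printf 'default domain: certificate=%s private_key=%s\n' "$cert" "$key"
        return 0
    fi
    if [ -r "$default_cert" ]; then
        printf 'default domain: no explicit certificate, using fallback %s\n' "$default_cert"
        return 0
    fi
    printf 'WARNING: default domain has no certificate and %s is not readable; tls_mgm will fail to init\n' "$default_cert" >&2
    return 1
}

# Constructed sample 1: Johan's first attempt, every value scoped to [sv_dom].
CFG_CUSTOM_ONLY=$(mktemp)
cat > "$CFG_CUSTOM_ONLY" <<'EOF'
loadmodule "tls_mgm.so"
modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "require_cert", "[sv_dom]0")
modparam("tls_mgm", "certificate", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
modparam("tls_mgm", "private_key", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
EOF

# Constructed sample 2: the custom domain plus unprefixed values for the default
# domain, i.e. the "set the modparams multiple times" option from Vlad's reply.
CFG_BOTH=$(mktemp)
cat > "$CFG_BOTH" <<'EOF'
loadmodule "tls_mgm.so"
modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "certificate", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
modparam("tls_mgm", "private_key", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
#modparam("tls_mgm", "certificate", "[old_dom]/tmp/ignored.pem")
modparam("tls_mgm", "certificate", "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
modparam("tls_mgm", "private_key", "/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
EOF
trap 'rm -f "$CFG_CUSTOM_ONLY" "$CFG_BOTH"' EXIT

# Build-time default path quoted in the syslog output of the thread.
DEFAULT_CERT=/usr/local/opensips//etc/opensips/tls/cert.pem

echo "== custom domain only =="
check_default_domain "$CFG_CUSTOM_ONLY" "$DEFAULT_CERT" || echo "(would fail at startup)"
echo "== custom + default domain =="
check_default_domain "$CFG_BOTH" "$DEFAULT_CERT" || echo "(would fail at startup)"
```

Run it against a real opensips.cfg by pointing `check_default_domain` at that file and at the default certificate path your build uses; a non-zero exit means the default domain has neither explicit modparams nor a readable fallback file, which is exactly the state that produced the load_certificate error and the failed init of the 'default' domain in Johan's syslog. The script only reads the config and tests file readability; it does not validate the certificate itself.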

