You are right: I used 3.0-devel branch instead of master. Maybe it's a good idea to get rid of 3.0 devel branch.
-----Original Message-----
From: Users <[email protected]> On Behalf Of Razvan Crainea
Sent: Thursday, March 14, 2019 10:45 AM
To: [email protected]
Subject: Re: [OpenSIPS-Users] opensips 2.4.4: bug in tls_mgm

Hi, Johan!

Are you sure you are using the latest 3.0 sources? I am asking because this should have already been resolved a long time ago. Moreover, your error is reported at line 118 in modules/tls_mgm/tls_conn_ops.h, but the master sources have something else at that line[1].

[1] https://github.com/OpenSIPS/opensips/blob/master/modules/tls_mgm/tls_conn_ops.h#L118

Best regards,
Răzvan

On 3/12/19 7:34 PM, johan de clercq wrote:
> Having pulled the latest 3.0-devel version, I have the following error
> when trying to compile proto-tls
>
> ../tls_mgm/tls_conn_ops.h:118:29: error: dereferencing pointer to incomplete type ‘SSL {aka struct ssl_st}’
>
> if ( ((SSL *)c->extra_data)->kssl_ctx ) {
>
> Can you please correct?
>
> From: Users <[email protected]> On Behalf Of Vlad Patrascu
> Sent: Thursday, March 7, 2019 11:46 AM
> To: [email protected]
> Subject: Re: [OpenSIPS-Users] opensips 2.4.4: bug in tls_mgm
>
> Hi Johan,
>
> The issue is probably caused by the fact that OpenSIPS tries to
> initialize a 'default' client and server domain and the certificate
> file is inexistent at the default path
> ('/usr/local/opensips//etc/opensips/tls/cert.pem'). So even if you
> define your "sv_dom" custom server domain, OpenSIPS still tries to
> create default domains for fallback purposes. When you omit the
> '[sv_dom]' prefix for the domain settings in your second test, you
> overwrite the default ones (with a valid path for the certificate this
> time).
>
> In conclusion, either specify your custom domain _and_ default domains
> separately (set the modparams multiple times) or make sure the
> certificate is found at the default path. Also, note that it's not
> necessary to define a custom server domain if you only intend to use a
> single one, as the default will match any socket.
>
> Regards,
>
> Vlad Patrascu
> OpenSIPS Developer
> http://www.opensips-solutions.com
>
> On 02/17/2019 01:35 PM, johan de clercq wrote:
> > Hi,
> >
> > I believe that I have found a bug in tls_mgm:
> >
> > Using opensips default certificates:
> >
> > /usr/local/opensips/etc/opensips/tls# ls -lu
> > total 24
> > -rw-r--r-- 1 root staff 2049 Feb 17 12:13 ca.conf
> > -rw-r--r-- 1 root staff 1048 Feb 17 12:13 README
> > -rw-r--r-- 1 root staff 1127 Feb 17 12:13 request.conf
> > drwxr-sr-x 4 root staff 4096 Feb 17 12:16 rootCA
> > drwxr-sr-x 2 root staff 4096 Feb 17 12:13 user
> > -rw-r--r-- 1 root staff 591 Feb 17 12:13 user.conf
> >
> > /usr/local/opensips/etc/opensips/tls/rootCA# ls
> > cacert.pem certs index.txt private serial
> >
> > Tls params:
> >
> > loadmodule "tls_mgm.so"
> > modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
> > modparam("tls_mgm", "require_cert", "[sv_dom]0")
> > modparam("tls_mgm", "verify_cert", "[sv_dom]0")
> > modparam("tls_mgm", "tls_method", "[sv_dom]SSLv23")
> > modparam("tls_mgm", "certificate", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
> > modparam("tls_mgm", "private_key", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
> > modparam("tls_mgm", "ca_list", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
> >
> > #### PROTO_TLS module
> > loadmodule "proto_tls.so"
> > modparam("proto_tls", "trace_destination", "hep_dest")
> > modparam("proto_tls", "trace_on", 1)
> >
> > I removed the passphrase:
> >
> > mv etc/tls/rootCA/private/cakey.pem etc/tls/rootCA/private/cakey.pem.protected
> > openssl rsa -in etc/tls/rootCA/private/cakey.pem.protected -out etc/tls/rootCA/private/cakey.pem
> >
> > and then tried to run opensips from cmdline : ./opensips -f /usr/local/opensips/etc/opensips/opensips.cfg
> >
> > syslog output:
> >
> > Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/usr/local/opensips//etc/opensips/tls/cert.pem'
> > Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
> > Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:init_mod: failed to initialize module tls_mgm
> > Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:main: error while initializing modules
> > Feb 17 12:22:01 ns3012072 ./opensips[28673]: CRITICAL:core:sig_usr: segfault in attendant (starter) process!
> > Feb 17 12:22:01 ns3012072 kernel: [ 4024.678398] opensips[28673]: segfault at 7fcb76dbf850 ip 00007fcb76546f69 sp 00007ffe803ac150 error 4 in libcrypto.so.1.1[7fcb763df000+265000]
> >
> > Next I tried with:
> >
> > loadmodule "tls_mgm.so"
> > #modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
> > modparam("tls_mgm", "require_cert", "0")
> > modparam("tls_mgm", "verify_cert", "0")
> > modparam("tls_mgm", "tls_method", "SSLv23")
> > modparam("tls_mgm", "certificate", "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
> > modparam("tls_mgm", "private_key", "/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
> > modparam("tls_mgm", "ca_list", "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
> >
> > #### PROTO_TLS module
> > loadmodule "proto_tls.so"
> > modparam("proto_tls", "trace_destination", "hep_dest")
> > modparam("proto_tls", "trace_on", 1)
> >
> > and then opensips starts…
> >
> > Can you please explain what I am doing wrong?
> >
> > Johan De Clercq, Managing Director
> > Democon bvba - Ooigemstraat 41 - 8780 Oostrozebeke
> > Tel +3256980990 – GSM +32478720104
> >
> > _______________________________________________
> > Users mailing list
> > [email protected] <mailto:[email protected]>
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users

--
Răzvan Crainea
OpenSIPS Core Developer
http://www.opensips-solutions.com
Meet the OpenSIPS team at the next OpenSIPS Summit: https://www.opensips.org/events
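
The startup failure Vlad describes, as an added example that is not part of the thread or of OpenSIPS: a pre-flight check that groups `tls_mgm` modparams (in the syntax shown in the thread) by domain and reports certificate or key files that are missing, including the fallback path of an unconfigured 'default' domain. The function names are hypothetical, the fallback path is the one from the syslog output, and the fallback behaviour is assumed to be as described in the thread.

```python
import os
import re

DEFAULT_CERT = "/usr/local/opensips//etc/opensips/tls/cert.pem"  # path from the syslog line
TLS = "/usr/local/opensips/etc/opensips/tls/rootCA"
# Constructed samples, shortened from the two configurations in the thread.
FIRST_CFG = f'''
modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "verify_cert", "[sv_dom]0")
modparam("tls_mgm", "certificate", "[sv_dom]{TLS}/cacert.pem")
modparam("tls_mgm", "private_key", "[sv_dom]{TLS}/private/cakey.pem")
'''
SECOND_CFG = f'''
#modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "verify_cert", "0")
modparam("tls_mgm", "certificate", "{TLS}/cacert.pem")
modparam("tls_mgm", "private_key", "{TLS}/private/cakey.pem")
'''
# Matches modparam("tls_mgm", "<name>", "<value>"); '#'-commented lines do not match.
MODPARAM = re.compile(r'^\s*modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)')
PREFIXED = re.compile(r'^\[([^\]]+)\](.*)$')  # optional "[domain]" prefix on a value

def tls_domains(cfg_text):
    """Group tls_mgm settings by domain; unprefixed values belong to 'default'."""
    domains = {"default": {}}
    for line in cfg_text.splitlines():
        m = MODPARAM.match(line)
        if not m:
            continue
        name, value = m.groups()
        if name in ("server_domain", "client_domain"):
            domains.setdefault(value.split("=", 1)[0], {})  # "sv_dom=ip:port"
            continue
        p = PREFIXED.match(value)
        dom, val = (p.group(1), p.group(2)) if p else ("default", value)
        domains.setdefault(dom, {})[name] = val
    return domains

def missing_files(cfg_text, default_cert, exists=os.path.isfile):
    """Return (domain, param, path) for each certificate/key file that is absent."""
    problems = []
    for dom, params in tls_domains(cfg_text).items():
        for name in ("certificate", "private_key"):
            path = params.get(name)
            if path is None and dom == "default" and name == "certificate":
                path = default_cert  # assumed fallback when 'default' is not configured
            if path is not None and not exists(path):
                problems.append((dom, name, path))
    return problems
```

Run against the real configuration with `missing_files(open(cfg_path).read(), DEFAULT_CERT)`; an empty list means every configured domain, and the default one, has its files in place.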
