Hello OpenSips Users: I'm trying to configure an OpenSips v2.4 proxy with TLS and certificate validation but I do not understand how to provision TLS using DB.
With files everything works: the phone works well and validates the TLS certificate using a certificate signed by one of my authorized CAs in my ca_list file. But when I try to provision using DB with the same contents (CA_list, certificate, ciphers_list and private_key) I receive a "certificate verify failed" error.

I could not find any good documentation about using this in v2.4, and the TLS_MGM module documentation does not explain in depth how to get this working: https://opensips.org/html/docs/modules/2.4.x/tls_mgm.html

Is there any extended documentation about how to use DB provisioning in the TLS_MGM module?

I'm trying to use only the default domain with the following parameters (private data is obfuscated):

`id`, `domain`, `address`, `type`, `method`, `verify_cert`, `require_cert`, `certificate`, `private_key`, `crl_check_all`, `crl_dir`, `ca_list`, `ca_dir`, `cipher_list`, `dh_params`, `ec_curve`
"8" "default" "0.0.0.0:5061" "1" "SSLv23" "1" "0" "-MY_CERTIFICATE" "MY_PRIVATE_KEY" "0" \N "MY_CA_LIST" \N "MY_CIPHER_LIST" \N \N
"12" "default" "0.0.0.0:5061" "2" "SSLv23" "1" "0" "-MY_CERTIFICATE" "MY_PRIVATE_KEY" "0" \N "MY_CA_LIST" \N "MY_CIPHER_LIST" \N \N

The CA of the cisco-linksys phones is in MY_CA_LIST (works if using files) but does not work if using DB.

Only a note: as my ca_list is quite large, I had to modify the tls_mgm table structure and use VARCHAR(1024) instead of CHAR(255), but for my tests I think this is not the cause of the problem.

This is the complete SSL error when I try to use DB. The MACs and serial numbers are obfuscated.

NOTICE:tls_mgm:verify_callback: depth = 0
NOTICE:tls_mgm:verify_callback: subject = /C=US/ST=0000000000/L=CBTXXXXXXXX/O=Cisco Systems/OU=cisco.com/CN=SPA508G, MAC: 0000000000, Serial: CBTXXXXXXXX/emailAddress= [email protected]
NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local issuer certificate
NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error code is 20 (check x509_vfy.h)
NOTICE:tls_mgm:verify_callback: verify return:0
ERROR:proto_tls:tls_accept: New TLS connection from 1.1.1.1:51757 failed to accept
ERROR:proto_tls:tls_print_errstack: TLS errstack: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
ERROR:proto_tls:tls_read_req: failed to do pre-tls reading

Can somebody explain more deeply how to make tls_mgm work with DB?

Thanks and regards,
Carlos Oliva
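A sanity check for the PEM bundle stored in the ca_list column, added here as an example and not part of the original thread or of OpenSIPS: verify error 20 (unable to get local issuer certificate) means the issuer CA was not among the certificates OpenSSL actually loaded, so the first thing to confirm is that the column holds the whole bundle and not a copy cut off at the column width. The PEM markers and the DER SEQUENCE check are standard; the sample bundle and the 255-character width are constructed for the demonstration.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One complete PEM certificate block; re.S lets the base64 body span lines.
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)


def check_ca_list(value: str, column_width: Optional[int] = None) -> Dict[str, object]:
    """Inspect a PEM bundle as it would sit in a tls_mgm ca_list column.

    Returns how many complete certificate blocks were found and a list of
    problems that would stop OpenSSL from finding an issuer in the bundle.
    """
    issues: List[str] = []
    begins, ends = value.count(BEGIN), value.count(END)
    if begins != ends:
        issues.append(f"{begins} BEGIN markers but {ends} END markers: bundle is cut off or garbled")
    bodies = PEM_BLOCK.findall(value)
    for i, body in enumerate(bodies):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            issues.append(f"certificate {i}: body is not valid base64")
            continue
        # Every X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
        if not der.startswith(b"\x30"):
            issues.append(f"certificate {i}: decoded body is not a DER SEQUENCE")
    if column_width is not None and len(value) > column_width:
        issues.append(f"bundle is {len(value)} chars but the column holds {column_width}: the tail is dropped")
    return {"certificates": len(bodies), "issues": issues}


def fake_pem(payload: bytes) -> str:
    """Wrap constructed bytes as a PEM block (test fixture only, not a real certificate)."""
    b64 = base64.b64encode(payload).decode()
    return "\n".join([BEGIN, *[b64[i:i + 64] for i in range(0, len(b64), 64)], END])


# Constructed stand-in for a two-CA bundle: a DER SEQUENCE tag plus filler bytes.
SAMPLE_BUNDLE = "\n".join(fake_pem(b"\x30\x3e" + bytes(62)) for _ in range(2))

if __name__ == "__main__":
    print(check_ca_list(SAMPLE_BUNDLE))                    # intact bundle
    print(check_ca_list(SAMPLE_BUNDLE[:255]))              # what a CHAR(255) column keeps
    print(check_ca_list(SAMPLE_BUNDLE, column_width=255))  # warns before the write
```

Run it against the value read back from the database (for example via the DB client's output), not against the file the value was copied from, since the point is to catch what the column actually stored.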
_______________________________________________ Users mailing list [email protected] http://lists.opensips.org/cgi-bin/mailman/listinfo/users
