Hi Mark,

Can you post the actual errors that you get in the OpenSIPS logs, if that is the case?

Regards,

--
Vlad Patrascu
OpenSIPS Developer
http://www.opensips-solutions.com

On 16.11.2020 11:04, Mark Farmer wrote:
Good morning all

Can anyone clarify whether the TLS domain in SAN is supported or not please?

Many thanks
Mark.


On Fri, 13 Nov 2020 at 15:59, Kevin Vines <kevin.vi...@gmail.com> wrote:

    You got me there... the doc states

    OpenSIPS offers SIP service for multiple
    domains, e.g. atlanta.com and biloxi.com. Although both domains
    will be hosted on a single SIP proxy, the SIP proxy needs 2
    certificates: One for atlanta.com and one for biloxi.com. For
    incoming TLS connections

    If you need one cert per domain, maybe it implies that you need to
    have the domain as the CN instead of a SAN?

    Kevin

    *From:* farm...@gmail.com
    *Sent:* November 13, 2020 10:43 a.m.
    *To:* users@lists.opensips.org
    *Reply to:* users@lists.opensips.org
    *Subject:* Re: [OpenSIPS-Users] Teams TLS Error


    OK so now I have this:

    modparam("tls_mgm","certificate", "[my.domain.name]/usr/local/etc/opensips/tls/myCert.pem")
    modparam("tls_mgm","private_key", "[my.domain.name]/usr/local/etc/opensips/tls/myKey.key")
    modparam("tls_mgm","ca_dir", "/etc/ssl/certs")
    modparam("tls_mgm","verify_cert", "[my.domain.name]1")
    modparam("tls_mgm","require_cert", "[my.domain.name]1")
    modparam("tls_mgm","tls_method", "[my.domain.name]TLSv1_2")
    modparam("tls_mgm", "match_sip_domain", "my.domain.name")

    But now it claims that my.domain.name is
    not defined in myCert.pem
    I know it is - it is in a SAN within the certificate.

    Any suggestions?
    Many thanks
    Mark.


    On Fri, 13 Nov 2020 at 15:12, Kevin Vines <kevin.vi...@gmail.com> wrote:

        Hi Mark,

        Based on some googling it looks like you need to specify the
        domain eg:

        modparam("tls_mgm","verify_cert", "[domain.com]1")

        https://fossies.org/linux/opensips/modules/tls_mgm/README

        Kevin

        *From:* farm...@gmail.com
        *Sent:* November 13, 2020 9:49 a.m.
        *To:* users@lists.opensips.org
        *Reply to:* users@lists.opensips.org
        *Subject:* [OpenSIPS-Users] Teams TLS Error


        Hi everyone

        OpenSIPS 3.1.0

        I am following the OpenSIPS as Teams SBC guide and have added
        the TLS config:

        modparam("tls_mgm","verify_cert", "1")
        modparam("tls_mgm","require_cert", "1")
        modparam("tls_mgm","tls_method", "TLSv1_2")
        modparam("tls_mgm","certificate", "/usr/local/etc/opensips/tls/myCert.pem")
        modparam("tls_mgm","private_key", "/usr/local/etc/opensips/tls/myKey.key")
        modparam("tls_mgm", "ca_dir", "/etc/ssl/certs")

        But I am seeing a TLS domain error:

        Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain name
        Nov 13 14:36:50 [175314] Traceback (last included file at the bottom):
        Nov 13 14:36:50 [175314]  0. /usr/local//etc/opensips/opensips.cfg
        Nov 13 14:36:50 [175314] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/opensips.cfg:191:19-20: Parameter <verify_cert> not found in module <tls_mgm> - can't set
        Nov 13 14:36:50 [175314] #modparam("tls_mgm", "require_cert", "[dom4]1")
        Nov 13 14:36:50 [175314]
        Nov 13 14:36:50 [175314] modparam("tls_mgm","verify_cert", "1")
        Nov 13 14:36:50 [175314] ^~
        Nov 13 14:36:50 [175314] modparam("tls_mgm","require_cert", "1")
        Nov 13 14:36:50 [175314] modparam("tls_mgm","tls_method", "TLSv1_2")
        Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm
        Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: found <require_cert> in module tls_mgm [/usr/local/lib64/opensips/modules/]
        Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain name

        Can anyone tell me what I might be missing please?

        Many thanks
        Mark.

        _______________________________________________
        Users mailing list
        Users@lists.opensips.org
        http://lists.opensips.org/cgi-bin/mailman/listinfo/users



    --
    Mark Farmer
    farm...@gmail.com



--
Mark Farmer
farm...@gmail.com
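
Added example, not part of the original thread and not OpenSIPS code: a small Python check for the "No TLS domain name" error quoted above, flagging tls_mgm modparam values that lack the [domain] prefix. The parameter set and the sample config are taken from the messages in this thread; the names lint_tls_mgm and BEFORE are hypothetical.

```python
import re

# Parameters the configs in this thread write with a "[domain]" prefix.
# Assumption: the set comes from the thread, not from the tls_mgm docs.
DOMAIN_SCOPED = {"certificate", "private_key", "verify_cert",
                 "require_cert", "tls_method"}
MODPARAM = re.compile(
    r'^\s*modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)')
PREFIX = re.compile(r'^\[([^\]]+)\](.*)$')


def lint_tls_mgm(cfg_text):
    """Return (findings, domains) for the tls_mgm modparam lines.

    findings: (line_no, param, problem) tuples
    domains:  domain name -> sorted parameter names set for it, so a
              misspelt domain shows up as a second, incomplete entry
    """
    findings, domains = [], {}
    for no, line in enumerate(cfg_text.splitlines(), 1):
        m = MODPARAM.match(line)  # lines commented out with '#' never match
        if not m or m.group(1) not in DOMAIN_SCOPED:
            continue
        param, value = m.groups()
        p = PREFIX.match(value)
        if p is None:
            findings.append((no, param, "no [domain] prefix"))
        elif not p.group(2).strip():
            findings.append((no, param, "empty value after [domain]"))
        else:
            domains.setdefault(p.group(1), set()).add(param)
    return findings, {d: sorted(ps) for d, ps in domains.items()}


# Constructed sample: the first configuration posted in the thread, plus
# the commented-out line visible in the log excerpt.
BEFORE = '''\
#modparam("tls_mgm", "require_cert", "[dom4]1")
modparam("tls_mgm","verify_cert", "1")
modparam("tls_mgm","require_cert", "1")
modparam("tls_mgm","tls_method", "TLSv1_2")
modparam("tls_mgm","certificate", "/usr/local/etc/opensips/tls/myCert.pem")
modparam("tls_mgm","private_key", "/usr/local/etc/opensips/tls/myKey.key")
modparam("tls_mgm", "ca_dir", "/etc/ssl/certs")
'''

if __name__ == "__main__":
    for finding in lint_tls_mgm(BEFORE)[0]:
        print(finding)
```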
