Thank you, Nick. I've read these docs lots of times and didn't pay attention to it.

On Mon, May 10, 2021 at 11:44, Nick Altmann <[email protected]> wrote:

> Yes. You can use avp for this.
> https://opensips.org/docs/modules/3.1.x/tls_mgm.html#param_client_sip_domain_avp
>
> --
> Nick
>
> On Mon, May 10, 2021 at 16:09, Carlos Eduardo <[email protected]> wrote:
>
>> Hey all,
>>
>> About using the right certificate, is it possible to ensure opensips is
>> going to use the right one when multiple are set in tls_mgm?
>>
>> On Mon, May 10, 2021 at 04:41, Răzvan Crainea <[email protected]> wrote:
>>
>>> Hi, Miha!
>>>
>>> According to your logs, opensips is 100% sending the OPTIONS through
>>> tls, but I am not sure it is using the right certificate.
>>> You can try to set up sip trace and see the communication between
>>> opensips and MSTeams.
>>>
>>> Best regards,
>>>
>>> Răzvan Crainea
>>> OpenSIPS Core Developer
>>> http://www.opensips-solutions.com
>>>
>>> On 5/10/21 9:54 AM, Miha via Users wrote:
>>> > Hello
>>> >
>>> > I have used letsencrypt for generating certs for Opensips.
>>> >
>>> > Regarding configuration I have followed your configuration steps on
>>> > OpenSips blog.
>>> >
>>> > socket=udp:xxx.xxx.xxx.xxx:5060 # CUSTOMIZE ME
>>> > socket=tls:xxx.xxx.xxx.xxx:5061
>>> >
>>> > ### Proto TLS
>>> > loadmodule "proto_tls.so"
>>> > modparam("proto_tls", "tls_handshake_timeout", 300)
>>> > #### TLS module
>>> > loadmodule "tls_mgm.so"
>>> > #modparam("tls_mgm", "db_url", "mysql://root:xxxx@localhost/opensips")
>>> > modparam("tls_mgm", "client_sip_domain_avp", "mtsbcs.test.com")
>>> > modparam("tls_mgm", "server_domain", "mt")
>>> > #modparam("tls_mgm", "match_ip_address", "[mt]xxx.xxx.xxx.xxx:5061")
>>> > #modparam("tls_mgm", "match_sip_domain", "[mt]mtsbcs.test.com")
>>> > modparam("tls_mgm", "certificate", "[mt]/etc/letsencrypt/live/mtsbcs.test.com/cert.pem")
>>> > modparam("tls_mgm", "private_key", "[mt]/etc/letsencrypt/live/mtsbcs.test.com/privkey.pem")
>>> > modparam("tls_mgm", "ca_list", "[mt]/etc/ssl/certs/ca-certificates.crt")
>>> > modparam("tls_mgm", "ca_dir", "[mt]/etc/ssl/certs/")
>>> > modparam("tls_mgm","verify_cert", "[mt]1")
>>> > modparam("tls_mgm","require_cert", "[mt]1")
>>> > modparam("tls_mgm","tls_method", "[mt]TLSv1_2")
>>> > modparam("proto_tls", "tls_max_msg_chunks", 8)
>>> > #modparam("tls_mgm", "tls_handshake_timeout", 300)
>>> >
>>> > if(is_method("OPTIONS") && is_domain_local("$rd") && check_source_address(0)) {
>>> >     xlog("L_INFO", "[MS TEAMS] OPTIONS In");
>>> >     send_reply(200, "OK");
>>> >     exit;
>>> > }
>>> >
>>> > local_route {
>>> >     $var(dst) = "pstnhub.microsoft.com";
>>> >     xlog("L_INFO","promding TEST");
>>> >     xlog("TESTING");
>>> >     if (is_method("OPTIONS") && ($(ru{s.index, $var(dst)}) != NULL))
>>> >         append_hf("Contact: <sip:mtsbcs.test.com:5061;transport=tls>\r\n");
>>> >     xlog("L_INFO", "SEDING OPTIONS TO SBC");
>>> > }
>>> >
>>> > I think that the main issue is that OPENSIPS does not send encrypted
>>> > OPTION to MS teams.
>>> >
>>> > Logs:
>>> >
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:tm:t_uac: next_hop=<sip:sip.pstnhub.microsoft.com>
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:mk_proxy: doing DNS lookup...
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:sip_resolvehost: no port, has proto -> do SRV lookup!
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:do_srv_lookup: resolving [sip.pstnhub.microsoft.com]
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:do_srv_lookup: SRV(_sips._tcp.sip.pstnhub.microsoft.com) = sip.pstnhub.microsoft.com:5061
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:a2dns_node: storing sip2.pstnhub.microsoft.com:5061
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:a2dns_node: storing sip3.pstnhub.microsoft.com:5061
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:tm:t_uac: sending socket is 212.13.249.132
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:tm:print_request_uri: sip:sip.pstnhub.microsoft.com
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:tm:run_local_route: building sip_msg from buffer
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_msg: SIP Request:
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_msg: method: <OPTIONS>
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_msg: uri: <sip:sip.pstnhub.microsoft.com>
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_msg: version: <SIP/2.0>
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_headers: flags=ffffffffffffffff
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_via_param: found param type 232, <branch> = <z9hG4bK8d8a.3706b135.0>; state=16
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_via: end of header reached, state=5
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_headers: via found, flags=ffffffffffffffff
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_headers: this is the first via
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:_parse_to: end of header reached, state=9
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:_parse_to: display={}, ruri={sip:sip.pstnhub.microsoft.com}
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:get_hdr_field: <To> [31]; uri=[sip:sip.pstnhub.microsoft.com]
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:get_hdr_field: to body [sip:sip.pstnhub.microsoft.com#015#012]
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:get_hdr_field: cseq <CSeq>: <14> <OPTIONS>
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:get_hdr_field: content_length=0
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:get_hdr_field: found end of header
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_headers: flags=ffffffffffffffff
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_headers: flags=78
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_headers: flags=ffffffffffffffff
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:tm:run_local_route: Change in local route -> rebuilding buffer
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_headers: flags=2000
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:parse_headers: flags=ffffffffffffffff
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:extract_ftc_hdrs: flags = 15
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:extract_ftc_hdrs: hdr 2 extracted as <To: sip:sip.pstnhub.microsoft.com#015#012>
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:extract_ftc_hdrs: hdr 1 extracted as <From: <sip:prober@localhost>;tag=a665d66adab06c7308a33b8567de92d6-f627#015#012>
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:extract_ftc_hdrs: hdr 8 extracted as <Call-ID: [email protected]#015#012>
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:proto_tls:proto_tls_send: no open tcp connection found, opening new one
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:probe_max_sock_buff: getsockopt: snd is initially 16384
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:probe_max_sock_buff: using snd buffer of 416 kb
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.75.24
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:tcpconn_new: on port 5061, proto 3
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:proto_tls:tls_conn_init: Creating a whole new ssl connection
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:core:tcpconn_destroy: destroying connection 0x7f45d7e08078, flags 0018
>>> > May 10 08:53:10 mtsbc opensips[1020]: DBG:tm:insert_timer_unsafe: [0]: 0x7f45d7e066b0 (1625)
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:timer_routine: timer routine:0,tl=0x7f45d7e066b0 next=(nil), timeout=1625
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:final_response_handler: Cancel sent out, sending 408 (0x7f45d7e06460)
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:t_should_relay_response: T_code=0, new_code=408
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:t_pick_branch: picked branch 0, code 408 (prio=800)
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:is_3263_failure: dns-failover test: branch=0, last_recv=408, flags=0
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:t_should_relay_response: trying DNS-based failover
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:do_dns_failover: new destination available
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:parse_headers: flags=2000
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:build_req_buf_from_sip_req: id added: <;i=0>, rcv proto=3
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:parse_headers: flags=ffffffffffffffff
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:proto_tls:proto_tls_send: no open tcp connection found, opening new one
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:probe_max_sock_buff: getsockopt: snd is initially 16384
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:probe_max_sock_buff: using snd buffer of 416 kb
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.132.46
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:tcpconn_new: on port 5061, proto 3
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:proto_tls:tls_conn_init: Creating a whole new ssl connection
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:tcpconn_destroy: destroying connection 0x7f45d7e08078, flags 0018
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:proto_tls:proto_tls_send: no open tcp connection found, opening new one
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:probe_max_sock_buff: getsockopt: snd is initially 16384
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:probe_max_sock_buff: using snd buffer of 416 kb
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.14.70
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:tcpconn_new: on port 5061, proto 3
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:proto_tls:tls_conn_init: Creating a whole new ssl connection
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:core:tcpconn_destroy: destroying connection 0x7f45d7e08078, flags 0018
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:local_reply: branch=0, save=0, winner=0
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:local_reply: local transaction completed
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:run_trans_callbacks: trans=0x7f45d7e06460, callback type 256, id 0 entered
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:insert_timer_unsafe: [2]: 0x7f45d7e064e0 (1630)
>>> > May 10 08:53:15 mtsbc opensips[1020]: DBG:tm:final_response_handler: done
>>> >
>>> > Thank you
>>> > miha
>>> >
>>> > _______________________________________________
>>> > Users mailing list
>>> > [email protected]
>>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>> --
>> *Carlos E. Wagner*
>> *Telecommunications Technologist, Opensips Certified Professional*
>>
>> *Phone: +55 48 99981-0894*
>> *E-mail:* [email protected]
>> *LinkedIn:* https://www.linkedin.com/in/carlos-eduardo-wagner-96bbb433/
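
Added example (not part of the thread and not OpenSIPS project code): one way to apply the `client_sip_domain_avp` suggestion when several client certificates are defined in tls_mgm. The domain names, file paths, route names and the AVP name `tls_sip_dom` are placeholders, and the fragment assumes proto_tls, tls_mgm and tm are already loaded. Note that the quoted configuration passes a hostname to `client_sip_domain_avp` and defines only a `server_domain`; the parameter expects the name of an AVP, and outbound connections select among `client_domain` entries.

```opensips
# Added illustration; all names and paths below are placeholders.

# client_sip_domain_avp takes the NAME of an AVP, not a hostname.
modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")

# Client domain used when OpenSIPS connects out to Microsoft Teams.
modparam("tls_mgm", "client_domain", "teams")
modparam("tls_mgm", "match_sip_domain", "[teams]sbc.example.com")
modparam("tls_mgm", "certificate", "[teams]/etc/opensips/tls/teams/cert.pem")
modparam("tls_mgm", "private_key", "[teams]/etc/opensips/tls/teams/privkey.pem")
modparam("tls_mgm", "ca_list", "[teams]/etc/ssl/certs/ca-certificates.crt")
modparam("tls_mgm", "verify_cert", "[teams]1")
modparam("tls_mgm", "tls_method", "[teams]TLSv1_2")

# A second client domain with its own certificate for another peer.
modparam("tls_mgm", "client_domain", "carrier")
modparam("tls_mgm", "match_sip_domain", "[carrier]trunk.example.net")
modparam("tls_mgm", "certificate", "[carrier]/etc/opensips/tls/carrier/cert.pem")
modparam("tls_mgm", "private_key", "[carrier]/etc/opensips/tls/carrier/privkey.pem")
modparam("tls_mgm", "ca_list", "[carrier]/etc/ssl/certs/ca-certificates.crt")
modparam("tls_mgm", "verify_cert", "[carrier]1")
modparam("tls_mgm", "tls_method", "[carrier]TLSv1_2")

# Hypothetical routes: set the AVP before the request is sent so that
# tls_mgm matches it against the match_sip_domain filters above.
route[to_teams] {
    $avp(tls_sip_dom) = "sbc.example.com";
    t_relay();
}

route[to_carrier] {
    $avp(tls_sip_dom) = "trunk.example.net";
    t_relay();
}
```

A SIP trace of the outbound handshake, as suggested earlier in the thread, shows which certificate was actually presented.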
