Yes, doing a wildcard for SIP/IP matching in the TLS domain definition is the correct approach if you plan to use only one certificate.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS eBootcamp
  https://www.opensips.org/Training/Bootcamp

On 2/10/22 1:09 PM, Alberto wrote:
I was confused because I use a wildcard cert, so I only have one cert for server/client and any possible subdomain. I don't need to match server/client requests to different certs.
So I ended up with this config and it seems to work fine.
Thanks

loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "wolfssl")

modparam("tls_mgm", "server_domain", "sd_1")
modparam("tls_mgm", "ca_list", "[sd_1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[sd_1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[sd_1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "require_cert", "[sd_1]0")
modparam("tls_mgm", "tls_method", "[sd_1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[sd_1]0")
modparam("tls_mgm", "match_sip_domain", "[sd_1]*")
modparam("tls_mgm", "match_ip_address", "[sd_1]*")

modparam("tls_mgm", "client_domain", "cd_1")
modparam("tls_mgm", "ca_list", "[cd_1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[cd_1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[cd_1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "require_cert", "[cd_1]0")
modparam("tls_mgm", "tls_method", "[cd_1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[cd_1]0")
modparam("tls_mgm", "match_sip_domain", "[cd_1]*")
modparam("tls_mgm", "match_ip_address", "[cd_1]*")


On Thu, 10 Feb 2022 at 07:59, Bogdan-Andrei Iancu <[email protected]> wrote:

    Hi Alberto,

    When OpenSIPS is about to create a new TLS connection, it has to
    know what TLS certificate (client) to use for it.

    There are 2 ways of indicating that:

    * use "match_ip_address" [1] to map the TLS client domain to some
    IPs you want to connect to via TLS

    * use "client_tls_domain_avp" [2] to manually select from script
    which TLS domain to be used - set the AVP before the t_relay() to
    the TLS destination.


    [1] https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_match_ip_address

    [2] https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_client_tls_domain_avp

    Best regards,

    Bogdan-Andrei Iancu

    OpenSIPS Founder and Developer
       https://www.opensips-solutions.com
    OpenSIPS eBootcamp
       https://www.opensips.org/Training/Bootcamp

    On 2/4/22 2:40 PM, Alberto wrote:
    Hi,
    I have a sip client connecting to opensips using tls, all
    requests are then routed to an asterisk server using mid_registrar.

    UDP to UDP and TCP to TCP work fine, but TLS doesn't.

    This is the error, but I'm having a hard time understanding it.

    Feb  4 12:29:32 [3406] //etc/opensips/opensips.cfg:453 Forward REGISTER for sip:[email protected]:5061 to 10.0.0.153:5061;transport=tls
    Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
    Feb  4 12:29:32 [3406] ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7ff9be1810f8
    Feb  4 12:29:32 [3406] ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket
    Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_send: async TCP connect failed
    Feb  4 12:29:32 [3406] ERROR:tm:msg_send: send() to 10.0.0.153:5061 for proto tls/3 failed
    Feb  4 12:29:32 [3406] ERROR:tm:t_forward_nonack: sending request failed
    Feb  4 12:29:32 [3406] ERROR:tm:w_t_relay: t_forward_nonack failed


    My configuration:
    #############
    loadmodule "mid_registrar.so"
    modparam("mid_registrar", "attr_avp", "$avp(avp_json)")
    modparam("mid_registrar", "max_contacts", 1)
    modparam("mid_registrar", "mode", 0)
    modparam("mid_registrar", "tcp_persistent_flag", "TCP_PERSIST_REGISTRATIONS")

    loadmodule "tls_mgm.so"
    modparam("tls_mgm", "tls_library", "wolfssl")
    modparam("tls_mgm", "server_domain", "dom1")
    modparam("tls_mgm", "ca_list", "[dom1]/etc/letsencrypt/fullchain.pem")
    modparam("tls_mgm", "certificate", "[dom1]/etc/letsencrypt/cert.pem")
    modparam("tls_mgm", "private_key", "[dom1]/etc/letsencrypt/privkey.pem")
    modparam("tls_mgm", "require_cert", "[dom1]0")
    modparam("tls_mgm", "tls_method", "[dom1]TLSv1-")
    modparam("tls_mgm", "verify_cert", "[dom1]0")

    loadmodule "proto_tls.so"

    ###############
    $ru = "sip:10.0.0.153:5061;transport=tls";
    setflag("TCP_PERSISTENT");
    route(relay);


    Thanks

    _______________________________________________
    Users mailing list
    [email protected]
    http://lists.opensips.org/cgi-bin/mailman/listinfo/users


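As an added illustration of the two outcomes in this thread (not OpenSIPS code and not from either poster), the script below reads tls_mgm modparam lines and answers the question proto_tls asks before an outbound TLS connect: is there a client domain whose match_ip_address covers the destination? The original config (server domain only) yields none, which is the "no TLS client domain found" error; the wildcard config yields cd_1. A third, constructed variant (cd_2, pinned to 10.0.0.153:5061 with verify_cert=1) shows the tighter alternative Bogdan's first option allows. The accepted entry forms ("*", "ip", "ip:port"), the audit rules and the name cd_2 are assumptions of this script, not a description of what tls_mgm itself parses.

```python
"""Offline checker for the tls_mgm domain layout discussed in the thread.
Added example, not OpenSIPS code. Entry forms "*", "ip" and "ip:port" and
the audit rules are assumptions of this script, not the tls_mgm source."""
import re
from typing import Dict, List, Optional

MODPARAM_RE = re.compile(r'modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)')
DOMAIN_PREFIX_RE = re.compile(r"^\[([^\]]+)\](.*)$")  # "[dom1]/path" -> dom1, /path

# Constructed samples based on the configs quoted in the thread.
ORIGINAL_CFG = """
modparam("tls_mgm", "tls_library", "wolfssl")
modparam("tls_mgm", "server_domain", "dom1")
modparam("tls_mgm", "certificate", "[dom1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[dom1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "verify_cert", "[dom1]0")
"""
WILDCARD_CFG = ORIGINAL_CFG + """
modparam("tls_mgm", "client_domain", "cd_1")
modparam("tls_mgm", "certificate", "[cd_1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[cd_1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "verify_cert", "[cd_1]0")
modparam("tls_mgm", "match_ip_address", "[cd_1]*")
"""
# Constructed alternative (hypothetical domain cd_2): bound to the single
# Asterisk peer, with the peer certificate checked against the CA list.
PINNED_CFG = ORIGINAL_CFG + """
modparam("tls_mgm", "client_domain", "cd_2")
modparam("tls_mgm", "ca_list", "[cd_2]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[cd_2]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[cd_2]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "verify_cert", "[cd_2]1")
modparam("tls_mgm", "match_ip_address", "[cd_2]10.0.0.153:5061")
"""


def parse_tls_domains(cfg: str) -> Dict[str, dict]:
    """Map domain name -> {"kind": "server"|"client", <param>: [values...]}."""
    domains: Dict[str, dict] = {}
    for line in cfg.splitlines():
        m = MODPARAM_RE.search(line)
        if not m:
            continue
        param, value = m.groups()
        if param in ("server_domain", "client_domain"):
            domains.setdefault(value, {})["kind"] = param.split("_")[0]
            continue
        pm = DOMAIN_PREFIX_RE.match(value)
        if pm:  # global params such as tls_library carry no [domain] prefix
            name, val = pm.groups()
            domains.setdefault(name, {"kind": "unknown"}).setdefault(param, []).append(val)
    return domains


def _entry_matches(entry: str, ip: str, port: int) -> bool:
    """Assumed match_ip_address entry forms: "*", "ip", "ip:port"."""
    entry = entry.strip()
    if entry == "*":
        return True
    host, _, eport = entry.partition(":")
    return host == ip and (eport in ("", "*") or int(eport) == port)


def select_client_domain(cfg: str, ip: str, port: int) -> Optional[str]:
    """First client domain whose match_ip_address covers ip:port, else None
    (the situation behind 'no TLS client domain found' in the thread)."""
    for name, dom in parse_tls_domains(cfg).items():
        if dom["kind"] == "client" and any(
            _entry_matches(e, ip, port) for e in dom.get("match_ip_address", [])
        ):
            return name
    return None


def audit(cfg: str, destinations: List[str]) -> List[str]:
    """Findings a defender wants before deploying: unreachable TLS peers and
    client domains that skip peer certificate verification."""
    findings: List[str] = []
    clients = {n: d for n, d in parse_tls_domains(cfg).items() if d["kind"] == "client"}
    if not clients:
        findings.append("no client_domain defined: every outbound TLS connect will fail")
    for dest in destinations:
        ip, _, port = dest.partition(":")
        if select_client_domain(cfg, ip, int(port)) is None:
            findings.append(f"{dest}: no client domain matches this destination")
    for name, dom in clients.items():
        if "0" in dom.get("verify_cert", []):
            findings.append(f"{name}: verify_cert=0, the peer's certificate is not verified")
    return findings


if __name__ == "__main__":
    for label, cfg in ("original", ORIGINAL_CFG), ("wildcard", WILDCARD_CFG), ("pinned", PINNED_CFG):
        print(label, "->", select_client_domain(cfg, "10.0.0.153", 5061), audit(cfg, ["10.0.0.153:5061"]))
```

Run it as-is and the original layout reports no client domain, the wildcard layout connects but is flagged for verify_cert=0, and the pinned layout produces no findings. The wildcard is the right answer when one certificate serves every peer, as Bogdan says; the audit line simply makes visible that with verify_cert=0 the remote end's certificate is not checked, which is worth a conscious decision rather than a default.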