Hi all,

I have an existing opensips 3.3.4 setup that uses modparam to set tls_mgm
certificates with separate server_domain and client_domain entries. This works
fine for registration and calling using TLS but I want to be able to update
certificates with tls_reload so I'm trying to move them to the database instead.

The tls_mgm table schema added by opensips-cli has a domain and type column.
Does "type" mean client/server or is it something else? I have tried having
separate entries for client/server certs, or combining them into one row, but I
can't get it to work. Everything seems to result in "no TLS client domain
found" as below.

Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f3c9f1b5e98
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: DBG:core:tcpconn_destroy: delaying (0x7f3c9f1b5e98, flags 0018) ref = -1 ...
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_send: async TCP connect failed
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:msg_send: send() to (PBX IP):5061 for proto tls/3 failed
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:t_forward_nonack: sending request failed

Example row in the tls_mgm table:
domain: (SIP branded hostname)
match_ip_address: (opensips IP):4003
match_sip_domain: *
type: 1
method: TLSv1_2-
verify_cert: 0
require_cert: 0
certificate: -----BEGIN CERTIFICATE----- [...]
private_key: -----BEGIN RSA PRIVATE KEY----- [...]
crl_check_all: 0
crl_dir: NULL
ca_list: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ca_dir: NULL
cipher_list: NULL
dh_params: NULL
ec_curve: NULL

Is there any documentation for adding certificates to the tls_mgm table? I
haven't found anything in the 3.3.x docs; the only examples use modparam.
Hopefully I have got something really obvious wrong.

Kind regards,
James Nicholls