Thanks very much Callum, seeing a working example with separate client/server tls_mgm rows really helped get us sorted.
I notice that you set verify_cert (and require_cert) to 0, is there any reason for that? I won't go into too much detail because it's probably worth another thread, but we're seeing problems with TLS calling when it's on; opensips doesn't like my 3CX instance that uses a Let's Encrypt cert.

Kind regards,
James

________________________________
From: Callum Guy <[email protected]>
Sent: 07 April 2023 14:43
To: James Nicholls <[email protected]>; OpenSIPS users mailing list <[email protected]>
Subject: Re: [OpenSIPS-Users] tls_mgm domain database configuration

Hi James,

It could certainly be clearer! Here's an extract from my script and some example inserts for a client and server record.

https://gist.github.com/spacetourist/788ea722901e81d355850842e2b17cda

INSERT INTO opensips_dev.tls_mgm (id, domain, match_ip_address, match_sip_domain, type, method, verify_cert, require_cert, certificate, private_key, crl_check_all, crl_dir, ca_list, ca_dir, cipher_list, dh_params, ec_curve)
VALUES (5, 'default', '*', '*', 1, 'TLSv1_2', 0, 0, 0x2D2D2D2D2D424547494E20434...2D2D2D2D0A, 0x2D2D2D2D2D424547494...B45592D2D2D2D2D0A, 0, null, null, null, 'EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH,!RSA,!SHA', 0x2D2D2D2D2D4245...D2D2D0A, 'secp384r1');

INSERT INTO opensips_dev.tls_mgm (id, domain, match_ip_address, match_sip_domain, type, method, verify_cert, require_cert, certificate, private_key, crl_check_all, crl_dir, ca_list, ca_dir, cipher_list, dh_params, ec_curve)
VALUES (15, 'default', '*', '*', 2, 'TLSv1_2', 0, 0, 0x2D2D2D2...D2D0A, 0x2D2D2D2D2...D2D2D0A, 0, null, null, null, 'EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH,!RSA,!SHA', 0x2D2D2D2D2D42454...2D0A, 'secp384r1');

Hope that helps get you moving!

Callum

On Fri, 7 Apr 2023 at 09:12, James Nicholls via Users <[email protected]> wrote:

Hi all,

I have an existing opensips 3.3.4 setup that uses modparam to set tls_mgm certificates with separate server_domain and client_domain entries. This works fine for registration and calling using TLS, but I want to be able to update certificates with tls_reload, so I'm trying to move them to the database instead.

The tls_mgm table schema added by opensips-cli has a domain and a type column. Does "type" mean client/server or is it something else? I have tried having separate entries for client/server certs, or combining them into one row, but I can't get it to work. Everything seems to result in "no TLS client domain found", as below.

Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f3c9f1b5e98
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: DBG:core:tcpconn_destroy: delaying (0x7f3c9f1b5e98, flags 0018) ref = -1 ...
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_send: async TCP connect failed
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:msg_send: send() to (PBX IP):5061 for proto tls/3 failed
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:t_forward_nonack: sending request failed

Example row in the tls_mgm table:

domain: (SIP branded hostname)
match_ip_address: (opensips IP):4003
match_sip_domain: *
type: 1
method: TLSv1_2-
verify_cert: 0
require_cert: 0
certificate: -----BEGIN CERTIFICATE----- [...]
private_key: -----BEGIN RSA PRIVATE KEY----- [...]
crl_check_all: 0
crl_dir: NULL
ca_list: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ca_dir: NULL
cipher_list: NULL
dh_params: NULL
ec_curve: NULL

Is there any documentation for adding certificates to the tls_mgm table? I haven't found anything in the 3.3.x docs; the only examples use modparam. Hopefully I have got something really obvious wrong.
Kind regards,
James Nicholls

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
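As an added illustration (not code from the thread, from Callum's gist, or from OpenSIPS), a small audit over constructed tls_mgm rows shaped like the ones above: it flags the missing client domain that produces "no TLS client domain found" and any domain with verify_cert=0, where the peer's certificate is accepted without validation. It assumes, from the tls_mgm module documentation rather than from this thread, that type 1 is a server domain and type 2 a client domain; the rows, ids and paths are constructed.

```python
# Added audit example for OpenSIPS tls_mgm rows (not from the thread or OpenSIPS).
# Assumption taken from the tls_mgm module docs, not stated in the thread:
#   type 1 = server domain (accepts TLS connections), type 2 = client domain (opens them).
# verify_cert=0 means the peer certificate is accepted unchecked: for a client domain
# that is the remote PBX's certificate, for a server domain the connecting client's.
SERVER, CLIENT = 1, 2
CA = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # constructed path

def row(id_, type_, verify_cert, require_cert, ca_list):
    """Build a minimal tls_mgm-style row (constructed, not a database dump)."""
    return {"id": id_, "domain": "default", "type": type_, "method": "TLSv1_2",
            "verify_cert": verify_cert, "require_cert": require_cert, "ca_list": ca_list}

# Constructed samples: the question's shape (server domain only) ...
ROWS_SERVER_ONLY = [row(1, SERVER, 0, 0, CA)]
# ... the answer's shape (server + client domain, verification off on both) ...
ROWS_WORKING = ROWS_SERVER_ONLY + [row(2, CLIENT, 0, 0, None)]
# ... and a hardened variant: both roles verify the peer against a CA bundle.
ROWS_HARDENED = [row(1, SERVER, 1, 1, CA), row(2, CLIENT, 1, 0, CA)]

def audit_tls_mgm(rows):
    """Return (row id or None, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    if not any(r["type"] == CLIENT for r in rows):
        findings.append((None, "no client domain (type 2): outbound TLS fails with "
                               "'no TLS client domain found'"))
    if not any(r["type"] == SERVER for r in rows):
        findings.append((None, "no server domain (type 1): nothing accepts TLS connections"))
    for r in rows:
        role, peer = ("client", "server") if r["type"] == CLIENT else ("server", "client")
        if r["verify_cert"] == 0:
            findings.append((r["id"], f"{role} domain accepts the {peer} certificate unverified"))
        elif not r["ca_list"]:
            findings.append((r["id"], f"{role} domain verifies certificates but ca_list is empty"))
        if role == "server" and r["verify_cert"] == 1 and r["require_cert"] == 0:
            findings.append((r["id"], "server domain verifies client certificates only when "
                                      "one is offered (require_cert=0)"))
    return findings

if __name__ == "__main__":
    for name, rows in [("server only", ROWS_SERVER_ONLY), ("working", ROWS_WORKING),
                       ("hardened", ROWS_HARDENED)]:
        print(name, audit_tls_mgm(rows) or "clean")
```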
