Hi Pratik, We managed to get it working with the following in the tls_mgm table (client then server):
+--------+------------------+------------------+------+----------+-------------+--------------+---------------+---------+-------------+-----------+----------+---------------------------------------------------+
| domain | match_ip_address | match_sip_domain | type | method   | verify_cert | require_cert | crl_check_all | crl_dir | cipher_list | dh_params | ec_curve | ca_list                                           |
+--------+------------------+------------------+------+----------+-------------+--------------+---------------+---------+-------------+-----------+----------+---------------------------------------------------+
| <fqdn> | *                | <fqdn>           |    1 | TLSv1_2- |           0 |            0 |             0 | NULL    | NULL        | NULL      | NULL     | /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem |
| <fqdn> | <sbc_ip>:4003    | <fqdn>,*.<fqdn>  |    2 | TLSv1_2- |           0 |            0 |             0 | NULL    | NULL        | NULL      | NULL     | /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem |
+--------+------------------+------------------+------+----------+-------------+--------------+---------------+---------+-------------+-----------+----------+---------------------------------------------------+

This works fine as is (replace <fqdn> and <sbc_ip> and add certificate/private_key) and TLS calling works, but it doesn't manage to verify certs properly if we set verify_cert=1.

Kind regards,
James

________________________________
From: Pratik Patel <[email protected]>
Sent: 07 April 2023 15:10
To: James Nicholls <[email protected]>; OpenSIPS users mailing list <[email protected]>
Subject: Re: [OpenSIPS-Users] tls_mgm domain database configuration

Hi James,

Can you please share what parameters you have configured for TLS in opensips 3.3? Because I am also facing the same issue for a wss connection. I have tried the same certificate in freeswitch and checked the WSS url in piesocket, and the connection was established. But when I configured the same certificate in opensips and checked in piesocket, the connection was not established. So if you share what you have configured, I will try the same on my side to solve my issue.
On Fri, Apr 7, 2023, 13:43 James Nicholls via Users <[email protected]> wrote:

Hi all,

I have an existing opensips 3.3.4 setup that uses modparam to set tls_mgm certificates with separate server_domain and client_domain entries. This works fine for registration and calling using TLS, but I want to be able to update certificates with tls_reload, so I'm trying to move them to the database instead.

The tls_mgm table schema added by opensips-cli has a domain and type column. Does "type" mean client/server or is it something else? I have tried having separate entries for client/server certs, or combining them into one row, but I can't get it to work. Everything seems to result in "no TLS client domain found" as below.

Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f3c9f1b5e98
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: DBG:core:tcpconn_destroy: delaying (0x7f3c9f1b5e98, flags 0018) ref = -1 ...
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:proto_tls:proto_tls_send: async TCP connect failed
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:msg_send: send() to (PBX IP):5061 for proto tls/3 failed
Apr 05 16:02:34 (hostname) /usr/sbin/opensips[22277]: ERROR:tm:t_forward_nonack: sending request failed

Example row in the tls_mgm table:

domain: (SIP branded hostname)
match_ip_address: (opensips IP):4003
match_sip_domain: *
type: 1
method: TLSv1_2-
verify_cert: 0
require_cert: 0
certificate: -----BEGIN CERTIFICATE----- [...]
private_key: -----BEGIN RSA PRIVATE KEY----- [...]
crl_check_all: 0
crl_dir: NULL
ca_list: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ca_dir: NULL
cipher_list: NULL
dh_params: NULL
ec_curve: NULL

Is there any documentation for adding certificates to the tls_mgm table? I haven't found anything in the 3.3.x docs; the only examples use modparam. Hopefully I have got something really obvious wrong.

Kind regards,
James Nicholls

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
