I think there is no more default server domain concept (I think there used to 
be). So for the server side you have to define either match_ip_address [1] or 
match_sip_domain [2] in order for the incoming connection to be matched to the 
correct TLS domain.

It seems in this case you probably want something like:

modparam("tls_mgm", "match_ip_address", "[server]<server_ip>:TLS_PORT")

Also, it is not shown but I assume you have also configured a TLS socket 
listening on the port? [3]

socket = tls:<server_ip>:TLS_PORT

[1] https://opensips.org/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address
[2] https://opensips.org/docs/modules/3.4.x/tls_mgm.html#param_match_sip_domain
[3] https://www.opensips.org/Documentation/Script-CoreParameters-3-4#socket

Ben Newlin

From: Users <[email protected]> on behalf of Ihor Olkhovskyi 
<[email protected]>
Date: Friday, June 14, 2024 at 2:15 PM
To: [email protected] <[email protected]>
Subject: Re: [OpenSIPS-Users] SSL error

Hello,

I'll paste a working 3.4 config of TLS from my project, hope you can adopt this one.

loadmodule "proto_tls.so"
modparam("proto_tls", "tls_port", TLS_PORT)
modparam("proto_tls", "tls_handshake_timeout", 3000)
modparam("proto_tls", "tls_send_timeout", 3000)
modparam("proto_tls", "tls_async_local_connect_timeout", 3000)
modparam("proto_tls", "tls_async_handshake_timeout", 3000)
# WebSocket part
loadmodule "proto_wss.so"
modparam("proto_wss", "wss_handshake_timeout", 3000)
modparam("proto_wss", "wss_tls_handshake_timeout", 3000)
modparam("proto_wss", "require_origin", no)

loadmodule "tls_openssl.so"
loadmodule "tls_mgm.so"

modparam("tls_mgm", "client_domain", "client")
modparam("tls_mgm", "certificate", "[client]/etc/ssl/certs/ssl-cert-snakeoil.pem")
modparam("tls_mgm", "private_key", "[client]/etc/ssl/private/ssl-cert-snakeoil.key")
modparam("tls_mgm", "ca_list", "[client]/etc/ssl/certs/ca-certificates.crt")
modparam("tls_mgm", "verify_cert", "[client]0")
modparam("tls_mgm", "require_cert", "[client]0")

modparam("tls_mgm", "server_domain", "server")
modparam("tls_mgm", "certificate", "[server]/etc/ssl/certs/ssl-cert-snakeoil.pem")
modparam("tls_mgm", "private_key", "[server]/etc/ssl/private/ssl-cert-snakeoil.key")
modparam("tls_mgm", "ca_list", "[server]/etc/ssl/certs/ca-certificates.crt")
modparam("tls_mgm", "verify_cert", "[server]0")
modparam("tls_mgm", "require_cert", "[server]0")

On 13/06/2024 at 00:49, Pa Ka wrote:
Hello Team, sorry to bother you again. The OpenSIPS SSL certificates are not working on port 5061. I checked with an SSL checker and it returns "No SSL certificates were found on [server:5061]".
I'm using version 3.2.18 (it was the same issue with 3.4.5); the certificates are generated with Let's Encrypt.

This is the modparam

modparam("tls_mgm","tls_library", "openssl")
modparam("tls_mgm","server_domain", "dom")
modparam("tls_mgm","match_ip_address", "[dom]*")
modparam("tls_mgm","verify_cert", "[dom]1")
modparam("tls_mgm","require_cert", "[dom]1")
modparam("tls_mgm","tls_method", "[dom]-TLSv1_2")
modparam("tls_mgm","certificate", "[dom]/etc/opensips/tls/user/user-cert.pem")
modparam("tls_mgm","private_key", "[dom]/etc/opensips/tls/user/user-privkey.pem")
modparam("tls_mgm","ca_list", "[dom]/etc/opensips/tls/user/user-calist.pem")
modparam("tls_mgm", "require_cert", "1")
modparam("tls_mgm", "verify_cert", "1")


I tried this

modparam("tls_mgm","certificate", "[dom]/etc/letsencrypt/live/domain/fullchain.pem")
modparam("tls_mgm","private_key", "[dom]/etc/letsencrypt/live/domain/privkey.pem")
modparam("tls_mgm","ca_list", "[dom]/etc/letsencrypt/live/domain/chain.pem")

but it returns a permission error message and OpenSIPS couldn't start (even if I set the permissions of all files in /etc/letsencrypt to the opensips user and group as well).

Thank you. P.K
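A check for the permission error described in the message above, added here as an example and not code from the thread or from OpenSIPS: it walks every component of a certificate path, both as written and fully resolved, and reports which ones deny search or read access to a given uid/gid. This matters because certbot's live/ entries are symlinks into archive/ and both directories are created as mode 0700 owned by root, so chowning the files alone does not help. The uid/gid constants and the directory layout used in the test are assumptions.

```python
import os
import stat
from typing import List

# Assumed values (not from the thread): the uid/gid OpenSIPS runs as.
OPENSIPS_UID = 12345
OPENSIPS_GID = 12345


def _allows(st: os.stat_result, uid: int, gid: int, other_bit: int) -> bool:
    """Classic Unix mode-bit check: owner class, else group class, else other.
    `other_bit` is the 'other' bit to test (stat.S_IROTH or stat.S_IXOTH)."""
    if uid == 0:
        return True  # root is not restricted by mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & (other_bit << 6))
    if st.st_gid == gid:
        return bool(st.st_mode & (other_bit << 3))
    return bool(st.st_mode & other_bit)


def blocking_components(path: str, uid: int, gid: int) -> List[str]:
    """Return every path component that stops uid/gid from reading `path`.

    Ancestor directories need the search (x) bit, the file itself the read
    (r) bit. Both the path as given and its fully resolved form are walked,
    because certbot's live/<domain>/*.pem entries are symlinks into archive/
    and both live/ and archive/ are created as mode 0700 owned by root.
    An empty list means uid/gid can read the file.
    """
    blocked: List[str] = []
    for candidate in {os.path.abspath(path), os.path.realpath(path)}:
        current = os.sep
        for part in candidate.split(os.sep)[1:-1]:
            current = os.path.join(current, part)
            if not _allows(os.stat(current), uid, gid, stat.S_IXOTH):
                blocked.append(current)
        if not _allows(os.stat(candidate), uid, gid, stat.S_IROTH):
            blocked.append(candidate)
    return sorted(set(blocked))


if __name__ == "__main__":
    # The Let's Encrypt paths from the thread; "domain" stands in for the real name.
    for name in ("fullchain.pem", "privkey.pem", "chain.pem"):
        p = f"/etc/letsencrypt/live/domain/{name}"
        if os.path.exists(p):
            print(p, blocking_components(p, OPENSIPS_UID, OPENSIPS_GID) or "readable")
```

The usual fix is to give the opensips group search access on the two directories and read access on the key (e.g. chgrp plus 0750 on the directories and 0640 on the key) rather than making a private key world-readable.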



_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users