Re: [OpenSIPS-Users] 3.2.0 TLS MGM module does not load 3.1.0 domain configuration

2021-08-12 Thread Vlad Patrascu

Hi Adrian,

The wolfSSL implementation does not support a TLS method range, such as 
"TLSv1-", so that could be one of the causes. What seems strange is that 
there is no warning message: "WARNING:tls_wolfssl:tls_get_method: 
wolfSSL does not support method range specification" which should be 
thrown in such cases.


Regards,

--
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 12.08.2021 20:12, Adrian Georgescu wrote:

Hi,

I am using the latest 3.2.0 build with the old TLS configuration, with the aim 
to try out Wolf SSL stack.

But while the config check passed, the server does not start with the old 
configuration:

loadmodule "tls_mgm.so"
loadmodule "tls_wolfssl.so"
modparam("tls_mgm", "client_tls_domain_avp", "tls_client_domain")
modparam("tls_mgm", "tls_library", "auto")

modparam("tls_mgm", "server_domain","ag-projects-server")
modparam("tls_mgm", "match_ip_address", "[ag-projects-server]*")
modparam("tls_mgm", "match_sip_domain", "[ag-projects-server]ag-projects.com")
modparam("tls_mgm", "tls_method",   "[ag-projects-server]TLSv1-")
modparam("tls_mgm", "certificate",  
"[ag-projects-server]/etc/opensips/tls/ag-projects.crt")
modparam("tls_mgm", "private_key",  
"[ag-projects-server]/etc/opensips/tls/ag-projects.key")
modparam("tls_mgm", "ca_list",  
"[ag-projects-server]/etc/opensips/tls/ca-list.pem")
modparam("tls_mgm", "ca_dir",   "[ag-projects-server]/etc/ssl/certs")
modparam("tls_mgm", "verify_cert",  "[ag-projects-server]1")
modparam("tls_mgm", "require_cert", "[ag-projects-server]0")

modparam("tls_mgm", "client_domain","ag-projects-client")
modparam("tls_mgm", "match_ip_address", "[ag-projects-client]*")
modparam("tls_mgm", "match_sip_domain", "[ag-projects-client]ag-projects.com")
modparam("tls_mgm", "tls_method",   "[ag-projects-client]TLSv1-")
modparam("tls_mgm", "certificate",  
"[ag-projects-client]/etc/opensips/tls/ag-projects.crt")
modparam("tls_mgm", "private_key",  
"[ag-projects-client]/etc/opensips/tls/ag-projects.key")
modparam("tls_mgm", "ca_list",  
"[ag-projects-client]/etc/opensips/tls/ca-list.pem")
modparam("tls_mgm", "ca_dir",   "[ag-projects-client]/etc/ssl/certs")
modparam("tls_mgm", "verify_cert",  "[ag-projects-client]1")
modparam("tls_mgm", "require_cert", "[ag-projects-client]0")


Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] 
DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm
Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] 
DBG:core:set_mod_param_regex: found  in module tls_mgm 
[/usr/lib/x86_64-linux-gnu/opensips/modules/]
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module 
tls_wolfssl
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module 
tls_openssl
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
DBG:core:solve_module_dependencies: module tls_mgm soft-depends on module 
tls_openssl, and it was not loaded -- continuing
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
DBG:core:solve_module_dependencies: solving dependency proto_tls -> module 
tls_mgm
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
DBG:core:init_mod: initializing module tls_mgm
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
INFO:tls_mgm:mod_init: initializing TLS management
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
DBG:tls_mgm:load_info: 0 rows found in tls_mgm
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
DBG:tls_mgm:load_info: 0 records found in tls_mgm
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
INFO:tls_mgm:init_tls_dom: Processing TLS domain 'ag-projects-server'
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
DBG:tls_mgm:init_tls_dom: no DH params file for tls domain 'ag-projects-server' 
defined, using default '(null)'
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
DBG:tls_mgm:init_tls_dom: cipher list null ... setting default
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'ag-projects-server'
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
ERROR:core:init_mod: failed to initialize module tls_mgm

Any ideas what am I doing wrong?

Adrian



___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
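
A pre-start check for the incompatibility Vlad describes above, as an added example that is not part of the original thread or of OpenSIPS: it scans a config for tls_mgm "tls_method" values written as a range while the wolfSSL backend is in use, which the built-in config check did not catch here. The function names are hypothetical, and two things are assumptions: a range is taken to be any method value containing "-", and with "auto" or no tls_library setting the backend is taken to be the only TLS library module loaded.

```python
import re

LOADMODULE_RE = re.compile(r'^\s*loadmodule\s+"([^"]+)"')
MODPARAM_RE = re.compile(
    r'^\s*modparam\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')
DOMAIN_VALUE_RE = re.compile(r'^\[([^\]]+)\](.*)$')

# TLS library modules named in the thread.
TLS_BACKENDS = {"tls_openssl.so": "openssl", "tls_wolfssl.so": "wolfssl"}

# Constructed sample: the failing setup from the thread, reduced to the
# lines that matter for this check.
SAMPLE_WOLFSSL = '''\
loadmodule "tls_mgm.so"
loadmodule "tls_wolfssl.so"
modparam("tls_mgm", "tls_library", "auto")
modparam("tls_mgm", "server_domain", "ag-projects-server")
modparam("tls_mgm", "tls_method", "[ag-projects-server]TLSv1-")
modparam("tls_mgm", "client_domain", "ag-projects-client")
modparam("tls_mgm", "tls_method", "[ag-projects-client]TLSv1-")
'''

# Constructed sample: both libraries loaded, OpenSSL selected explicitly.
SAMPLE_OPENSSL = '''\
loadmodule "tls_openssl.so"
loadmodule "tls_wolfssl.so"
loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "openssl")
# modparam("tls_mgm", "tls_library", "wolfssl")
modparam("tls_mgm", "tls_method", "[ag-projects-server]TLSv1-")
'''


def parse_cfg(text):
    """Collect loaded TLS backends, tls_library and all tls_method values."""
    loaded, library, methods = set(), None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive
        m = LOADMODULE_RE.match(line)
        if m:
            name = m.group(1).rsplit("/", 1)[-1]
            if name in TLS_BACKENDS:
                loaded.add(TLS_BACKENDS[name])
            continue
        m = MODPARAM_RE.match(line)
        if not m or m.group(1) != "tls_mgm":
            continue
        param, value = m.group(2), m.group(3)
        if param == "tls_library":
            library = value
        elif param == "tls_method":
            # Values look like "[domain-name]METHOD"; the domain name may
            # itself contain '-', so split it off before inspecting METHOD.
            d = DOMAIN_VALUE_RE.match(value)
            domain, method = (d.group(1), d.group(2)) if d else (None, value)
            methods.append((lineno, domain, method))
    return loaded, library, methods


def effective_backend(loaded, library):
    """Assumption: an explicit tls_library wins; otherwise the only loaded
    TLS library module is used. Anything else is undetermined (None)."""
    if library in ("openssl", "wolfssl"):
        return library
    if len(loaded) == 1:
        return next(iter(loaded))
    return None


def lint_tls_methods(text):
    """Return one finding per ranged tls_method not served by OpenSSL."""
    loaded, library, methods = parse_cfg(text)
    backend = effective_backend(loaded, library)
    findings = []
    for lineno, domain, method in methods:
        # Assumption: '-' in the method string marks a range ("TLSv1-").
        if "-" in method and backend != "openssl":
            findings.append({
                "line": lineno,
                "domain": domain,
                "method": method,
                "backend": backend or "undetermined",
            })
    return findings


if __name__ == "__main__":
    for f in lint_tls_methods(SAMPLE_WOLFSSL):
        print("line %(line)d: domain '%(domain)s' uses tls_method range "
              "'%(method)s' with backend %(backend)s" % f)
```

An undetermined backend is reported as well, so a config that loads both libraries and relies on "auto" is reviewed rather than silently passed.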




Re: [OpenSIPS-Users] 3.2.0 TLS MGM module does not load 3.1.0 domain configuration

2021-08-12 Thread Ovidiu Sas
I loaded both modules and I just switch between them via the
tls_library parameter and it loads ok:
loadmodule "tls_openssl.so"
loadmodule "tls_wolfssl.so"
loadmodule "tls_mgm.so"
  modparam("tls_mgm", "tls_library", "openssl")
# modparam("tls_mgm", "tls_library", "wolfssl")

I did not test with the latest opensips version ...
I also had some issues with the wolfssl library: is_peer_verified()
doesn't seem to work properly. Because of that I'm still using the
openssl library.

-ovidiu

On Thu, Aug 12, 2021 at 3:17 PM Adrian Georgescu  wrote:
>
> Hi Ovidiu,
>
> I set it up explicitly now but I get the same result, I tried different 
> domains or combination but any definition fails to load.
>
> Aug 12 21:10:30 live01 /usr/sbin/opensips[10920]: 
> ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'msteams-server'
> Aug 12 21:10:30 live01 /usr/sbin/opensips[10920]: ERROR:core:init_mod: failed 
> to initialize module tls_mgm
> Aug 12 21:10:30 live01 /usr/sbin/opensips[10920]: ERROR:core:main: error 
> while initializing modules
>
> loadmodule "tls_mgm.so"
> modparam("tls_mgm", "tls_library", "wolfssl")
>
> Regards,
> Adrian
>
> > On 12 Aug 2021, at 16:03, Ovidiu Sas  wrote:
> >
> > Hello Adrian,
> >
> > I managed to use wolfssl by forcing it:
> >  modparam("tls_mgm", "tls_library", "wolfssl")
> >
> > I haven't tested the auto mode ...
> >
> > -ovidiu
> >
> > On Thu, Aug 12, 2021 at 2:59 PM Adrian Georgescu  
> > wrote:
> >>
> >> After more digging I discovered that this behaviour does not happen when 
> >> loading tls_openssl module.
> >>
> >> tls_openssl loads fine this configuration but tls_wolfssl does not.
> >>
> >>> On 12 Aug 2021, at 14:12, Adrian Georgescu  wrote:
> >>>
> >>> Hi,
> >>>
> >>> I am using the latest 3.2.0 build with the old TLS configuration, with 
> >>> the aim to try out Wolf SSL stack.
> >>>
> >>> But while the config check passed, the server does not start with the old 
> >>> configuration:
> >>>
> >>> loadmodule "tls_mgm.so"
> >>> loadmodule "tls_wolfssl.so"
> >>> modparam("tls_mgm", "client_tls_domain_avp", "tls_client_domain")
> >>> modparam("tls_mgm", "tls_library", "auto")
> >>>
> >>> modparam("tls_mgm", "server_domain","ag-projects-server")
> >>> modparam("tls_mgm", "match_ip_address", "[ag-projects-server]*")
> >>> modparam("tls_mgm", "match_sip_domain", 
> >>> "[ag-projects-server]ag-projects.com")
> >>> modparam("tls_mgm", "tls_method",   "[ag-projects-server]TLSv1-")
> >>> modparam("tls_mgm", "certificate",  
> >>> "[ag-projects-server]/etc/opensips/tls/ag-projects.crt")
> >>> modparam("tls_mgm", "private_key",  
> >>> "[ag-projects-server]/etc/opensips/tls/ag-projects.key")
> >>> modparam("tls_mgm", "ca_list",  
> >>> "[ag-projects-server]/etc/opensips/tls/ca-list.pem")
> >>> modparam("tls_mgm", "ca_dir",   
> >>> "[ag-projects-server]/etc/ssl/certs")
> >>> modparam("tls_mgm", "verify_cert",  "[ag-projects-server]1")
> >>> modparam("tls_mgm", "require_cert", "[ag-projects-server]0")
> >>>
> >>> modparam("tls_mgm", "client_domain","ag-projects-client")
> >>> modparam("tls_mgm", "match_ip_address", "[ag-projects-client]*")
> >>> modparam("tls_mgm", "match_sip_domain", 
> >>> "[ag-projects-client]ag-projects.com")
> >>> modparam("tls_mgm", "tls_method",   "[ag-projects-client]TLSv1-")
> >>> modparam("tls_mgm", "certificate",  
> >>> "[ag-projects-client]/etc/opensips/tls/ag-projects.crt")
> >>> modparam("tls_mgm", "private_key",  
> >>> "[ag-projects-client]/etc/opensips/tls/ag-projects.key")
> >>> modparam("tls_mgm", "ca_list",  
> >>> "[ag-projects-client]/etc/opensips/tls/ca-list.pem")
> >>> modparam("tls_mgm", "ca_dir",   
> >>> "[ag-projects-client]/etc/ssl/certs")
> >>> modparam("tls_mgm", "verify_cert",  "[ag-projects-client]1")
> >>> modparam("tls_mgm", "require_cert", "[ag-projects-client]0")
> >>>
> >>>
> >>> Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] 
> >>> DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm
> >>> Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] 
> >>> DBG:core:set_mod_param_regex: found  in module tls_mgm 
> >>> [/usr/lib/x86_64-linux-gnu/opensips/modules/]
> >>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> >>> DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module 
> >>> tls_wolfssl
> >>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> >>> DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module 
> >>> tls_openssl
> >>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> >>> DBG:core:solve_module_dependencies: module tls_mgm soft-depends on module 
> >>> tls_openssl, and it was not loaded -- continuing
> >>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> >>> DBG:core:solve_module_dependencies: solving dependency proto_tls -> 
> >>> module tls_mgm
> >>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> >>> 

Re: [OpenSIPS-Users] 3.2.0 TLS MGM module does not load 3.1.0 domain configuration

2021-08-12 Thread Liviu Chircu

On 12.08.2021 22:17, Adrian Georgescu wrote:

I set it up explicitly now but I get the same result, I tried different domains 
or combination but any definition fails to load.


Hi gents,

IIRC (Vlad: please correct me if I'm wrong), this initial version of the 
tls_wolfssl module does not have full feature parity with tls_openssl, 
as it is currently only equipped to provide TLS communication for 
modules such as proto_tls and proto_wss.


So when it comes to configuring domains via tls_mgm on top of 
tls_wolfssl, the module MAY lack the required API function 
implementations, hence the errors you are getting.


PS: there seem to be some hints about the above in the module docs [1] 
as well.


[1]: https://opensips.org/docs/modules/3.2.x/tls_wolfssl.html#overview

Cheers,

--
Liviu Chircu
www.twitter.com/liviuchircu | www.opensips-solutions.com
OpenSIPS Summit 2021 Distributed | www.opensips.org/events




Re: [OpenSIPS-Users] 3.2.0 TLS MGM module does not load 3.1.0 domain configuration

2021-08-12 Thread Adrian Georgescu
Hi Ovidiu,

I set it up explicitly now but I get the same result, I tried different domains 
or combination but any definition fails to load.

Aug 12 21:10:30 live01 /usr/sbin/opensips[10920]: 
ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'msteams-server'
Aug 12 21:10:30 live01 /usr/sbin/opensips[10920]: ERROR:core:init_mod: failed 
to initialize module tls_mgm
Aug 12 21:10:30 live01 /usr/sbin/opensips[10920]: ERROR:core:main: error while 
initializing modules

loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "wolfssl")

Regards,
Adrian

> On 12 Aug 2021, at 16:03, Ovidiu Sas  wrote:
> 
> Hello Adrian,
> 
> I managed to use wolfssl by forcing it:
>  modparam("tls_mgm", "tls_library", "wolfssl")
> 
> I haven't tested the auto mode ...
> 
> -ovidiu
> 
> On Thu, Aug 12, 2021 at 2:59 PM Adrian Georgescu  wrote:
>> 
>> After more digging I discovered that this behaviour does not happen when 
>> loading tls_openssl module.
>> 
>> tls_openssl loads fine this configuration but tls_wolfssl does not.
>> 
>>> On 12 Aug 2021, at 14:12, Adrian Georgescu  wrote:
>>> 
>>> Hi,
>>> 
>>> I am using the latest 3.2.0 build with the old TLS configuration, with the 
>>> aim to try out Wolf SSL stack.
>>> 
>>> But while the config check passed, the server does not start with the old 
>>> configuration:
>>> 
>>> loadmodule "tls_mgm.so"
>>> loadmodule "tls_wolfssl.so"
>>> modparam("tls_mgm", "client_tls_domain_avp", "tls_client_domain")
>>> modparam("tls_mgm", "tls_library", "auto")
>>> 
>>> modparam("tls_mgm", "server_domain","ag-projects-server")
>>> modparam("tls_mgm", "match_ip_address", "[ag-projects-server]*")
>>> modparam("tls_mgm", "match_sip_domain", 
>>> "[ag-projects-server]ag-projects.com")
>>> modparam("tls_mgm", "tls_method",   "[ag-projects-server]TLSv1-")
>>> modparam("tls_mgm", "certificate",  
>>> "[ag-projects-server]/etc/opensips/tls/ag-projects.crt")
>>> modparam("tls_mgm", "private_key",  
>>> "[ag-projects-server]/etc/opensips/tls/ag-projects.key")
>>> modparam("tls_mgm", "ca_list",  
>>> "[ag-projects-server]/etc/opensips/tls/ca-list.pem")
>>> modparam("tls_mgm", "ca_dir",   
>>> "[ag-projects-server]/etc/ssl/certs")
>>> modparam("tls_mgm", "verify_cert",  "[ag-projects-server]1")
>>> modparam("tls_mgm", "require_cert", "[ag-projects-server]0")
>>> 
>>> modparam("tls_mgm", "client_domain","ag-projects-client")
>>> modparam("tls_mgm", "match_ip_address", "[ag-projects-client]*")
>>> modparam("tls_mgm", "match_sip_domain", 
>>> "[ag-projects-client]ag-projects.com")
>>> modparam("tls_mgm", "tls_method",   "[ag-projects-client]TLSv1-")
>>> modparam("tls_mgm", "certificate",  
>>> "[ag-projects-client]/etc/opensips/tls/ag-projects.crt")
>>> modparam("tls_mgm", "private_key",  
>>> "[ag-projects-client]/etc/opensips/tls/ag-projects.key")
>>> modparam("tls_mgm", "ca_list",  
>>> "[ag-projects-client]/etc/opensips/tls/ca-list.pem")
>>> modparam("tls_mgm", "ca_dir",   
>>> "[ag-projects-client]/etc/ssl/certs")
>>> modparam("tls_mgm", "verify_cert",  "[ag-projects-client]1")
>>> modparam("tls_mgm", "require_cert", "[ag-projects-client]0")
>>> 
>>> 
>>> Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] 
>>> DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm
>>> Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] 
>>> DBG:core:set_mod_param_regex: found  in module tls_mgm 
>>> [/usr/lib/x86_64-linux-gnu/opensips/modules/]
>>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
>>> DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module 
>>> tls_wolfssl
>>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
>>> DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module 
>>> tls_openssl
>>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
>>> DBG:core:solve_module_dependencies: module tls_mgm soft-depends on module 
>>> tls_openssl, and it was not loaded -- continuing
>>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
>>> DBG:core:solve_module_dependencies: solving dependency proto_tls -> module 
>>> tls_mgm
>>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
>>> DBG:core:init_mod: initializing module tls_mgm
>>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
>>> INFO:tls_mgm:mod_init: initializing TLS management
>>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
>>> DBG:tls_mgm:load_info: 0 rows found in tls_mgm
>>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
>>> DBG:tls_mgm:load_info: 0 records found in tls_mgm
>>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
>>> INFO:tls_mgm:init_tls_dom: Processing TLS domain 'ag-projects-server'
>>> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
>>> DBG:tls_mgm:init_tls_dom: no DH params file for tls domain 
>>> 'ag-projects-server' defined, using default '(null)'
>>> 

Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-12 Thread Liviu Chircu

On 12.08.2021 22:04, Adrian Georgescu wrote:


What can be the reason for this?

This exact issue seems to be the object of two identical GitHub issues: 
[1], [2].  Will take a look at this tomorrow and see if I can reproduce.


[1]: https://github.com/OpenSIPS/opensips/issues/2586
[2]: https://github.com/OpenSIPS/opensips/issues/2593

Cheers,

--
Liviu Chircu
www.twitter.com/liviuchircu | www.opensips-solutions.com
OpenSIPS Summit 2021 Distributed | www.opensips.org/events




Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-12 Thread Adrian Georgescu
After removing the ha1b column, I am now getting the following errors and 
authentication does not work:

Aug 12 20:51:59 live01 /usr/sbin/opensips[10064]: 
ERROR:db_mysql:db_mysql_store_result: driver error: Commands out of sync; you 
can't run this command now
Aug 12 20:51:59 live01 /usr/sbin/opensips[10064]: ERROR:auth_db:get_ha1: failed 
to query database
Aug 12 20:52:00 live01 /usr/sbin/opensips[10057]: 
ERROR:db_mysql:db_mysql_store_result: driver error: Commands out of sync; you 
can't run this command now
Aug 12 20:52:00 live01 /usr/sbin/opensips[10057]: ERROR:auth_db:get_ha1: failed 
to query database

auth_db module configuration:

modparam("auth_db", "calculate_ha1", 0)
modparam("auth_db", "password_column",   "ha1")
modparam("auth_db", "user_column",   "username")
modparam("auth_db", "domain_column", "domain")

What can be the reason for this?

Regards,
Adrian



> On 12 Aug 2021, at 13:04, Liviu Chircu  wrote:
> 
> On 12.08.2021 18:36, Adrian Georgescu wrote:
>> The auth_db module has some dramatic changes which are either undocumented 
>> or not backwards compatible and is unclear how to handle this.
>> 
>> https://opensips.org/docs/modules/3.1.x/auth_db.html#param_password_column_2
> 
> Hi Adrian,
> 
> Indeed, with the addition of RFC 8760 support (support for SHA-256 and 
> SHA-512-256 auth algorithms), me and Maksym Sobolyev decided to try and 
> remove the "ha1b" feature, originally designed to accommodate some broken SIP 
> UAs who cannot follow the basic SIP authentication spec.  The feature had 
> been in there since the very beginnings, and we were not sure if anyone is 
> really benefiting from it anymore nowadays.
> 
> A strong reason for removing "ha1b" was the sheer number of hashes to be 
> stored per subscriber.  Since we now have 3 algorithms (MD5, SHA-256, 
> SHA-512-256), there are 3 hash-columns to store.  With the "ha1b" feature, 
> there would be 2 x 3 = 6 hashes in total to store, per user.  So you can see 
> where this is going: "Can we get away with dropping ha1b and storing half the 
> data per user?" ... was the big question.
> 
> Still, we agreed that if there is still enough traction for the "ha1b" 
> feature from the community, we can easily re-add the ha1b logic and 3 more 
> columns to the table and backport everything to 3.2.  It's a trivial task, 
> frankly.
> 
> The big question is: on your platform(s), can you control the software in all 
> SIP UAs that incorrectly include "realm" information in the "username" field 
> (which should really be just the user's name!) and fix the problem on the 
> phone side?
> 
> PS: I noticed the 3.2 migration page is missing any info on ha1b.  Will get 
> it fixed soon, depending on the outcome of the discussion.
> 
> Best Regards,
> 
> -- 
> Liviu Chircu
> www.twitter.com/liviuchircu  | 
> www.opensips-solutions.com 
> OpenSIPS Summit 2021 Distributed | www.opensips.org/events 



Re: [OpenSIPS-Users] 3.2.0 TLS MGM module does not load 3.1.0 domain configuration

2021-08-12 Thread Ovidiu Sas
Hello Adrian,

I managed to use wolfssl by forcing it:
  modparam("tls_mgm", "tls_library", "wolfssl")

I haven't tested the auto mode ...

-ovidiu

On Thu, Aug 12, 2021 at 2:59 PM Adrian Georgescu  wrote:
>
> After more digging I discovered that this behaviour does not happen when 
> loading tls_openssl module.
>
> tls_openssl loads fine this configuration but tls_wolfssl does not.
>
> > On 12 Aug 2021, at 14:12, Adrian Georgescu  wrote:
> >
> > Hi,
> >
> > I am using the latest 3.2.0 build with the old TLS configuration, with the 
> > aim to try out Wolf SSL stack.
> >
> > But while the config check passed, the server does not start with the old 
> > configuration:
> >
> > loadmodule "tls_mgm.so"
> > loadmodule "tls_wolfssl.so"
> > modparam("tls_mgm", "client_tls_domain_avp", "tls_client_domain")
> > modparam("tls_mgm", "tls_library", "auto")
> >
> > modparam("tls_mgm", "server_domain","ag-projects-server")
> > modparam("tls_mgm", "match_ip_address", "[ag-projects-server]*")
> > modparam("tls_mgm", "match_sip_domain", 
> > "[ag-projects-server]ag-projects.com")
> > modparam("tls_mgm", "tls_method",   "[ag-projects-server]TLSv1-")
> > modparam("tls_mgm", "certificate",  
> > "[ag-projects-server]/etc/opensips/tls/ag-projects.crt")
> > modparam("tls_mgm", "private_key",  
> > "[ag-projects-server]/etc/opensips/tls/ag-projects.key")
> > modparam("tls_mgm", "ca_list",  
> > "[ag-projects-server]/etc/opensips/tls/ca-list.pem")
> > modparam("tls_mgm", "ca_dir",   
> > "[ag-projects-server]/etc/ssl/certs")
> > modparam("tls_mgm", "verify_cert",  "[ag-projects-server]1")
> > modparam("tls_mgm", "require_cert", "[ag-projects-server]0")
> >
> > modparam("tls_mgm", "client_domain","ag-projects-client")
> > modparam("tls_mgm", "match_ip_address", "[ag-projects-client]*")
> > modparam("tls_mgm", "match_sip_domain", 
> > "[ag-projects-client]ag-projects.com")
> > modparam("tls_mgm", "tls_method",   "[ag-projects-client]TLSv1-")
> > modparam("tls_mgm", "certificate",  
> > "[ag-projects-client]/etc/opensips/tls/ag-projects.crt")
> > modparam("tls_mgm", "private_key",  
> > "[ag-projects-client]/etc/opensips/tls/ag-projects.key")
> > modparam("tls_mgm", "ca_list",  
> > "[ag-projects-client]/etc/opensips/tls/ca-list.pem")
> > modparam("tls_mgm", "ca_dir",   
> > "[ag-projects-client]/etc/ssl/certs")
> > modparam("tls_mgm", "verify_cert",  "[ag-projects-client]1")
> > modparam("tls_mgm", "require_cert", "[ag-projects-client]0")
> >
> >
> > Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] 
> > DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm
> > Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] 
> > DBG:core:set_mod_param_regex: found  in module tls_mgm 
> > [/usr/lib/x86_64-linux-gnu/opensips/modules/]
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module 
> > tls_wolfssl
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module 
> > tls_openssl
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > DBG:core:solve_module_dependencies: module tls_mgm soft-depends on module 
> > tls_openssl, and it was not loaded -- continuing
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > DBG:core:solve_module_dependencies: solving dependency proto_tls -> module 
> > tls_mgm
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > DBG:core:init_mod: initializing module tls_mgm
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > INFO:tls_mgm:mod_init: initializing TLS management
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > DBG:tls_mgm:load_info: 0 rows found in tls_mgm
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > DBG:tls_mgm:load_info: 0 records found in tls_mgm
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > INFO:tls_mgm:init_tls_dom: Processing TLS domain 'ag-projects-server'
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > DBG:tls_mgm:init_tls_dom: no DH params file for tls domain 
> > 'ag-projects-server' defined, using default '(null)'
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > DBG:tls_mgm:init_tls_dom: cipher list null ... setting default
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 
> > 'ag-projects-server'
> > Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> > ERROR:core:init_mod: failed to initialize module tls_mgm
> >
> > Any ideas what am I doing wrong?
> >
> > Adrian
> >
> >
>
>
> 

Re: [OpenSIPS-Users] 3.2.0 TLS MGM module does not load 3.1.0 domain configuration

2021-08-12 Thread Adrian Georgescu
This line looks suspicious as I have not loaded or specified anywhere 
tls_openssl.

Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
DBG:core:solve_module_dependencies: module tls_mgm soft-depends on module 
tls_openssl, and it was not loaded -- continuing

Adrian


> On 12 Aug 2021, at 14:12, Adrian Georgescu  wrote:
> 
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> DBG:core:solve_module_dependencies: module tls_mgm soft-depends on module 
> tls_openssl, and it was not loaded -- continuing



Re: [OpenSIPS-Users] 3.2.0 TLS MGM module does not load 3.1.0 domain configuration

2021-08-12 Thread Adrian Georgescu
After more digging I discovered that this behaviour does not happen when 
loading tls_openssl module. 

tls_openssl loads fine this configuration but tls_wolfssl does not.

> On 12 Aug 2021, at 14:12, Adrian Georgescu  wrote:
> 
> Hi,
> 
> I am using the latest 3.2.0 build with the old TLS configuration, with the 
> aim to try out Wolf SSL stack.
> 
> But while the config check passed, the server does not start with the old 
> configuration:
> 
> loadmodule "tls_mgm.so"
> loadmodule "tls_wolfssl.so"
> modparam("tls_mgm", "client_tls_domain_avp", "tls_client_domain")
> modparam("tls_mgm", "tls_library", "auto")
> 
> modparam("tls_mgm", "server_domain","ag-projects-server")
> modparam("tls_mgm", "match_ip_address", "[ag-projects-server]*")
> modparam("tls_mgm", "match_sip_domain", "[ag-projects-server]ag-projects.com")
> modparam("tls_mgm", "tls_method",   "[ag-projects-server]TLSv1-")
> modparam("tls_mgm", "certificate",  
> "[ag-projects-server]/etc/opensips/tls/ag-projects.crt")
> modparam("tls_mgm", "private_key",  
> "[ag-projects-server]/etc/opensips/tls/ag-projects.key")
> modparam("tls_mgm", "ca_list",  
> "[ag-projects-server]/etc/opensips/tls/ca-list.pem")
> modparam("tls_mgm", "ca_dir",   "[ag-projects-server]/etc/ssl/certs")
> modparam("tls_mgm", "verify_cert",  "[ag-projects-server]1")
> modparam("tls_mgm", "require_cert", "[ag-projects-server]0")
> 
> modparam("tls_mgm", "client_domain","ag-projects-client")
> modparam("tls_mgm", "match_ip_address", "[ag-projects-client]*")
> modparam("tls_mgm", "match_sip_domain", "[ag-projects-client]ag-projects.com")
> modparam("tls_mgm", "tls_method",   "[ag-projects-client]TLSv1-")
> modparam("tls_mgm", "certificate",  
> "[ag-projects-client]/etc/opensips/tls/ag-projects.crt")
> modparam("tls_mgm", "private_key",  
> "[ag-projects-client]/etc/opensips/tls/ag-projects.key")
> modparam("tls_mgm", "ca_list",  
> "[ag-projects-client]/etc/opensips/tls/ca-list.pem")
> modparam("tls_mgm", "ca_dir",   "[ag-projects-client]/etc/ssl/certs")
> modparam("tls_mgm", "verify_cert",  "[ag-projects-client]1")
> modparam("tls_mgm", "require_cert", "[ag-projects-client]0")
> 
> 
> Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] 
> DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm
> Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] 
> DBG:core:set_mod_param_regex: found  in module tls_mgm 
> [/usr/lib/x86_64-linux-gnu/opensips/modules/]
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module 
> tls_wolfssl
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module 
> tls_openssl
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> DBG:core:solve_module_dependencies: module tls_mgm soft-depends on module 
> tls_openssl, and it was not loaded -- continuing
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> DBG:core:solve_module_dependencies: solving dependency proto_tls -> module 
> tls_mgm
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> DBG:core:init_mod: initializing module tls_mgm
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> INFO:tls_mgm:mod_init: initializing TLS management
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> DBG:tls_mgm:load_info: 0 rows found in tls_mgm
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> DBG:tls_mgm:load_info: 0 records found in tls_mgm
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> INFO:tls_mgm:init_tls_dom: Processing TLS domain 'ag-projects-server'
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> DBG:tls_mgm:init_tls_dom: no DH params file for tls domain 
> 'ag-projects-server' defined, using default '(null)'
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> DBG:tls_mgm:init_tls_dom: cipher list null ... setting default
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'ag-projects-server'
> Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] 
> ERROR:core:init_mod: failed to initialize module tls_mgm
> 
> Any ideas what am I doing wrong?
> 
> Adrian
> 
> 




[OpenSIPS-Users] 3.2.0 TLS MGM module does not load 3.1.0 domain configuration

2021-08-12 Thread Adrian Georgescu
Hi,

I am using the latest 3.2.0 build with the old TLS configuration, with the aim 
to try out Wolf SSL stack.

But while the config check passed, the server does not start with the old 
configuration:

loadmodule "tls_mgm.so"
loadmodule "tls_wolfssl.so"
modparam("tls_mgm", "client_tls_domain_avp", "tls_client_domain")
modparam("tls_mgm", "tls_library", "auto")

modparam("tls_mgm", "server_domain","ag-projects-server")
modparam("tls_mgm", "match_ip_address", "[ag-projects-server]*")
modparam("tls_mgm", "match_sip_domain", "[ag-projects-server]ag-projects.com")
modparam("tls_mgm", "tls_method",   "[ag-projects-server]TLSv1-")
modparam("tls_mgm", "certificate",  
"[ag-projects-server]/etc/opensips/tls/ag-projects.crt")
modparam("tls_mgm", "private_key",  
"[ag-projects-server]/etc/opensips/tls/ag-projects.key")
modparam("tls_mgm", "ca_list",  
"[ag-projects-server]/etc/opensips/tls/ca-list.pem")
modparam("tls_mgm", "ca_dir",   "[ag-projects-server]/etc/ssl/certs")
modparam("tls_mgm", "verify_cert",  "[ag-projects-server]1")
modparam("tls_mgm", "require_cert", "[ag-projects-server]0")

modparam("tls_mgm", "client_domain","ag-projects-client")
modparam("tls_mgm", "match_ip_address", "[ag-projects-client]*")
modparam("tls_mgm", "match_sip_domain", "[ag-projects-client]ag-projects.com")
modparam("tls_mgm", "tls_method",   "[ag-projects-client]TLSv1-")
modparam("tls_mgm", "certificate",  
"[ag-projects-client]/etc/opensips/tls/ag-projects.crt")
modparam("tls_mgm", "private_key",  
"[ag-projects-client]/etc/opensips/tls/ag-projects.key")
modparam("tls_mgm", "ca_list",  
"[ag-projects-client]/etc/opensips/tls/ca-list.pem")
modparam("tls_mgm", "ca_dir",   "[ag-projects-client]/etc/ssl/certs")
modparam("tls_mgm", "verify_cert",  "[ag-projects-client]1")
modparam("tls_mgm", "require_cert", "[ag-projects-client]0”)


Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm
Aug 12 18:51:14 live01 opensips[6455]: Aug 12 18:51:14 [6455] DBG:core:set_mod_param_regex: found  in module tls_mgm [/usr/lib/x86_64-linux-gnu/opensips/modules/]
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module tls_wolfssl
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] DBG:core:solve_module_dependencies: solving dependency tls_mgm -> module tls_openssl
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] DBG:core:solve_module_dependencies: module tls_mgm soft-depends on module tls_openssl, and it was not loaded -- continuing
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] DBG:core:solve_module_dependencies: solving dependency proto_tls -> module tls_mgm
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] DBG:core:init_mod: initializing module tls_mgm
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] INFO:tls_mgm:mod_init: initializing TLS management
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] DBG:tls_mgm:load_info: 0 rows found in tls_mgm
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] DBG:tls_mgm:load_info: 0 records found in tls_mgm
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] INFO:tls_mgm:init_tls_dom: Processing TLS domain 'ag-projects-server'
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] DBG:tls_mgm:init_tls_dom: no DH params file for tls domain 'ag-projects-server' defined, using default '(null)'
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] DBG:tls_mgm:init_tls_dom: cipher list null ... setting default
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'ag-projects-server'
Aug 12 18:51:15 live01 opensips[6455]: Aug 12 18:51:15 [6455] ERROR:core:init_mod: failed to initialize module tls_mgm

Any ideas what I am doing wrong?

Adrian





Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-12 Thread Liviu Chircu

On 12.08.2021 18:36, Adrian Georgescu wrote:
> The auth_db module has some dramatic changes which are either 
> undocumented or not backwards compatible, and it is unclear how to handle 
> this.
>
> https://opensips.org/docs/modules/3.1.x/auth_db.html#param_password_column_2



Hi Adrian,

Indeed, with the addition of RFC 8760 support (support for SHA-256 and 
SHA-512-256 auth algorithms), Maksym Sobolyev and I decided to try and 
remove the "ha1b" feature, originally designed to accommodate some 
broken SIP UAs that cannot follow the basic SIP authentication spec.  The 
feature had been in there since the very beginning, and we were not 
sure if anyone is really benefiting from it anymore nowadays.


A strong reason for removing "ha1b" was the sheer number of hashes to be 
stored per subscriber.  Since we now have 3 algorithms (MD5, SHA-256, 
SHA-512-256), there are 3 hash-columns to store.  With the "ha1b" 
feature, there would be 2 x 3 = 6 hashes in total to store, per user.  
So you can see where this is going: /"Can we get away with dropping ha1b 
and storing half the data per user?"/ ... was the big question.


Still, we agreed that if there is still enough traction for the "ha1b" 
feature from the community, we can easily re-add the ha1b logic and 3 
more columns to the table and backport everything to 3.2.  It's a 
trivial task, frankly.


The big question is: on your platform(s), can you control the software 
in all SIP UAs that incorrectly include "realm" information in the 
"username" field (which should really be just the *user's name*!) 
and fix the problem on the phone side?


PS: I noticed the 3.2 migration page is missing any info on ha1b.  Will 
get it fixed soon, depending on the outcome of the discussion.


Best Regards,

--
Liviu Chircu
www.twitter.com/liviuchircu | www.opensips-solutions.com
OpenSIPS Summit 2021 Distributed | www.opensips.org/events
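
The hash count discussed in the message above, as an added example that is not part of the original message or of OpenSIPS code: it builds the per-subscriber hashes for the three RFC 8760 algorithms, with and without the "ha1b" variant, and shows which stored hash validates a digest response from a UA that sends `user` versus `user@domain` as its username. It assumes realm equals the SIP domain and the usual `username@domain:realm:password` form of ha1b; the sample credentials are constructed.

```python
import hashlib
import hmac

# RFC 8760 algorithm names -> hashlib names (SHA-512-256 depends on the OpenSSL build).
ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256", "SHA-512-256": "sha512_256"}


def available_algorithms():
    """Algorithms this Python build can actually compute."""
    usable = []
    for name, hname in ALGORITHMS.items():
        try:
            hashlib.new(hname)
            usable.append(name)
        except ValueError:
            pass
    return usable


def _h(alg, text):
    return hashlib.new(ALGORITHMS[alg], text.encode("utf-8")).hexdigest()


def stored_hashes(user, domain, password, with_ha1b=False):
    """Per-algorithm hashes for one subscriber; realm == domain is an assumption."""
    row = {}
    for alg in available_algorithms():
        row[alg] = {"ha1": _h(alg, f"{user}:{domain}:{password}")}
        if with_ha1b:  # variant for UAs that send user@domain as the Digest username
            row[alg]["ha1b"] = _h(alg, f"{user}@{domain}:{domain}:{password}")
    return row


def ua_response(alg, digest_username, realm, password, nonce, method, uri):
    """Digest response (no qop) as computed by a UA using digest_username."""
    a1 = _h(alg, f"{digest_username}:{realm}:{password}")
    a2 = _h(alg, f"{method}:{uri}")
    return _h(alg, f"{a1}:{nonce}:{a2}")


def server_verify(alg, stored, nonce, method, uri, response):
    """Return which stored hash ('ha1' or 'ha1b') validates the response, else None."""
    a2 = _h(alg, f"{method}:{uri}")
    for label, a1 in stored.items():
        if hmac.compare_digest(_h(alg, f"{a1}:{nonce}:{a2}"), response):
            return label
    return None
```

Without the ha1b hashes stored, a response from a UA that uses `user@domain` as its Digest username matches nothing, which is the failure a deployment relying on `password_column_2` would see after the upgrade.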



[OpenSIPS-Users] auth_db module in 3.2.2

2021-08-12 Thread Adrian Georgescu
The auth_db module has some dramatic changes which are either undocumented or 
not backwards compatible, and it is unclear how to handle this.

https://opensips.org/docs/modules/3.1.x/auth_db.html#param_password_column_2 


Aug 12 17:34:10 [3179] CRITICAL:core:yyerror: parse error in /etc/opensips/opensips.cfg.tmp:1170:20-21: Parameter  not found in module  - can't set
Aug 12 17:34:10 [3179] modparam("auth_db", "calculate_ha1", 0)
Aug 12 17:34:10 [3179] modparam("auth_db", "password_column",   "ha1")
Aug 12 17:34:10 [3179] modparam("auth_db", "password_column_2", "ha1b")
Aug 12 17:34:10 [3179] ^~
Aug 12 17:34:10 [3179] modparam("auth_db", "user_column",   "username")
Aug 12 17:34:10 [3179] modparam("auth_db", "domain_column", "domain")
Aug 12 17:34:10 [3179] ERROR:core:parse_opensips_cfg: bad config file (1 errors)

The password_column_2 parameter has vanished in 3.2.2, and we relied heavily on its 
presence, as it contained a recalculated hash including the domain name.

How should we deal with this?

Regards,
Adrian
