[OpenSIPS-Users] registrar and mid_registrar modules

2022-02-10 Thread Alberto
Hi,

I followed pretty much the available tutorials for mid_registrar, but I
can't figure out something:

I have:

loadmodule "registrar.so"
modparam("registrar", "attr_avp", "$avp(avp_json)")
modparam("registrar", "max_contacts", 1)
modparam("registrar", "tcp_persistent_flag", "TCP_PERSIST_DURATION")

loadmodule "mid_registrar.so"
modparam("mid_registrar", "attr_avp", "$avp(avp_json)")
modparam("mid_registrar", "max_contacts", 1)
modparam("mid_registrar", "mode", 0)
modparam("mid_registrar", "tcp_persistent_flag", "TCP_PERSIST_REGISTRATIONS")

and then:

  if (is_method("REGISTER")) {
    $json(x) := "{}";

    python_exec("fn_lookup_account", "$rd|$socket_in(proto)");

    $avp(avp_json) = $json_compact(x);
    mid_registrar_save("location");
    switch ($retcode) {
      case 1:
        $du = $json(x/remote_dest);
        $ru = $json(x/remote_uri);
        route(relay);
        break;
      case 2:
        xlog("L_INFO", "Absorb REGISTER!\n");
        break;
      default:
        xlog("L_INFO", "Failed to save registration!\n");
        break;
    }

    exit;
  }


I do this because I want to store some configuration in the attr column
that I don't want to retrieve every call.

However, the mid_registrar example then continues with
mid_registrar_lookup, and that works fine for calls originating from the
main registrar going to the uac.
But when the uac starts a call, how do I validate the uac was previously
registered?

I tried with this below, but lookup doesn't work in this scenario.

if (mid_registrar_lookup("location")) {
  $json(x) := $avp(avp_json);
  xlog("L_INFO", "$C(cs)$cfg_file:$cfg_line$C(xx) [$rm] Found mid_registrar_lookup from $si:$sp to $ru\n");
} else if (lookup("location")) {
  $json(x) := $avp(avp_json);
  xlog("L_INFO", "$C(cs)$cfg_file:$cfg_line$C(xx) [$rm] Found lookup from $si:$sp to $ru\n");
} else {
  t_reply(404, "Not Found");
  exit;
}


Thanks
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


Re: [OpenSIPS-Users] Cannot change Contact header URI in 200 OK reply to MS Teams to be FQDN instead of IP address with topology_hiding and rtpengine

2022-02-10 Thread Ovidiu Sas
The MS OpenSIPS tutorial doesn't mention topology_hiding. If you
follow the tutorial, you will be able to set up OpenSIPS to connect to
MS.
If you want to use topology_hiding, then you need to take a different
approach because there will be no Route/Record-Route headers to adjust
(that's one of the points of topology hiding). With topology hiding,
you can simply set the FQDN as advertised on the tls socket and
everything should work out of the box.

-ovidiu

On Thu, Feb 10, 2022 at 3:26 AM Peter Draganov wrote:
>
> I am new to OpenSIPS and I am trying to configure it as SBC between MS Teams 
> (with TLS connection) and a FreePBX/Asterisk server (with UDP connection) 
> with a private IP address.
>
> In order for MS Teams to send the ACK to 200 OK reply through the same TLS 
> connection it used to send INVITE request I have to configure OpenSIPS to 
> send Contact header with URI containing its FQDN instead of its IP address. 
> Unfortunately topology_hiding module sets IP address, so MS Teams tries to 
> create a new TLS connection and most probably refuses the certificate, 
> because it contains FQDN, not IP address.
>
> I tried several approaches with configuring OpenSIPS:
>
> -  changed socket to be with FQDN and alias with IP address – 
> topology hiding still sets IP address in Contact header
>
> -  tried to add manually second contact header – it was not 
> recognized by MS Teams (it still used the first one and tries to create a new 
> TLS connection) and I could not add thinfo parameter, needed by 
> topology_hiding module
>
>
>
> Is there another module in OpenSIPS which allows modifying Contact URI only 
> of a reply?
>
>
>
>
>
> Also I think that I have to add record-route header in my 200 OK reply, 
> according to OpenSIP how-to:
>
> UPDATE: Starting from 01.07.2020 Microsoft requires Route headers with 
> SBC_FQDN in SIP replies too. Instead of simple record_route() for SIP request 
> from MS servers OpenSIPS should add FQDN, but in different order:
>
> record_route_preset("LAN_IP:5060", "SBC_FQDN:5061;transport=tls");
>
> add_rr_param(";r2=on");
>
> I tried to add it in the main route script before calling topology_hiding() 
> in order for it to be restored on replies, but this didn’t work:
>
> record_route_preset("sbc.tbgit.com:5067;transport=tls");
>
> I noticed that topology_hiding creates a branch, so I tried to add the same 
> record_route_preset in the branch_route also, but this didn’t help – I just 
> receive:
>
> ERROR:rr:w_record_route_preset: Double attempt to record-route
>
>
>
> Any help is welcome.
>
>
>
> Peter
>
>
>
> Data Classification: Confidential
>



-- 
VoIP Embedded, Inc.
http://www.voipembedded.com



Re: [OpenSIPS-Users] mid_registrar TLS

2022-02-10 Thread Bogdan-Andrei Iancu
Yes, doing a wildcard for SIP/IP matching in the TLS domain definition 
is the correct approach if you plan to use only one certificate.


Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS eBootcamp
  https://www.opensips.org/Training/Bootcamp

On 2/10/22 1:09 PM, Alberto wrote:
I was confused because I use a wildcard cert, so I only have one cert 
for server/client and any possible subdomain. I don't need to match 
server/client requests to different certs.

So I ended up with this config and it seems to work fine.
Thanks

loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "wolfssl")

modparam("tls_mgm", "server_domain", "sd_1")
modparam("tls_mgm", "ca_list", "[sd_1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[sd_1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[sd_1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "require_cert", "[sd_1]0")
modparam("tls_mgm", "tls_method", "[sd_1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[sd_1]0")
modparam("tls_mgm", "match_sip_domain", "[sd_1]*")
modparam("tls_mgm", "match_ip_address", "[sd_1]*")

modparam("tls_mgm", "client_domain", "cd_1")
modparam("tls_mgm", "ca_list", "[cd_1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[cd_1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[cd_1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "require_cert", "[cd_1]0")
modparam("tls_mgm", "tls_method", "[cd_1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[cd_1]0")
modparam("tls_mgm", "match_sip_domain", "[cd_1]*")
modparam("tls_mgm", "match_ip_address", "[cd_1]*")


On Thu, 10 Feb 2022 at 07:59, Bogdan-Andrei Iancu wrote:


Hi Alberto,

When OpenSIPS is about to create a new TLS connection, it has to
know what TLS certificate (client) to use for it.

There are 2 ways of indicating that:

* use "match_ip_address" [1] to map the TLS client domain to some
IPs you want to connect to via TLS

* use "client_tls_domain_avp" [2] to manually select from script
which TLS domain to be used - set the AVP before the t_relay() to
the TLS destination.


[1] https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_match_ip_address

[2] https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_client_tls_domain_avp


Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com  
OpenSIPS eBootcamp
   https://www.opensips.org/Training/Bootcamp  


On 2/4/22 2:40 PM, Alberto wrote:

Hi,
I have a sip client connecting to opensips using tls, all
requests are then routed to an asterisk server using mid_registrar.

UDP to UDP and TCP to TCP work fine, but TLS doesn't.

This is the error, but I'm having a hard time understanding it.

Feb  4 12:29:32 [3406] //etc/opensips/opensips.cfg:453 Forward REGISTER for sip:tls-1001@10.0.0.252:5061 to 10.0.0.153:5061;transport=tls
Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
Feb  4 12:29:32 [3406] ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7ff9be1810f8
Feb  4 12:29:32 [3406] ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket
Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_send: async TCP connect failed
Feb  4 12:29:32 [3406] ERROR:tm:msg_send: send() to 10.0.0.153:5061 for proto tls/3 failed
Feb  4 12:29:32 [3406] ERROR:tm:t_forward_nonack: sending request failed
Feb  4 12:29:32 [3406] ERROR:tm:w_t_relay: t_forward_nonack failed


My configuration:
#
loadmodule "mid_registrar.so"
modparam("mid_registrar", "attr_avp", "$avp(avp_json)")
modparam("mid_registrar", "max_contacts", 1)
modparam("mid_registrar", "mode", 0)
modparam("mid_registrar", "tcp_persistent_flag", "TCP_PERSIST_REGISTRATIONS")

loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "wolfssl")
modparam("tls_mgm", "server_domain", "dom1")
modparam("tls_mgm", "ca_list", "[dom1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[dom1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[dom1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "require_cert", "[dom1]0")
modparam("tls_mgm", "tls_method", "[dom1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[dom1]0")

loadmodule "proto_tls.so"

###
$ru = "sip:10.0.0.153:5061;transport=tls";
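
Added example (not part of the thread and not OpenSIPS project code): a small Python check that parses the tls_mgm modparam lines posted in this thread and reports the condition behind the "no TLS client domain found" error, a client domain with verify_cert set to 0, and a tls_method range that starts at TLSv1. The function names and finding codes are hypothetical, and reading "TLSv1-" as "TLS 1.0 and newer" is an assumption.

```python
import re

# modparam("tls_mgm", "<param>", "<value>"); \s* also absorbs mail line-wrapping.
MODPARAM = re.compile(r'modparam\(\s*"tls_mgm"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')
SCOPED = re.compile(r"^\[([^\]]+)\](.*)$")  # "[domain]value"

# Excerpt of the first configuration posted in the thread (server domain only).
ORIGINAL_CFG = '''
modparam("tls_mgm", "server_domain", "dom1")
modparam("tls_mgm", "ca_list",
"[dom1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "tls_method", "[dom1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[dom1]0")
'''

# Excerpt of the configuration the poster ended up with.
FINAL_CFG = '''
modparam("tls_mgm", "server_domain", "sd_1")
modparam("tls_mgm", "verify_cert", "[sd_1]0")
modparam("tls_mgm", "tls_method", "[sd_1]TLSv1-")
modparam("tls_mgm", "match_ip_address", "[sd_1]*")
modparam("tls_mgm", "client_domain", "cd_1")
modparam("tls_mgm", "verify_cert", "[cd_1]0")
modparam("tls_mgm", "tls_method", "[cd_1]TLSv1-")
modparam("tls_mgm", "match_ip_address", "[cd_1]*")
'''


def parse_tls_domains(cfg_text):
    """Group tls_mgm parameters by TLS domain name."""
    domains = {}
    for param, value in MODPARAM.findall(cfg_text):
        if param in ("server_domain", "client_domain"):
            domains.setdefault(value, {})["role"] = param.split("_")[0]
            continue
        scoped = SCOPED.match(value)
        if scoped:  # unscoped values such as tls_library are module-wide
            domains.setdefault(scoped.group(1), {})[param] = scoped.group(2)
    return domains


def audit(cfg_text):
    """Return sorted (domain, finding_code) tuples for one configuration."""
    domains = parse_tls_domains(cfg_text)
    findings = []
    if not any(d.get("role") == "client" for d in domains.values()):
        # No client domain at all, as in the first configuration, whose log
        # shows "proto_tls_conn_init: no TLS client domain found".
        findings.append(("*", "NO_CLIENT_DOMAIN"))
    for name, d in domains.items():
        # Assumption: "TLSv1-" is an open range whose lower bound is TLS 1.0.
        if "tls_method" in d and d["tls_method"].split("-")[0] in ("", "TLSv1"):
            findings.append((name, "LEGACY_TLS"))
        if d.get("role") == "client" and d.get("verify_cert") == "0":
            # Outbound leg: the remote server's certificate is not validated.
            wide = d.get("match_ip_address") == "*"
            findings.append(
                (name, "CLIENT_NO_VERIFY_ANY_PEER" if wide else "CLIENT_NO_VERIFY")
            )
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("final", FINAL_CFG)):
        print(label, audit(cfg))
```
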

Re: [OpenSIPS-Users] mid_registrar TLS

2022-02-10 Thread Alberto
I was confused because I use a wildcard cert, so I only have one cert for
server/client and any possible subdomain. I don't need to match
server/client requests to different certs.
So I ended up with this config and it seems to work fine.
Thanks

loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "wolfssl")

modparam("tls_mgm", "server_domain", "sd_1")
modparam("tls_mgm", "ca_list", "[sd_1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[sd_1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[sd_1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "require_cert", "[sd_1]0")
modparam("tls_mgm", "tls_method", "[sd_1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[sd_1]0")
modparam("tls_mgm", "match_sip_domain", "[sd_1]*")
modparam("tls_mgm", "match_ip_address", "[sd_1]*")

modparam("tls_mgm", "client_domain", "cd_1")
modparam("tls_mgm", "ca_list", "[cd_1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[cd_1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[cd_1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "require_cert", "[cd_1]0")
modparam("tls_mgm", "tls_method", "[cd_1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[cd_1]0")
modparam("tls_mgm", "match_sip_domain", "[cd_1]*")
modparam("tls_mgm", "match_ip_address", "[cd_1]*")


On Thu, 10 Feb 2022 at 07:59, Bogdan-Andrei Iancu wrote:

> Hi Alberto,
>
> When OpenSIPS is about to create a new TLS connection, it has to know
> what TLS certificate (client) to use for it.
>
> There are 2 ways of indicating that:
>
> * use "match_ip_address" [1] to map the TLS client domain to some IPs you
> want to connect to via TLS
>
> * use "client_tls_domain_avp" [2] to manually select from script which TLS
> domain to be used - set the AVP before the t_relay() to the TLS destination.
>
>
> [1]
> https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_match_ip_address
>
> [2]
> https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_client_tls_domain_avp
>
> Best regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>   https://www.opensips-solutions.com
> OpenSIPS eBootcamp
>   https://www.opensips.org/Training/Bootcamp
>
> On 2/4/22 2:40 PM, Alberto wrote:
>
> Hi,
> I have a sip client connecting to opensips using tls, all requests are
> then routed to an asterisk server using mid_registrar.
>
> UDP to UDP and TCP to TCP work fine, but TLS doesn't.
>
> This is the error, but I'm having a hard time understanding it.
>
> Feb  4 12:29:32 [3406] //etc/opensips/opensips.cfg:453 Forward REGISTER
> for sip:tls-1001@10.0.0.252:5061 to 10.0.0.153:5061;transport=tls
> Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_conn_init: no TLS client
> domain found
> Feb  4 12:29:32 [3406] ERROR:core:tcp_conn_create: failed to do proto 3
> specific init for conn 0x7ff9be1810f8
> Feb  4 12:29:32 [3406] ERROR:core:tcp_async_connect: tcp_conn_create
> failed, closing the socket
> Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_send: async TCP connect
> failed
> Feb  4 12:29:32 [3406] ERROR:tm:msg_send: send() to 10.0.0.153:5061 for
> proto tls/3 failed
> Feb  4 12:29:32 [3406] ERROR:tm:t_forward_nonack: sending request failed
> Feb  4 12:29:32 [3406] ERROR:tm:w_t_relay: t_forward_nonack failed
>
>
> My configuration:
> #
> loadmodule "mid_registrar.so"
> modparam("mid_registrar", "attr_avp", "$avp(avp_json)")
> modparam("mid_registrar", "max_contacts", 1)
> modparam("mid_registrar", "mode", 0)
> modparam("mid_registrar", "tcp_persistent_flag",
> "TCP_PERSIST_REGISTRATIONS")
>
> loadmodule "tls_mgm.so"
> modparam("tls_mgm", "tls_library", "wolfssl")
> modparam("tls_mgm", "server_domain", "dom1")
> modparam("tls_mgm", "ca_list", "[dom1]/etc/letsencrypt/fullchain.pem")
> modparam("tls_mgm", "certificate", "[dom1]/etc/letsencrypt/cert.pem")
> modparam("tls_mgm", "private_key", "[dom1]/etc/letsencrypt/privkey.pem")
> modparam("tls_mgm", "require_cert", "[dom1]0")
> modparam("tls_mgm", "tls_method", "[dom1]TLSv1-")
> modparam("tls_mgm", "verify_cert", "[dom1]0")
>
> loadmodule "proto_tls.so"
>
> ###
> $ru = "sip:10.0.0.153:5061;transport=tls";
> setflag("TCP_PERSISTENT");
> route(relay);
>
>
> Thanks
>
>
>
>


[OpenSIPS-Users] Cannot change Contact header URI in 200 OK reply to MS Teams to be FQDN instead of IP address with topology_hiding and rtpengine

2022-02-10 Thread Peter Draganov
I am new to OpenSIPS and I am trying to configure it as SBC between MS Teams 
(with TLS connection) and a FreePBX/Asterisk server (with UDP connection) with 
a private IP address.
In order for MS Teams to send the ACK to 200 OK reply through the same TLS 
connection it used to send INVITE request I have to configure OpenSIPS to send 
Contact header with URI containing its FQDN instead of its IP address. 
Unfortunately topology_hiding module sets IP address, so MS Teams tries to 
create a new TLS connection and most probably refuses the certificate, because 
it contains FQDN, not IP address.
I tried several approaches with configuring OpenSIPS:

-  changed socket to be with FQDN and alias with IP address - topology 
hiding still sets IP address in Contact header

-  tried to add manually second contact header - it was not recognized 
by MS Teams (it still used the first one and tries to create a new TLS 
connection) and I could not add thinfo parameter, needed by topology_hiding 
module

Is there another module in OpenSIPS which allows modifying Contact URI only of 
a reply?


Also I think that I have to add record-route header in my 200 OK reply, 
according to OpenSIP how-to:

UPDATE: Starting from 01.07.2020 Microsoft requires Route headers with SBC_FQDN 
in SIP replies too. Instead of simple record_route() for SIP request from MS 
servers OpenSIPS should add FQDN, but in different order:

record_route_preset("LAN_IP:5060", "SBC_FQDN:5061;transport=tls");

add_rr_param(";r2=on");

I tried to add it in the main route script before calling topology_hiding() in 
order for it to be restored on replies, but this didn't work:

record_route_preset("sbc.tbgit.com:5067;transport=tls");

I noticed that topology_hiding creates a branch, so I tried to add the same 
record_route_preset in the branch_route also, but this didn't help - I just 
receive:

ERROR:rr:w_record_route_preset: Double attempt to record-route

Any help is welcome.

Peter


Data Classification: Confidential



Re: [OpenSIPS-Users] WARNING:drouting:dr_recv_sync_packet errors after dr_reload

2022-02-10 Thread Bogdan-Andrei Iancu

Hi Kingsley,

I suspect that the 2 instances of OpenSIPS (part of your cluster) do not 
have the same set of DR data (same gateways or carriers). And when the 
DR data (status of gws and carriers) is sync'ed from one node to the 
other, the receiving node will generate those warnings when trying to 
update the status of a GW/Carrier it does not have.


Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS eBootcamp
  https://www.opensips.org/Training/Bootcamp

On 2/5/22 3:10 PM, Kingsley Tart wrote:

Hi,

When I do a dr_reload it seems to work OK but I get lots of warnings 
in the logs. For example, I did dr_reload on node 3. Node 4 logged this:


Feb  5 12:58:33 ipx-d /usr/sbin/opensips[428]: 
INFO:clusterer:handle_sync_request: Received sync request for capability 
'drouting-status-repl' from node 3, cluster 1
Feb  5 12:58:33 ipx-d /usr/sbin/opensips[428]: INFO:clusterer:send_sync_repl: 
Sent all sync packets for capability 'drouting-status-repl' to node 3, cluster 1

Node 3 (the one I'd done a reload on) logged this:

Feb  5 12:58:33 ipx-c /usr/sbin/opensips[23767]: INFO:drouting:dr_reload_cmd: 
dr_reload MI command received!
Feb  5 12:58:33 ipx-c /usr/sbin/opensips[23767]: 
INFO:drouting:dr_reload_data_head: loading drouting data!
Feb  5 12:58:33 ipx-c /usr/sbin/opensips[23767]: 
INFO:drouting:dr_reload_data_head: loading drouting data!
Feb  5 12:58:33 ipx-c /usr/sbin/opensips[23767]: INFO:clusterer:send_sync_req: 
Sent sync request for capability 'drouting-status-repl' to node 4, cluster 1
Feb  5 12:58:33 ipx-c /usr/sbin/opensips[23803]: 
INFO:clusterer:handle_sync_packet: Received all sync packets for capability 
'drouting-status-repl' in cluster 1
Feb  5 12:58:33 ipx-c /usr/sbin/opensips[23803]: 
INFO:drouting:receive_dr_cluster_event: Synchronized carriers and gateways 
status from cluster
Feb  5 12:58:33 ipx-c /usr/sbin/opensips[23770]: 
WARNING:drouting:dr_recv_sync_packet: failed to process sync chunk!
Feb  5 12:58:33 ipx-c 

Re: [OpenSIPS-Users] mid_registrar TLS

2022-02-10 Thread Bogdan-Andrei Iancu

Hi Alberto,

When OpenSIPS is about to create a new TLS connection, it has to know 
what TLS certificate (client) to use for it.

There are 2 ways of indicating that:

* use "match_ip_address" [1] to map the TLS client domain to some IPs 
you want to connect to via TLS


* use "client_tls_domain_avp" [2] to manually select from script which 
TLS domain to be used - set the AVP before the t_relay() to the TLS 
destination.



[1] 
https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_match_ip_address


[2] 
https://opensips.org/html/docs/modules/3.2.x/tls_mgm.html#param_client_tls_domain_avp


Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS eBootcamp
  https://www.opensips.org/Training/Bootcamp

On 2/4/22 2:40 PM, Alberto wrote:

Hi,
I have a sip client connecting to opensips using tls, all requests are 
then routed to an asterisk server using mid_registrar.


UDP to UDP and TCP to TCP work fine, but TLS doesn't.

This is the error, but I'm having a hard time understanding it.

Feb  4 12:29:32 [3406] //etc/opensips/opensips.cfg:453 Forward REGISTER for sip:tls-1001@10.0.0.252:5061 to 10.0.0.153:5061;transport=tls
Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
Feb  4 12:29:32 [3406] ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7ff9be1810f8
Feb  4 12:29:32 [3406] ERROR:core:tcp_async_connect: tcp_conn_create failed, closing the socket
Feb  4 12:29:32 [3406] ERROR:proto_tls:proto_tls_send: async TCP connect failed
Feb  4 12:29:32 [3406] ERROR:tm:msg_send: send() to 10.0.0.153:5061 for proto tls/3 failed
Feb  4 12:29:32 [3406] ERROR:tm:t_forward_nonack: sending request failed
Feb  4 12:29:32 [3406] ERROR:tm:w_t_relay: t_forward_nonack failed


My configuration:
#
loadmodule "mid_registrar.so"
modparam("mid_registrar", "attr_avp", "$avp(avp_json)")
modparam("mid_registrar", "max_contacts", 1)
modparam("mid_registrar", "mode", 0)
modparam("mid_registrar", "tcp_persistent_flag", "TCP_PERSIST_REGISTRATIONS")


loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "wolfssl")
modparam("tls_mgm", "server_domain", "dom1")
modparam("tls_mgm", "ca_list", "[dom1]/etc/letsencrypt/fullchain.pem")
modparam("tls_mgm", "certificate", "[dom1]/etc/letsencrypt/cert.pem")
modparam("tls_mgm", "private_key", "[dom1]/etc/letsencrypt/privkey.pem")
modparam("tls_mgm", "require_cert", "[dom1]0")
modparam("tls_mgm", "tls_method", "[dom1]TLSv1-")
modparam("tls_mgm", "verify_cert", "[dom1]0")

loadmodule "proto_tls.so"

###
$ru = "sip:10.0.0.153:5061;transport=tls";
setflag("TCP_PERSISTENT");
route(relay);


Thanks
