Re: [OpenSIPS-Users] How to TLS ?

2016-02-24 Thread Bogdan-Andrei Iancu

Hi Hamid,

As the ERROR says, the SIP packet came into OpenSIPS in more than 4 
chunks, causing OpenSIPS to close the TCP connection (this is an action 
against potential TCP connect based attacks). For more see:

http://www.opensips.org/Documentation/Script-CoreParameters-1-11#toc96

(tcp_max_msg_chunks global param)

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 16.02.2016 15:28, Hamid Hashmi wrote:

Now I am facing the following ERROR. What can be the reason?

Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: depth = 2
Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: preverify is good: verify return: 1
Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: depth = 1
Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: preverify is good: verify return: 1
Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: depth = 0
Feb 16 13:11:43 ec2-siplb SIPLB[30844]: NOTICE:proto_tls:verify_callback: preverify is good: verify return: 1
Feb 16 13:11:43 ec2-siplb SIPLB[30844]: INFO:proto_tls:tls_accept: New TLS connection from 103.255.5.39:64219 accepted
Feb 16 13:11:43 ec2-siplb SIPLB[30844]: INFO:proto_tls:tls_dump_cert_info: tls_accept: client TLS certificate subject: ***
Feb 16 13:11:43 ec2-siplb SIPLB[30844]: INFO:proto_tls:tls_dump_cert_info: tls_accept: local TLS server certificate subject: ***
Feb 16 13:11:43 ec2-siplb SIPLB[30844]: ERROR:proto_tls:tcp_handle_req: Made 4 read attempts but message is not complete yet - closing connection


*/Hamid R. Hashmi/*
Software Engineer - VoIP
Vopium A/S



Date: Fri, 12 Feb 2016 08:03:44 +
Subject: Re: [OpenSIPS-Users] How to TLS ?
From: nabeelshik...@gmail.com
To: users@lists.opensips.org; hamid2kv...@hotmail.com

Hi,

That option is only required if you want to enable "Mutual (two-way) 
client authentication" and is not normally necessary when using TLS. 
Most of these clients don't seem to support two-way authentication. 
You can have this option disabled:

modparam("proto_tls","require_cert", "0").

477 error in my experience is usually a temporary connection error 
related to TLS, but not directly related to configuration.


Nabeel

On 12 Feb 2016 6:45 am, "Hamid Hashmi" <hamid2kv...@hotmail.com> wrote:


Nabeel

I don't know how to present a certificate from the client. I have tried
using Xoiper (Android - Free), SFLphone (Ubuntu) and CsipSimple
(Android) but there were no options to set a public key.

Now I am using CA signed certificates in opensips with disabled
flags of verify_cert and require_cert, having an error of *477
Send failed (477/TM).*

*/Hamid R. Hashmi/*
Software Engineer - VoIP
Vopium A/S



Date: Tue, 9 Feb 2016 08:48:41 +
From: nabeelshik...@gmail.com
To: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] How to TLS ?

Hi,

Does the client present a client certificate? If not, then with
modparam("proto_tls","require_cert", "1"), OpenSIPS misleadingly logs:
'failed to accept: rejected by client'.  What it actually means is
that the client failed to present a certificate.

On 9 Feb 2016 6:06 am, "Hamid Hashmi" <hamid2kv...@hotmail.com> wrote:

It will be a great help if you please help me in configuring
TLS. I have followed this
<http://www.opensips.org/Documentation/Tutorials-TLS-2-1> to
configure TLS but was not able to verify certificates.

It's working if I disable the following flags

modparam("proto_tls","verify_cert", "0")
modparam("proto_tls","require_cert", "0")

BUT not verifying certificates. Please see logs
<http://pastebin.com/qmXZjSy2> if enabled

modparam("proto_tls","verify_cert", "1")
modparam("proto_tls","require_cert", "1")

then I have the following ERROR

Feb 9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29867]: [udp:keepalive@192.168.26.181:8000]: Receive request OPTIONS from local server [192.168.26.181]
Feb 9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_accept: New TLS connection from 115.186.93.1:47015 failed to accept: rejected by client
Feb 9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: E
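
The two proto_tls errors discussed in this thread, as an added log-triage example that is not part of any poster's message or of OpenSIPS itself: it parses syslog lines shaped like the excerpts above and reports, per peer, the tls_accept "failed to accept" case and the "Made N read attempts" connection closures. The sample lines are constructed (documentation IP addresses, hypothetical host name lb1), and tying a read-attempt error to the connection last accepted by the same process is an assumption.

```python
import re
from collections import Counter

# Syslog prefix, then the OpenSIPS "LEVEL:module:function: message" body.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ [^\[\s]+\[(?P<pid>\d+)\]: "
    r"(?P<level>[A-Z]+):(?P<module>\w+):(?P<func>\w+): (?P<msg>.*)$")
PEER_RE = re.compile(r"New TLS connection from (?P<ip>[\d.]+):\d+ (?P<what>.*)$")
CHUNK_RE = re.compile(r"Made (?P<n>\d+) read attempts but message is not complete yet")

def parse_line(line):
    """Fields of one OpenSIPS core/module log line, or None (e.g. script xlog output)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return (findings, counts per (peer, kind)) for the two errors in the thread."""
    findings, last_peer = [], {}  # last_peer: pid -> peer IP of its latest TLS accept
    for ev in filter(None, map(parse_line, lines)):
        if ev["module"] != "proto_tls":
            continue
        peer = PEER_RE.search(ev["msg"])
        chunk = CHUNK_RE.search(ev["msg"])
        if peer:
            last_peer[ev["pid"]] = peer["ip"]
            if peer["what"].startswith("failed to accept"):
                findings.append((peer["ip"], "handshake_failed",
                                 "with require_cert=1, check that the client sends a certificate"))
        elif chunk:
            # Assumption: the error refers to the connection this pid accepted last.
            ip = last_peer.get(ev["pid"], "unknown")
            findings.append((ip, "chunk_limit",
                             f"message needed more than {chunk['n']} reads; see tcp_max_msg_chunks"))
    return findings, Counter((ip, kind) for ip, kind, _ in findings)

# Constructed sample modelled on the excerpts in the thread (documentation addresses).
SAMPLE = """\
Feb 16 13:11:43 lb1 SIPLB[30844]: NOTICE:proto_tls:verify_callback: preverify is good: verify return: 1
Feb 16 13:11:43 lb1 SIPLB[30844]: INFO:proto_tls:tls_accept: New TLS connection from 192.0.2.10:64219 accepted
Feb 16 13:11:43 lb1 SIPLB[30844]: ERROR:proto_tls:tcp_handle_req: Made 4 read attempts but message is not complete yet - closing connection
Feb  9 05:57:14 lb1 SIPLB[29867]: [udp:keepalive@192.0.2.50:8000]: Receive request OPTIONS from local server [192.0.2.50]
Feb  9 05:57:14 lb1 SIPLB[29868]: ERROR:proto_tls:tls_accept: New TLS connection from 198.51.100.7:47015 failed to accept: rejected by client
Feb  9 05:57:14 lb1 SIPLB[29868]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
"""

if __name__ == "__main__":
    found, counts = triage(SAMPLE.splitlines())
    for ip, kind, hint in found:
        print(f"{ip:15} {kind:17} {hint}")
```

A peer that repeatedly lands in chunk_limit is the case to look at before raising tcp_max_msg_chunks, since that limit is what closes connections that deliver a message in many small pieces.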

Re: [OpenSIPS-Users] How to TLS ?

2016-02-12 Thread Nabeel
Hi,

That option is only required if you want to enable "Mutual (two-way) client
authentication" and is not normally necessary when using TLS. Most of these
clients don't seem to support two-way authentication. You can have this
option disabled:
modparam("proto_tls","require_cert", "0").

477 error in my experience is usually a temporary connection error related
to TLS, but not directly related to configuration.

Nabeel
On 12 Feb 2016 6:45 am, "Hamid Hashmi" <hamid2kv...@hotmail.com> wrote:

> Nabeel
>
> I don't know how to present a certificate from the client. I have tried using
> Xoiper (Android - Free), SFLphone (Ubuntu) and CsipSimple (Android) but
> there were no options to set a public key.
>
> Now I am using CA signed certificates in opensips with disabled flags of
> verify_cert and require_cert, having an error of *477 Send failed
> (477/TM).*
>
> *Hamid R. Hashmi*
> Software Engineer - VoIP
> Vopium A/S
>
>
> --
> Date: Tue, 9 Feb 2016 08:48:41 +0000
> From: nabeelshik...@gmail.com
> To: users@lists.opensips.org
> Subject: Re: [OpenSIPS-Users] How to TLS ?
>
> Hi,
>
> Does the client present a client certificate? If not, then with
> modparam("proto_tls","require_cert", "1"), OpenSIPS misleadingly logs:
> 'failed to accept: rejected by client'.  What it actually means is that
> the client failed to present a certificate.
> On 9 Feb 2016 6:06 am, "Hamid Hashmi" <hamid2kv...@hotmail.com> wrote:
>
> It will be a great help if you please help me in configuring TLS. I have
> followed this <http://www.opensips.org/Documentation/Tutorials-TLS-2-1>
> to configure TLS but was not able to verify certificates.
>
> It's working if I disable the following flags
>
> modparam("proto_tls","verify_cert", "0")
> modparam("proto_tls","require_cert", "0")
>
> BUT not verifying certificates. Please see logs
> <http://pastebin.com/qmXZjSy2> if enabled
>
> modparam("proto_tls","verify_cert", "1")
> modparam("proto_tls","require_cert", "1")
>
> then I have the following ERROR
>
> Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29867]: [udp:keepalive@192.168.26.181:8000]: Receive request OPTIONS from local server [192.168.26.181]
> Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_accept: New TLS connection from 115.186.93.1:47015 failed to accept: rejected by client
> Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
> Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: [tcp:siplb@192.168.26.180:6080]: In LOCAL Route sending OPTIONS to 192.168.26.181
> Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:probe_max_sock_buff: using snd buffer of 244 kb
> Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 17
>
> Regards
> *Hamid R. Hashmi*
>
>
> ___
> Users mailing list
> Users@lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users


Re: [OpenSIPS-Users] How to TLS ?

2016-02-11 Thread Hamid Hashmi
Nabeel

I don't know how to present a certificate from the client. I have tried using Xoiper 
(Android - Free), SFLphone (Ubuntu) and CsipSimple (Android) but there were no 
options to set a public key.

Now I am using CA signed certificates in opensips with disabled flags of 
verify_cert and require_cert, having an error of 477 Send failed (477/TM).

Hamid R. Hashmi
Software Engineer - VoIP
Vopium A/S

Date: Tue, 9 Feb 2016 08:48:41 +
From: nabeelshik...@gmail.com
To: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] How to TLS ?

Hi, 
Does the client present a client certificate? If not, then with 
modparam("proto_tls","require_cert", "1"), OpenSIPS misleadingly logs:

'failed to accept: rejected by client'.  What it actually means is that the 
client failed to present a certificate. 
On 9 Feb 2016 6:06 am, "Hamid Hashmi" <hamid2kv...@hotmail.com> wrote:



It will be a great help if you please help me in configuring TLS. I have 
followed this to configure TLS but was not able to verify certificates.

It's working if I disable the following flags

modparam("proto_tls","verify_cert", "0")
modparam("proto_tls","require_cert", "0")

BUT not verifying certificates. Please see logs if enabled

modparam("proto_tls","verify_cert", "1")
modparam("proto_tls","require_cert", "1")

then I have the following ERROR

Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29867]: [udp:keepalive@192.168.26.181:8000]: Receive request OPTIONS from local server [192.168.26.181]
Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_accept: New TLS connection from 115.186.93.1:47015 failed to accept: rejected by client
Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: [tcp:siplb@192.168.26.180:6080]: In LOCAL Route sending OPTIONS to 192.168.26.181
Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:probe_max_sock_buff: using snd buffer of 244 kb
Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 17

Regards
Hamid R. Hashmi
  



Re: [OpenSIPS-Users] How to TLS ?

2016-02-09 Thread Nabeel
Hi,

Does the client present a client certificate? If not, then with
modparam("proto_tls","require_cert", "1"), OpenSIPS misleadingly logs:
'failed to accept: rejected by client'.  What it actually means is that the
client failed to present a certificate.
On 9 Feb 2016 6:06 am, "Hamid Hashmi"  wrote:

> It will be a great help if you please help me in configuring TLS. I have
> followed this
> to configure TLS but was not able to verify certificates.
>
> It's working if I disable the following flags
>
> modparam("proto_tls","verify_cert", "0")
> modparam("proto_tls","require_cert", "0")
>
> BUT not verifying certificates. Please see logs
>  if enabled
>
> modparam("proto_tls","verify_cert", "1")
> modparam("proto_tls","require_cert", "1")
>
> then I have the following ERROR
>
> Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29867]: [udp:keepalive@192.168.26.181:8000]: Receive request OPTIONS from local server [192.168.26.181]
> Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_accept: New TLS connection from 115.186.93.1:47015 failed to accept: rejected by client
> Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
> Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: [tcp:siplb@192.168.26.180:6080]: In LOCAL Route sending OPTIONS to 192.168.26.181
> Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:probe_max_sock_buff: using snd buffer of 244 kb
> Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 17
>
> Regards
> *Hamid R. Hashmi*
>
>


[OpenSIPS-Users] How to TLS ?

2016-02-08 Thread Hamid Hashmi
It will be a great help if you please help me in configuring TLS. I have 
followed this to configure TLS but was not able to verify certificates.

It's working if I disable the following flags

modparam("proto_tls","verify_cert", "0")
modparam("proto_tls","require_cert", "0")

BUT not verifying certificates. Please see logs if enabled

modparam("proto_tls","verify_cert", "1")
modparam("proto_tls","require_cert", "1")

then I have the following ERROR

Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29867]: [udp:keepalive@192.168.26.181:8000]: Receive request OPTIONS from local server [192.168.26.181]
Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_accept: New TLS connection from 115.186.93.1:47015 failed to accept: rejected by client
Feb  9 05:57:14 comoyo-dev-ec2-siplb SIPLB[29868]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: [tcp:siplb@192.168.26.180:6080]: In LOCAL Route sending OPTIONS to 192.168.26.181
Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:probe_max_sock_buff: using snd buffer of 244 kb
Feb  9 05:57:17 comoyo-dev-ec2-siplb SIPLB[29863]: INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 17

Regards
Hamid R. Hashmi


Re: [OpenSIPS-Users] How many TLS connections can an opensips server handle?

2011-02-04 Thread yufei.tao
Hi List

Thank you very much Bogdan for the very helpful reply! Now it seems
I'll need to find ways to increase the limitation of the max number of
allowed TCP connections for Ubuntu - for the VM that opensips runs on
and the host. I'll be very grateful if anyone would like to share their
experience on this.

Thanks very much!

Yufei

Message: 2
Date: Thu, 03 Feb 2011 17:47:39 +0200
From: Bogdan-Andrei Iancu bog...@opensips.org
Subject: Re: [OpenSIPS-Users] How many TLS connections can an opensips server handle?
To: OpenSIPS users mailling list users@lists.opensips.org
Message-ID: 4d4ace1b.4090...@opensips.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi Yufei,

OpenSIPS has a core parameter limiting the number of TCP connections (note
that a TLS conn is counted also as TCP conn). See the
tcp_max_connections global param. The default value is 2048. Of course,
you can change it from the script.

Also take note about the system limitations.

Regards,
Bogdan

yufei.tao wrote:

  Hi List
 
  Can anyone give me an idea on how many TLS/TCP connections an opensips
  server can handle? Not sure if this is a fair question even. Or does the
  number depend rather on the operating system underneath? If so does
  opensips impose any further limitations?
 
  A bit of background: all our SIP clients use TLS connections for security
  reasons. The connections will be kept open using keep-alives once the
  clients are registered. I've got an opensips 1.6.2+tls running in a
  virtual machine (with Ubuntu 10.0.4), and the virtual machine runs on a
  host that again runs Ubuntu 10.0.4. I want to get an idea how many SIP
  clients this server can support, as TLS is obviously more 'expensive'
  than UDP.
 
  Thanks very much in advance!
 
  Yufei
 
 

--
Bogdan-Andrei Iancu
OpenSIPS Event - expo, conf, social, bootcamp
2 - 4 February 2011, ITExpo, Miami, USA
OpenSIPS solutions and know-how




Re: [OpenSIPS-Users] How many TLS connections can an opensips server handle?

2011-02-03 Thread Bogdan-Andrei Iancu

Hi Yufei,

OpenSIPS has a core parameter limiting the number of TCP connections (note 
that a TLS conn is counted also as TCP conn).  See the 
tcp_max_connections global param. The default value is 2048.  Of course, 
you can change it from the script.


Also take note about the system limitations.

Regards,
Bogdan

yufei.tao wrote:

Hi List

Can anyone give me an idea on how many TLS/TCP connections an opensips
server can handle? Not sure if this is a fair question even. Or does the
number depend rather on the operating system underneath? If so does
opensips impose any further limitations?

A bit of background: all our SIP clients use TLS connections for security
reasons. The connections will be kept open using keep-alives once the
clients are registered. I've got an opensips 1.6.2+tls running in a
virtual machine (with Ubuntu 10.0.4), and the virtual machine runs on a
host that again runs Ubuntu 10.0.4. I want to get an idea how many SIP
clients this server can support, as TLS is obviously more 'expensive'
than UDP.

Thanks very much in advance!

Yufei


  



--
Bogdan-Andrei Iancu
OpenSIPS Event - expo, conf, social, bootcamp
2 - 4 February 2011, ITExpo, Miami,  USA
OpenSIPS solutions and know-how


