[OpenSIPS-Users] Opensips and TLS
Hello! I want to ask for advice on making one scheme. There is one softswitch (rather old) which does not support the TLS protocol. Can I use OpenSIPS as a TLS intermediary between some SIP UA and the old softswitch?

Scheme: SIP UA <-> OpenSIPS (with TLS) <-> old softswitch

The old softswitch must know the SIP UA status (registered/unregistered) and must be able to make incoming calls to the SIP UA.

Thank you for any help.

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] OpenSIPS and TLS with wildcard certificates again
The client must load the same CA chain that signed the server cert.

Adrian

On Sep 14, 2012, at 2:13 PM, Peter Lemenkov wrote:

> Hello All!
>
> First of all - I've read a bit about TLS and certificates in OpenSIPS but I still don't have a clue what's wrong with this.
>
> My problem is - although openssl can verify the certificate, and it can be loaded by OpenSIPS, client apps are refusing to connect. Namely, Empathy and Jitsi.
>
> My setup is quite simple (well, I thought so). I've got a bunch of SIP domains, let's say sip0[0-9].domain.com, fully resolvable via DNS (w/o additional DNS SRV records - just domain names). I've got a wildcard SSL certificate from Thawte (for "*.domain.com" without quotes) and a CA bundle from Thawte ( https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_CA_Bundle.pem ). I appended it to the end of the system-wide certificate bundle (and checked with openssl). And now here is my relevant config data (I added "192.168.0.1 sip01.domain.com" to /etc/hosts for the sake of simplicity):
>
>     disable_tls = 0
>     listen = tls:192.168.0.1:5051
>     tls_verify_server = 0
>     tls_verify_client = 0
>     tls_require_client_certificate = 0
>     tls_method = TLSv1
>
>     alias=sip01.domain.com:5051
>
>     tls_certificate = "./wildcard.domain.com.crt"
>     tls_private_key = "./wildcard.domain.com.key"
>     tls_ca_list = "./ca-bundle.crt" # system-wide CA bundle + SSL_CA_Bundle.pem
>
> All I got so far is
>
>     Sep 14 16:02:29 [14877] ERROR:core:tls_accept: New TLS connection from 192.168.0.2:59588 failed to accept: rejected by client
>
> Here is a confirmation from openssl:
>
>     work ~/work/OpenSIPS (git::1.8.x-ipport): openssl verify -CAfile ./ca-bundle.crt ./wildcard.domain.com.crt
>     ./wildcard.domain.com.crt: OK
>     work ~/work/OpenSIPS (git::1.8.x-ipport):
>
> I'm using the same certificate for https and it works quite fine in Firefox. What did I miss so far?
>
> --
> With best regards, Peter Lemenkov.
Re: [OpenSIPS-Users] OpenSIPS and TLS with wildcard certificates again
The client must trust the certificate authority that signed the certificate presented by the server. Try loading the same CA file in Jitsi's supported list of CAs.

Adrian

On Sep 14, 2012, at 2:13 PM, Peter Lemenkov wrote:

> Hello All!
>
> First of all - I've read a bit about TLS and certificates in OpenSIPS but I still don't have a clue what's wrong with this.
>
> My problem is - although openssl can verify the certificate, and it can be loaded by OpenSIPS, client apps are refusing to connect. Namely, Empathy and Jitsi.
>
> My setup is quite simple (well, I thought so). I've got a bunch of SIP domains, let's say sip0[0-9].domain.com, fully resolvable via DNS (w/o additional DNS SRV records - just domain names). I've got a wildcard SSL certificate from Thawte (for "*.domain.com" without quotes) and a CA bundle from Thawte ( https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_CA_Bundle.pem ). I appended it to the end of the system-wide certificate bundle (and checked with openssl). And now here is my relevant config data (I added "192.168.0.1 sip01.domain.com" to /etc/hosts for the sake of simplicity):
>
>     disable_tls = 0
>     listen = tls:192.168.0.1:5051
>     tls_verify_server = 0
>     tls_verify_client = 0
>     tls_require_client_certificate = 0
>     tls_method = TLSv1
>
>     alias=sip01.domain.com:5051
>
>     tls_certificate = "./wildcard.domain.com.crt"
>     tls_private_key = "./wildcard.domain.com.key"
>     tls_ca_list = "./ca-bundle.crt" # system-wide CA bundle + SSL_CA_Bundle.pem
>
> All I got so far is
>
>     Sep 14 16:02:29 [14877] ERROR:core:tls_accept: New TLS connection from 192.168.0.2:59588 failed to accept: rejected by client
>
> Here is a confirmation from openssl:
>
>     work ~/work/OpenSIPS (git::1.8.x-ipport): openssl verify -CAfile ./ca-bundle.crt ./wildcard.domain.com.crt
>     ./wildcard.domain.com.crt: OK
>     work ~/work/OpenSIPS (git::1.8.x-ipport):
>
> I'm using the same certificate for https and it works quite fine in Firefox. What did I miss so far?
>
> --
> With best regards, Peter Lemenkov.
[OpenSIPS-Users] OpenSIPS and TLS with wildcard certificates again
Hello All!

First of all - I've read a bit about TLS and certificates in OpenSIPS but I still don't have a clue what's wrong with this.

My problem is - although openssl can verify the certificate, and it can be loaded by OpenSIPS, client apps are refusing to connect. Namely, Empathy and Jitsi.

My setup is quite simple (well, I thought so). I've got a bunch of SIP domains, let's say sip0[0-9].domain.com, fully resolvable via DNS (w/o additional DNS SRV records - just domain names). I've got a wildcard SSL certificate from Thawte (for "*.domain.com" without quotes) and a CA bundle from Thawte ( https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_CA_Bundle.pem ). I appended it to the end of the system-wide certificate bundle (and checked with openssl). And now here is my relevant config data (I added "192.168.0.1 sip01.domain.com" to /etc/hosts for the sake of simplicity):

    disable_tls = 0
    listen = tls:192.168.0.1:5051
    tls_verify_server = 0
    tls_verify_client = 0
    tls_require_client_certificate = 0
    tls_method = TLSv1

    alias=sip01.domain.com:5051

    tls_certificate = "./wildcard.domain.com.crt"
    tls_private_key = "./wildcard.domain.com.key"
    tls_ca_list = "./ca-bundle.crt" # system-wide CA bundle + SSL_CA_Bundle.pem

All I got so far is

    Sep 14 16:02:29 [14877] ERROR:core:tls_accept: New TLS connection from 192.168.0.2:59588 failed to accept: rejected by client

Here is a confirmation from openssl:

    work ~/work/OpenSIPS (git::1.8.x-ipport): openssl verify -CAfile ./ca-bundle.crt ./wildcard.domain.com.crt
    ./wildcard.domain.com.crt: OK
    work ~/work/OpenSIPS (git::1.8.x-ipport):

I'm using the same certificate for https and it works quite fine in Firefox. What did I miss so far?

--
With best regards, Peter Lemenkov.
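Added example (editor's note, not code from the thread, from OpenSIPS or from Thawte). Adrian's two replies say the client must hold the same CA chain that signed the server certificate; Peter's evidence that the certificate is fine is `openssl verify -CAfile ./ca-bundle.crt`, run on the server against a bundle into which he had appended Thawte's intermediate. The script below reproduces offline why those two facts can both be true while a client still aborts the handshake (OpenSIPS then logs `tls_accept ... rejected by client`, because it is the client that sends the alert): it builds a hypothetical three-level PKI (a private root standing in for the Thawte root, an intermediate standing in for SSL_CA_Bundle.pem, a wildcard leaf for `*.domain.com` standing in for wildcard.domain.com.crt) and then runs the same `openssl verify` from three points of view, plus the wildcard hostname match. All names and files are constructed here; it needs only the `openssl` CLI (1.1.1 or newer for `-verify_hostname`).

```shell
#!/bin/sh
# Added example: how the same wildcard certificate verifies on the server
# but not for a client, depending on which CA material each side holds.
# Everything below is a constructed, throw-away PKI in a temp directory.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extensions applied at signing time: CA certificates need CA:TRUE; the
# leaf carries the wildcard as a subjectAltName, as a public CA would issue it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.domain.com\n' > leaf.ext

# issue NAME SUBJECT EXTFILE [ISSUER]: make a key and CSR for NAME, then sign
# it with ISSUER's key, or self-sign when no ISSUER is given (the root).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
  if [ $# -ge 4 ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 2 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 2 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
  fi
}

issue root  "/CN=Test Root CA"         ca.ext
issue inter "/CN=Test Intermediate CA" ca.ext   root
issue leaf  "/CN=*.domain.com"         leaf.ext inter

# The server-side bundle from the thread: trusted roots plus the CA's
# intermediate bundle appended to the end.
cat root.crt inter.crt > ca-bundle.crt

# chain_status TRUSTED [UNTRUSTED]: prints OK when leaf.crt chains to a root
# in TRUSTED. UNTRUSTED plays the role of intermediates the TLS server sends
# in its Certificate message; a client never has them unless the server does.
chain_status() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# host_status NAME: does the wildcard cover the host the client dialled?
host_status() {
  openssl verify -CAfile ca-bundle.crt -verify_hostname "$1" leaf.crt \
    >/dev/null 2>&1 && echo OK || echo FAIL
}

echo "server check, bundle incl. intermediate:     $(chain_status ca-bundle.crt)"        # OK
echo "client with root only, no intermediate sent: $(chain_status root.crt)"             # FAIL
echo "client with root only, intermediate sent:    $(chain_status root.crt inter.crt)"   # OK
echo "hostname sip01.domain.com:                   $(host_status sip01.domain.com)"      # OK
echo "hostname domain.com:                         $(host_status domain.com)"            # FAIL
echo "hostname a.sip01.domain.com:                 $(host_status a.sip01.domain.com)"    # FAIL
```

The second line is the case to rule out first: a verify that passes on the server only because the intermediate sits in ca-bundle.crt tells you nothing about a client that ships the root alone, so make sure the file given to `tls_certificate` contains the leaf followed by the intermediate (OpenSIPS reads it as a PEM chain) and confirm from the client side with `openssl s_client -connect sip01.domain.com:5051 -servername sip01.domain.com -showcerts -CAfile <root-only file>`, looking at `Verify return code`. The last two lines show the other thing a wildcard will not do: `*.domain.com` matches exactly one label, so neither the bare domain nor a deeper name verifies. Two caveats outside the script: Jitsi is a Java application and consults the JRE's own trust store rather than the system bundle Peter edited, which is what Adrian's second reply points at; and `tls_method = TLSv1` pins the listener to TLS 1.0 only, which current clients refuse outright.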