Since there seem to be many variables that could be wrong in my setup, let me explain what I am hoping to accomplish.
I have two OpenSIPS Proxies running in a redundant fashion with HA.

Proxy 1 = SIPProxy01 <--- Hostname
Proxy 2 = SIPProxy02 <--- Hostname

Both servers share an IP address of AAA.BBB.CCC.DDD. I am hosting multiple domains with this setup. The clients log in by using their domain credentials (example - 9012xx2...@abc.com), but all clients are configured to point to sip.ae.com:5060 as their outbound proxy in order to register and call out. I have a DNS record that points sip.ae.com to the IP address AAA.BBB.CCC.DDD which is the SIPProxy HA IP address.

So from reading the TLS support page (http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html#AEN345) it sounds like I need to do a "Virtual hosting scenario". It says:

"As the SIP proxy does not have received a SIP message yet (this is done after the TLS handshake), the SIP proxy can not retrieve the target domain (which will be usually retrieved from the domain in the request URI). Thus, distinction for these domains must be done by using multiple sockets. The socket on which the TLS connection is received, identifies the respective domain. Thus the SIP proxy is able to present the proper certificate."

So I think I need to do the following:

disable_tls = no
listen=tls:50.XX.YY.45:5061
listen=tls:50.XX.YY.45:5063   ### For Domain abc.com
listen=tls:50.XX.YY.45:5064   ### For Domain xyz.com
tls_method=tlsv1
tls_verify_client = 1
tls_require_client_certificate = 1
tls_ca_list = "/usr/local/etc/opensips/certs/CA/cert.pem"

tls_server_domain[50.XX.YY.45:5063] {
    tls_certificate = "/usr/local/etc/opensips/certs/abc.com/cert.pem"
    tls_private_key = "/usr/local/etc/opensips/certs/abc.com/privkey.pem"
    tls_ca_list = "/usr/local/etc/opensips/certs/CA/cert.pem"
}

tls_server_domain[50.XX.YY.45:5064] {
    tls_certificate = "/usr/local/etc/opensips/certs/xyz.com/cert.pem"
    tls_private_key = "/usr/local/etc/opensips/certs/xyz.com/privkey.pem"
    tls_ca_list = "/usr/local/etc/opensips/certs/CA/cert.pem"
}

Does this sound right?
So for my clients at abc.com would I need to configure them to point to the outbound proxy of sip.ae.com:5063? If abc.com calls xyz.com and both are on the same sipproxy will there be a cert issue or does OpenSIPS know how to handle this? The TLS doc says to do:

tls_client_domain_avp=400

# calls to other SIP domains
# set the proper SSL context (certificate) for local hosted domains
avp_write("$fd","$avp(400)");
t_relay(); # uses NAPTR and SRV lookups
exit;

I thought with some certificates the name of the server mattered. I know when working with wireless certs this is an issue. Does the name of the server when creating the CA cert and individual domain certs matter?

I can't seem to get this to work. I just see the following on the server and no reply:

New TCP connection #51: 99-67-237-217.lightspeed.austtx.sbcglobal.net(58638) <-> 50-XX-XX-156.static.cloud-ips.com(5063)
51 1  0.0547 (0.0547)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        Unknown value 0xc014
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        Unknown value 0xc013
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        Unknown value 0xc012
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        Unknown value 0xff
        compression methods
        NULL

Sorry for all the questions but TLS is new for me.

On Mon, Apr 30, 2012 at 12:48 AM, Duane Larson <duane.lar...@gmail.com> wrote:
> I've read the TLS tutorial
> http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html
>
> I can't get a snom or counterpath phone to register at all over TLS. I'm
> not sure what is wrong.
>
> The only errors I see when I start OpenSIPS are
>
> Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_tls: disabling compression due ZLIB problems
> Apr 30 00:08:27 SIPProxy01 opensips: INFO:core:init_tls_domains: Processing TLS domain [0.0.0.0:0]
> Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_ssl_ctx_behavior: client verification NOT activated. Weaker security.
> Apr 30 00:08:27 SIPProxy01 opensips: INFO:core:init_tls_domains: Processing TLS domain [0.0.0.0:0]
> Apr 30 00:08:27 SIPProxy01 opensips: WARNING:core:init_ssl_ctx_behavior: server verification NOT activated. Weaker security.
> Apr 30 00:08:27 SIPProxy01 /usr/local/sbin/opensips[11060]: NOTICE:core:main: version: opensips 1.8.0-dev0-tls (x86_64/linux)
>
> To get the client cert to work with Snom I had to change the cacert.pem to
> a .der file. So I did
>
> sudo openssl x509 -in cacert.pem -out cacert.der -outform DER
>
> For my config I have the following.
>
> disable_tls = no
> listen = tls:50.XX.XX.156:5061
> tls_verify_server = 0
> tls_verify_client = 0
> tls_require_client_certificate = 0
> tls_method = TLSv1
> #tls_method = SSLv23
> tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
> tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
> tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
>
> From the Snom phone I can see the Register sent to the server
>
> Sent to tls:50.XX.XX.156:5061 at 30/4/2012 00:09:11:335 (683 bytes):
> REGISTER sip:i.com SIP/2.0
> Via: SIP/2.0/TLS 192.168.1.70:3636;branch=z9hG4bK-brbd3nfa0aao;rport
> From: "1000 - 6XX-6XX4" <sip:9016xx6...@i.com>;tag=luco4y7th3
> To: "1000 - 6XX-6XX4" <sip:9016xx6...@i.com>
> Call-ID: 3070263c3b8a-l2a7wl7yrrox
> CSeq: 44 REGISTER
> Max-Forwards: 70
> Contact: <sip:9016XX6XX4@192.168.1.70:3636;transport=tls;line=2c34lho2>;reg-id=1;q=1.0;audio;mobility="fixed";duplex="full";description="snom821";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
> User-Agent: snom821/8.4.35
> Allow-Events: dialog
> X-Real-IP: 192.168.1.70
> Supported: path
> Expires: 3600
> Content-Length: 0
>
> I don't see anything at all in the syslog. I did a debug 4 too. If I do
> a ssldump I only see the following
>
> New TCP connection #101: 99-67-237-217.lightspeed.austtx.sbcglobal.net(4801) <-> 50-XX-XX-156.static.cloud-ips.com(5061)
> 101 1  0.0562 (0.0562)  C>S  Handshake
>       ClientHello
>         Version 3.1
>         cipher suites
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_NULL_MD5
>         TLS_RSA_WITH_NULL_SHA
>         TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
>         TLS_DH_anon_WITH_RC4_128_MD5
>         TLS_RSA_WITH_DES_CBC_SHA
>         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>         TLS_DH_anon_WITH_DES_CBC_SHA
>         compression methods
>         NULL
>
> So it looks like there is no S>C
>
> Any ideas?
> --
> *--*--*--*--*--*
> Duane
> *--*--*--*--*--*

--
_______________________________________________ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
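The diagnostic both messages in this thread come down to is the same one: ssldump shows a C>S ClientHello on the TLS socket and nothing from the server afterwards. The script below is an added example, not code from this thread or from the OpenSIPS project. It parses ssldump's text layout (the "New TCP connection" header and the "N M time (delta) C>S/S>C Handshake" record lines seen above), reports each connection that stalled after the ClientHello, and also lists the cipher suites the phone offered that a defender would not want negotiated (NULL, anonymous DH, export, single DES, RC4, MD5), since several of those appear in the Snom's list. The trace embedded in it is constructed; the hostnames and ports are placeholders, and it goes slightly beyond the page by treating any S>C record, Alert included, as "the server answered".

```python
import re
from dataclasses import dataclass, field

# Constructed trace in ssldump's layout (placeholder hosts and ports): connection #51
# never receives a server record, connection #52 gets the server's first flight.
SAMPLE_TRACE = """\
New TCP connection #51: phone.example.net(58638) <-> proxy.example.net(5063)
51 1  0.0547 (0.0547)  C>S  Handshake
      ClientHello
        cipher suites
        Unknown value 0xc014
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        compression methods
        NULL
New TCP connection #52: phone.example.net(4801) <-> proxy.example.net(5061)
52 1  0.0562 (0.0562)  C>S  Handshake
      ClientHello
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_NULL_SHA
        TLS_DH_anon_WITH_RC4_128_MD5
        TLS_RSA_WITH_AES_128_CBC_SHA
        compression methods
        NULL
52 2  0.0601 (0.0039)  S>C  Handshake
      ServerHello
        cipherSuite         TLS_RSA_WITH_AES_128_CBC_SHA
52 3  0.0601 (0.0000)  S>C  Handshake
      Certificate
"""

# Substrings of IANA suite names that make a suite unacceptable, with the reason.
WEAK_SUITE_MARKERS = {
    "_NULL_": "no encryption",
    "_anon_": "anonymous key exchange, server not authenticated",
    "_EXPORT": "export-grade key length",
    "_DES_CBC_": "single DES",
    "_RC4_": "RC4 stream cipher",
    "_MD5": "MD5-based MAC",
}
CONN_RE = re.compile(r"^New TCP connection #(\d+): \S+ <-> \S+\((\d+)\)")
REC_RE = re.compile(r"^(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(\S+)")

@dataclass
class Record:
    direction: str     # "C>S" or "S>C"
    kind: str          # record-layer content type, e.g. "Handshake" or "Alert"
    message: str = ""  # handshake message name, taken from the next indented line

@dataclass
class Connection:
    conn_id: int
    server_port: int
    records: list = field(default_factory=list)
    offered_suites: list = field(default_factory=list)  # from the ClientHello

def parse_ssldump(text):
    """Return Connection objects in id order; ssldump interleaves connections."""
    conns, current, collecting = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := CONN_RE.match(raw):
            current = Connection(int(m.group(1)), int(m.group(2)))
            conns[current.conn_id] = current
            collecting = False
            continue
        if m := REC_RE.match(raw):
            current = conns.get(int(m.group(1)))
            if current is not None:
                current.records.append(Record(m.group(2), m.group(3)))
            collecting = False
            continue
        if current is None or not current.records:
            continue
        rec = current.records[-1]
        if rec.kind == "Handshake" and not rec.message:
            rec.message = line  # first indented line under a Handshake record
        elif line == "cipher suites" and rec.message == "ClientHello":
            collecting = True
        elif line == "compression methods":
            collecting = False
        elif collecting and line:
            current.offered_suites.append(line)
    return [conns[k] for k in sorted(conns)]

def weak_reason(suite):
    """Reason the suite is unacceptable, or None if no marker matches."""
    return next((why for marker, why in WEAK_SUITE_MARKERS.items() if marker in suite), None)

def analyze(conns):
    """One finding per connection: did the server ever answer, which offered suites are weak."""
    findings = []
    for c in conns:
        hello_seen = any(r.direction == "C>S" and r.message == "ClientHello" for r in c.records)
        server_replied = any(r.direction == "S>C" for r in c.records)
        findings.append({
            "conn_id": c.conn_id,
            "server_port": c.server_port,
            "server_replied": server_replied,
            "stalled_after_client_hello": hello_seen and not server_replied,
            "weak_suites_offered": {s: weak_reason(s) for s in c.offered_suites if weak_reason(s)},
        })
    return findings

if __name__ == "__main__":
    for f in analyze(parse_ssldump(SAMPLE_TRACE)):
        state = "no server response" if f["stalled_after_client_hello"] else "server replied"
        print(f"conn #{f['conn_id']} -> port {f['server_port']}: {state}; "
              f"weak suites offered: {sorted(f['weak_suites_offered'])}")
```

Feed it a real capture by replacing SAMPLE_TRACE with the text ssldump printed for the TLS listening ports. A connection that stalls after the ClientHello on one port but not another points at that socket's tls_server_domain block (certificate, key, CA list, or tls_method not matching what the phone offers) rather than at the phone; a connection where the server sends an Alert instead of a ServerHello is a handshake failure with a reason, and the alert description is the thing to read next.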