Hello All! First of all - I've read a bit about TLS and certificates in OpenSIPS, but I still don't have a clue what's wrong with this.

My problem is - although openssl can verify the certificate, and it can be loaded by OpenSIPS, client apps are refusing to connect. Namely, Empathy and Jitsi.

My setup is quite simple (well, I thought so). I've got a bunch of SIP domains, let's say sip0[0-9].domain.com, fully resolvable via DNS (w/o additional DNS SRV records - just domain names). I've got a wildcard SSL certificate from Thawte (for "*.domain.com" without quotes) and a CA bundle from Thawte ( https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_CA_Bundle.pem ). I appended it to the end of the system-wide certificate bundle (and checked with openssl).

And now here is my relevant config data (I added "192.168.0.1 sip01.domain.com" to /etc/hosts for the sake of simplicity):

    disable_tls = 0
    listen = tls:192.168.0.1:5051
    tls_verify_server = 0
    tls_verify_client = 0
    tls_require_client_certificate = 0
    tls_method = TLSv1
    alias=sip01.domain.com:5051
    tls_certificate = "./wildcard.domain.com.crt"
    tls_private_key = "./wildcard.domain.com.key"
    tls_ca_list = "./ca-bundle.crt"   # system-wide CA bundle + SSL_CA_Bundle.pem

All I got so far is:

    Sep 14 16:02:29 [14877] ERROR:core:tls_accept: New TLS connection from 192.168.0.2:59588 failed to accept: rejected by client

Here is a confirmation from openssl:

    work ~/work/OpenSIPS (git::1.8.x-ipport): openssl verify -CAfile ./ca-bundle.crt ./wildcard.domain.com.crt
    ./wildcard.domain.com.crt: OK
    work ~/work/OpenSIPS (git::1.8.x-ipport):

I'm using the same certificate for https and it works quite fine in Firefox. What did I miss so far?

-- 
With best regards, Peter Lemenkov.

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
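A point worth checking when `openssl verify` passes locally but TLS peers still reject a server is that the two checks are not the same: `openssl verify -CAfile bundle leaf` treats everything in the bundle (including intermediates) as trusted, while a connecting client only trusts its own roots and relies on the server to send the intermediate. The script below is an added example, not code from the post or from the OpenSIPS project; it builds a throwaway root/intermediate/wildcard-leaf PKI with the `openssl` CLI (all names are constructed, and it assumes `openssl` is on the PATH) and shows the leaf verifying against the bundle, failing against the root alone, and verifying again once the intermediate is supplied as the untrusted chain a server would present.

```shell
#!/bin/sh
# Added example (not from the original post): demonstrate why a local
# `openssl verify` against a CA bundle can pass while a client that trusts
# only the root still cannot build the chain unless the intermediate is sent.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> wildcard leaf. Every name is constructed.
make_test_pki() {
    # Self-signed root CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" \
        -subj "/CN=Demo Root CA" 2>/dev/null
    # Intermediate CA, signed by the root, marked as a CA
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$WORK/inter.ext"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 2 \
        -extfile "$WORK/inter.ext" -out "$WORK/inter.crt" 2>/dev/null
    # Wildcard leaf, signed by the intermediate (mirrors "*.domain.com")
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=*.example.invalid" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.invalid\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" \
        -CAkey "$WORK/inter.key" -CAcreateserial -days 2 \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
    # A bundle like the one in the post: root plus the vendor's intermediate
    cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/ca-bundle.crt"
}

# verify_with <trusted CA file> <cert> [untrusted intermediates file]
# Prints OK or FAIL. The third argument models the chain a server sends.
verify_with() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 \
            && echo OK || echo FAIL
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
            && echo OK || echo FAIL
    fi
}

make_test_pki
echo "leaf vs bundle (root+intermediate trusted): $(verify_with "$WORK/ca-bundle.crt" "$WORK/leaf.crt")"
echo "leaf vs root only, no intermediate sent:    $(verify_with "$WORK/root.crt" "$WORK/leaf.crt")"
echo "leaf vs root only, intermediate sent:       $(verify_with "$WORK/root.crt" "$WORK/leaf.crt" "$WORK/inter.crt")"
```

The second line of output is the situation a client sees when the server's `tls_certificate` file holds only the leaf: the client trusts the root but never receives the intermediate, so it cannot complete the chain even though the same leaf verifies fine against a bundle that already contains that intermediate. Concatenating the intermediate after the leaf in the served certificate file is what turns the second case into the third.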