Hi Callum,
The error may indicate the fact that the TLS client does not present a
TLS certificate while connecting to your OpenSIPS. This has nothing to
do with the TLS multi domain, which anyhow is supported. As a test,
you can create a separate TLS domain (server) bound to the IP of that
TLS client, the TLS domain having the require_certificate option turned off.
Best Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
OpenSIPS Bootcamp 2017, Houston, US
http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
On 07/25/2017 03:26 PM, Callum Guy wrote:
Hi All,
Running: opensips-2.3.1-1.el7.x86_64 / CentOS 7
I have been working with a new TLS connection and have been having
problems validating their client certificate. My OpenSIPS
configuration works fine for other providers (i.e. Twilio) however I
am seeing the following error messages reported while verify_cert is
enabled:
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: depth = 0
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: subject = /serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local issuer certificate
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error code is 20 (check x509_vfy.h)
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify return:0
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept: New TLS connection from 178.22.140.34:34281 failed to accept
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
Part of my reason for resorting to the mailing list is old mailing
list emails discussing that multi-domain certificates are not
supported by OpenSIPS - is anyone able to confirm if this remains a
problem?
The OpenSSL error code 20 is translated as
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
I have seen other reports that this issue may be related to an
improperly chained certificate - does this sound at all likely?
Any tips on debugging would be greatly appreciated, thanks.
Callum
--
Callum Guy
Head of Information Security
X-on
0333 332 0000 | www.x-on.co.uk
X-on is a trading name of Storacall Technology Ltd a limited company
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
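An added example, not part of the original messages and not OpenSIPS code: a Python script that groups the tls_mgm and proto_tls log lines quoted above into one record per failed connection, so the logged subject, the verify error number and the OpenSSL error-stack entry can be read side by side. The sample input is constructed from the log in the thread (one entry per line, subject shortened); the function name and record fields are assumptions of this example.

```python
import re

# Constructed sample: the log from the thread, one entry per line, subject shortened.
SAMPLE_LOG = """\
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: depth = 0
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: subject = /C=GB/O=SIMWOOD ESMS LIMITED/CN=simwood.com
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local issuer certificate
Jul 25 13:10:32 proxy.ex.com opensips[4881]: NOTICE:tls_mgm:verify_callback: verify return:0
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept: New TLS connection from 178.22.140.34:34281 failed to accept
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

# "opensips[pid]: LEVEL:module:function: message"
ENTRY = re.compile(r"opensips\[(\d+)\]: \w+:\w+:(\w+): (.*)$")
VERIFY_ERR = re.compile(r"verify error:num=(\d+):(.*)")
ACCEPT_FAIL = re.compile(r"New TLS connection from (\S+) failed to accept")
ERRSTACK = re.compile(r"TLS errstack: error:([0-9A-Fa-f]+):[^:]*:([^:]*):(.*)")

def summarise_failures(log_text):
    """Return one dict per failed TLS accept, with the verify state logged before it."""
    pending, last, failures = {}, {}, []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # not an OpenSIPS log entry
        pid, func, msg = m.groups()
        state = pending.setdefault(pid, {"chain": [], "verify_errors": []})
        if func == "verify_callback":
            if msg.startswith("depth = "):
                state["chain"].append({"depth": int(msg[8:]), "subject": None})
            elif msg.startswith("subject = ") and state["chain"]:
                state["chain"][-1]["subject"] = msg[10:]
            elif (e := VERIFY_ERR.match(msg)):
                state["verify_errors"].append((int(e.group(1)), e.group(2)))
        elif (a := ACCEPT_FAIL.match(msg)):
            # Close the record for this worker; the errstack line follows it.
            record = {"peer": a.group(1), "errstack": None, **pending.pop(pid)}
            failures.append(record)
            last[pid] = record
        elif (s := ERRSTACK.match(msg)) and pid in last:
            last[pid]["errstack"] = {"code": s.group(1), "function": s.group(2),
                                     "reason": s.group(3)}
    return failures

if __name__ == "__main__":
    for f in summarise_failures(SAMPLE_LOG):
        print(f["peer"], f["verify_errors"], f["errstack"])
        for cert in f["chain"]:
            print("  depth", cert["depth"], cert["subject"])
```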