You got me there... the doc states

OpenSIPS offers SIP service for multiple domains, e.g. atlanta.com and biloxi.com. Although both domains will be hosted on a single SIP proxy, the SIP proxy needs 2 certificates: One for atlanta.com and one for biloxi.com. For incoming TLS connections

If you need one cert per domain, maybe it implies that you need to have the domain as the CN instead of a SAN?

Kevin 
From: farm...@gmail.com
Sent: November 13, 2020 10:43 a.m.
To: users@lists.opensips.org
Reply to: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] Teams TLS Error

OK so now I have this:

modparam("tls_mgm","certificate", "[my.domain.name]/usr/local/etc/opensips/tls/myCert.pem")
modparam("tls_mgm","private_key", "[my.domain.name]/usr/local/etc/opensips/tls/myKey.key")
modparam("tls_mgm","ca_dir", "/etc/ssl/certs")
modparam("tls_mgm","verify_cert", "[my.domain.name]1")
modparam("tls_mgm","require_cert", "[my.domain.name]1")
modparam("tls_mgm","tls_method", "[my.domain.name]TLSv1_2")
modparam("tls_mgm", "match_sip_domain", "my.domain.name")

But now it claims that my.domain.name is not defined in myCert.pem
I know it is - it is in a SAN within the certificate.

Any suggestions?
Many thanks
Mark.


On Fri, 13 Nov 2020 at 15:12, Kevin Vines <kevin.vi...@gmail.com> wrote:
Hi Mark,

Based on some googling, it looks like you need to specify the domain, e.g.:

modparam("tls_mgm","verify_cert", "[domain.com]1")

Kevin 

Sent: November 13, 2020 9:49 a.m.
Subject: [OpenSIPS-Users] Teams TLS Error

Hi everyone

OpenSIPS 3.1.0

I am following the OpenSIPS as Teams SBC guide and have added the TLS config:

modparam("tls_mgm","verify_cert", "1")
modparam("tls_mgm","require_cert", "1")
modparam("tls_mgm","tls_method", "TLSv1_2")
modparam("tls_mgm","certificate", "/usr/local/etc/opensips/tls/myCert.pem")
modparam("tls_mgm","private_key", "/usr/local/etc/opensips/tls/myKey.key")
modparam("tls_mgm", "ca_dir", "/etc/ssl/certs")

But I am seeing a TLS domain error:

Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain name
Nov 13 14:36:50 [175314] Traceback (last included file at the bottom):
Nov 13 14:36:50 [175314]  0. /usr/local//etc/opensips/opensips.cfg
Nov 13 14:36:50 [175314] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/opensips.cfg:191:19-20: Parameter <verify_cert> not found in module <tls_mgm> - can't set
Nov 13 14:36:50 [175314] #modparam("tls_mgm", "require_cert", "[dom4]1")
Nov 13 14:36:50 [175314]
Nov 13 14:36:50 [175314] modparam("tls_mgm","verify_cert", "1")
Nov 13 14:36:50 [175314] ^~
Nov 13 14:36:50 [175314] modparam("tls_mgm","require_cert", "1")
Nov 13 14:36:50 [175314] modparam("tls_mgm","tls_method", "TLSv1_2")
Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm
Nov 13 14:36:50 [175314] DBG:core:set_mod_param_regex: found <require_cert> in module tls_mgm [/usr/local/lib64/opensips/modules/]
Nov 13 14:36:50 [175314] ERROR:tls_mgm:split_param_val: No TLS domain name

Can anyone tell me what I might be missing please?

Many thanks
Mark.

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
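
The log in the first post shows `No TLS domain name` next to untagged `tls_mgm` values, and the first reply suggests a `[domain]` prefix. As an added example (not code from any poster in this thread or from the OpenSIPS project), this Python lint flags untagged values in a config; the parameter list and the name `lint_tls_mgm` are assumptions drawn from the configs posted above.

```python
import re

# Parameters the thread shows carrying a "[domain]" tag (assumption: this
# list is taken from the messages above, not from the tls_mgm documentation).
PER_DOMAIN = {"certificate", "private_key", "verify_cert", "require_cert", "tls_method"}

MODPARAM = re.compile(
    r'^\s*modparam\(\s*"tls_mgm"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')
TAGGED = re.compile(r'^\[([^\]]+)\](.*)$')


def lint_tls_mgm(cfg_text):
    """Return (findings, domains): untagged per-domain params and the tags seen."""
    findings, domains = [], {}
    for lineno, line in enumerate(cfg_text.splitlines(), start=1):
        m = MODPARAM.match(line)  # commented-out lines start with '#' and never match
        if not m or m.group(1) not in PER_DOMAIN:
            continue
        name, value = m.groups()
        tag = TAGGED.match(value)
        if tag and tag.group(2):
            # Tagged value: record which parameters are set for this domain tag.
            domains.setdefault(tag.group(1), []).append(name)
        else:
            # No "[domain]" prefix (or nothing after it): report the line.
            findings.append((lineno, name, value))
    return findings, domains


# Constructed sample mixing lines from the two configurations posted in the thread.
SAMPLE = '''\
#modparam("tls_mgm", "require_cert", "[dom4]1")
modparam("tls_mgm","verify_cert", "1")
modparam("tls_mgm","require_cert", "[my.domain.name]1")
modparam("tls_mgm","tls_method", "TLSv1_2")
modparam("tls_mgm","certificate", "[my.domain.name]/usr/local/etc/opensips/tls/myCert.pem")
modparam("tls_mgm", "ca_dir", "/etc/ssl/certs")
'''

if __name__ == "__main__":
    findings, domains = lint_tls_mgm(SAMPLE)
    for lineno, name, value in findings:
        print(f"line {lineno}: {name}={value!r} has no [domain] tag")
    for dom, params in domains.items():
        print(f"domain {dom}: {', '.join(params)}")
```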

