Hi,

OK, so your OpenSIPS is the client from a TLS point of view. So, you need to help OpenSIPS to figure out which TLS client domain to use. The simplest ways to do it are by forcing directly the name of the TLS client domain (see [1]) or by setting a SIP domain (see [2]) that matches "match_sip_domain" in your TLS client domain.

[1] https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_client_tls_domain_avp
[2] https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_client_sip_domain_avp

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
  https://www.siphub.com
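
The two options named in the reply above, written out as an OpenSIPS 3.4 script fragment. This is an added example, not configuration posted by anyone in the thread: the AVP names `tls_client_dom` and `tls_sip_dom`, the route names and the `$du` value are assumptions, while the domain name `client` and `sbc.mydomain.com` come from the quoted config. It assumes the tm and proto_tls modules are already loaded.

```opensips
loadmodule "tls_mgm.so"

# TLS client domain, as defined in the quoted config
modparam("tls_mgm", "client_domain", "client")
modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")

# AVPs that tls_mgm consults when an outgoing TLS connection is opened
# (the AVP names are assumptions chosen for this example)
modparam("tls_mgm", "client_tls_domain_avp", "tls_client_dom")   # option [1]
modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")      # option [2]

# Option [1]: force the TLS client domain by its name
route[teams_by_tls_domain] {
    $avp(tls_client_dom) = "client";
    $du = "sip:sip.pstnhub.microsoft.com:5061;transport=tls";
    t_relay();
}

# Option [2]: supply a SIP domain equal to the client domain's match_sip_domain
route[teams_by_sip_domain] {
    $avp(tls_sip_dom) = "sbc.mydomain.com";
    $du = "sip:sip.pstnhub.microsoft.com:5061;transport=tls";
    t_relay();
}
```

The quoted config also sets `verify_cert` to 0 on the client domain, so the remote certificate is not validated; turning it on requires a `ca_list` that contains the CA chain of the remote side.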

On 10.03.2025 18:49, Thiago Lopes wrote:
Hello,

I tried to change this option, change from self-signed to true certificate, change the listeners and even change the DRouting module to Dispatcher.

Microsoft's documentation says that an SBC must send a packet to them, so they will answer back and will send an OPTIONS packet as soon as the TLS connection was made successfully.

So, when I send the first packet, I will act as a client TLS user. I thought the 'client domain' part, in module configuration was the problem. But even changing the 'server' part too, the result was the same.

    /usr/sbin/opensips[676690]: DBG:proto_tls:proto_tls_send: no open tcp connection found, opening new one, async = 1
    /usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff: getsockopt: snd is initially 16384
    /usr/sbin/opensips[676690]: DBG:core:probe_max_sock_buff: using snd buffer of 416 kb
    /usr/sbin/opensips[676690]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5
    /usr/sbin/opensips[676681]: WARNING:core:utimer_ticker: utimer task <tm-utimer> already scheduled 100 ms ago (now 35900 ms), delaying execution
    /usr/sbin/opensips[676690]: DBG:core:tcp_async_connect: Polling is overdue
    /usr/sbin/opensips[676690]: DBG:core:tcp_async_connect: Create connection for async connect
    /usr/sbin/opensips[676690]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.32.169
    /usr/sbin/opensips[676690]: DBG:core:tcpconn_new: on port 5061, proto 3
    /usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
    /usr/sbin/opensips[676690]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f027cb1d070
    /usr/sbin/opensips[676690]: DBG:core:tcpconn_destroy: delaying (0x7f027cb1d070, flags 0018) ref = -1 ...
    /usr/sbin/opensips[676690]: ERROR:core:tcp_async_connect: tcp_conn_create failed
    /usr/sbin/opensips[676690]: ERROR:proto_tls:proto_tls_send: async TCP connect failed


Thank you for your help.

Regards,

On Mon, Mar 10, 2025 at 4:33 AM Bogdan-Andrei Iancu <[email protected]> wrote:

    Hi,

    For the incoming TLS connections, the right TLS server domain is
    selected based either on the IP address (of OpenSIPS's listener)
    or on the SIP domain (if SNI is used).

    So, maybe SNI is not used in your case, so you should define a
    match_ip_address:

    https://opensips.org/html/docs/modules/3.4.x/tls_mgm.html#param_match_ip_address

    Regards,

    Bogdan-Andrei Iancu

    OpenSIPS Founder and Developer
       https://www.opensips-solutions.com
       https://www.siphub.com

    On 07.03.2025 23:10, Thiago Lopes via Users wrote:
    Hi everyone,

    I'm trying to integrate Ms Teams and Opensips and I'm having some
    problems.

    I tried to use self-signed and Letsencrypt certificates, with no
    success. I always receive a 'no TLS client domain found'.

    /usr/sbin/opensips[505412]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
    /usr/sbin/opensips[505412]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f7220f343b0
    /usr/sbin/opensips[505412]: ERROR:core:tcp_async_connect: tcp_conn_create failed

    Here my opensips.cfg:

    loadmodule "tls_mgm.so"

    /*#first the  server domain */
    modparam("tls_mgm", "server_domain", "default")
    modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
    modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
    modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
    modparam("tls_mgm", "match_sip_domain", "[default]sbc.mydomain.com")
    modparam("tls_mgm", "verify_cert", "[default]0")
    #modparam("tls_mgm", "require_cert", "[default]1")
    #modparam("tls_mgm", "ciphers_list", "[default]AES128-SHA256:AES256-SHA")
    modparam("tls_mgm", "tls_method", "[default]SSLv23")


    # #and the client domain
    modparam("tls_mgm", "client_domain", "client")
    modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
    modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
    modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
    #modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/sbc.mydomain.com/")
    modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")

    modparam("tls_mgm", "verify_cert", "[client]0")
    # modparam("tls_mgm", "require_cert", "[client]1")
    # modparam("tls_mgm", "ciphers_list", "[client]AES128-SHA256:AES256-SHA")
    modparam("tls_mgm", "tls_method", "[client]SSLv23")

    I also changed the certificates, using self signed in "server
    domain" only or "client domain" only. Same result.

    Using openssl to verify the certificates, I receive an OK in
    console:

    fullchain.pem: OK

    The inter.pem is the file with the root and
    intermediate Letsencrypt certificates.

    On the Ms Teams side, I checked the FQDN used, checked the
    firewall ports etc.

    I followed this tutorial:
    https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/ ,
    so I'm using the Dynamic Routing module to send the OPTIONS
    packet. The opensips start the communication using TLS, I see the
    packets using TLS in 5061 port, but when Opensips will answer,
    this message appears on the console and the connection is closed.

    /usr/sbin/opensips[505398]: ERROR:tm:t_uac: attempt to send to 'sip:sip.pstnhub.microsoft.com' failed
    /usr/sbin/opensips[505398]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
    /usr/sbin/opensips[505398]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f7220f4df40

    What am I not seeing? Did someone pass through this problem?
    Best regards

    _______________________________________________
    Users mailing list
    [email protected]
    http://lists.opensips.org/cgi-bin/mailman/listinfo/users
