The configuration values for the “client_sip_domain_avp” and
“client_tls_domain_avp” modparams are supposed to be the names of AVP
variables, not domain names. They also represent 2 different ways to specify
the desired client. The “match_ip_address” modparam is a third way to specify
the client, or can be used in conjunction with SIP domain for additional
flexibility.
First, if you only have one client as in your config example then both IP and
domain matching are unnecessary. You can simply specify the client to match
everything and all outbound TLS will use that client:
modparam("tls_mgm", "match_ip_address", "[client]*")
modparam("tls_mgm", "match_sip_domain", "[client]*")
If you do have multiple clients or you just want to directly specify the client
anyway, then you can choose one of the methods to do so.
A. SIP Domain/IP Matching (see [1], [2], [3], [4])
1. Specify the SIP domain and/or IP which matches the client using the
respective modparams:
modparam("tls_mgm", "match_ip_address", "[client]x.x.x.x:5061")
modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
2. Specify the name of the AVP which your config script will populate with the
SIP domain value to be used for matching against the client. This is only
required if you want SIP Domain matching; it’s not required for IP matching.
modparam("tls_mgm", "client_sip_domain_avp", "tls_client_sip")
3. In your config script, set the named AVP to the appropriate domain for the
message currently being processed. This could be the Request-URI domain ($rd),
Destination URI domain ($dd), or anything else you like.
$avp(tls_client_sip) := "sbc.mydomain.com"; // or $rd or $dd or whatever
B. TLS Client Name Matching (see [5])
1. Specify the TLS client domain name via the modparam:
modparam("tls_mgm", "client_domain", "client")
2. Specify the name of the AVP which your config script will populate with the
TLS client name to be used:
modparam("tls_mgm", "client_tls_domain_avp", "tls_client_name")
3. In your config script, set the named AVP to the name of the TLS client you
wish to use for the message currently being processed.
$avp(tls_client_name) := "client";
[1] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_match_sip_domain
[2] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_match_ip_address
[3] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_client_sip_domain_avp
[4] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#domains-param
[5] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_client_tls_domain_avp
Ben Newlin
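Both methods from the reply above combined in one outbound setup with two TLS clients, as an added example that is not part of the original thread. The client names "teams" and "carrier", the host names, the certificate paths and the relay_tls route are assumptions, and the tm module is assumed to be loaded for t_relay().

```cfg
# Added example; client names, hosts, paths and the route name are hypothetical.
loadmodule "tls_mgm.so"
loadmodule "proto_tls.so"

# Client "teams": selected by TLS client name (method B).
modparam("tls_mgm", "client_domain", "teams")
modparam("tls_mgm", "certificate", "[teams]/etc/opensips/tls/teams/fullchain.pem")
modparam("tls_mgm", "private_key", "[teams]/etc/opensips/tls/teams/privkey.pem")
modparam("tls_mgm", "ca_list", "[teams]/etc/opensips/tls/teams/ca.pem")
modparam("tls_mgm", "verify_cert", "[teams]1")    # verify the peer certificate

# Client "carrier": selected by SIP domain matching (method A).
modparam("tls_mgm", "client_domain", "carrier")
modparam("tls_mgm", "certificate", "[carrier]/etc/opensips/tls/carrier/fullchain.pem")
modparam("tls_mgm", "private_key", "[carrier]/etc/opensips/tls/carrier/privkey.pem")
modparam("tls_mgm", "ca_list", "[carrier]/etc/opensips/tls/carrier/ca.pem")
modparam("tls_mgm", "verify_cert", "[carrier]1")  # verify the peer certificate
modparam("tls_mgm", "match_sip_domain", "[carrier]carrier.example.net")

# These two values are AVP *names*. A domain name such as "sbc.mydomain.com"
# here only names an AVP that the script never sets.
modparam("tls_mgm", "client_tls_domain_avp", "tls_client_name")
modparam("tls_mgm", "client_sip_domain_avp", "tls_client_sip")

route[relay_tls] {
    if ($rd == "teams.example.net") {
        # Method B: name the TLS client directly.
        $avp(tls_client_name) := "teams";
    } else {
        # Method A: supply the SIP domain that is compared with match_sip_domain.
        $avp(tls_client_sip) := $rd;
    }
    t_relay();
}
```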
From: Users <[email protected]> on behalf of Thiago Lopes via
Users <[email protected]>
Date: Tuesday, March 11, 2025 at 12:49 PM
To: Bogdan-Andrei Iancu <[email protected]>
Cc: OpenSIPS users mailling list <[email protected]>
Subject: Re: [OpenSIPS-Users] MS Teams and SBC integration
________________________________
Hi Bogdan-Andrei,
I already did this too. The result in the log file was the same.
Actually, even after changing the tls_mgm module, or switching from openssl to
wolfssl, I saw that the module that answers with the error is proto_tls:
/usr/sbin/opensips[4634]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5
/usr/sbin/opensips[4634]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.76.76
/usr/sbin/opensips[4634]: DBG:core:tcpconn_new: on port 5061, proto 3
/usr/sbin/opensips[4634]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
/usr/sbin/opensips[4634]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f794a63d080
/usr/sbin/opensips[4634]: DBG:core:tcpconn_destroy: delaying (0x7f794a63d080, flags 0018) ref = -1 ...
My actual cfg file:
#loadmodule "tls_openssl.so"
loadmodule "tls_wolfssl.so"
####TLS module
loadmodule "tls_mgm.so"
/*#first the server domain */
modparam("tls_mgm", "server_domain", "default")
modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
modparam("tls_mgm", "match_ip_address", "[default]x.x.x.x:5061")
modparam("tls_mgm", "match_sip_domain", "[default]sbc.mydomain.com")
#modparam("tls_mgm", "verify_cert", "[default]0")
#modparam("tls_mgm", "require_cert", "[default]1")
#modparam("tls_mgm", "ciphers_list", "[default]AES128-SHA256:AES256-SHA")
modparam("tls_mgm", "tls_method", "[default]SSLv23")
# #and the client domain
modparam("tls_mgm", "client_domain", "client")
modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
#modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/sbc.mydomain.com/")
modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
modparam("tls_mgm", "match_ip_address", "[client]x.x.x.x:5061")
#modparam("tls_mgm", "verify_cert", "[client]0")
# modparam("tls_mgm", "require_cert", "[client]1")
# modparam("tls_mgm", "ciphers_list", "[client]AES128-SHA256:AES256-SHA")
modparam("tls_mgm", "tls_method", "[client]SSLv23")
modparam("tls_mgm", "tls_library", "wolfssl")
#modparam("tls_mgm", "tls_handshake_timeout", 300)
modparam("tls_mgm", "client_sip_domain_avp", "sbc.mydomain.com")
modparam("tls_mgm", "client_tls_domain_avp", "sbc.mydomain.com")
loadmodule "proto_tls.so"
#modparam("proto_tls", "tls_async", 0)
modparam("proto_tls", "tls_handshake_timeout", 300)
modparam("proto_tls", "tls_send_timeout", 2000)
modparam("proto_tls", "tls_max_msg_chunks", 8)
modparam("proto_tls", "cert_check_on_conn_reusage", 1)
Enabling or not the client_sip_domain_avp, client_tls_domain_avp,
match_sip_domain and match_ip_address, in any order, does not show any
different results.
I thought maybe of making a rollback from 3.4.11 to another version where
someone did this connection with Teams successfully.
In past threads here on this list I read that some fellows ran into the same
error. But there was an error in the cfg file. I did several alterations in
this file, modules and certificates. The only change that I didn't make was
changing the version.