Hey Ben,

Thank you for your email. I really misunderstood this topic and wrote it wrong.

Now finally I have a new error. It's about the local issuer certificate. I'm using Let's Encrypt and Microsoft's using DigiCert as CA:

/usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: depth = 1, verify failure
/usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: subject = /C=US/O=Microsoft Corporation/CN=Microsoft Azure RSA TLS Issuing CA 03
/usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: issuer = /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
/usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: verify error: unable to get local issuer certificate [error=20]
/usr/sbin/opensips[24021]: ERROR:tls_openssl:openssl_tls_async_connect: New TLS connection to 52.114.132.46:5061 failed

I'll troubleshoot this error, and make some tests using openssl to see what happens here.

Thank you for your help.

Regards,

On Tue, Mar 11, 2025 at 3:09 PM Ben Newlin <[email protected]> wrote:

> The configuration values for the "client_sip_domain_avp" and
> "client_tls_domain_avp" modparams are supposed to be the names of AVP
> variables, not domain names. They also represent 2 different ways to
> specify the desired client. The "match_ip_address" modparam is a third way
> to specify the client, or can be used in conjunction with SIP domain for
> additional flexibility.
>
> First, if you only have one client as in your config example then both IP
> and domain matching are unnecessary. You can simply specify the client to
> match everything and all outbound TLS will use that client:
>
> src/main/config/forward/module.cfg:45:modparam("tls_mgm", "match_ip_address", "[ client]*")
> src/main/config/forward/module.cfg:46:modparam("tls_mgm", "match_sip_domain", "[ client]*")
>
> If you do have multiple clients or you just want to directly specify the
> client anyway, then you can choose one of the methods to do so.
>
> A. SIP Domain/IP Matching (see [1], [2], [3], [4])
>
> 1. Specify the SIP domain and/or IP which matches the client using the
> respective modparams:
>
> modparam("tls_mgm", "match_ip_address", "[client]x.x.x.x:5061")
> modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
>
> 2. Specify the name of the AVP which your config script will populate with
> the SIP domain value to be used for matching against the client. This is
> only required if you want SIP Domain matching; it's not required for IP
> matching.
>
> modparam("tls_mgm", "client_sip_domain_avp", "tls_client_sip")
>
> 3. In your config script, set the named AVP to the appropriate domain for
> the message currently being processed. This could be the Request-URI domain
> ($rd), Destination URI domain ($dd), or anything else you like.
>
> $avp(tls_client_sip) := "sbc.mydomain.com"; // or $rd or $dd or whatever
>
> B. TLS Client Name Matching (see [5])
>
> 1. Specify the TLS client domain name via the modparam:
>
> modparam("tls_mgm", "client_domain", "client")
>
> 2. Specify the name of the AVP which your config script will populate with
> the TLS client name to be used:
>
> modparam("tls_mgm", "client_tls_domain_avp", "tls_client_name")
>
> 3. In your config script, set the named AVP to the name of the TLS client
> you wish to use for the message currently being processed.
>
> $avp(tls_client_name) := "client";
>
> [1] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_match_sip_domain
> [2] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_match_ip_address
> [3] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_client_sip_domain_avp
> [4] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#domains-param
> [5] - https://opensips.org/html/docs/modules/3.6.x/tls_mgm.html#param_client_tls_domain_avp
>
> Ben Newlin
>
> *From: *Users <[email protected]> on behalf of Thiago
> Lopes via Users <[email protected]>
> *Date: *Tuesday, March 11, 2025 at 12:49 PM
> *To: *Bogdan-Andrei Iancu <[email protected]>
> *Cc: *OpenSIPS users mailling list <[email protected]>
> *Subject: *Re: [OpenSIPS-Users] MS Teams and SBC integration
>
> * EXTERNAL EMAIL - Please use caution with links and attachments *
>
> ------------------------------
>
> Hi Bogdan-Andrei,
>
> I already did this too. The result in the log file was the same.
>
> Actually, even with changing the tls_mgm module, or from openssl to
> wolfssl, I saw that the module which answers with an error is proto_tls:
>
> /usr/sbin/opensips[4634]: DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 5
> /usr/sbin/opensips[4634]: DBG:core:print_ip: tcpconn_new: new tcp connection to: 52.114.76.76
> /usr/sbin/opensips[4634]: DBG:core:tcpconn_new: on port 5061, proto 3
> * /usr/sbin/opensips[4634]: ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found*
> /usr/sbin/opensips[4634]: ERROR:core:tcp_conn_create: failed to do proto 3 specific init for conn 0x7f794a63d080
> /usr/sbin/opensips[4634]: DBG:core:tcpconn_destroy: delaying (0x7f794a63d080, flags 0018) ref = -1 ...
>
> My actual cfg file:
>
> #loadmodule "tls_openssl.so"
> loadmodule "tls_wolfssl.so"
>
> ####TLS module
> loadmodule "tls_mgm.so"
> /*#first the server domain */
> modparam("tls_mgm", "server_domain", "default")
> modparam("tls_mgm", "certificate", "[default]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
> modparam("tls_mgm", "private_key", "[default]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
> modparam("tls_mgm", "ca_list", "[default]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
> modparam("tls_mgm", "match_ip_address", "[default]x.x.x.x:5061")
> modparam("tls_mgm", "match_sip_domain", "[default]sbc.mydomain.com")
> #modparam("tls_mgm", "verify_cert", "[default]0")
> #modparam("tls_mgm", "require_cert", "[default]1")
> #modparam("tls_mgm", "ciphers_list", "[default]AES128-SHA256:AES256-SHA")
> modparam("tls_mgm", "tls_method", "[default]SSLv23")
>
> # #and the client domain
>
> modparam("tls_mgm", "client_domain", "client")
> modparam("tls_mgm", "certificate", "[client]/etc/letsencrypt/live/sbc.mydomain.com/fullchain.pem")
> modparam("tls_mgm", "private_key", "[client]/etc/letsencrypt/live/sbc.mydomain.com/privkey.pem")
> modparam("tls_mgm", "ca_list", "[client]/etc/letsencrypt/live/sbc.mydomain.com/inter.pem")
> #modparam("tls_mgm", "ca_dir", "[client]/etc/letsencrypt/live/sbc.mydomain.com/")
> modparam("tls_mgm", "match_sip_domain", "[client]sbc.mydomain.com")
> modparam("tls_mgm", "match_ip_address", "[client]x.x.x.x:5061")
>
> #modparam("tls_mgm", "verify_cert", "[client]0")
> # modparam("tls_mgm", "require_cert", "[client]1")
> # modparam("tls_mgm", "ciphers_list", "[client]AES128-SHA256:AES256-SHA")
> modparam("tls_mgm", "tls_method", "[client]SSLv23")
>
> modparam("tls_mgm", "tls_library", "wolfssl")
> #modparam("tls_mgm", "tls_handshake_timeout", 300)
> modparam("tls_mgm", "client_sip_domain_avp", "sbc.mydomain.com")
> modparam("tls_mgm", "client_tls_domain_avp", "sbc.mydomain.com")
>
> loadmodule "proto_tls.so"
> #modparam("proto_tls", "tls_async", 0)
> modparam("proto_tls", "tls_handshake_timeout", 300)
> modparam("proto_tls", "tls_send_timeout", 2000)
> modparam("proto_tls", "tls_max_msg_chunks", 8)
> modparam("proto_tls", "cert_check_on_conn_reusage", 1)
>
> Enabling or not the client_sip_domain_avp, client_tls_domain_avp,
> match_sip_domain and match_ip_address in any order does not show any
> different results.
>
> I thought maybe to make a rollback, from 3.4.11 to another version where
> someone did this connection with Teams successfully.
>
> In past versions here in this list I read that some fellows passed to the
> same error. But there was an error in the cfg file. I did several
> alterations in this file, modules and certificates. The only change that I
> didn't make was changing the version.
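The `error=20` in the log above means the verifier could not find the certificate named in `issuer` among the CAs it was told to trust. As an added example (not part of the original thread or of OpenSIPS), this Python script parses those `verify_callback` lines and reports which issuer DN is absent from a PEM bundle such as the file a `ca_list` modparam names; the function names are hypothetical and the log text is a constructed copy of the lines quoted in the message.

```python
import re
import ssl

# Constructed sample: the verify_callback lines quoted in the message above.
SAMPLE_LOG = """\
/usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: depth = 1, verify failure
/usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: subject = /C=US/O=Microsoft Corporation/CN=Microsoft Azure RSA TLS Issuing CA 03
/usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: issuer = /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
/usr/sbin/opensips[24021]: NOTICE:tls_openssl:verify_callback: verify error: unable to get local issuer certificate [error=20]
"""

LINE = re.compile(r"opensips\[(\d+)\]: NOTICE:tls_openssl:verify_callback: (.*)")
# OpenSSL short attribute names -> the long names Python's ssl module reports.
SHORT = {"C": "countryName", "O": "organizationName",
         "OU": "organizationalUnitName", "CN": "commonName"}

def parse_failures(log):
    """Group verify_callback lines into one record per failed check, per PID."""
    done, cur = [], {}
    for m in filter(None, map(LINE.search, log.splitlines())):
        pid, msg = int(m.group(1)), m.group(2).strip()
        if d := re.match(r"depth = (\d+)", msg):
            cur[pid] = {"pid": pid, "depth": int(d.group(1))}
        elif pid in cur and msg.startswith(("subject = ", "issuer = ")):
            key, dn = msg.split(" = ", 1)
            cur[pid][key] = dn
        elif pid in cur and (e := re.match(r"verify error: (.*) \[error=(\d+)\]", msg)):
            rec = cur.pop(pid)
            rec["reason"], rec["error"] = e.group(1), int(e.group(2))
            done.append(rec)
    return done

def dn_tuple(oneline):
    """'/C=US/O=...' -> ssl-module subject tuple. Assumes no '/' inside values."""
    parts = [p.split("=", 1) for p in oneline.strip("/").split("/") if "=" in p]
    return tuple(((SHORT.get(k, k), v),) for k, v in parts)

def load_bundle(path):
    """CA certificates found in a PEM bundle, e.g. the file ca_list points to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()

def missing_issuers(log, ca_certs):
    """Issuer DNs from error=20 records that no certificate in ca_certs carries."""
    have = {c["subject"] for c in ca_certs}
    return [r["issuer"] for r in parse_failures(log)
            if r["error"] == 20 and "issuer" in r and dn_tuple(r["issuer"]) not in have]
```

Run `missing_issuers(log_text, load_bundle(path))` with the path configured in `ca_list` for the client domain; an empty list means the bundle already contains every issuer the log complained about.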
