0
votes

I am trying to set up certificate verification in OpenSIPS along with the Blink SIP client. I followed the tutorial:

https://github.com/antonraharja/book-opensips-101/blob/master/content/3.2.%20SIP%20TLS%20Secure%20Calling.mediawiki

My config looks like so:

[opensips.cfg]
disable_tls = no
listen = tls:my_ip:5061
tls_verify_server = 0
tls_verify_client = 1
tls_require_client_certificate = 1
#tls_method = TLSv1
tls_method = SSLv23
tls_certificate = "/usr/local/etc/opensips/tls/server/server-cert.pem"
tls_private_key = "/usr/local/etc/opensips/tls/server/server-privkey.pem"
tls_ca_list = "/usr/local/etc/opensips/tls/server/server-calist.pem"

So I generated the rootCA and the server certificate. Then I took the server-calist.pem, added the server-privkey.pem to it (otherwise the Blink SIP client won't load it) and set it in the client. I also set the server-calist.pem as a certificate authority in Blink. But when I try to log in to my server I get:

Feb  4 21:02:42 user /usr/local/sbin/opensips[28065]: DBG:core:tcp_read_req: Using the global ( per process ) buff
Feb  4 21:02:42 user /usr/local/sbin/opensips[28065]: DBG:core:tls_update_fd: New fd is 17
Feb  4 21:02:42 user /usr/local/sbin/opensips[28065]: ERROR:core:tls_accept: New TLS connection from 130.85.9.114:48253 failed to accept: rejected by client

So I assume that the client doesn't accept the server certificate for some reason, although I have the "Verify server" checkbox turned off in my Blink SIP client! I think I have the wrong certificate authority file.

./user/user-cert.pem
./user/user-cert_req.pem
./user/user-privkey.pem
./user/user-calist.pem     <- these 4 are for using OpenSIPS as a client, I think
./rootCA/certs/01.pem
./rootCA/private/cakey.pem
./rootCA/cacert.pem
./server/server-privkey.pem
./server/server-calist.pem
./server/server-cert.pem
./server/server-cert_req.pem
./calist.pem

Can anybody help? Did I do something wrong in the config, or did I use the wrong certificate chain? What certificate exactly should be used by the client as the client cert, and which as the CA certificate?

1
I have the impression that the SSL_accept() is actually failing on the server side! Could you try cleaning up your Blink certificates, and let it use the ones from your OpenSIPS? - Liviu Chircu

@LiviuChircu I will try it and tell you what I get. - Raziel

@LiviuChircu I removed the 'tls' folder from the Blink program files folder, and added server-calist.pem with server-privkey.pem as an account key, and server-calist.pem (which is the same as /rootCA/cacert.pem) as a certificate authority file. I still get the same:
Feb 5 01:04:07 user /usr/local/sbin/opensips[30040]: DBG:core:tls_update_fd: New fd is 17
Feb 5 01:04:07 user /usr/local/sbin/opensips[30040]: ERROR:core:tls_accept: New TLS connection from 130.85.9.114:51297 failed to accept: rejected by client
- Raziel

@LiviuChircu Also the log configuration is: debug=6 log_stderror=no log_facility=LOG_LOCAL0 - Raziel

@LiviuChircu I tried placing the wrong pem cert, which was generated by Asterisk, and got the following log: pastebin.com/xGmmVeZj . It still says rejected by client, but I think you're right, it's actually the server side which is closing the connection. I also tried removing all the certificates from Blink, and tried again. I got rejected by client again, but without any verify notifications, which appear when you place the wrong cert. - Raziel

1 Answer

0
votes

All right, I'm still not sure if it is working or not, because the authorization behaviour became weird, but after it hangs for 5-6 minutes I get the successful authorization, so this is a solution:

Generate rootCA:

opensipsctl tls rootCA

then edit the server.conf file in your OpenSIPS tls folder and set commonName = xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is your server IP address. Other variables can be edited in any way. Generate the certificates signed by the CA:

opensipsctl tls userCERT server

This will produce 4 files. Download the server-calist.pem, server-cert.pem and server-privkey.pem. Open the server-privkey.pem, copy its content and paste it into the file server-cert.pem, before the actual certificate. If you are using Blink, the produced server-cert.pem goes in Preferences -> Account -> Advanced, and server-calist.pem goes into Preferences -> Advanced. After that, restart Blink, and after 5-6 minutes your account is going to be logged in. But I've observed a weird behaviour: if you run another copy of Blink and try to log into the other existing account after you're logged in from the first one with the certificates, you can log in from the other account without providing the certificates. So I don't know, but I think it's working.

P.S. I asked about the certificates on the OpenSIPS mailing list, but I guess they found my question too lame, so I didn't get a response. If you have the same problem and got better results or an answer from OpenSIPS support, please let me know.