Fwd: TLS call failed

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Fwd: TLS call failed

doolin wu

I tried to get help from users group, but seems nobody can help me. So, I foward the email to developers group and hope get answer here.


---------- Forwarded message ----------
From: doolin wu <[hidden email]>
Date: Tue, Feb 2, 2010 at 3:09 PM
Subject: TLS call failed
To: [hidden email]

I'm trying use TLS feature of OpenSIPS-1.5-tls. TLS was configured and server run successfully.
I tried to make 2 SIP UAs work with my OpenSIPS-1.5-tls, but all of them are failed.
Here is my settings:
    tls_verify_server = 0
    tls_verify_client = 0
    tls_require_client_certificate = 0
    tls_method = TLSv1
    tls_certificate = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-cert.pem"
    tls_private_key = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-privkey.pem"
    tls_ca_list = "/usr/local/opensips.1.5.tls//etc/opensips/tls/user/user-calist.pem"
    The self-signed rootCA (tls\rootCA\cacert.pem)  was imported in to client successfully
First one UA is VoIP client on NOKIA N97. Client register to SIP server with TLS successfully, but when make call from N97 to others I got error code 477 Send failed (477/TM).
I traced opensips, looks like opensips tried to forward the invite to callee, but the tls socket failed to send the request.
Logs from opensips here:
Feb  2 07:19:32 [5779] ERROR:core:tcp_send: failed to send
Feb  2 07:19:32 [5779] ERROR:tm:msg_send: tcp_send failed
Feb  2 07:19:32 [5779] ERROR:tm:t_forward_nonack: sending request failed
Feb  2 07:19:32 [5779] DBG:tm:t_relay_to: t_forward_nonack returned error
Feb  2 07:19:32 [5779] DBG:core:parse_headers: flags=ffffffffffffffff
Feb  2 07:19:32 [5779] DBG:core:check_via_address: params,, 0
Feb  2 07:19:32 [5779] DBG:tm:cleanup_uac_timers: RETR/FR timers reset
Feb  2 07:19:32 [5779] DBG:tm:set_timer: relative timeout is 30
Feb  2 07:19:32 [5779] DBG:tm:insert_timer_unsafe: [0]: 0xb61a180c (92)
Feb  2 07:19:32 [5779] DBG:core:tcp_send: tcp connection found (0xb61d7908), acquiring fd
Feb  2 07:19:32 [5779] DBG:core:tcp_send: c= 0xb61d7908, n=8
Feb  2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, 2, fd 41 from 16 (5779)
Feb  2 07:19:32 [5787] DBG:core:tcpconn_add: hashes: 719, 4
Feb  2 07:19:32 [5787] DBG:core:io_watch_add: io_watch_add(0x817bbc0, 41, 2, 0xb61f4b48), fd_no=31
Feb  2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, -2, fd -1 from 16 (5779)
Feb  2 07:19:32 [5787] DBG:core:io_watch_del: io_watch_del (0x817bbc0, 41, -1, 0x10) fd_no=32 called
Feb  2 07:19:32 [5787] DBG:core:tcpconn_destroy: destroying connection 0xb61f4b48, flags 0002
Feb  2 07:19:32 [5787] DBG:core:tls_close: closing SSL connection
Feb  2 07:19:32 [5787] DBG:core:tls_update_fd: New fd is 41
Feb  2 07:19:32 [5787] DBG:core:tls_shutdown: shutdown successful
Feb  2 07:19:32 [5787] DBG:core:tls_tcpconn_clean: entered
Feb  2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61d7908, 1, fd -1 from 16 (5779)
Feb  2 07:19:32 [5779] DBG:core:tcp_send: after receive_fd: c= 0xb61d7908 n=4 fd=34
Feb  2 07:19:32 [5779] DBG:core:tcp_send: sending...
Feb  2 07:19:32 [5779] DBG:core:tls_update_fd: New fd is 34
Feb  2 07:19:32 [5779] DBG:core:tls_write: write was successful (374 bytes)
Feb  2 07:19:32 [5779] DBG:core:tcp_send: after write: c= 0xb61d7908 n=374 fd=34
Feb  2 07:19:32 [5779] DBG:core:tcp_send: buf=
Could some one help to have a look the problem?
Meanwhile, I use eyebeam 1.5 as client. Things more bad as the register failed.
I traced eyebeam and found the eyebeam failed when verify server's certificate. Here I have something unclear about use the certificates between client and server.
To configure run opensips with TLS(just talk about the self-signed case), we should create two certififcates. one is self-signed rootCA (tls\rootCA\cacert.pem), another one is a certificate signed by rootCA (tls\user\user-cert.pem).  The server hold rootCA by config tls_ca_list and send certificate (by config tls_certificate) to client when handshark with client.
My question is how to config certificate in client side. In these two cases (use N97 and eyebeam), I just imported the rootCA to my client.
Is it right for config certificate on client? N97 seems OK with the rootCA. But eyebeam failed. The guidline of eyebeam says:
During the TLS handshke, the TLS server has to send to the client the whole chain of certificate excepting the root certificate; the client must posses the root certificate otherwise the authentication cannot happen.
Any idea to config opensips send 'the whole chain of certificate excepting the root certificate' ?
Thanks for your kindly support.

Steven Wu
Teleca Mobile Solution

Devel mailing list
[hidden email]