TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5


Ali Pey
Hello,

My OpenSIPS server is just a registrar server and I have enabled TLS with the following settings:

listen=tls:xx.xx.xx.xx:5061
disable_tls=no
tls_certificate="/etc/opensips/pbx-bundle.crt"
tls_private_key="/etc/opensips/pbx.key"


When my SIP phones try to open a TLS connection, they reject the connection saying "Certificate Validation Failure". My certificate is valid and works fine on the HTTPS website.

What am I missing? What should I look for?

Regards,
Ali Pey


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5

hrhashmi
Please define the following values:
tls_ca_list     = "/path/to/file"
tls_method      = tlsv1
For details, please consult http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html

Regards
Hamid R. Hashmi


Date: Thu, 7 Apr 2016 13:14:28 -0400
From: [hidden email]
To: [hidden email]
Subject: [OpenSIPS-Users] TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5


Re: TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5

Ali Pey
Hello Hamid,

The parameters below don't have any effect. In my scenario, the SIP phones are rejecting the TLS connection by saying "Certificate Validation Failure".

Neither of the parameters below had any effect.


Does anyone else have any idea what I need to look for?

Regards,
Ali Pey


On Fri, Apr 8, 2016 at 4:00 AM, Hamid Hashmi <[hidden email]> wrote:
Please define the following values:
tls_ca_list     = "/path/to/file"
tls_method      = tlsv1
For details, please consult http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html

Regards
Hamid R. Hashmi



Re: TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5

Rodrigo Pimenta Carvalho

Hi.


I got the same problem with the ZOIPER softphone.

I just let my ZOIPER ignore the file received from OpenSIPS and then the problem was solved. Otherwise I would have had to install the client party on the phone. It was possible for me because in my project I didn't have to use certificates, just cryptographic messages with TLS.


See below the configuration in my OpenSIPS.cfg file (my proxy is version 2.2 from 2015):


loadmodule "proto_tls.so"

modparam("proto_tls", "verify_cert", "0")
modparam("proto_tls", "require_cert", "0")  # 0 means *do not* force the client to present a certificate, whereas 1 means *do* ask the client to present a cert.
modparam("proto_tls", "tls_method", "TLSv1")  # If you want RFC3261 conformance and all your clients support TLSv1 (or you are planning to use encrypted "tunnels" only between differe

modparam("proto_tls", "certificate", "/usr/local/etc/opensips/tls/rootCA/certs/cert.pem")
modparam("proto_tls", "private_key", "/usr/local/etc/opensips/tls/rootCA/private/key.pem")
modparam("proto_tls", "ca_list", "/usr/local/etc/opensips/tls/rootCA/cacert.pem")
modparam("proto_tls", "ca_dir", "/usr/local/etc/opensips/tls/rootCA/")


# Sets the TLS protocol. The first parameter, if set, represents the id of the domain. TLS method which can be:
#
#    TLSv1_2 - means OpenSIPS will accept only TLSv1.2 connections (rfc3261 conformant).
#
#    TLSv1 - means OpenSIPS will accept only TLSv1 connections (rfc3261 conformant).
#
#    SSLv3 - means OpenSIPS will accept only SSLv3 connections
#
#    SSLv2 - means OpenSIPS will accept only SSLv2 connections (almost all old clients support this).
#
#    SSLv23 - means OpenSIPS will accept any of the above methods, but the initial SSL hello must be v2 (in the initial hello all the supported protocols are advertised enabling swit
#
# Default value is SSLv23.


Tell me if I'm wrong, please.


Best regards.



RODRIGO PIMENTA CARVALHO
Inatel Competence Center
Software
Ph: +55 35 3471 9200 RAMAL 979



From: [hidden email] <[hidden email]> on behalf of Ali Pey <[hidden email]>
Sent: Friday, April 8, 2016 10:25
To: OpenSIPS users mailing list
Subject: Re: [OpenSIPS-Users] TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5
 

Re: TLS - Certificate Validation Failure error on SIP Phones - OpenSIPS version 1.11.5

Ali Pey
Hello Rodrigo,

Thank you for your response. I set verify_cert and require_cert to zero and that fixes my problem. After that I was getting a "Certificate Name Mismatch" error on the eyeBeam and Zoiper phones and, after some investigation, I realized that it was due to wildcards in my certificate. Apparently, eyeBeam and Zoiper cannot or do not handle wildcards (*) in a certificate.

Best regards,
Ali Pey


On Fri, Apr 8, 2016 at 10:48 AM, Rodrigo Pimenta Carvalho <[hidden email]> wrote:

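The name-mismatch diagnosis from the last message, as an added example that is not part of the original thread: a small hostname matcher showing how the same wildcard certificate is accepted by a client that follows the usual wildcard rules and rejected by one that ignores wildcards. The certificate name `*.example.com`, the host names and the function names are constructed for illustration, and the IP-address case goes beyond what the thread discusses.

```python
# Added example: why a wildcard certificate can pass in a browser yet fail on a
# SIP phone. Names and hosts below are constructed, not taken from the thread.
import ipaddress


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(pattern, host, allow_wildcards=True):
    """Match one certificate dNSName against the host the client dialled."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if _is_ip(host):
        return False  # dNSName entries never cover an IP literal
    if "*" not in pattern:
        return pattern == host
    if not allow_wildcards:
        return False  # client treats "*" as an unsupported name
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Conservative reading of RFC 6125: "*" must be the whole left-most label
    # and stands for exactly one label; "*.com"-style patterns are refused.
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def diagnose(dns_names, host, allow_wildcards=True):
    """Return the verdict a client with the given wildcard policy would reach."""
    if any(name_matches(n, host, allow_wildcards) for n in dns_names):
        return "ok"
    if not allow_wildcards and any(name_matches(n, host, True) for n in dns_names):
        return "mismatch: client does not accept wildcard names"
    if _is_ip(host):
        return "mismatch: client dialled an IP, certificate lists DNS names only"
    return "mismatch: no certificate name covers this host"


if __name__ == "__main__":
    san = ["*.example.com"]  # constructed wildcard certificate
    for host, wild in [("pbx.example.com", True), ("pbx.example.com", False),
                       ("a.pbx.example.com", True), ("192.0.2.10", True)]:
        print(f"{host:20} wildcards={wild!s:5} -> {diagnose(san, host, wild)}")
```
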