TLS call failed

TLS call failed

doolin wu
Hello,
 
I'm trying to use the TLS feature of OpenSIPS-1.5-tls. TLS was configured and the server runs successfully.
I tried to make 2 SIP UAs work with my OpenSIPS-1.5-tls, but all of them failed.
Here are my settings:
    >Server:
    tls_verify_server = 0
    tls_verify_client = 0
    tls_require_client_certificate = 0
    tls_method = TLSv1
    tls_certificate = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-cert.pem"
    tls_private_key = "/usr/local/opensips.1.5.tls/etc/opensips/tls/user/user-privkey.pem"
    tls_ca_list = "/usr/local/opensips.1.5.tls//etc/opensips/tls/user/user-calist.pem"
 
    >Client:
    The self-signed rootCA (tls\rootCA\cacert.pem) was imported into the client successfully
 
The first UA is a VoIP client on a NOKIA N97. The client registers to the SIP server with TLS successfully, but when making a call from the N97 to others I get error code 477 Send failed (477/TM).
I traced OpenSIPS; it looks like OpenSIPS tried to forward the INVITE to the callee, but the TLS socket failed to send the request.
Logs from OpenSIPS are here:
Feb  2 07:19:32 [5779] ERROR:core:tcp_send: failed to send
Feb  2 07:19:32 [5779] ERROR:tm:msg_send: tcp_send failed
Feb  2 07:19:32 [5779] ERROR:tm:t_forward_nonack: sending request failed
Feb  2 07:19:32 [5779] DBG:tm:t_relay_to: t_forward_nonack returned error
Feb  2 07:19:32 [5779] DBG:core:parse_headers: flags=ffffffffffffffff
Feb  2 07:19:32 [5779] DBG:core:check_via_address: params 10.57.52.186, 10.57.52.186, 0
Feb  2 07:19:32 [5779] DBG:tm:cleanup_uac_timers: RETR/FR timers reset
Feb  2 07:19:32 [5779] DBG:tm:set_timer: relative timeout is 30
Feb  2 07:19:32 [5779] DBG:tm:insert_timer_unsafe: [0]: 0xb61a180c (92)
Feb  2 07:19:32 [5779] DBG:core:tcp_send: tcp connection found (0xb61d7908), acquiring fd
Feb  2 07:19:32 [5779] DBG:core:tcp_send: c= 0xb61d7908, n=8
Feb  2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, 2, fd 41 from 16 (5779)
Feb  2 07:19:32 [5787] DBG:core:tcpconn_add: hashes: 719, 4
Feb  2 07:19:32 [5787] DBG:core:io_watch_add: io_watch_add(0x817bbc0, 41, 2, 0xb61f4b48), fd_no=31
Feb  2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61f4b48, -2, fd -1 from 16 (5779)
Feb  2 07:19:32 [5787] DBG:core:io_watch_del: io_watch_del (0x817bbc0, 41, -1, 0x10) fd_no=32 called
Feb  2 07:19:32 [5787] DBG:core:tcpconn_destroy: destroying connection 0xb61f4b48, flags 0002
Feb  2 07:19:32 [5787] DBG:core:tls_close: closing SSL connection
Feb  2 07:19:32 [5787] DBG:core:tls_update_fd: New fd is 41
Feb  2 07:19:32 [5787] DBG:core:tls_shutdown: shutdown successful
Feb  2 07:19:32 [5787] DBG:core:tls_tcpconn_clean: entered
Feb  2 07:19:32 [5787] DBG:core:handle_ser_child: read response= b61d7908, 1, fd -1 from 16 (5779)
Feb  2 07:19:32 [5779] DBG:core:tcp_send: after receive_fd: c= 0xb61d7908 n=4 fd=34
Feb  2 07:19:32 [5779] DBG:core:tcp_send: sending...
Feb  2 07:19:32 [5779] DBG:core:tls_update_fd: New fd is 34
Feb  2 07:19:32 [5779] DBG:core:tls_write: write was successful (374 bytes)
Feb  2 07:19:32 [5779] DBG:core:tcp_send: after write: c= 0xb61d7908 n=374 fd=34
Feb  2 07:19:32 [5779] DBG:core:tcp_send: buf=
 
Could someone help have a look at the problem?

Meanwhile, I used eyeBeam 1.5 as a client. Things are worse, as the registration failed.
I traced eyeBeam and found that it failed when verifying the server's certificate. Here I have something unclear about the use of the certificates between client and server.
To configure and run OpenSIPS with TLS (just talking about the self-signed case), we should create two certificates: one is a self-signed rootCA (tls\rootCA\cacert.pem), the other is a certificate signed by the rootCA (tls\user\user-cert.pem). The server holds the rootCA via the tls_ca_list setting and sends the certificate (configured by tls_certificate) to the client during the handshake with the client.
My question is how to configure the certificate on the client side. In these two cases (using the N97 and eyeBeam), I just imported the rootCA into my client.
Is that the right way to configure the certificate on the client? The N97 seems OK with the rootCA, but eyeBeam failed. The eyeBeam guideline says:
During the TLS handshake, the TLS server has to send to the client the whole chain of certificates except the root certificate; the client must possess the root certificate, otherwise the authentication cannot happen.

Any idea how to configure OpenSIPS to send 'the whole chain of certificates except the root certificate'?

Thanks for your kind support.
--
Steven.W.Doolin
 

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
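The chain question in this post, as an added example that is not part of the thread or of OpenSIPS itself: a shell script that builds a root CA, an intermediate and a server certificate (the intermediate is assumed here to show the general chain case; the post's own setup has only root and leaf), writes the file a tls_certificate setting would point at with the root left out, and checks it as a client holding only cacert.pem would. It assumes openssl is on PATH; all names are constructed for the demo.

```shell
# Added example (not from the thread): build the chain an OpenSIPS
# tls_certificate file must carry (leaf first, then intermediates, root
# excluded) and check it the way a client holding only cacert.pem would.
# Assumes openssl on PATH; names and the intermediate CA are constructed
# for the demo (the thread's own setup has no intermediate).
set -e
WORK=$(mktemp -d); cd "$WORK"

make_certs() {
  # Root CA (self-signed): the only certificate the client imports.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout root.key -out cacert.pem 2>/dev/null
  # Intermediate CA signed by the root (needs the CA basic constraint).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout inter.key -out inter.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >inter.ext
  openssl x509 -req -in inter.csr -CA cacert.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile inter.ext -out inter.pem 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
    -keyout user-privkey.pem -out user.csr 2>/dev/null
  openssl x509 -req -in user.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out user-cert.pem 2>/dev/null
  # What the server must present (point tls_certificate at this file).
  cat user-cert.pem inter.pem >user-chain.pem
}
# Client-side check: trust only the root and take the intermediate from the
# presented chain as untrusted input, exactly as a TLS handshake does.
verify_chain() {
  openssl verify -CAfile cacert.pem -untrusted user-chain.pem user-cert.pem 2>&1 |
    grep -q ': OK$'
}
# Failure mode: server sends only the leaf, client cannot find its issuer.
leaf_alone_fails() {
  ! openssl verify -CAfile cacert.pem user-cert.pem 2>&1 | grep -q ': OK$'
}
# The root must not be in the chain file: compare each fingerprint to the root's.
chain_excludes_root() {
  root=$(openssl x509 -in cacert.pem -noout -fingerprint -sha256)
  i=1
  while [ "$i" -le "$(grep -c 'BEGIN CERTIFICATE' user-chain.pem)" ]; do
    fp=$(awk -v k="$i" '/BEGIN CERTIFICATE/{c++} c==k' user-chain.pem |
      openssl x509 -noout -fingerprint -sha256)
    [ "$fp" != "$root" ] || return 1
    i=$((i + 1))
  done
}

make_certs
verify_chain && leaf_alone_fails && chain_excludes_root && echo "chain OK: $WORK/user-chain.pem"
```

With a real deployment the same verify command can be pointed at the live server's chain as captured by `openssl s_client -connect host:5061 -showcerts`.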
Re: TLS call failed

Bogdan-Andrei Iancu
Hi Steven,

For the NOKIA N97, could you post the entire log (debug 4) for the
INVITE part (covering the receiving of the INVITE also) ?

Regards,
Bogdan


--
Bogdan-Andrei Iancu
www.voice-system.ro


Re: TLS call failed

doolin wu


On Thu, Feb 4, 2010 at 5:34 PM, Bogdan-Andrei Iancu <[hidden email]> wrote:
Hi Steven,

For the NOKIA N97, could you post the entire log (debug 4) for the
INVITE part (covering the receiving of the INVITE also) ?

Regards,
Bogdan

Hi Bogdan,
Thank you for your reply.
When it receives the INVITE from the N97, OpenSIPS constructs the INVITE for the callee and creates a new TLS socket for the destination. But some problem happened when using the socket to send the message. The debug output I pasted in the original email was traced with logging enabled at debug=7. The piece of log shows the server failing to send the message (forwarding the INVITE to the callee) over the TLS socket and then replying to the N97 with a 477 response.
 
Best Regards,
Steven
