opensips 2.4.4: bug in tls_mgm

opensips 2.4.4: bug in tls_mgm

Johan De Clercq

Hi,

I believe that I have found a bug in tls_mgm:

Using opensips default certificates:

/usr/local/opensips/etc/opensips/tls# ls -lu
total 24
-rw-r--r-- 1 root staff 2049 Feb 17 12:13 ca.conf
-rw-r--r-- 1 root staff 1048 Feb 17 12:13 README
-rw-r--r-- 1 root staff 1127 Feb 17 12:13 request.conf
drwxr-sr-x 4 root staff 4096 Feb 17 12:16 rootCA
drwxr-sr-x 2 root staff 4096 Feb 17 12:13 user
-rw-r--r-- 1 root staff  591 Feb 17 12:13 user.conf

/usr/local/opensips/etc/opensips/tls/rootCA# ls
cacert.pem  certs  index.txt  private  serial

Tls params:

loadmodule "tls_mgm.so"
modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "require_cert", "[sv_dom]0")
modparam("tls_mgm", "verify_cert", "[sv_dom]0")
modparam("tls_mgm", "tls_method", "[sv_dom]SSLv23")
modparam("tls_mgm", "certificate", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
modparam("tls_mgm", "private_key", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
modparam("tls_mgm", "ca_list", "[sv_dom]/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")

#### PROTO_TLS module
loadmodule "proto_tls.so"
modparam("proto_tls", "trace_destination", "hep_dest")
modparam("proto_tls", "trace_on", 1)

I removed the passphrase:

mv etc/tls/rootCA/private/cakey.pem etc/tls/rootCA/private/cakey.pem.protected
openssl rsa -in etc/tls/rootCA/private/cakey.pem.protected -out etc/tls/rootCA/private/cakey.pem

and then tried to run opensips from cmdline : ./opensips -f /usr/local/opensips/etc/opensips/opensips.cfg

syslog output:

Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/usr/local/opensips//etc/opensips/tls/cert.pem'
Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:init_mod: failed to initialize module tls_mgm
Feb 17 12:22:01 ns3012072 ./opensips[28673]: ERROR:core:main: error while initializing modules
Feb 17 12:22:01 ns3012072 ./opensips[28673]: CRITICAL:core:sig_usr: segfault in attendant (starter) process!
Feb 17 12:22:01 ns3012072 kernel: [ 4024.678398] opensips[28673]: segfault at 7fcb76dbf850 ip 00007fcb76546f69 sp 00007ffe803ac150 error 4 in libcrypto.so.1.1[7fcb763df000+265000]

Next I tried with:

loadmodule "tls_mgm.so"
#modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "require_cert", "0")
modparam("tls_mgm", "verify_cert", "0")
modparam("tls_mgm", "tls_method", "SSLv23")
modparam("tls_mgm", "certificate", "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")
modparam("tls_mgm", "private_key", "/usr/local/opensips/etc/opensips/tls/rootCA/private/cakey.pem")
modparam("tls_mgm", "ca_list", "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem")

#### PROTO_TLS module
loadmodule "proto_tls.so"
modparam("proto_tls", "trace_destination", "hep_dest")
modparam("proto_tls", "trace_on", 1)

and then opensips starts…

Can you please explain what I am doing wrong ?

 

 

 


Johan De Clercq, Managing Director
Democon bvba - Ooigemstraat 41 - 8780 Oostrozebeke

Tel +3256980990 – GSM +32478720104

 


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: opensips 2.4.4: bug in tls_mgm

Vlad Patrascu

Hi Johan,

The issue is probably caused by the fact that OpenSIPS tries to initialize a 'default' client and server domain and the certificate file is inexistent at the default path ('/usr/local/opensips//etc/opensips/tls/cert.pem'). So even if you define your "sv_dom" custom server domain, OpenSIPS still tries to create default domains for fallback purposes. When you omit the '[sv_dom]' prefix for the domain settings in your second test, you overwrite the default ones (with a valid path for the certificate this time).

In conclusion, either specify your custom domain _and_ default domains separately (set the modparams multiple times) or make sure the certificate is found at the default path. Also, note that it's not necessary to define a custom server domain if you only intend to use a single one, as the default will match any socket.

Regards,

Vlad Patrascu
OpenSIPS Developer
http://www.opensips-solutions.com
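
The fallback described in this reply can be checked before OpenSIPS is started. The following is an added example, not part of the original thread and not OpenSIPS code: it reads the tls_mgm "certificate" modparams from a config, maps each one to its TLS domain (no "[name]" prefix means the 'default' domain) and lists the domains whose certificate file is missing. The function names and the injectable "exists" callable are hypothetical; the default path is the one from the syslog line in the first post, and the three sample configs are constructed from the two tests in the thread.

```python
import os
import re

# Default certificate path, taken from the load_certificate error quoted in
# the thread; a different install prefix needs a different value (assumption).
DEFAULT_CERT = "/usr/local/opensips//etc/opensips/tls/cert.pem"

# Matches: modparam("tls_mgm", "certificate", "<value>")
# Commented-out lines begin with '#', so they never match.
CERT_RE = re.compile(
    r'^\s*modparam\(\s*"tls_mgm"\s*,\s*"certificate"\s*,\s*"([^"]*)"\s*\)'
)
# Splits "[sv_dom]/path/cert.pem" into domain name and path.
PREFIX_RE = re.compile(r'^\[([^\]]+)\](.*)$')


def certificates_by_domain(cfg_text, default_cert=DEFAULT_CERT):
    """Return {domain: certificate path}. 'default' is always present,
    because OpenSIPS initializes it even when only custom domains are set."""
    certs = {"default": default_cert}
    for line in cfg_text.splitlines():
        match = CERT_RE.match(line)
        if not match:
            continue
        value = match.group(1).strip()
        prefixed = PREFIX_RE.match(value)
        if prefixed:
            # "[sv_dom]..." configures only that named domain.
            certs[prefixed.group(1).strip()] = prefixed.group(2).strip()
        else:
            # No prefix: overrides the default domain's certificate.
            certs["default"] = value
    return certs


def missing_certificates(cfg_text, exists=os.path.isfile):
    """Return [(domain, path)] for every domain whose certificate is absent."""
    found = certificates_by_domain(cfg_text)
    return [(dom, path) for dom, path in found.items() if not exists(path)]


# --- Constructed sample input, reduced from the configs in the thread ---
CA = "/usr/local/opensips/etc/opensips/tls/rootCA/cacert.pem"

FIRST_TEST = f'''
modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "certificate", "[sv_dom]{CA}")
'''

SECOND_TEST = f'''
#modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "certificate", "{CA}")
'''

# Custom domain and default domain both set, as the reply recommends.
BOTH = f'''
modparam("tls_mgm", "server_domain", "sv_dom=5.135.140.139:5061")
modparam("tls_mgm", "certificate", "[sv_dom]{CA}")
modparam("tls_mgm", "certificate", "{CA}")
'''

if __name__ == "__main__":
    # Simulated filesystem: only the CA certificate exists.
    on_disk = {CA}.__contains__
    for name, cfg in (("first", FIRST_TEST), ("second", SECOND_TEST), ("both", BOTH)):
        print(name, missing_certificates(cfg, exists=on_disk))
```

Against a real installation, call missing_certificates() with the contents of opensips.cfg and leave "exists" at its default so the paths are checked on disk.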

Re: opensips 2.4.4: bug in tls_mgm

Johan De Clercq

Having pulled the latest 3.0-devel version, I have the following error when trying to compile proto-tls

../tls_mgm/tls_conn_ops.h:118:29: error: dereferencing pointer to incomplete type ‘SSL {aka struct ssl_st}’
  if ( ((SSL *)c->extra_data)->kssl_ctx ) {

Can you please correct ?

 

From: Users <[hidden email]> On Behalf Of Vlad Patrascu
Sent: Thursday, March 7, 2019 11:46 AM
To: [hidden email]
Subject: Re: [OpenSIPS-Users] opensips 2.4.4: bug in tls_mgm

 

Hi Johan,

The issue is probably caused by the fact that OpenSIPS tries to initialize a 'default' client and server domain and the certificate file is inexistent at the default path ('/usr/local/opensips//etc/opensips/tls/cert.pem'). So even if you define your "sv_dom" custom server domain, OpenSIPS still tries to create default domains for fallback purposes. When you omit the '[sv_dom]' prefix for the domain settings in your second test, you overwrite the default ones (with a valid path for the certificate this time).

In conclusion, either specify your custom domain _and_ default domains separately (set the modparams multiple times) or make sure the certificate is found at the default path. Also, note that it's not necessary to define a custom server domain if you only intend to use a single one, as the default will match any socket.

Regards,

Vlad Patrascu
OpenSIPS Developer
http://www.opensips-solutions.com


Re: opensips 2.4.4: bug in tls_mgm

Răzvan Crainea-2
Hi, Johan!

Are you sure you are using the latest 3.0 sources? I am asking because
this should have already been resolved a long time ago. Moreover, your
error is reported at line 118 in modules/tls_mgm/tls_conn_ops.h, but the
master sources have something else at that line[1].

[1]
https://github.com/OpenSIPS/opensips/blob/master/modules/tls_mgm/tls_conn_ops.h#L118

Best regards,
Răzvan

On 3/12/19 7:34 PM, johan de clercq wrote:

> Having pulled the latest 3.0-devel version, I have the following error
> when trying to compile proto-tls
>
> ../tls_mgm/tls_conn_ops.h:118:29: error: dereferencing pointer to
> incomplete type ‘SSL {aka struct ssl_st}’
>
>    if ( ((SSL *)c->extra_data)->kssl_ctx ) {
>
> Can you please correct ?

--
Răzvan Crainea
OpenSIPS Core Developer
   http://www.opensips-solutions.com
Meet the OpenSIPS team at the next OpenSIPS Summit:
   https://www.opensips.org/events


Re: opensips 2.4.4: bug in tls_mgm

Johan De Clercq
You are right: I used 3.0-devel branch instead of master.

Maybe it's a good idea to get rid of 3.0 devel branch.

-----Original Message-----
From: Users <[hidden email]> On Behalf Of Razvan Crainea
Sent: Thursday, March 14, 2019 10:45 AM
To: [hidden email]
Subject: Re: [OpenSIPS-Users] opensips 2.4.4: bug in tls_mgm

Hi, Johan!

Are you sure you are using the latest 3.0 sources? I am asking because this should have already been resolved a long time ago. Moreover, your error is reported at line 118 in modules/tls_mgm/tls_conn_ops.h, but the master sources have something else at that line[1].

[1]
https://github.com/OpenSIPS/opensips/blob/master/modules/tls_mgm/tls_conn_ops.h#L118

Best regards,
Răzvan
