[SIP Beyond VoIP] Msrp relay and opensips, tls encryption certificate issues

ag at ag-projects.com ag at ag-projects.com
Sun Feb 8 18:14:01 CET 2015


On 08 Feb 2015, at 17:56, martin-n martin-n <martin-n at rambler.ru> wrote:

> Hello. I'm using the MSRP Relay with the SIP server. My SIP server is working using TLS encryption, with server- and client-side certificate verification. I also want the same verification for the MSRP Relay, so I generated the CA and msrprelay certs using:
> 
> 
>     ./gen_ca_creds.sh  180.29.x.x
> 
> 
>    ./gen_relay_creds_ca.sh  180.29.x.x
> 
> 
> So I get msrprelay.crt, msrprelay.key and ca.crt, ca.key. For testing I'm using the SIP Blink client. I already have the server cert for the opensips server set in Blink, and a certificate authority for the opensips server. So I appended the msrp relay ca.crt to my server-calist.pem, but when I try to start a chat session with someone I get the error:
> 
> 
>    debug: 192.x.x.x:49273 (<- my ip)  (NEW): Connection lost: peer rejected our certificate as invalid
> 
> 
Who is logging this? OpenSIPS? MSRP Relay? Blink?

Please paste untrimmed logs.

Adrian


> So the question is: is the ca.crt enough on the client side to set up the verification on the msrp relay? Do I need to add the ca.crt to my msrp config? Do I need to add the msrp CA.crt to the opensips server-calist authority used on the server side?
> 
> 
> the opensips config is:
> 
> 
> 
> listen=tls:x.x.x.x:5061
> tls_verify_server= 1
> tls_verify_client = 1
> tls_require_client_certificate = 1
> 
> tls_method = SSLv23
> tls_certificate = "/usr/local/etc/opensips/tls/server/server-cert.pem"
> tls_private_key = "/usr/local/etc/opensips/tls/server/server-privkey.pem"
> tls_ca_list = "/usr/local/etc/opensips/tls/server/server-calist.pem"              <-- this must contain also the ca.crt from msrp relay?
> 
>
> Here is my msrp config.ini:
> 
> 
> [Relay]
> 
> certificate = /var/msrprelay/msrprelay/tls/msrprelay.crt
> 
> key = /var/msrprelay/msrprelay/tls/msrprelay.key
> 
> address = 0.0.0.0:2855
> 
> log_failed_auth = yes
> 
> backend = database
> 
> 
> Thank you for support.
> 
> 
> Martin
> 
> _______________________________________________
> SIPBeyondVoIP mailing list
> SIPBeyondVoIP at lists.ag-projects.com
> http://lists.ag-projects.com/mailman/listinfo/sipbeyondvoip

--
Adrian


