<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><br><div><div>On 08 Feb 2015, at 17:56, martin-n martin-n <<a href="mailto:martin-n@rambler.ru">martin-n@rambler.ru</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><p>Hello. I'am using the MSRP Relay with the sip server. My sip server is working using the tls encryption, with the server and client side certificate verification. I also want the same verifycation for the MSRP Relay, so i generated the CA and msrprelay certs using:</p><div><br class="webkit-block-placeholder"></div><p> ./gen_ca_creds.sh 180.29.x.x</p><div><br class="webkit-block-placeholder"></div><p> ./gen_relay_creds_ca.sh 180.29.x.x</p><div><br class="webkit-block-placeholder"></div><p>So i get msrprelay.crt msrprelay.key and ca.crt ca.key. For the testing i'm using SIP Blink client. I already have the server cert for opensips server set in blink, and a certificate authority for opensips server. So i did append the msrp relay ca.crt to the my server-calist.pem, but when i try and start the chat session with someone i get the error:</p><div><br class="webkit-block-placeholder"></div><p> debug: 192.x.x.x:49273 (<- my ip) (NEW): Connection lost: peer rejected our certificate as invalid</p><div><br></div></blockquote>Who is logging this? OpenSIPS? MSRP Relay? Blink?</div><div><br></div><div>Please paste untrimmed logs.</div><div><br></div><div>Adrian</div><div><br><br><blockquote type="cite"><p>So the question is, is the ca.crt is enough on client side to setup the verification on msrp relay? Do i need to add the ca.crt to my msrp config? Do i need to add the msrp CA.crt to the opensips server-calist authority used on server side? </p><div><br class="webkit-block-placeholder"></div><p>the opensips config is:</p><div><br class="webkit-block-placeholder"></div><p><br>listen=tls:x.x.x.x:5061<br>tls_verify_server= 1<br>tls_verify_client = 1<br>tls_require_client_certificate = 1<br><br>tls_method = SSLv23<br>tls_certificate = "/usr/local/etc/opensips/tls/server/server-cert.pem"<br>tls_private_key = "/usr/local/etc/opensips/tls/server/server-privkey.pem"<br>tls_ca_list = "/usr/local/etc/opensips/tls/server/server-calist.pem" <-- this must contain also the ca.crt from msrp relay?</p><div> <br class="webkit-block-placeholder"></div><p>Here is my msrp config.ini:</p><div><br class="webkit-block-placeholder"></div><p>[Relay]<br><br>certificate = /var/msrprelay/msrprelay/tls/msrprelay.crt<br><br>key = /var/msrprelay/msrprelay/tls/msrprelay.key<br><br>address = 0.0.0.0:2855<br><br>log_failed_auth = yes</p><p>backend = database</p><div><br class="webkit-block-placeholder"></div><p>Thank you for support.</p><div><br class="webkit-block-placeholder"></div><p>Martin</p>_______________________________________________<br>SIPBeyondVoIP mailing list<br><a href="mailto:SIPBeyondVoIP@lists.ag-projects.com">SIPBeyondVoIP@lists.ag-projects.com</a><br>http://lists.ag-projects.com/mailman/listinfo/sipbeyondvoip<br></blockquote></div><br><div>
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">--<br>Adrian<br><br><br></div>
</div>
<br></body></html>