<p>Hello. I'am using the MSRP Relay with the sip server. My sip server is working using the tls encryption, with the server and client side certificate verification. I also want the same verifycation for the MSRP Relay, so i generated the CA and msrprelay certs using:</p>
<p></p>
<p> ./gen_ca_creds.sh 180.29.x.x</p>
<p></p>
<p> ./gen_relay_creds_ca.sh 180.29.x.x</p>
<p></p>
<p>So i get msrprelay.crt msrprelay.key and ca.crt ca.key. For the testing i'm using SIP Blink client. I already have the server cert for opensips server set in blink, and a certificate authority for opensips server. So i did append the msrp relay ca.crt to the my server-calist.pem, but when i try and start the chat session with someone i get the error:</p>
<p></p>
<p> debug: 192.x.x.x:49273 (<- my ip) (NEW): Connection lost: peer rejected our certificate as invalid</p>
<p></p>
<p>So the question is, is the ca.crt is enough on client side to setup the verification on msrp relay? Do i need to add the ca.crt to my msrp config? Do i need to add the msrp CA.crt to the opensips server-calist authority used on server side? </p>
<p></p>
<p>the opensips config is:</p>
<p></p>
<p><br />listen=tls:x.x.x.x:5061<br />tls_verify_server= 1<br />tls_verify_client = 1<br />tls_require_client_certificate = 1<br /><br />tls_method = SSLv23<br />tls_certificate = "/usr/local/etc/opensips/tls/server/server-cert.pem"<br />tls_private_key = "/usr/local/etc/opensips/tls/server/server-privkey.pem"<br />tls_ca_list = "/usr/local/etc/opensips/tls/server/server-calist.pem" <-- this must contain also the ca.crt from msrp relay?</p>
<p> </p>
<p>Here is my msrp config.ini:</p>
<p></p>
<p>[Relay]<br /><br />certificate = /var/msrprelay/msrprelay/tls/msrprelay.crt<br /><br />key = /var/msrprelay/msrprelay/tls/msrprelay.key<br /><br />address = 0.0.0.0:2855<br /><br />log_failed_auth = yes</p>
<p>backend = database</p>
<p></p>
<p>Thank you for support.</p>
<p></p>
<p>Martin</p>