[SIP Beyond VoIP] Msrp relay and opensips, tls encryption certificate issues

martin-n martin-n martin-n at rambler.ru
Sun Feb 8 17:56:23 CET 2015

Hello. I'am using the MSRP Relay with the sip server. My sip server is working
using the tls encryption, with the server and client side certificate
verification. I also want the same verifycation for the MSRP Relay, so i
generated the CA and msrprelay certs using:

./gen_ca_creds.sh 180.29.x.x

./gen_relay_creds_ca.sh 180.29.x.x

So i get msrprelay.crt msrprelay.key and ca.crt ca.key. For the testing i'm using
SIP Blink client. I already have the server cert for opensips server set in
blink, and a certificate authority for opensips server. So i did append the msrp
relay ca.crt to the my server-calist.pem, but when i try and start the chat
session with someone i get the error:

debug: 192.x.x.x:49273 (<- my ip) (NEW): Connection lost: peer rejected our
certificate as invalid

So the question is, is the ca.crt is enough on client side to setup the
verification on msrp relay? Do i need to add the ca.crt to my msrp config? Do i
need to add the msrp CA.crt to the opensips server-calist authority used on
server side?

the opensips config is:

tls_verify_server= 1
tls_verify_client = 1
tls_require_client_certificate = 1

tls_method = SSLv23
tls_certificate = "/usr/local/etc/opensips/tls/server/server-cert.pem"
tls_private_key = "/usr/local/etc/opensips/tls/server/server-privkey.pem"
tls_ca_list = "/usr/local/etc/opensips/tls/server/server-calist.pem" <-- this
must contain also the ca.crt from msrp relay?

Here is my msrp config.ini:


certificate = /var/msrprelay/msrprelay/tls/msrprelay.crt

key = /var/msrprelay/msrprelay/tls/msrprelay.key

address =

log_failed_auth = yes

backend = database

Thank you for support.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ag-projects.com/pipermail/sipbeyondvoip/attachments/20150208/b7502b52/attachment.html>

More information about the SIPBeyondVoIP mailing list