You're not defining any ciphers to use, given the commented-out
tls_ciphers_list line.

Try setting it to:

tls_ciphers_list = "MEDIUM:HIGH"

Check the OpenSSL documentation for more information on what values
this string can take.

-Kyle H

On 2/6/06, Pjothi <[EMAIL PROTECTED]> wrote:
>
>
> Dear all,
>
>
>
> The scenario is, I want to register minisip client(SUSE Linux 10) with
> OpenSER (Suse Linux 10) in a LAN scenario for a demo.
>
>
>
> I compiled & installed OpenSER with TLS support and I can start OpenSER and
> it listens on the following address 192.168.0.4:5061. I created a CA cert,
> server certificate and a client certificate with the scripts provided by
> OpenSER. I ported the client certificate, private key and ca list to minisip
> running machine ( 192.168.0.3) and then loaded in the client. The user I
> created in OpenSER using openserctl is user2 and I can check out the user in
> MySQL table.
>
>
>
> Minisip GUI configuration:
>
>
>
> Configuring the user: user2 in minisip, I set the network port to: 5061
>
> Certificate settings: I loaded the certificate, private key and ca_list u
>
> I enable TLS(5061), TCP(5060)
>
>
>
> Problem: When I start minisip, after starting OpenSER, I get the following
> error. I have also pasted the OpenSER.cfg file below the error. In the
> minisip status, it also shows the client is still unregistered. Any
> suggestions/help in this regard is greatly appreciated.
>
>
>
> MINISIP ERROR:
>
>
> linux:/home/user1/minisip # minisip
> Starting MiniSIP ... welcome!
> Initializing NetUtil
> Creating SipSoftPhoneConfiguration
> init 1/9: Creating timeout provider
> init 2/9: Creating GUI
> Creating GTK GUI
> (minisip:5575): gtkmm-WARNING **: gtkmm: Attempt to call Gtk::manage() on a
> Gtk::Window, but a Gtk::Window has no parent container to manage its
> lifetime.
> Minisip: gtk 1
> Minisip: gtk 2
> Setting contact db
> Thread 2 running - doing initParseConfig
> init 3/9: Parsing configuration file ()
> config file version checked ok!
> SipIdentity::SipIdentity : cretated identity id=1
> SipIdentity::setSipUri: sipUsername=<user2> sipDomain=< 192.168.0.4 >
> SipIdentity::setSipProxy: autodetect is false; userUri= [EMAIL PROTECTED] ;
> transport = TLS; proxyAddr=192.168.0.4 ; proxyPort=5061
> SipProxy:setProxy(str) : addr = 192.168.0.4
> SipIdentity::setProxy: manual sipproxy success ...
> SipIdentity::setProxy: else ...
> Identities:
> identity=1; username=user2; domain= 192.168.0.4
> proxy=[proxyString=192.168.0.4 ; proxyString=192.168.0.4 ; port=5061;
> transport=TLS; autodetect=no; user=user2; password=user2; expires=1000];
> isRegistered=0
> init 4/9: Creating IP provider
> SimpleIPProvider: localIp =
> SimpleIPProvider: checking interface = lo with IP= 127.0.0.1
> SimpleIPProvider: checking interface = eth0 with IP= 192.168.0.3
> SimpleIPProvider: using localIP = 192.168.0.3
> init 5/9: Creating MediaHandler
> Sound I/O: using Spatial Audio Mixer
> Adding audio codec: G.711
> init 6/9: Creating MSip SIP stack
> init 7/9: Connecting GUI to SIP logic
> init 8.2/9: Starting TCP transport worker thread
> init 9/9: Registering Identities to registrar server
> Registering user [EMAIL PROTECTED] to proxy 192.168.0.4 , requesting domain
> 192.168.0.4
> SipMessageTransport: sendMessage: creating new socket
> Creating new SSL_CTX
> SSL: connect failed
> SipMessageTransport: sendMessage: exception thrown!
> SipMessageTransport: sendMessage: creating new socket
> SSL: connect failed
> SipMessageTransport: sendMessage: exception thrown!
> SipMessageTransport: sendMessage: exception thrown!
> SipIdentity::SipIdentity : cretated identity id=2
> SipIdentity::setSipUri: sipUsername=<user2> sipDomain=< 192.168.0.4 >
> SipIdentity::setSipProxy: autodetect is false; userUri= [EMAIL PROTECTED] ;
> transport = TLS; proxyAddr=192.168.0.4 ; proxyPort=5061
> SipProxy:setProxy(str) : addr = 192.168.0.4
> SipIdentity::setProxy: manual sipproxy success ...
> SipIdentity::setProxy: else ...
> Sound I/O: using Spatial Audio Mixer
> Adding audio codec: G.711
> SipIdentity::SipIdentity : cretated identity id=3
> SipIdentity::setSipUri: sipUsername=<user2> sipDomain=< 192.168.0.4 >
> SipIdentity::setSipProxy: autodetect is false; userUri= [EMAIL PROTECTED] ;
> transport = TLS; proxyAddr=192.168.0.4 ; proxyPort=5061
> SipProxy:setProxy(str) : addr = 192.168.0.4
> SipIdentity::setProxy: manual sipproxy success ...
> SipIdentity::setProxy: else ...
> Sound I/O: using Spatial Audio Mixer
> Adding audio codec: G.711
> SipIdentity::SipIdentity : cretated identity id=4
> SipIdentity::setSipUri: sipUsername=<user2> sipDomain=< 192.168.0.4 >
> SipIdentity::setSipProxy: autodetect is false; userUri= [EMAIL PROTECTED] ;
> transport = TLS; proxyAddr=192.168.0.4 ; proxyPort=5061
> SipProxy:setProxy(str) : addr = 192.168.0.4
> SipIdentity::setProxy: manual sipproxy success ...
> SipIdentity::setProxy: else ...
> Sound I/O: using Spatial Audio Mixer
> Adding audio codec: G.711
>
>
> OpenSER.cfg
>
>
>
> # $Id: openser.cfg,v 1.5 2005/10/28 19:45:33 bogdan_iancu Exp $
>
> #
>
> # simple quick-start config script
>
> #
>
>
>
> # ----------- global configuration parameters ------------------------
>
>
>
> debug=3            # debug level (cmd line: -dddddddddd)
>
> fork=yes
>
> log_stderror=no     # (cmd line: -E)
>
>
>
> /* Uncomment these lines to enter debugging mode
>
> fork=yes
>
> log_stderror=yes
>
> */
>
>
>
> check_via=no      # (cmd. line: -v)
>
> dns=no          # (cmd. line: -r)
>
> rev_dns=no      # (cmd. line: -R)
>
> port=5060
>
> children=4
>
> fifo="/tmp/openser_fifo"
>
>
>
> #
>
> # uncomment the following lines for TLS support
>
> disable_tls = 0
>
> listen = tls: 192.168.0.4:5061
>
> tls_verify = 1
>
> tls_require_certificate = 0
>
> tls_method = TLSv1
>
> tls_certificate = "/usr/local/etc/openser/user/user-cert.pem"
>
> tls_private_key = "/usr/local/etc/openser/user/user-privkey.pem"
>
> tls_ca_list = "/usr/local/etc/openser/user/user-calist.pem"
>
> #tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
>
>
>
>
>
> # ------------------ module loading ----------------------------------
>
>
>
> # Uncomment this if you want to use SQL database
>
> loadmodule "/usr/local/lib/openser/modules/mysql.so"
>
>
>
> loadmodule "/usr/local/lib/openser/modules/sl.so"
>
> loadmodule "/usr/local/lib/openser/modules/tm.so"
>
> loadmodule "/usr/local/lib/openser/modules/rr.so"
>
> loadmodule "/usr/local/lib/openser/modules/maxfwd.so"
>
> loadmodule "/usr/local/lib/openser/modules/usrloc.so"
>
> loadmodule "/usr/local/lib/openser/modules/registrar.so"
>
> loadmodule "/usr/local/lib/openser/modules/textops.so"
>
> #loadmodule "/usr/local/lib/openser/modules/uri_db.so"
>
> # Uncomment this if you want digest authentication
>
> # mysql.so must be loaded !
>
> loadmodule "/usr/local/lib/openser/modules/auth.so"
>
> loadmodule "/usr/local/lib/openser/modules/auth_db.so"
>
>
>
> # ----------------- setting module-specific parameters ---------------
>
>
>
> # -- usrloc params --
>
>
>
> #modparam("usrloc", "db_mode",    0)
>
>
>
> # Uncomment this if you want to use SQL database
>
> # for persistent storage and comment the previous line
>
> modparam("usrloc", "db_mode", 2)
>
>
>
> # -- auth params --
>
> # Uncomment if you are using auth module
>
> #
>
> modparam("auth_db", "calculate_ha1", yes)
>
> #
>
> # If you set "calculate_ha1" parameter to yes (which true in this config),
>
> # uncomment also the following parameter)
>
> #
>
> modparam("auth_db", "password_column", "password")
>
>
>
> modparam("auth_db","db_url","mysql://openser:[EMAIL PROTECTED]/openser")
>
> # -- rr params --
>
> # add value to ;lr param to make some broken UAs happy
>
> modparam("rr", "enable_full_lr", 1)
>
>
>
> # -------------------------   request routing logic -------------------
>
>
>
> # main routing logic
>
>
>
> route{
>
>
>
>       # initial sanity checks -- messages with
>
>       # max_forwards==0, or excessively long requests
>
>       if (!mf_process_maxfwd_header("10")) {
>
>             sl_send_reply("483","Too Many Hops");
>
>             exit;
>
>       };
>
>
>
>       if (msg:len >=   2048 ) {
>
>             sl_send_reply("513", "Message too big");
>
>             exit;
>
>       };
>
>
>
>       # we record-route all messages -- to make sure that
>
>       # subsequent messages will go through our proxy; that's
>
>       # particularly good if upstream and downstream entities
>
>       # use different transport protocol
>
>       if (!method=="REGISTER")
>
>             record_route();
>
>
>
>       # subsequent messages withing a dialog should take the
>
>       # path determined by record-routing
>
>       if (loose_route()) {
>
>             # mark routing logic in request
>
>             append_hf("P-hint: rr-enforced\r\n");
>
>             route(1);
>
>       };
>
>
>
>       if (!uri==myself) {
>
>             # mark routing logic in request
>
>             append_hf("P-hint: outbound\r\n");
>
>             # if you have some interdomain connections via TLS
>
>             #if(uri=~"@tls_domain1.net") {
>
>             #     t_relay_to_tls("IP_domain1","port_domain1");
>
>             #     exit;
>
>             #} else if(uri=~"@tls_domain2.net") {
>
>             #     t_relay_to_tls("IP_domain2","port_domain2");
>
>             #     exit;
>
>             #}
>
>             route(1);
>
>       };
>
>
>
>       # if the request is for other domain use UsrLoc
>
>       # (in case, it does not work, use the following command
>
>       # with proper names and addresses in it)
>
>       if (uri==myself) {
>
>
>
>             if (method=="REGISTER") {
>
>
>
>                   # Uncomment this if you want to use digest authentication
>
>                   if (!www_authorize("192.168.0.4", "subscriber")) {
>
>                         www_challenge("192.168.0.4", "0");
>
>                         exit;
>
>                   };
>
>
>
>                   save("location");
>
>                   exit;
>
>             };
>
>
>
>             lookup("aliases");
>
>             if (!uri==myself) {
>
>                   append_hf("P-hint: outbound alias\r\n");
>
>                   route(1);
>
>             };
>
>
>
>             # native SIP destinations are handled using our USRLOC DB
>
>             if (!lookup("location")) {
>
>                   sl_send_reply("404", "Not Found");
>
>                   exit;
>
>             };
>
>             append_hf("P-hint: usrloc applied\r\n");
>
>       };
>
>
>
>       route(1);
>
> }
>
>
>
>
>
> route[1] {
>
>       # send it out now; use stateful forwarding as it works reliably
>
>       # even for UDP2TCP
>
>       if (!t_relay()) {
>
>             sl_reply_error();
>
>       };
>
>       exit;
>
> }
>
>
>
>
>
> -------------------------------------------------------------------------------------------------------
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
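
The following is an added example, not part of the original thread or of OpenSER: it checks whether `tls_ciphers_list` is active in a config, flags cipher-string tokens that would enable unencrypted or weak suites, and asks the local OpenSSL build what a string expands to. The function names, the `WEAK` pattern and `SAMPLE_CFG` (constructed from the TLS lines of the quoted config) are assumptions made for illustration.

```python
import re
import ssl

# Constructed sample: TLS lines from the quoted openser.cfg, unwrapped.
SAMPLE_CFG = '''\
listen = tls: 192.168.0.4:5061
tls_method = TLSv1
#tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
'''

# Assumed policy: tokens selecting no-encryption, export, low-strength, RC4 or MD5 suites.
WEAK = re.compile(r"NULL|EXP|LOW|RC4|MD5")

def find_cipher_list(cfg_text):
    """Return (value, active) for the last tls_ciphers_list line, else (None, False)."""
    found = (None, False)
    for line in cfg_text.splitlines():
        m = re.match(r'\s*(#?)\s*tls_ciphers_list\s*=\s*"([^"]*)"', line)
        if m:
            found = (m.group(2), m.group(1) == "")  # a leading '#' means commented out
    return found

def weak_tokens(cipher_string):
    """Tokens that would enable weak suites; exclusions such as !aNULL are skipped."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string) if t]
    return [t for t in tokens if t[0] not in "!-" and WEAK.search(t)]

def expand(cipher_string):
    """Suite names the local OpenSSL build selects for the string ([] if it rejects it)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]

def audit(cfg_text, candidate="MEDIUM:HIGH"):
    value, active = find_cipher_list(cfg_text)
    return {
        "configured": value,
        "active": active,
        "weak_if_enabled": weak_tokens(value or ""),
        "candidate_weak": weak_tokens(candidate),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CFG))
    print(expand("MEDIUM:HIGH"))
```

The expansion depends on the OpenSSL version Python is linked against, so run it on the host that will serve TLS.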
