Precautions for opensips and TLS SIP trunk docking

opensips Is a powerful SBC, It supports a variety of underlying protocols ; Such as udp,tcp, And based on tcp Of tls,ws,wss etc. .

Based on tls Of sip trunk When docking , The following points need to be noted ：

1. If it is outbound( Outbound ), Basically, there is no need to configure proto_tls.so,tls_mgm.so Equal module , Just reference ; If it is inbound( Breathe in ), Certificate needs to be configured ,tls Version of ( Suggest tls1_2)
2. On exhalation , stay request URI It's better to add parameters ==;transport=tls==

 $ru=$ru+";transport=tls

3. opensips Sent on tls news , There will be 100ms Of tcp Overtime , This seems to be hardcode Of , So the site and each other sip trunk The network delay of should not exceed this value , If it exceeds, it will fail , The direct manifestation is opensips return 500 Service Error, The log will contain the following :

Jun 21 13:49:16 [38] INFO:core:probe_max_sock_buff: using snd buffer of 416 kb
Jun 21 13:49:16 [38] INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 5
Jun 21 13:49:16 [38] ERROR:proto_tls:tls_blocking_write: TLS send timeout (100)
Jun 21 13:49:16 [38] ERROR:proto_tls:proto_tls_send: failed to send
Jun 21 13:49:16 [38] ERROR:tm:msg_send: send() to 1.1.1.2:5061 for proto tls/3 failed
Jun 21 13:49:16 [38] ERROR:tm:t_forward_nonack: sending request failed

Reference resources Problem connection , But it doesn't seem to work according to its modification

4. Before docking , You need to configure firewalls on both sides ; At the same time, you need to verify whether the other party's certificate is valid ; The certificate verification method is as follows

openssl s_client -host pstn.twilio.com -port 5061 -msg -state -showcerts -tls1_2