[sr-dev] [kamailio/kamailio] TLS Client Verification OpenSSL 1.1.1(P-256) to OpenSSL 1.0.2 (P-521) is failing (#2716)

### Description I am connecting two kamailio (5.4.5) using TLS with client cert verification. When one side is OpenSSL 1.1.1 (CentOS 8) + P-256 cert and the other side is OpenSSL 1.0.2 (CentOS 7) + P-521 cert *and* `cipher_list` is set(e.g., `DEFAULT`), the ClientHello fails because the only supported curve sent is P-256 (server has P-521). ### Troubleshooting 1. If `cipher_list` is *not* set at all in `[client:defaut]`l, then the ClientHello sends 4 supported EC groups and the handshake succeeds. 2 . If `cipher_list` is set in `[client:defaut]` (e.g. `DEFAULT` or `ANY`) then the ClientHello sends only 1 supported EC group P-256 (I guess because the client is using a P-256 cert), then the handshake will fail. #### Reproduction 1. Connect two kamailos one on CentOS 8 sending SIP to one on CentOS 7, enable TLS, with client cert verification. Put a P-256 cert on CentOS 8 and a P-521 cert on CentOS 7. #### Debugging Data 1. `cipher_list` is not set: TLS ClientHello Supported Groups is 4 groups: secp256r1 secp521r1 secp384r1 secp256k1 2. `cipher_list` is set to `DEFAULT`: TLS ClientHello Supported Groups is 1 group: secp256r1. #### Log Messages ``` ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher ``` #### SIP Traffic NA - couldn't complete TLS handshake so no SIP was transferred. ### Possible Solutions 1. Don't set cipher_list at all; the moment you set cipher_list to anything(`ANY`, `DEFAULT` etc), the ClientHello will narrow the supported groups to P-256 and the server will reject. I have a thought: does `setup_ecdh()` in `tls_domain.c` behave differently on OpenSSL 1.1.1? Maybe it is forcing the handshake to send only the curve of the client. ### Additional Information 1. kamailio version is 5.4.5 2. Must be OpenSSL 1.1.1 to OpenSSL 1.0.2. BTW in the reverse direction P-521 CentOS 7 to P-256 CentOS 8 doesn't encounter this issue. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/2716