Description

After some recent changes, there are problems with the TLS handshake (at least for ECDHE-RSA-AES256-GCM-SHA384)
because of the missing OPENSSL_init_ssl() call for TCP workers.

Reproduction

Try to send any SIP message over TLS to a server that selects ECDHE-RSA-AES256-GCM-SHA384 in its Server Hello during the handshake.

The simplest way to reproduce is to add the Microsoft Teams server to the dispatcher and enable probing so it sends OPTIONS.

kamailio.cfg:

loadmodule "tls.so"
modparam("tls", "config", "/etc/kamailio/tls.cfg")

loadmodule "dispatcher.so"
modparam("dispatcher","flags",2)
modparam("dispatcher", "list_file", "/etc/kamailio/dispatcher.list")
modparam("dispatcher", "ds_ping_method","OPTIONS")
modparam("dispatcher", "ds_ping_interval",5)
modparam("dispatcher", "ds_probing_mode",1)

tls.cfg:

[server:default]
certificate = /etc/kamailio/ssl/ssl-cert-snakeoil.pem
private_key = /etc/kamailio/ssl/ssl-cert-snakeoil.key

[client:default]
certificate = /etc/kamailio/ssl/ssl-cert-snakeoil.pem
private_key = /etc/kamailio/ssl/ssl-cert-snakeoil.key

dispatcher.list:

1 sip:sip.pstnhub.microsoft.com;transport=tls 0 0

Debugging Data

Backtrace for the cipher suite lookup:

(gdb) bt
#0  ssl_cipher_id_cmp_BSEARCH_CMP_FN (a_=0x7ffd2a0aade0, b_=0x7fa110ceeec0 <ssl3_ciphers+11680>) at ../ssl/ssl_lib.c:4985
#1  0x00007fa110832a95 in ossl_bsearch (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167, size=size@entry=80, cmp=cmp@entry=0x7fa110c7cac0 <ssl_cipher_id_cmp_BSEARCH_CMP_FN>, flags=flags@entry=0)
    at ../crypto/bsearch.c:28
#2  0x00007fa1108fc229 in OBJ_bsearch_ex_ (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167, size=size@entry=80, cmp=cmp@entry=0x7fa110c7cac0 <ssl_cipher_id_cmp_BSEARCH_CMP_FN>, flags=flags@entry=0)
    at ../crypto/objects/obj_dat.c:699
#3  0x00007fa1108fc23c in OBJ_bsearch_ (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167, size=size@entry=80, cmp=cmp@entry=0x7fa110c7cac0 <ssl_cipher_id_cmp_BSEARCH_CMP_FN>)
    at ../crypto/objects/obj_dat.c:691
#4  0x00007fa110c7fb95 in OBJ_bsearch_ssl_cipher_id (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167) at ../ssl/ssl_lib.c:4985
#5  0x00007fa110c6ed4c in ssl3_get_cipher_by_id (id=<optimized out>) at ../ssl/s3_lib.c:4075
#6  0x00007fa110c76077 in ssl_get_cipher_by_char (ssl=ssl@entry=0x7fa10cfca900, ptr=ptr@entry=0x7fa10cfcc767 "\3000", all=all@entry=0) at ../ssl/ssl_ciph.c:2102
#7  0x00007fa110cae0ee in set_client_ciphersuite (s=s@entry=0x7fa10cfca900, cipherchars=cipherchars@entry=0x7fa10cfcc767 "\3000") at ../ssl/statem/statem_clnt.c:1310
#8  0x00007fa110cb03b3 in tls_process_server_hello (s=0x7fa10cfca900, pkt=<optimized out>) at ../ssl/statem/statem_clnt.c:1614
#9  0x00007fa110cace72 in read_state_machine (s=0x7fa10cfca900) at ../ssl/statem/statem.c:647
#10 state_machine (s=0x7fa10cfca900, server=0) at ../ssl/statem/statem.c:442
#11 0x00007fa110d33aaa in tls_connect (c=c@entry=0x7fa10cfc64e0, error=error@entry=0x7ffd2a0ab0e4) at ./src/modules/tls/tls_server.c:542
#12 0x00007fa110d01edd in ssl_flush (size=413, buf=0x7fa10cfdafdc, error=<synthetic pointer>, tcp_c=0x7fa10cfc64e0) at ./src/modules/tls/tls_ct_wrq.c:101
#13 sbufq_flush (flush_f=<optimized out>, flush_p2=<synthetic pointer>, flush_p1=0x7fa10cfc64e0, flags=0x7ffd2a0ab1ac, q=0x7fa10cfb43a0) at ./src/modules/tls/sbufq.h:247
#14 tls_ct_q_flush (flush_p2=<synthetic pointer>, flush_p1=0x7fa10cfc64e0, flush_f=<optimized out>, flags=0x7ffd2a0ab1ac, tc_q=0x18) at ./src/modules/tls/tls_ct_q.h:122
#15 tls_ct_wq_flush (c=c@entry=0x7fa10cfc64e0, ct_q=ct_q@entry=0x7fa10cfb34c0, flags=flags@entry=0x7ffd2a0ab1ac, ssl_err=ssl_err@entry=0x7ffd2a0ab1a8) at ./src/modules/tls/tls_ct_wrq.c:147
#16 0x00007fa110d386f4 in tls_h_read_f (c=0x7fa10cfc64e0, flags=0x7ffd2a0cb5d0) at ./src/modules/tls/tls_server.c:1140
#17 0x0000562ad6b0c46e in tcp_read_headers (c=c@entry=0x7fa10cfc64e0, read_flags=read_flags@entry=0x7ffd2a0cb5d0) at core/tcp_read.c:445
#18 0x0000562ad6b0f543 in tcp_read_req (con=0x7fa10cfc64e0, bytes_read=bytes_read@entry=0x7ffd2a0cb5cc, read_flags=read_flags@entry=0x7ffd2a0cb5d0) at core/tcp_read.c:1508
#19 0x0000562ad6b14879 in handle_io (fm=fm@entry=0x7fa110ed31c8, events=events@entry=1, idx=idx@entry=-1) at core/tcp_read.c:1832
#20 0x0000562ad6b1a7fd in io_wait_loop_epoll (repeat=repeat@entry=0, t=2, h=0x562ad6de8c20 <io_w>) at core/io_wait.h:1073
#21 0x0000562ad6b1b017 in tcp_receive_loop (unix_sock=<optimized out>) at core/tcp_read.c:2032
#22 0x0000562ad6b02df5 in tcp_init_children (woneinit=woneinit@entry=0x7ffd2a0cbb0c) at core/tcp_main.c:5364
#23 0x0000562ad6928b60 in main_loop () at ./src/main.c:1936
#24 0x0000562ad691a463 in main (argc=<optimized out>, argv=<optimized out>) at ./src/main.c:3212

Part of the ssl3_ciphers array, which should be sorted by id in ascending order (here it is not: id 50380848 precedes id 50331692):

  }, {
    valid = 1,
    name = 0x7fa110cc3720 "ECDHE-RSA-AES256-GCM-SHA384",
    stdname = 0x7fa110cc89f8 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    id = 50380848,
    ...
  }, {
    valid = 1,
    name = 0x7fa110cc3770 "PSK-NULL-SHA",
    stdname = 0x7fa110cc373c "TLS_PSK_WITH_NULL_SHA",
    id = 50331692,
    ...
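
An added example (not Kamailio or OpenSSL code) modelling the lookup in frames #4-#7 of the backtrace: a binary search over a cipher table that is still in source order misses ECDHE-RSA-AES256-GCM-SHA384, just as the log reports, and finds it once the table has been sorted by id, which is the step the per-process library initialisation (OPENSSL_init_ssl) performs. The two ids come from the gdb dump above; the third entry and the table order are constructed.

```c
/* Model of the cipher-suite lookup in the backtrace above. Added example, not
 * Kamailio or OpenSSL code: the two ids are from the gdb dump, the third entry
 * and the table order are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct { const char *name; uint32_t id; } cipher_entry; /* id = 0x03000000 | suite */

/* Source order: what a worker sees when the sort done by library init
 * (OPENSSL_init_ssl) has not run in that process. */
static const cipher_entry ciphers_source_order[] = {
    { "ECDHE-RSA-AES256-GCM-SHA384", 0x0300C030 }, /* 50380848, from the dump */
    { "PSK-NULL-SHA",                0x0300002C }, /* 50331692, from the dump */
    { "ECDHE-RSA-AES128-GCM-SHA256", 0x0300C02F }, /* 50380847, constructed */
};
#define NCIPHERS (sizeof ciphers_source_order / sizeof ciphers_source_order[0])

/* Server Hello cipher suite bytes ("\300" "0" = 0xC0 0x30 in frame #6) -> id. */
uint32_t cipher_id_from_wire(const unsigned char wire[2])
{
    return 0x03000000u | ((uint32_t)wire[0] << 8) | wire[1];
}

static int cmp_id(const void *a, const void *b)
{
    uint32_t x = ((const cipher_entry *)a)->id, y = ((const cipher_entry *)b)->id;
    return (x > y) - (x < y);
}
/* Binary search by id, like OBJ_bsearch_ssl_cipher_id(): correct only on a
 * table sorted ascending; on an unsorted one it silently misses entries. */
const cipher_entry *lookup_cipher(const cipher_entry *tab, size_t n, uint32_t id)
{
    size_t l = 0, h = n;
    while (l < h) {
        size_t i = (l + h) / 2;
        if (id < tab[i].id) h = i;
        else if (id > tab[i].id) l = i + 1;
        else return &tab[i];
    }
    return NULL;   /* what surfaces as "unknown cipher returned" in the log */
}

/* The once-per-process sort done by library init, and a check for it. */
void sort_ciphers(cipher_entry *tab, size_t n) { qsort(tab, n, sizeof *tab, cmp_id); }
int table_is_sorted(const cipher_entry *tab, size_t n)
{
    for (size_t i = 1; i < n; i++) if (tab[i - 1].id >= tab[i].id) return 0;
    return 1;
}
```

In this constructed table the AES128 suite happens to be found even before sorting, which matches the report that only some suites (at least ECDHE-RSA-AES256-GCM-SHA384) fail.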

Log Messages

ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS write:error:0A0000F8:SSL routines::unknown cipher returned (sni: unknown)

Possible Solutions

Additional Information

# kamailio -v
version: kamailio 5.7.4 (x86_64/linux) 
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown 
compiled with gcc 13.2.0
# apt list kamailio --installed
Listing... Done
kamailio/testing,now 5.7.4-1 amd64 [installed]

Debian GNU/Linux trixie/sid (also reproduced on Debian bookworm)


Message ID: <kamailio/kamailio/issues/3765@github.com>