### Description
The TLS module seems to have some regression from 5.7.3 to 5.7.4 causing `tls.reload` to fail loading certificates.
### Troubleshooting
#### System Info
- kamailio version: 5.7.4 (from official kamailio repos)
- distro version: debian 12
- OS/kernel version: Linux ip-172-31-30-183 6.1.0-17-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64 GNU/Linux
- openssl version: 3.0.11 (from official debian repos)
#### Reproduction
On a fresh install of debian 12:
- install openssl from debian repos
- install kamailio 5.7.4 from kamailio repos
- install kamailio-tls-modules from kamailio repos
- create a self signed cert with 4096 bit rsa key
- create a basic tls.cfg to load those files on the client/server default domain
- reload kamailio
- try running `kamcmd tls.reload`
#### Debugging Data
Example tls.cfg
```
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/dsiprouter/certs/dsiprouter-key.pem
certificate = /etc/dsiprouter/certs/dsiprouter-cert.pem
ca_list = /etc/dsiprouter/certs/ca-list.pem
ca_path = /etc/dsiprouter/certs/ca

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/dsiprouter/certs/dsiprouter-key.pem
certificate = /etc/dsiprouter/certs/dsiprouter-cert.pem
ca_list = /etc/dsiprouter/certs/ca-list.pem
ca_path = /etc/dsiprouter/certs/ca
```
Example tls cert:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7a:43:b8:fa:df:c9:ed:a7:d6:ab:bb:9a:89:c0:8e:95:fd:62:de:26
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = MI, L = Detroit, O = dSIPRouter, CN = ec2-34-224-90-100.compute-1.amazonaws.com
        Validity
            Not Before: Jan 30 15:28:11 2024 GMT
            Not After : Jan 29 15:28:11 2025 GMT
        Subject: C = US, ST = MI, L = Detroit, O = dSIPRouter, CN = ec2-34-224-90-100.compute-1.amazonaws.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
...
```
Example tls key:
```
Private-Key: (4096 bit, 2 primes)
modulus:
...
```
#### Log Messages
```
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:345]: ksr_tls_fill_missing(): TLSs<default>: tls_method=25
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:357]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/dsiprouter/certs/dsiprouter-cert.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:364]: ksr_tls_fill_missing(): TLSs<default>: ca_list='/etc/dsiprouter/certs/ca-list.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:371]: ksr_tls_fill_missing(): TLSs<default>: ca_path='/etc/dsiprouter/certs/ca'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:378]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:382]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=1
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:397]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/dsiprouter/certs/dsiprouter-key.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:401]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=1
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:406]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:410]: ksr_tls_fill_missing(): TLSs<default>: verify_client=0
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: NOTICE: tls [tls_domain.c:1168]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>'
...
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_domain.c:590]: load_cert(): TLSs<default>: Unable to load certificate file '/etc/dsiprouter/certs/dsiprouter-cert.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:03000072:digital envelope routines::decode error (sni: unknown)
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:0A00018F:SSL routines::ee key too small (sni: unknown)
```
#### SIP Traffic
N/A
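
A check that can be run on the files named in `tls.cfg` before `kamcmd tls.reload`, to tell a problem with the files themselves apart from a problem in how they are loaded. This is an added example, not part of the original report and not Kamailio code; `check_tls_pair` is a hypothetical helper name, and it assumes unencrypted RSA PEM files and the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not Kamailio code): check the certificate and key that
# tls.cfg points at before running `kamcmd tls.reload`.
# check_tls_pair is a hypothetical helper; it only reads the two files.
#
# Return codes: 0 ok, 1 certificate unreadable, 2 key unreadable,
#               3 certificate/key mismatch, 4 key below MIN_BITS.
check_tls_pair() {
    cert=$1
    key=$2
    min_bits=${3:-2048}   # assumption: RSA floor at OpenSSL security level 2

    # The certificate must decode as PEM X.509.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: cannot decode certificate $cert"
        return 1
    fi

    # The private key must decode as well (unencrypted key assumed).
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: cannot decode private key $key"
        return 2
    fi

    # The public key inside the certificate must be the one derived
    # from the private key; both commands print the same PEM block.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and private key do not match"
        return 3
    fi

    # Key size as printed by `openssl x509 -text`: "Public-Key: (4096 bit)".
    bits=$(openssl x509 -in "$cert" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key size ${bits:-unknown} is below $min_bits bits"
        return 4
    fi

    echo "OK: $cert and $key match, $bits-bit key"
}

# Usage: sh check_tls_pair.sh CERT KEY [MIN_BITS]
if [ "$#" -ge 2 ]; then
    check_tls_pair "$@"
fi
```

If this returns 0 for the certificate and key paths in `tls.cfg`, the files on disk decode, match and meet the size floor, so the `decode error` and `ee key too small` lines in the log are not explained by the files alone.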