[sr-dev] [kamailio/kamailio] TLS Module Regression (ee key too small) (Issue #3737)

31 Jan 2024

### Description

The TLS module seems to have some regression from 5.7.3 to 5.7.4 causing `tls.reload` to
fail loading certificates.

### Troubleshooting

#### System Info

- kamailio version: 5.7.4 (from official kamailio repos)
- distro version: debian 12
- OS/kernel version: Linux ip-172-31-30-183 6.1.0-17-cloud-amd64 #1 SMP PREEMPT_DYNAMIC
Debian 6.1.69-1 (2023-12-30) x86_64 GNU/Linux
- openssl version: 3.0.11 (from official debian repos)

#### Reproduction

On a fresh install of debian 12:
- install openssl from debian repos
- install kamailio 5.7.4 from kamailio repos
- install kamailio-tls-modules from kamailio repos
- create a self signed cert with 4096 bit rsa key
- create a basic tls.cfg to load those files on the client/server default domain
- reload kamailio
- try running `kamcmd tls.reload`

#### Debugging Data

Example tls.cfg

```
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/dsiprouter/certs/dsiprouter-key.pem
certificate = /etc/dsiprouter/certs/dsiprouter-cert.pem
ca_list = /etc/dsiprouter/certs/ca-list.pem
ca_path = /etc/dsiprouter/certs/ca

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/dsiprouter/certs/dsiprouter-key.pem
certificate = /etc/dsiprouter/certs/dsiprouter-cert.pem
ca_list = /etc/dsiprouter/certs/ca-list.pem
ca_path = /etc/dsiprouter/certs/ca
```

Example tls cert:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7a:43:b8:fa:df:c9:ed:a7:d6:ab:bb:9a:89:c0:8e:95:fd:62:de:26
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = MI, L = Detroit, O = dSIPRouter, CN =
ec2-34-224-90-100.compute-1.amazonaws.com
        Validity
            Not Before: Jan 30 15:28:11 2024 GMT
            Not After : Jan 29 15:28:11 2025 GMT
        Subject: C = US, ST = MI, L = Detroit, O = dSIPRouter, CN =
ec2-34-224-90-100.compute-1.amazonaws.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
...
```

Example tls key:

```
Private-Key: (4096 bit, 2 primes)
modulus:
...
```

#### Log Messages

```
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:345]:
ksr_tls_fill_missing(): TLSs<default>: tls_method=25
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:357]:
ksr_tls_fill_missing(): TLSs<default>:
certificate='/etc/dsiprouter/certs/dsiprouter-cert.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:364]:
ksr_tls_fill_missing(): TLSs<default>:
ca_list='/etc/dsiprouter/certs/ca-list.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:371]:
ksr_tls_fill_missing(): TLSs<default>: ca_path='/etc/dsiprouter/certs/ca'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:378]:
ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:382]:
ksr_tls_fill_missing(): TLSs<default>: require_certificate=1
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:390]:
ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:397]:
ksr_tls_fill_missing(): TLSs<default>:
private_key='/etc/dsiprouter/certs/dsiprouter-key.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:401]:
ksr_tls_fill_missing(): TLSs<default>: verify_certificate=1
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:406]:
ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:410]:
ksr_tls_fill_missing(): TLSs<default>: verify_client=0
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: NOTICE: tls
[tls_domain.c:1168]: ksr_tls_fix_domain(): registered server_name callback handler for
socket [:0], server_name='<default>' ...
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_domain.c:590]:
load_cert(): TLSs<default>: Unable to load certificate file
'/etc/dsiprouter/certs/dsiprouter-cert.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_util.h:49]:
tls_err_ret(): load_cert:error:03000072:digital envelope routines::decode error (sni:
unknown)
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_util.h:49]:
tls_err_ret(): load_cert:error:0A00018F:SSL routines::ee key too small (sni: unknown)
```

#### SIP Traffic

N/A

-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3737
You are receiving this because you are subscribed to this thread.

Message ID: &lt;kamailio/kamailio/issues/3737(a)github.com&gt;

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

[sr-dev] [kamailio/kamailio] TLS Module Regression (ee key too small) (Issue #3737)