Some users are having issues connecting to the kamailio websocket using TLS. The logs show SSLv3 errors. Cannot find why that error would show up if SSLv2/3 is not enabled. Double-checked via SSLLabs that only TLSv1.2 is allowed on the service.
Any pointers would be appreciated. Also, let me know if more debug information is needed.
This is the TLS config:
modparam("tls", "tls_method", "TLSv1.2+")
modparam("tls", "verify_certificate", 0)
modparam("tls", "require_certificate", 0)
modparam("tls", "low_mem_threshold1", 0)
modparam("tls", "low_mem_threshold2", 0)
modparam("tls", "private_key", "/etc/certs/tls.key")
modparam("tls", "certificate", "/etc/certs/tls.crt")
This is the output from tls module in kamcmd:
kamcmd> tls.info
{
max_connections: 2048
opened_connections: 353
clear_text_write_queued_bytes: 0
}
kamcmd> tls.options
{
force_run: 0
method: TLSv1.2+
verify_certificate: 0
verify_depth: 9
require_certificate: 0
private_key: /etc/certs/tls.key
ca_list: <null string>
certificate: /etc/certs/tls.crt
cipher_list: <null string>
session_cache: 0
session_id: kamailio-tls-5.x.y
config: <null string>
log: 3
debug: 3
connection_timeout: 600
disable_compression: 1
ssl_release_buffers: -1
ssl_freelist_max: -1
ssl_max_send_fragment: -1
ssl_read_ahead: 0
send_close_notify: 0
low_mem_threshold1: 0
low_mem_threshold2: 0
ct_wq_max: 10485760
con_ct_wq_max: 65536
ct_wq_blk_size: 4096
}
I see these log messages related to SSLv3:
15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
15(36) ERROR: <core> [core/tcp_read.c:1512]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fafc8768190 r: 0x7fafc8768278 (-1)
kamailio -v
version: kamailio 5.3.9 (x86_64/linux)
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 6.3.0
Debian 9.13.
Linux 4.19.112+ #1 SMP Wed Sep 23 07:53:39 PDT 2020 x86_64 GNU/Linux
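As an added diagnostic example (not part of the original issue, and not Kamailio project code): the OpenSSL error string that the tls module logs packs three fields into the 8-hex-digit code (`14094416` = library `0x14`, function `0x094`, reason `0x416`), and OpenSSL reports alerts the peer sent as reason `1000 + <TLS alert number>`. The script below parses lines of the shape shown above, decodes the code, and says whether it was an alert received from the client or a local OpenSSL error. The sample log is constructed: the first line is the one from the issue, the other two are made up for contrast. Name-mapping constants (`ERR_LIB_SSL = 20`, `SSL_AD_REASON_OFFSET = 1000`, the RFC 5246 alert table) are OpenSSL/TLS values, not something the page itself states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# OpenSSL constants (ERR_LIB_SSL and SSL_AD_REASON_OFFSET from the OpenSSL headers).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000

# TLS alert descriptions from RFC 5246 section 7.2 (subset).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}

# Matches the "error:<8 hex>:<lib>:<func>:<reason text>" part of a Kamailio tls log line.
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.*)$")

# Constructed sample log (line 1 is from the issue; lines 2 and 3 are invented for contrast).
SAMPLE_LOG = """\
15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
16(37) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
17(38) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1408F10B:SSL routines:ssl3_get_record:wrong version number
"""


@dataclass
class TlsError:
    code: int
    library: int      # top 8 bits of the packed code
    function: int     # middle 12 bits
    reason: int       # low 12 bits
    func_name: str
    reason_text: str

    @property
    def alert_number(self) -> Optional[int]:
        """TLS alert number if the reason encodes an alert received from the peer."""
        if self.library == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= self.reason < SSL_AD_REASON_OFFSET + 256:
            return self.reason - SSL_AD_REASON_OFFSET
        return None

    @property
    def alert_name(self) -> Optional[str]:
        n = self.alert_number
        return None if n is None else TLS_ALERTS.get(n, f"alert_{n}")

    def explain(self) -> str:
        if self.alert_number is not None:
            return (f"peer sent TLS alert {self.alert_number} ({self.alert_name}); "
                    f"the 'sslv3'/'tlsv1' prefix in '{self.reason_text}' is OpenSSL's label for the "
                    f"alert definition, not the negotiated protocol version")
        return f"local OpenSSL error in {self.func_name}: {self.reason_text} (no alert from peer)"


def parse_tls_error(line: str) -> Optional[TlsError]:
    """Decode the OpenSSL packed error code out of one Kamailio tls module log line."""
    m = OPENSSL_ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    return TlsError(
        code=code,
        library=(code >> 24) & 0xFF,
        function=(code >> 12) & 0xFFF,
        reason=code & 0xFFF,
        func_name=m.group(3),
        reason_text=m.group(4).strip(),
    )


def triage(log_text: str) -> List[str]:
    """One explanation per recognised OpenSSL error line; non-TLS lines are skipped."""
    out = []
    for line in log_text.splitlines():
        err = parse_tls_error(line)
        if err is not None:
            out.append(f"{err.code:08X}: {err.explain()}")
    return out


if __name__ == "__main__":
    for msg in triage(SAMPLE_LOG):
        print(msg)
```

For the line in the issue this yields alert 46, `certificate_unknown`: the client aborted the handshake because it did not accept the certificate Kamailio presented, which is a trust problem on the client side (chain, name, or CA), not SSLv3 being negotiated. The `wrong version number` line, by contrast, decodes to a local error with no peer alert, which is the shape a genuine protocol-version mismatch takes.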