Description

Some users are having issues connecting to the Kamailio websocket using TLS. The logs show SSLv3 errors. I cannot find why that error would show up if SSLv2/3 is not enabled. I double-checked via SSLLabs that only TLSv1.2 is allowed in the service.

Any pointers would be appreciated. Also, let me know if more debug information is needed.

Troubleshooting

Debugging Data

This is the TLS config:

modparam("tls", "tls_method", "TLSv1.2+")
modparam("tls", "verify_certificate", 0)
modparam("tls", "require_certificate", 0)
modparam("tls", "low_mem_threshold1", 0)
modparam("tls", "low_mem_threshold2", 0)
modparam("tls", "private_key", "/etc/certs/tls.key")
modparam("tls", "certificate", "/etc/certs/tls.crt")

This is the output from tls module in kamcmd:

kamcmd> tls.info
{
        max_connections: 2048
        opened_connections: 353
        clear_text_write_queued_bytes: 0
}
kamcmd> tls.options
{
        force_run: 0
        method: TLSv1.2+
        verify_certificate: 0
        verify_depth: 9
        require_certificate: 0
        private_key: /etc/certs/tls.key
        ca_list: <null string>
        certificate: /etc/certs/tls.crt
        cipher_list: <null string>
        session_cache: 0
        session_id: kamailio-tls-5.x.y
        config: <null string>
        log: 3
        debug: 3
        connection_timeout: 600
        disable_compression: 1
        ssl_release_buffers: -1
        ssl_freelist_max: -1
        ssl_max_send_fragment: -1
        ssl_read_ahead: 0
        send_close_notify: 0
        low_mem_threshold1: 0
        low_mem_threshold2: 0
        ct_wq_max: 10485760
        con_ct_wq_max: 65536
        ct_wq_blk_size: 4096
}

Log Messages

I see these log messages related to SSLv3:

15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
15(36) ERROR: <core> [core/tcp_read.c:1512]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fafc8768190 r: 0x7fafc8768278 (-1)

Additional Information

version: kamailio 5.3.9 (x86_64/linux) 
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown 
compiled with gcc 6.3.0

Debian 9.13.

Linux 4.19.112+ #1 SMP Wed Sep 23 07:53:39 PDT 2020 x86_64 GNU/Linux
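
Added example, not part of the original issue or of Kamailio's code: a small decoder for the packed OpenSSL error code in the log line above, showing which library and reason produced the message and whether it is an alert received from the peer. It assumes the OpenSSL 1.x error-code layout (8-bit library, 12-bit function, 12-bit reason); the function and variable names are hypothetical, and the second sample line is constructed for contrast.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2); subset seen during handshakes.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version",
}
ERR_LIB_SSL = 20             # OpenSSL library number behind "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 are alerts received from the peer

# Matches "error:<8 hex digits>:<library>:<function>:<reason text>".
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def decode_openssl_error(line):
    """Unpack an OpenSSL 1.x error code found in a log line (assumed layout)."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "func_name": m.group(3), "text": m.group(4).strip(),
            "peer_alert": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        info["peer_alert"] = (number, TLS_ALERTS.get(number, "unknown"))
    return info

# Log line copied from the issue above.
ISSUE_LINE = ("15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:"
              "error:14094416:SSL routines:ssl3_read_bytes:"
              "sslv3 alert certificate unknown")
# Constructed line: an error raised locally, not an alert from the peer.
LOCAL_LINE = ("15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:"
              "error:1408F10B:SSL routines:ssl3_get_record:wrong version number")

if __name__ == "__main__":
    for sample in (ISSUE_LINE, LOCAL_LINE):
        d = decode_openssl_error(sample)
        origin = "alert from peer" if d["peer_alert"] else "local error"
        print(f'{d["text"]!r}: lib={d["lib"]} func={d["func"]} '
              f'reason={d["reason"]} -> {origin} {d["peer_alert"] or ""}')
```

For the line from the issue, the decoder reports alert 46 (`certificate_unknown`) received from the remote side. The `sslv3` prefix is part of OpenSSL's name for that reason string and does not indicate the negotiated protocol version.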


Message ID: <kamailio/kamailio/issues/3085@github.com>