### Description
After some recent changes there are problems with the TLS handshake (for at least
ECDHE-RSA-AES256-GCM-SHA384) because of the missing `OPENSSL_init_ssl()` call for TCP workers.
#### Reproduction
Try to send any SIP message over TLS to a server which accepts
ECDHE-RSA-AES256-GCM-SHA384 in its Server Hello during the handshake.
The simplest way to reproduce is to add the Microsoft Teams server to the dispatcher and
enable probing, so that OPTIONS requests are sent.
kamailio.cfg:
```
loadmodule "tls.so"
modparam("tls", "config", "/etc/kamailio/tls.cfg")
loadmodule "dispatcher.so"
modparam("dispatcher","flags",2)
modparam("dispatcher", "list_file", "/etc/kamailio/dispatcher.list")
modparam("dispatcher", "ds_ping_method","OPTIONS")
modparam("dispatcher", "ds_ping_interval",5)
modparam("dispatcher", "ds_probing_mode",1)
```
tls.cfg:
```
[server:default]
certificate = /etc/kamailio/ssl/ssl-cert-snakeoil.pem
private_key = /etc/kamailio/ssl/ssl-cert-snakeoil.key
[client:default]
certificate = /etc/kamailio/ssl/ssl-cert-snakeoil.pem
private_key = /etc/kamailio/ssl/ssl-cert-snakeoil.key
```
dispatcher.list:
```
1 sip:sip.pstnhub.microsoft.com;transport=tls 0 0
```
#### Debugging Data
Backtrace for the cipher suite lookup:
```
(gdb) bt
#0 ssl_cipher_id_cmp_BSEARCH_CMP_FN (a_=0x7ffd2a0aade0, b_=0x7fa110ceeec0 <ssl3_ciphers+11680>) at ../ssl/ssl_lib.c:4985
#1 0x00007fa110832a95 in ossl_bsearch (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167, size=size@entry=80, cmp=cmp@entry=0x7fa110c7cac0 <ssl_cipher_id_cmp_BSEARCH_CMP_FN>, flags=flags@entry=0) at ../crypto/bsearch.c:28
#2 0x00007fa1108fc229 in OBJ_bsearch_ex_ (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167, size=size@entry=80, cmp=cmp@entry=0x7fa110c7cac0 <ssl_cipher_id_cmp_BSEARCH_CMP_FN>, flags=flags@entry=0) at ../crypto/objects/obj_dat.c:699
#3 0x00007fa1108fc23c in OBJ_bsearch_ (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167, size=size@entry=80, cmp=cmp@entry=0x7fa110c7cac0 <ssl_cipher_id_cmp_BSEARCH_CMP_FN>) at ../crypto/objects/obj_dat.c:691
#4 0x00007fa110c7fb95 in OBJ_bsearch_ssl_cipher_id (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167) at ../ssl/ssl_lib.c:4985
#5 0x00007fa110c6ed4c in ssl3_get_cipher_by_id (id=<optimized out>) at ../ssl/s3_lib.c:4075
#6 0x00007fa110c76077 in ssl_get_cipher_by_char (ssl=ssl@entry=0x7fa10cfca900, ptr=ptr@entry=0x7fa10cfcc767 "\3000", all=all@entry=0) at ../ssl/ssl_ciph.c:2102
#7 0x00007fa110cae0ee in set_client_ciphersuite (s=s@entry=0x7fa10cfca900, cipherchars=cipherchars@entry=0x7fa10cfcc767 "\3000") at ../ssl/statem/statem_clnt.c:1310
#8 0x00007fa110cb03b3 in tls_process_server_hello (s=0x7fa10cfca900, pkt=<optimized out>) at ../ssl/statem/statem_clnt.c:1614
#9 0x00007fa110cace72 in read_state_machine (s=0x7fa10cfca900) at ../ssl/statem/statem.c:647
#10 state_machine (s=0x7fa10cfca900, server=0) at ../ssl/statem/statem.c:442
#11 0x00007fa110d33aaa in tls_connect (c=c@entry=0x7fa10cfc64e0, error=error@entry=0x7ffd2a0ab0e4) at ./src/modules/tls/tls_server.c:542
#12 0x00007fa110d01edd in ssl_flush (size=413, buf=0x7fa10cfdafdc, error=<synthetic pointer>, tcp_c=0x7fa10cfc64e0) at ./src/modules/tls/tls_ct_wrq.c:101
#13 sbufq_flush (flush_f=<optimized out>, flush_p2=<synthetic pointer>, flush_p1=0x7fa10cfc64e0, flags=0x7ffd2a0ab1ac, q=0x7fa10cfb43a0) at ./src/modules/tls/sbufq.h:247
#14 tls_ct_q_flush (flush_p2=<synthetic pointer>, flush_p1=0x7fa10cfc64e0, flush_f=<optimized out>, flags=0x7ffd2a0ab1ac, tc_q=0x18) at ./src/modules/tls/tls_ct_q.h:122
#15 tls_ct_wq_flush (c=c@entry=0x7fa10cfc64e0, ct_q=ct_q@entry=0x7fa10cfb34c0, flags=flags@entry=0x7ffd2a0ab1ac, ssl_err=ssl_err@entry=0x7ffd2a0ab1a8) at ./src/modules/tls/tls_ct_wrq.c:147
#16 0x00007fa110d386f4 in tls_h_read_f (c=0x7fa10cfc64e0, flags=0x7ffd2a0cb5d0) at ./src/modules/tls/tls_server.c:1140
#17 0x0000562ad6b0c46e in tcp_read_headers (c=c@entry=0x7fa10cfc64e0, read_flags=read_flags@entry=0x7ffd2a0cb5d0) at core/tcp_read.c:445
#18 0x0000562ad6b0f543 in tcp_read_req (con=0x7fa10cfc64e0, bytes_read=bytes_read@entry=0x7ffd2a0cb5cc, read_flags=read_flags@entry=0x7ffd2a0cb5d0) at core/tcp_read.c:1508
#19 0x0000562ad6b14879 in handle_io (fm=fm@entry=0x7fa110ed31c8, events=events@entry=1, idx=idx@entry=-1) at core/tcp_read.c:1832
#20 0x0000562ad6b1a7fd in io_wait_loop_epoll (repeat=repeat@entry=0, t=2, h=0x562ad6de8c20 <io_w>) at core/io_wait.h:1073
#21 0x0000562ad6b1b017 in tcp_receive_loop (unix_sock=<optimized out>) at core/tcp_read.c:2032
#22 0x0000562ad6b02df5 in tcp_init_children (woneinit=woneinit@entry=0x7ffd2a0cbb0c) at core/tcp_main.c:5364
#23 0x0000562ad6928b60 in main_loop () at ./src/main.c:1936
#24 0x0000562ad691a463 in main (argc=<optimized out>, argv=<optimized out>) at ./src/main.c:3212
```
Part of the `ssl3_ciphers` array, which should be sorted by id in ascending order (here it is not):
```
}, {
valid = 1,
name = 0x7fa110cc3720 "ECDHE-RSA-AES256-GCM-SHA384",
stdname = 0x7fa110cc89f8 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
id = 50380848,
...
}, {
valid = 1,
name = 0x7fa110cc3770 "PSK-NULL-SHA",
stdname = 0x7fa110cc373c "TLS_PSK_WITH_NULL_SHA",
id = 50331692,
...
```
* `ossl_bsearch` assumes that it works on a sorted `ssl3_ciphers`
* the sorting of `ssl3_ciphers` is performed by `OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)` -> `ossl_init_ssl_base()` -> `ssl_sort_cipher_list()` -> `qsort(ssl3_ciphers...`
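To make the failure mode concrete, here is an added C model (not OpenSSL's or Kamailio's code) of the lookup path in frames #5 to #7: the two cipher bytes from the Server Hello (`"\3000"` in gdb's escaping is 0xC0 0x30, i.e. ECDHE-RSA-AES256-GCM-SHA384) become the id `0x0300C030` and are binary-searched in a table that is only sorted once the init step has run. The table is constructed from the excerpt above with the ids printed there plus two filler entries; the comparator and binary search are my own, written to behave like an ascending-id search.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cipher { const char *name; uint32_t id; };

/* Constructed table in *declaration* order, mirroring the excerpt above:
 * ECDHE-RSA-AES256-GCM-SHA384 (id 50380848) precedes PSK-NULL-SHA
 * (id 50331692), so the array is not sorted by id until init runs. */
static struct cipher table[] = {
    { "ECDHE-RSA-AES256-GCM-SHA384", 0x0300C030u }, /* 50380848 */
    { "PSK-NULL-SHA",                0x0300002Cu }, /* 50331692 */
    { "AES128-SHA",                  0x0300002Fu }, /* constructed filler */
    { "TLS_AES_256_GCM_SHA384",      0x03001302u }, /* constructed filler */
};
#define TABLE_LEN (sizeof table / sizeof table[0])

/* Ascending-id ordering, the rule the table must satisfy for bsearch. */
static int id_cmp(const void *a, const void *b) {
    uint32_t x = ((const struct cipher *)a)->id, y = ((const struct cipher *)b)->id;
    return (x > y) - (x < y);
}

/* Models the one-time sort done under OPENSSL_init_ssl(); returns entry count. */
int init_cipher_table(void) {
    qsort(table, TABLE_LEN, sizeof table[0], id_cmp);
    return (int)TABLE_LEN;
}

/* Models ssl3_get_cipher_by_char(): two wire bytes -> 0x0300xxxx id -> binary
 * search. The search only gives correct results if the table is sorted. */
const char *lookup_by_char(unsigned char b0, unsigned char b1) {
    uint32_t id = 0x03000000u | ((uint32_t)b0 << 8) | b1;
    size_t lo = 0, hi = TABLE_LEN;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (table[mid].id == id) return table[mid].name;
        if (table[mid].id < id) lo = mid + 1; else hi = mid;
    }
    return NULL; /* this is what surfaces as "unknown cipher returned" */
}

int main(void) {
    const char *n = lookup_by_char(0xC0, 0x30); /* bytes "\3000" from frame #7 */
    printf("before init: %s\n", n ? n : "(not found)");
    init_cipher_table();
    n = lookup_by_char(0xC0, 0x30);
    printf("after init:  %s\n", n ? n : "(not found)");
    return 0;
}
```

Note that PSK-NULL-SHA is still found in the unsorted table because the search happens to land on it, which matches the report's observation that only some suites (at least ECDHE-RSA-AES256-GCM-SHA384) fail.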
#### Log Messages
```
ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS write:error:0A0000F8:SSL routines::unknown cipher returned (sni: unknown)
```
### Possible Solutions
* ensure `OPENSSL_init_ssl()` is called (directly or via OPENSSL_INIT_ATFORK) for TCP workers
* fixed by an `OPENSSL_init_ssl(0, NULL);` call in `tls_init.c:int tls_h_mod_init_f(void)`, but it's hardly the fully correct solution
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
```
# kamailio -v
version: kamailio 5.7.4 (x86_64/linux)
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST,
DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC,
DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER,
USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535,
DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 13.2.0
```
```
# apt list kamailio --installed
Listing... Done
kamailio/testing,now 5.7.4-1 amd64 [installed]
```
* **Operating System**: Debian GNU/Linux trixie/sid (reproduced on Debian bookworm as well)
View it on GitHub: https://github.com/kamailio/kamailio/issues/3765