Hello everyone,
I am trying to configure TLS in kamailio (5.2.4) following this guide:
http://www.kamailio.org/dokuwiki/doku.php/tls:create-certificates
Modules:
#!define WITH_MYSQL
#!define WITH_AUTH
#!define WITH_USRLOCDB
#!define WITH_PRESENCE
#!define WITH_ALIASDB
#!define WITH_IMC
#!define WITH_TLS
When I try to connect via command line, this is the result (just including relevant
parts):
$ openssl s_client -connect 192.X.X.X:5061 -tls1
CONNECTED(00000003)
depth=1 C = XX, ST = XXXX, L = XXXXXX, O = XXX CA, CN = XXX CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
No client certificate CA names sent
---
SSL handshake has read 2550 bytes and written 336 bytes
---
---
Start Time: 1567787935
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
read:errno=0
Now, when I setup my clients, they connect to the server, but they can't send messages
or make calls.
This is the TLS startup log:
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_mod.c:372]:
mod_init(): With ECDH-Support!
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_mod.c:375]:
mod_init(): With Diffie Hellman
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: CRITICAL: tls [tls_init.c:671]:
init_tls_h(): installed openssl library version is too different from the library the
kamailio tls module was compiled with: installed "OpenSSL 1.1.1 11 Sep 2018"
(0x1010100f), compiled "OpenSSL 1.1.0k 28 May 2019" (0x101000bf).#012 Please
make sure a compatible version is used (tls_force_run in kamailio.cfg will override this
check)
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: WARNING: tls [tls_init.c:680]:
init_tls_h(): tls_force_run turned on, ignoring openssl version mismatch
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: WARNING: tls [tls_init.c:778]:
init_tls_h(): openssl bug #1491 (crash/mem leaks on low memory) workaround enabled (on low
memory tls operations will fail preemptively) with free memory thresholds 12582912 and
6291456 bytes
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core>
[core/cfg/cfg_ctx.c:595]: cfg_set_now(): tls.low_mem_threshold1 has been changed to
12582912
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core>
[core/cfg/cfg_ctx.c:595]: cfg_set_now(): tls.low_mem_threshold2 has been changed to
6291456
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core> [main.c:2669]:
main(): processes (at least): 24 - shm size: 67108864 - pkg size: 8388608
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core>
[core/udp_server.c:153]: probe_max_receive_buffer(): SO_RCVBUF is initially 212992
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core>
[core/udp_server.c:205]: probe_max_receive_buffer(): SO_RCVBUF is finally 425984
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:303]:
ksr_tls_fill_missing(): TLSs<default>: tls_method=12
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:315]:
ksr_tls_fill_missing(): TLSs<default>:
certificate='/etc/certs/192.X.X.X/cert.pem'
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:322]:
ksr_tls_fill_missing(): TLSs<default>: ca_list='/etc/certs/demoCA/cert.pem'
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:329]:
ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:333]:
ksr_tls_fill_missing(): TLSs<default>: require_certificate=0
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:340]:
ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:347]:
ksr_tls_fill_missing(): TLSs<default>:
private_key='/etc/certs/192.X.X.X/key.pem'
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:351]:
ksr_tls_fill_missing(): TLSs<default>: verify_certificate=0
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:354]:
ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: NOTICE: tls [tls_domain.c:1087]:
ksr_tls_fix_domain(): registered server_name callback handler for socket [:0],
server_name='<default>' ...
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:707]:
set_verification(): TLSs<default>: No client certificate required and no checks
performed
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:303]:
ksr_tls_fill_missing(): TLSc<default>: tls_method=12
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:315]:
ksr_tls_fill_missing(): TLSc<default>: certificate='(null)'
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:322]:
ksr_tls_fill_missing(): TLSc<default>: ca_list='(null)'
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:329]:
ksr_tls_fill_missing(): TLSc<default>: crl='(null)'
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:333]:
ksr_tls_fill_missing(): TLSc<default>: require_certificate=0
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:340]:
ksr_tls_fill_missing(): TLSc<default>: cipher_list='(null)'
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:347]:
ksr_tls_fill_missing(): TLSc<default>: private_key='(null)'
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:351]:
ksr_tls_fill_missing(): TLSc<default>: verify_certificate=0
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:354]:
ksr_tls_fill_missing(): TLSc<default>: verify_depth=9
Sep 6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:710]:
set_verification(): TLSc<default>: Server MAY present invalid certificate
Sep 6 16:41:58 aslo-kamailio /usr/sbin/kamailio[5862]: INFO: jsonrpcs
[jsonrpcs_sock.c:443]: jsonrpc_dgram_process(): a new child 0/5862
Sep 6 16:41:58 aslo-kamailio /usr/sbin/kamailio[5866]: INFO: ctl [io_listener.c:214]:
io_listen_loop(): io_listen_loop: using epoll_lt io watch method (config)
This is my tls.cfg file:
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/certs/192.X.X.X/key.pem
certificate = /etc/certs/192.X.X.X/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
#crl = /etc/kamailio/tls/crl.pem
# ---
# This is the default client domain profile.
# Settings in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
method = TLSv1
verify_certificate = no
require_certificate = no
These are the relevant parts of my kamailio.cfg:
# alias="sip.mydomain.com"
alias=192.X.X.X:5060
alias=192.X.X.X:5061
/* uncomment and configure the following line if you want Kamailio to
* bind on a specific interface/port/proto (default bind on all available) */
listen=udp:192.X.X.X:5060
listen=tcp:192.X.X.X:5060
listen=tls:192.X.X.X:5061
#!ifdef WITH_TLS
enable_tls=yes
/* upper limit for TLS connections */
tls_max_connections=2048
#!endif
#!ifdef WITH_TLS
# ----- tls params -----
modparam("tls", "config", "/etc/kamailio/tls.cfg")
modparam("tls", "tls_force_run", 1)
#!endif
These are the errors that show up every time I try to connect with a client:
Sep 6 16:53:42 aslo-kamailio /usr/sbin/kamailio[5870]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate
Sep 6 16:53:42 aslo-kamailio /usr/sbin/kamailio[5870]: ERROR: <core>
[core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c:
0x7f7c4e3ddd00 r: 0x7f7c4e3ddd80 (-1)
Sep 6 16:53:43 aslo-kamailio /usr/sbin/kamailio[5874]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate
Sep 6 16:53:43 aslo-kamailio /usr/sbin/kamailio[5874]: ERROR: <core>
[core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c:
0x7f7c4e3ddd00 r: 0x7f7c4e3ddd80 (-1)
Sep 6 16:53:44 aslo-kamailio /usr/sbin/kamailio[5875]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate
Sep 6 16:53:44 aslo-kamailio /usr/sbin/kamailio[5875]: ERROR: <core>
[core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c:
0x7f7c4e3ddd00 r: 0x7f7c4e3ddd80 (-1)
Any help would be greatly appreciated.
Regards.
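
Added example, not part of the original post: a small Python triage of the TLS error lines quoted above. It unpacks the OpenSSL 1.x error code (library, function, reason) and reports when the reason is a TLS alert received from the remote peer rather than an error raised locally. The sample lines are the post's errors re-joined onto single lines, and the function names are this example's own.

```python
import re
from collections import Counter

ERR_LIB_SSL = 20      # OpenSSL library number for libssl
ALERT_OFFSET = 1000   # SSL reason 1000+N means TLS alert N came from the peer
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate",
               43: "unsupported_certificate", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca",
               70: "protocol_version"}
# Captures the logged operation ("accept" in the post) and the 8-hex-digit code.
ERR_RE = re.compile(r"TLS (\w+):error:([0-9A-Fa-f]{8}):")

def decode(code_hex):
    """Split an OpenSSL 1.x packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF

def peer_alert(code_hex):
    """Return the TLS alert number sent by the peer, or None for a local error."""
    lib, _func, reason = decode(code_hex)
    if lib == ERR_LIB_SSL and ALERT_OFFSET <= reason <= ALERT_OFFSET + 255:
        return reason - ALERT_OFFSET
    return None

def triage(lines):
    """Count peer-sent alerts per (logged operation, alert name)."""
    counts = Counter()
    for line in lines:
        m = ERR_RE.search(line)
        if not m:
            continue
        alert = peer_alert(m.group(2))
        if alert is not None:
            name = ALERT_NAMES.get(alert, f"alert_{alert}")
            counts[(m.group(1), name)] += 1
    return counts

# Constructed sample: error lines from the post, re-joined onto single lines.
TLS_ERR = ("ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094412:"
           "SSL routines:ssl3_read_bytes:sslv3 alert bad certificate")
SAMPLE = [
    "Sep 6 16:53:42 aslo-kamailio /usr/sbin/kamailio[5870]: " + TLS_ERR,
    "Sep 6 16:53:42 aslo-kamailio /usr/sbin/kamailio[5870]: ERROR: <core> "
    "[core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading",
    "Sep 6 16:53:43 aslo-kamailio /usr/sbin/kamailio[5874]: " + TLS_ERR,
    "Sep 6 16:53:44 aslo-kamailio /usr/sbin/kamailio[5875]: " + TLS_ERR,
]

if __name__ == "__main__":
    for (op, name), n in triage(SAMPLE).items():
        print(f"{n} x alert '{name}' received from the peer during TLS {op}")
```

Reasons of 1000 + N in the SSL library are alerts sent by the peer, so 14094412 on a "TLS accept" line is the connecting client's verdict on the certificate the server presented. OpenSSL 3.x packs error codes differently, so this bit layout applies to 1.x only.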