15 Oct
2019
15 Oct
'19
4:49 p.m.
Sometimes I see in syslog errors like this:
Oct 15 16:44:57 salmon /usr/bin/sip-proxy[2064]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS accept:error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed
Is it possible somehow to catch the error in config file, for example,
to figure out from which IP address the connection attempt came from?
-- Juha
16 Oct
16 Oct
9:39 a.m.
Looks no, because connection must be established for handling it in the
config file. This error fired by ssl library during Negotiation process.
But you can try tcpdump, at least you will see Who tries to established
connection
On Tue, 15 Oct 2019, 15:51 Juha Heinanen, <jh(a)tutpro.com> wrote:
Sometimes I see in syslog errors like this:
Oct 15 16:44:57 salmon /usr/bin/sip-proxy[2064]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed
Is it possible somehow to catch the error in config file, for example,
to figure out from which IP address the connection attempt came from?
-- Juha
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
9:53 a.m.
Yuriy Gorlichenko writes:
Looks no, because connection must be established for
handling it in the
config file. This error fired by ssl library during Negotiation process.
But you can try tcpdump, at least you will see Who tries to established
connection
Yes, I could do that, but I would rather get the IP address to syslog so
that I could fail2ban it.
-- Juha
5:06 p.m.
On 16.10.19 08:53, Juha Heinanen wrote:
Yuriy Gorlichenko writes:
Probably the IP address can be printed in that log message from the C
code, at that level the tcp connection structure (associated with the
tls session) should be filled in with source ip and destination ip.
Obviously it requires to patch the code -- I can do it during the next
two days, if this solution helps.
Cheers,
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training, Oct 21-23, 2019, Berlin, Germany -- https://asipto.com/u/kat
Looks no, because connection must be established
for handling it in the
config file. This error fired by ssl library during Negotiation process.
But you can try tcpdump, at least you will see Who tries to established
connection
Yes, I could do that, but I would rather get the IP address to syslog
so
that I could fail2ban it.
5:11 p.m.
Daniel-Constantin Mierla writes:
Probably the IP address can be printed in that log
message from the C
code, at that level the tcp connection structure (associated with the
tls session) should be filled in with source ip and destination ip.
Obviously it requires to patch the code -- I can do it during the next
two days, if this solution helps.
That would be great. Juha
5:07 p.m.
Not sure if it availible for 4.x Version but for 5.x There is a tcp
connection closed event route
https://kamailio.org/docs/modules/4.4.x/modules/tcpops.html#tcpops.f.tcp_en…
You can try to play around it to get ip that distorbs you.
Probably these will be a lot of attempts during small period of time from
the same ip.
On Wed, 16 Oct 2019, 08:55 Juha Heinanen, <jh(a)tutpro.com> wrote:
Yuriy Gorlichenko writes:
Looks no, because connection must be established
for handling it in the
config file. This error fired by ssl library during Negotiation process.
But you can try tcpdump, at least you will see Who tries to established
connection
Yes, I could do that, but I would rather get the IP address to syslog so
that I could fail2ban it.
-- Juha
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
17 Oct
17 Oct
10:09 a.m.
Yuriy Gorlichenko writes:
Not sure if it availible for 4.x Version but for 5.x
There is a tcp
connection closed event route
https://kamailio.org/docs/modules/4.4.x/modules/tcpops.html#tcpops.f.tcp_en…
You can try to play around it to get ip that distorbs you.
My understanding is that TLS negotiation failure happens before the
request is handled by the config.
-- Juha
1866
days inactive
1868
days old
6 comments
3 participants
participants (3)
-
Daniel-Constantin Mierla -
Juha Heinanen -
Yuriy Gorlichenko