Sometimes I see in syslog errors like this:
Oct 15 16:44:57 salmon /usr/bin/sip-proxy[2064]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Is it possible somehow to catch the error in config file, for example, to figure out from which IP address the connection attempt came from?
-- Juha
Looks like no, because the connection must be established before it can be handled in the config file. This error is fired by the SSL library during the negotiation process.
But you can try tcpdump; at least you will see who tries to establish the connection.
On Tue, 15 Oct 2019, 15:51 Juha Heinanen, jh@tutpro.com wrote:
Sometimes I see in syslog errors like this:
Oct 15 16:44:57 salmon /usr/bin/sip-proxy[2064]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Is it possible somehow to catch the error in config file, for example, to figure out from which IP address the connection attempt came from?
-- Juha
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Yuriy Gorlichenko writes:
Looks like no, because the connection must be established before it can be handled in the config file. This error is fired by the SSL library during the negotiation process.
But you can try tcpdump; at least you will see who tries to establish the connection.
Yes, I could do that, but I would rather get the IP address to syslog so that I could fail2ban it.
-- Juha
On 16.10.19 08:53, Juha Heinanen wrote:
Yuriy Gorlichenko writes:
Looks like no, because the connection must be established before it can be handled in the config file. This error is fired by the SSL library during the negotiation process.
But you can try tcpdump; at least you will see who tries to establish the connection.
Yes, I could do that, but I would rather get the IP address to syslog so that I could fail2ban it.
Probably the IP address can be printed in that log message from the C code; at that level the TCP connection structure (associated with the TLS session) should be filled in with source IP and destination IP. Obviously it requires patching the code -- I can do it during the next two days, if this solution helps.
Cheers, Daniel
Daniel-Constantin Mierla writes:
Probably the IP address can be printed in that log message from the C code; at that level the TCP connection structure (associated with the TLS session) should be filled in with source IP and destination IP. Obviously it requires patching the code -- I can do it during the next two days, if this solution helps.
That would be great. Juha
Not sure if it is available for the 4.x version, but for 5.x there is a TCP connection closed event route https://kamailio.org/docs/modules/4.4.x/modules/tcpops.html#tcpops.f.tcp_ena... You can try to play around with it to get the IP that disturbs you.
Probably there will be a lot of attempts during a small period of time from the same IP.
On Wed, 16 Oct 2019, 08:55 Juha Heinanen, jh@tutpro.com wrote:
Yuriy Gorlichenko writes:
Looks like no, because the connection must be established before it can be handled in the config file. This error is fired by the SSL library during the negotiation process.
But you can try tcpdump; at least you will see who tries to establish the connection.
Yes, I could do that, but I would rather get the IP address to syslog so that I could fail2ban it.
-- Juha
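As an added illustration of the tcpops suggestion above (example config written for this page, not posted by anyone in the thread), this is what logging the remote address of a closed TCP/TLS connection from the config would look like, so that a fail2ban filter has an address to match on. It assumes a Kamailio 5.x build where the tcpops module accepts closed_event set to 2 (fire tcp:closed for every connection without calling tcp_enable_closed_event() per connection) and that the event is still raised for a connection the TLS layer drops during the handshake; whether that last point holds for handshake failures is exactly what the thread leaves open, so verify it against your own logs before relying on it.

```kamailio
# Added example, not from the original thread: log the peer address of
# every closed TCP/TLS connection so a log-based blocker has something to match.
loadmodule "tcpops.so"

# Assumption: value 2 enables event_route[tcp:closed] for all connections,
# including ones on which no SIP request was ever routed.
modparam("tcpops", "closed_event", 2)

event_route[tcp:closed] {
    # $si/$sp are the remote side, $Ri/$Rp the local socket, $conid the
    # connection id; the "tcp-closed" prefix is a constructed marker that a
    # fail2ban failregex can anchor on.
    xlog("L_NOTICE", "tcp-closed: remote=$si:$sp local=$Ri:$Rp conid=$conid\n");
}
```

The resulting syslog line carries the remote IP in a fixed position, which is the piece the original TLS error message lacks; a fail2ban filter would then match on `remote=<HOST>:` and the TLS verify error appearing from the same process around the same time. Note that this logs every closed connection, including legitimate ones, so the ban decision has to come from correlating with the certificate verify failures rather than from this line alone.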
Yuriy Gorlichenko writes:
Not sure if it availible for 4.x Version but for 5.x There is a tcp connection closed event route https://kamailio.org/docs/modules/4.4.x/modules/tcpops.html#tcpops.f.tcp_ena... You can try to play around it to get ip that distorbs you.
My understanding is that TLS negotiation failure happens before the request is handled by the config.
-- Juha