<h3 dir="auto">Description</h3>
<p dir="auto">Some users are having issues connecting to the Kamailio websocket using TLS. The logs show SSLv3 errors. I cannot find why that error would show up if SSLv2/3 is not enabled. I double-checked via SSLLabs that only TLSv1.2 is allowed in the service.</p>
<p dir="auto">Any pointers would be appreciated. Also, let me know if more debug information is needed.</p>
<h3 dir="auto">Troubleshooting</h3>
<h4 dir="auto">Debugging Data</h4>
<p dir="auto">This is the TLS config:</p>
<pre><code>modparam("tls", "tls_method", "TLSv1.2+")
modparam("tls", "verify_certificate", 0)
modparam("tls", "require_certificate", 0)
modparam("tls", "low_mem_threshold1", 0)
modparam("tls", "low_mem_threshold2", 0)
modparam("tls", "private_key", "/etc/certs/tls.key")
modparam("tls", "certificate", "/etc/certs/tls.crt")
</code></pre>
<p dir="auto">This is the output from the tls module in kamcmd:</p>
<pre><code>kamcmd> tls.info
{
        max_connections: 2048
        opened_connections: 353
        clear_text_write_queued_bytes: 0
}
kamcmd> tls.options
{
        force_run: 0
        method: TLSv1.2+
        verify_certificate: 0
        verify_depth: 9
        require_certificate: 0
        private_key: /etc/certs/tls.key
        ca_list: &lt;null string&gt;
        certificate: /etc/certs/tls.crt
        cipher_list: &lt;null string&gt;
        session_cache: 0
        session_id: kamailio-tls-5.x.y
        config: &lt;null string&gt;
        log: 3
        debug: 3
        connection_timeout: 600
        disable_compression: 1
        ssl_release_buffers: -1
        ssl_freelist_max: -1
        ssl_max_send_fragment: -1
        ssl_read_ahead: 0
        send_close_notify: 0
        low_mem_threshold1: 0
        low_mem_threshold2: 0
        ct_wq_max: 10485760
        con_ct_wq_max: 65536
        ct_wq_blk_size: 4096
}
</code></pre>
<h4 dir="auto">Log Messages</h4>
<p dir="auto">I see these log messages related to SSLv3:</p>
<pre><code>15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
15(36) ERROR: &lt;core&gt; [core/tcp_read.c:1512]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fafc8768190 r: 0x7fafc8768278 (-1)
</code></pre>
<h3 dir="auto">Additional Information</h3>
<ul dir="auto">
<li><strong>Kamailio Version</strong> - output of <code>kamailio -v</code></li>
</ul>
<pre><code>version: kamailio 5.3.9 (x86_64/linux) 
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown 
compiled with gcc 6.3.0
</code></pre>
<ul dir="auto">
<li><strong>Operating System</strong>:</li>
</ul>
<p dir="auto">Debian 9.13.</p>
<pre><code>Linux 4.19.112+ #1 SMP Wed Sep 23 07:53:39 PDT 2020 x86_64 GNU/Linux
</code></pre>
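<p dir="auto">An added example, not part of the original report or of Kamailio's code: a log-triage helper that unpacks the OpenSSL error code in the line above and separates TLS alerts received from the peer from errors raised locally. It assumes the pre-3.0 OpenSSL error packing; <code>decode_openssl_error</code> and the second sample line are constructed for illustration. In OpenSSL's error strings, <code>ssl3_read_bytes</code> and the <code>sslv3 alert</code> prefix are legacy names used for every TLS version, so they do not indicate the negotiated protocol.</p>

```python
import re

# Pre-3.0 OpenSSL packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20
# In the SSL library, reason = 1000 + N means "TLS alert N was received from the peer".
SSL_AD_REASON_OFFSET = 1000

# TLS alert descriptions from RFC 5246 section 7.2 (subset).
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
          48: "unknown_ca", 70: "protocol_version"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def decode_openssl_error(line):
    """Return the unpacked fields of an OpenSSL error in a log line, or None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    info = {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF,
            "func_name": m.group(3), "text": m.group(4).strip(), "peer_alert": None}
    alert = info["reason"] - SSL_AD_REASON_OFFSET
    if info["lib"] == ERR_LIB_SSL and 0 <= alert <= 255:
        info["peer_alert"] = (alert, ALERTS.get(alert, "unlisted"))
    return info

# First line is the one from the report; the second is constructed for contrast.
SAMPLES = [
    "15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:"
    "SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown",
    "15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1408F10B:"
    "SSL routines:ssl3_get_record:wrong version number",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        info = decode_openssl_error(sample)
        origin = "alert sent by peer" if info["peer_alert"] else "raised locally"
        print(hex(info["lib"]), info["func_name"], info["reason"], info["peer_alert"], origin)
```

<p dir="auto">For the reported line this yields reason 1046, that is alert 46 (<code>certificate_unknown</code>), an alert sent by the connecting client about the certificate it was presented.</p>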
