Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.
When invoking jwt_verify with an expired JWT, it causes TLS termination with log print from the tls_server and tls_util.
While trying to debug the issue, I tried to give the method an invalid key path.
I got the following log (as expected):
failed to read key file
Then the flow continued just fine (fallback to proxy_authorization).
When I gave it a correct file path, but the content is wrong, the problem still occurred.
This makes me think the problem is in the method :
static int ki_jwt_verify_key(sip_msg_t* msg, str *key, str *alg, str *claims,
str *jwtval)
Use an expired JWT
May 4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: INFO: {1 13605 INVITE 71a5d88a-b485-43c0-bac4-a2723333efeb} <script>: request_route: method [INVITE] from [sip:1234@barash.com] to [sip:pre-arranged-conf-factory@barash.com]
May 4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: {1 13605 INVITE 71a5d88a-b485-43c0-bac4-a2723333efeb} jwt [jwt_mod.c:514]: ki_jwt_verify(): failed to decode jwt value
May 4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: INFO: {1 13605 INVITE 71a5d88a-b485-43c0-bac4-a2723333efeb} <script>: route[AUTH] failed to verify jwt token.
May 4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_server.c:1330]: tls_h_read_f(): protocol level error
May 4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_util.h:51]: tls_err_ret(): TLS read:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding (sni: dev-proxy.barash.com)
May 4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_util.h:51]: tls_err_ret(): TLS read:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed (sni: dev-proxy.barash.com)
May 4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_server.c:1334]: tls_h_read_f(): src addr: 172.19.140.11:37188
May 4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_server.c:1337]: tls_h_read_f(): dst addr: 172.19.140.70:5061
May 4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: <core> [core/tcp_read.c:1478]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f731ec677f8 r: 0x7f731ec67920 (-1)
kamailio -vversion: kamailio 5.6.4 (x86_64/linux) a004cf
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: a004cf
compiled on 09:56:56 Mar 22 2023 with gcc 8.3.0
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
Linux kamailio01.dev.wb.internal 4.19.0-23-amd64 #1 SMP Debian 4.19.269-1 (2022-12-20) x86_64 GNU/Linux
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.