We have observed this error when using multiple tls connecitons with openssl version 1.0.0.  This is because CRYPTO_set_id_callback() is not used in tls_init_locks(). The kamailio code has following comment
    /* thread id callback: not needed because ser doesn't use thread and
     * openssl already uses getpid() (by default)
     * CRYPTO_set_id_callback(id_f);

As per the documentation openssl is not using getpid anymore , it is valid only till 0.9. 
the openssl man page says 
If the application does not register such a callback using CRYPTO_THREADID_set_callback(), then a default implementation is used - on Windows and BeOS this uses the system's default thread identifying APIs, and on all other platforms it uses the address of errno.
In multi process environment Errno can points to same virtual address. So we need to use getpid() in CRYPTO_set_id_callback(id_f)

unsigned long id_f()
{
return my_pid();
}

Please read the link below for refrence
http://www.openssl.org/docs/crypto/threads.html


On Thu, Jul 12, 2012 at 9:46 PM, sip-router <bugtracker@sip-router.org> wrote:
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below.
User who did this - Shaobin.Feng (saxon_leo)
Attached to Project - sip-router
Summary - kamailio tls debug error
Task Type - Bug Report
Category - tls
Status - Unconfirmed
Assigned To - Operating System - Linux
Severity - Low
Priority - Normal
Reported Version - 3.2
Due in Version - Undecided
Due Date - Undecided
Details - kamailio keeps debuging follows:
  "ERROR: tls [tls_server.c:1174]: TLS accept:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac"

Well,I used command (openssl s_client -connect host:port -no_ssl2 -bugs) to connect to kamailio, it returns normal.

So, this really confuse me,is there something wrong or not?

Is there any other method can check the tls module works normal or not? Any suggestion will be nice.

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=245

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

_______________________________________________
sr-dev mailing list
sr-dev@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev