Same vanilla version of `ca-certificates`:
```
root@ip-172-31-22-12:~# dpkg -l |grep ca-cert
ii ca-certificates 20230311 all Common CA certificates
```
and just to verify the same number of certs:
```
root@ip-172-31-22-12:~# ls -l /etc/ssl/certs/|wc -l
282
root@ip-172-31-22-12:~# ls -l /etc/ssl/certs/*.crt|wc -l
1
root@ip-172-31-22-12:~# ls -l /etc/ssl/certs/*.pem|wc -l
140
root@ip-172-31-22-12:~# find /etc/ssl/certs/ -mindepth 1 -not -name '*.crt' -and -not -name '*.pem' |wc -l
140
```
private_key and certificate are files instead of links in my case.
the cert is a static self-signed cert, it has not been changed since initial install.
the error is consistent on `tls.reload`:
```
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:345]: ksr_tls_fill_missing(): TLSs<default>: tls_method=25
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:357]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/dsiprouter/certs/dsiprouter-cert.pem'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:364]: ksr_tls_fill_missing(): TLSs<default>: ca_list='/etc/dsiprouter/certs/ca-list.pem'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:371]: ksr_tls_fill_missing(): TLSs<default>: ca_path='/etc/dsiprouter/certs/ca'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:378]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:382]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=1
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:397]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/dsiprouter/certs/dsiprouter-key.pem'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:401]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=1
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:406]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:410]: ksr_tls_fill_missing(): TLSs<default>: verify_client=0
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: NOTICE: tls [tls_domain.c:1168]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: ERROR: tls [tls_domain.c:590]: load_cert(): TLSs<default>: Unable to load certificate file '/etc/dsiprouter/certs/dsiprouter-cert.pem'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:03000072:digital envelope routines::decode error (sni: unknown)
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:0A00018F:SSL routines::ee key too small (sni: unknown)
```
the `tls.reload` error occurs whether kamailio is run as a non-root system user or as the root user.
it is definitely not permissions.
what version of openssl are you on?
```
root@ip-172-31-22-12:~# openssl version
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
```
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3737#issuecomment-1923988151