We use Kamilio as a proxy server to connect softphones to our PBX systems.
We have run into some TLS problems. These problems result in a shut down of the TLS connection after the error is encountered.

We have looked into serial numbers of certificates. The current code in kamailio seems to be broken due to changes in the world around... many certificates today do not adhere to the previously assumed behaviour of certificate serial numbers anymore.
The error which causes the connection to drop seems to be related to a comparison of the certificate serial numbers during renegotiation.
tls_err_ret(): TLS read:error:0D0E10DF:asn1 encoding routines:asn1_get_uint64:too large
Kamailio expects serial numbers to fit in a 64 bit unsigned, however during the last years, starting around 2003 more and more systems use automatically generated serial numbers, which are frequently 128 bit long.
The serialnumber of our own Auerswald root certificate looks to be only 64 bit long, but during the negotiation is presented as 9 bytes starting with 00h, which is interpreted as a 72bit value. Trying to put this serial number in a 64 bit long kills the connection.
Due to the different ways that are used to generate serial numbers now, there is no simple algorithm to condense the number into a 64bit value, and the whole number should be compared to see if it is same or higher.
We currently have disabled renegotiation to avoid the connection being dropped during renegotiation. Which however can lead to the connection being dropped by the other side during renegotiation, but this is not a good permanent workaround!

Reproduction

This issue happens infrequently

Possible Solutions

No workaround possible on our side

Additional Information

Kamailio Version 5.5.4
LibSSL 1.1.1.n


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <kamailio/kamailio/issues/3168@github.com>