### Description
Some users are having issues connecting to kamailio websocket using TLS. The logs show SSLv3 errors. Cannot find why that error would show up if SSLv2/3 is not enabled. Double checked it via SSLLabs that only TLSv1.2 is allowed in the service.
Any pointers would be appreciated. Also, let me know if more debug information is needed.
### Troubleshooting
#### Debugging Data
This is the TLS config:
```
modparam("tls", "tls_method", "TLSv1.2+")
modparam("tls", "verify_certificate", 0)
modparam("tls", "require_certificate", 0)
modparam("tls", "low_mem_threshold1", 0)
modparam("tls", "low_mem_threshold2", 0)
modparam("tls", "private_key", "/etc/certs/tls.key")
modparam("tls", "certificate", "/etc/certs/tls.crt")
```
This is the output from tls module in kamcmd:
```
kamcmd> tls.info
{
	max_connections: 2048
	opened_connections: 353
	clear_text_write_queued_bytes: 0
}
kamcmd> tls.options
{
	force_run: 0
	method: TLSv1.2+
	verify_certificate: 0
	verify_depth: 9
	require_certificate: 0
	private_key: /etc/certs/tls.key
	ca_list: <null string>
	certificate: /etc/certs/tls.crt
	cipher_list: <null string>
	session_cache: 0
	session_id: kamailio-tls-5.x.y
	config: <null string>
	log: 3
	debug: 3
	connection_timeout: 600
	disable_compression: 1
	ssl_release_buffers: -1
	ssl_freelist_max: -1
	ssl_max_send_fragment: -1
	ssl_read_ahead: 0
	send_close_notify: 0
	low_mem_threshold1: 0
	low_mem_threshold2: 0
	ct_wq_max: 10485760
	con_ct_wq_max: 65536
	ct_wq_blk_size: 4096
}
```
#### Log Messages
I see these log messages related to SSLv3:
```
15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
15(36) ERROR: <core> [core/tcp_read.c:1512]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fafc8768190 r: 0x7fafc8768278 (-1)
```
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
```
version: kamailio 5.3.9 (x86_64/linux)
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 6.3.0
```
* **Operating System**:
Debian 9.13.
```
Linux 4.19.112+ #1 SMP Wed Sep 23 07:53:39 PDT 2020 x86_64 GNU/Linux
```
The log containing `ssl3_read_bytes:sslv3` is not related to the protocol version itself, it's about internal functions inside libssl that are also used for tls. Besides the prefix, the log message is retrieved from the libssl, suggesting a possible issue with certificates or client application. It is before kamailio gets any traffic or control over the tls connection.
It is more about usage of kamailio and your client apps, I suggest you try to figure out what kind of clients end up in this case and troubleshoot further using higher debug level to get more verbosity in the syslog. Then discuss further on sr-users@lists.kamailio.org to get assistance from community. It doesn't look to be an issue in the code of kamailio.
Closed #3085.
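As an added example (not part of the original thread and not Kamailio or OpenSSL code): decoding the packed OpenSSL error code from the log line above shows why the message says `sslv3` even with `TLSv1.2+` configured. It assumes the pre-3.0 OpenSSL error-code layout (8-bit library, 12-bit function, 12-bit reason); the alert table is a small subset and `decode_openssl_error` is a hypothetical helper name.

```python
import re

# Assumption: OpenSSL 1.0.x/1.1.x packing, ERR_PACK(lib, func, reason) =
# lib << 24 | func << 12 | reason. OpenSSL 3.x uses a different layout.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 are alerts received from the peer

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def decode_openssl_error(line):
    """Return a dict describing the OpenSSL error in a log line, or None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "func_name": m.group(3), "text": m.group(4).strip(),
            "peer_alert": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        info["peer_alert"] = (alert, TLS_ALERTS.get(alert, "unknown"))
    return info


# Constructed sample: the two log lines quoted in the issue. The second
# carries no OpenSSL error code and must be ignored.
SAMPLE = [
    "15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:"
    "SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown",
    "15(36) ERROR: <core> [core/tcp_read.c:1512]: tcp_read_req(): ERROR: "
    "tcp_read_req: error reading - c: 0x7fafc8768190 r: 0x7fafc8768278 (-1)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(decode_openssl_error(entry))
```

Reason 1046 is the alert offset 1000 plus alert 46, so the line records a fatal `certificate_unknown` alert sent by the peer; `sslv3` and `ssl3_read_bytes` are legacy names inside libssl, not the negotiated protocol version.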
Thanks for the response @miconda. Sorry for the issue not being related to kamailio code. My thought was that since sslv3 is disabled, that error would indicate something was misconfigured. If you have any pointers on how to debug an error like this, would be appreciated. Anyway, will be hitting up the user list as well.
@vkruoso
I have the same error. Did you manage to solve the problem?
@beshoo not really. Did not have the chance to reproduce it myself, so I didn't figure out the kind of clients that were generating this kind of errors.