### Description
Some users are having issues connecting to the Kamailio websocket using TLS. The logs show
SSLv3 errors. I cannot find why that error would show up if SSLv2/3 is not enabled. I
double-checked via SSLLabs that only TLSv1.2 is allowed in the service.
Any pointers would be appreciated. Also, let me know if more debug information is needed.
### Troubleshooting
#### Debugging Data
This is the TLS config:
```
modparam("tls", "tls_method", "TLSv1.2+")
modparam("tls", "verify_certificate", 0)
modparam("tls", "require_certificate", 0)
modparam("tls", "low_mem_threshold1", 0)
modparam("tls", "low_mem_threshold2", 0)
modparam("tls", "private_key", "/etc/certs/tls.key")
modparam("tls", "certificate", "/etc/certs/tls.crt")
```
This is the output from tls module in kamcmd:
```
kamcmd> tls.info
{
max_connections: 2048
opened_connections: 353
clear_text_write_queued_bytes: 0
}
kamcmd> tls.options
{
force_run: 0
method: TLSv1.2+
verify_certificate: 0
verify_depth: 9
require_certificate: 0
private_key: /etc/certs/tls.key
ca_list: <null string>
certificate: /etc/certs/tls.crt
cipher_list: <null string>
session_cache: 0
session_id: kamailio-tls-5.x.y
config: <null string>
log: 3
debug: 3
connection_timeout: 600
disable_compression: 1
ssl_release_buffers: -1
ssl_freelist_max: -1
ssl_max_send_fragment: -1
ssl_read_ahead: 0
send_close_notify: 0
low_mem_threshold1: 0
low_mem_threshold2: 0
ct_wq_max: 10485760
con_ct_wq_max: 65536
ct_wq_blk_size: 4096
}
```
#### Log Messages
I see these log messages related to SSLv3:
```
15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL
routines:ssl3_read_bytes:sslv3 alert certificate unknown
15(36) ERROR: <core> [core/tcp_read.c:1512]: tcp_read_req(): ERROR: tcp_read_req:
error reading - c: 0x7fafc8768190 r: 0x7fafc8768278 (-1)
```
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
```
version: kamailio 5.3.9 (x86_64/linux)
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST,
DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY,
USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR,
USE_DST_BLACKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535,
DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 6.3.0
```
* **Operating System**:
Debian 9.13.
```
Linux 4.19.112+ #1 SMP Wed Sep 23 07:53:39 PDT 2020 x86_64 GNU/Linux
```
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3085