On Nov 12, 2024, at 4:03 PM, dries--- via sr-users sr-users@lists.kamailio.org wrote:
(Snip)
INFO: {1 600000 SUBSCRIBE 319937814-5062-3@BHC.DA.GB.CD} presence [notify.c:1744]: send_notify_request(): NOTIFY sip:544460@sbctest.tel.redacted.xx via sip:544460@172.30.61.23:5062;transport=tls on behalf of sip:544460@sbctest.tel.redacted.xx for event as-feature-event : 319937814-5062-3@BHC.DA.GB.CD
ERROR: tls [tls_server.c:1312]: tls_h_read_f(): protocol level error
ERROR: tls [tls_util.h:50]: tls_err_ret(): TLS connect:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure (sni: unknown)
ERROR: tls [tls_server.c:1316]: tls_h_read_f(): src addr: 172.30.61.23:5062
ERROR: tls [tls_server.c:1319]: tls_h_read_f(): dst addr: 193.19x.x.x:0
ERROR: <core> [core/tcp_read.c:1526]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f6d55b4b360 r: 0x7f6d55b4b488 (-1)
Your advice is most appreciated!
Cheers, Dries
To me, the place to focus on is:
TLS connect:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure (sni: unknown)
Cloudflare has a decent write-up on SNI (https://www.cloudflare.com/learning/ssl/what-is-sni/) and you want to make sure that for Kamailio, you’re setting the default client to not verify (verify_certificate = no, require_certificate = no) as well as enabling a protocol version that all your clients will allow.
That would be the first thing I’d recommend trying.
Regards,
Fred Posner
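
Added example, not part of the thread and not Kamailio code: a Python sketch that decodes the packed OpenSSL error code in the log line singled out above and pairs it with the address logged as "src addr". It assumes the OpenSSL 1.x error layout (library in the top byte, reason in the low 12 bits, alert reasons offset by 1000); the function names are hypothetical and the sample is the thread's own excerpt.

```python
import re

SSL_LIB = 20          # ERR_LIB_SSL in OpenSSL 1.x
ALERT_OFFSET = 1000   # SSL_AD_REASON_OFFSET: reason = 1000 + TLS alert number
# TLS alert descriptions (RFC 5246 / RFC 8446), subset seen around handshakes
ALERTS = {10: "unexpected_message", 40: "handshake_failure",
          42: "bad_certificate", 43: "unsupported_certificate",
          45: "certificate_expired", 46: "certificate_unknown",
          47: "illegal_parameter", 48: "unknown_ca",
          70: "protocol_version", 71: "insufficient_security",
          80: "internal_error", 112: "unrecognized_name",
          116: "certificate_required"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
SRC_RE = re.compile(r"src addr: (\S+)")

def decode(code_hex):
    """Split an OpenSSL 1.x packed error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def tls_failures(log):
    """One record per OpenSSL error line, plus the next logged 'src addr'."""
    found = []
    for line in log.splitlines():
        m = ERR_RE.search(line)
        if m:
            lib, _func, reason = decode(m.group(1))
            # A reason of 1000+N in the SSL library means alert N was received
            # from the remote side, i.e. the peer rejected the handshake.
            alert = reason - ALERT_OFFSET if lib == SSL_LIB and reason >= ALERT_OFFSET else None
            name = ALERTS.get(alert, "unknown") if alert is not None else None
            found.append({"code": m.group(1), "alert": alert, "alert_name": name,
                          "sent_by_peer": alert is not None, "peer": None})
        elif found and found[-1]["peer"] is None:
            s = SRC_RE.search(line)
            if s:
                found[-1]["peer"] = s.group(1)
    return found

# Sample input: the log excerpt from the thread, one entry per line.
SAMPLE = """ERROR: tls [tls_server.c:1312]: tls_h_read_f(): protocol level error
ERROR: tls [tls_util.h:50]: tls_err_ret(): TLS connect:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure (sni: unknown)
ERROR: tls [tls_server.c:1316]: tls_h_read_f(): src addr: 172.30.61.23:5062
ERROR: tls [tls_server.c:1319]: tls_h_read_f(): dst addr: 193.19x.x.x:0"""

if __name__ == "__main__":
    for rec in tls_failures(SAMPLE):
        print(rec)
```

Alert 40 arriving from the peer is consistent with the advice above to check which protocol versions and certificate requirements the default client profile offers.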