Hello,
We have one Kamailio instance connected with MS Teams (based on these instructions: https://skalatan.de/en/blog/kamailio-sbc-teams), which worked fine for a while until recently, when we noticed that calls from Teams are not working anymore. When I looked through the logs I found that Microsoft cannot establish a TLS connection to our server because of the cipher:
TLS accept:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (sni: sbc.example.com - domain is obfuscated)
The certificate is valid; the configuration is below:
[server:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
private_key = /usr/local/etc/kamailio/certs/example.net/sbc1-teams_example_net.key
certificate = /usr/local/etc/kamailio/certs/example.net/sbc1-teams_example_net.crt
server_name = sbc1-teams.example.net
ca_list = /usr/local/etc/kamailio/certs/sectigo_ca.pem
#ca_list=/etc/ssl/certs/ca-bundle.crt

[client:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
private_key = /usr/local/etc/kamailio/certs/example.net/sbc1-teams_example_net.key
certificate = /usr/local/etc/kamailio/certs/example.net/sbc1-teams_example_net.crt
ca_list = /usr/local/etc/kamailio/certs/sectigo_ca.pem
#ca_list=/etc/ssl/certs/ca-bundle.crt
We use a certificate from Sectigo, but I've tried with Let's Encrypt - and it's the same. Any idea what could be the reason?
You can capture a pcap on the TLS port and check it using Wireshark. It may provide some info.
On Thu, Feb 23, 2023, 8:33 PM iliusha.md@gmail.com wrote:
In Wireshark I see an Alert Handshake failure, coming from the Kamailio server. [screenshot]
The same in ssldump: [screenshot]
My first thought is that something is wrong with the SSL ciphers on the server where Kamailio is running; this is the list I'm getting from MS in the Client Hello packet: [screenshot]
Maybe the openssl version is too old on the server running Kamailio? OpenSSL 1.0.2k-fips 26 Jan 2017
On Fri, 24 Feb 2023 at 08:31, Sergey Safarov s.safarov@gmail.com wrote:
In Wireshark I see an Alert Handshake failure, coming from the Kamailio server.
Transport Layer Security
  TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 2
    Alert Message
      Level: Fatal (2)
      Description: Handshake Failure (40)

My first thought is that something is wrong with the SSL ciphers on the server where Kamailio is running; this is the list I'm getting from MS in the Client Hello packet:
Cipher Suites (8 suites)
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

And I see some of them available on the server:
[root@srv kamailio]# openssl ciphers -v | grep 'ECDHE-RSA-AES'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1

The TLS module configuration is very basic:
# ----- tls settings -----
modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")
modparam("tls", "tls_disable_compression", 1)
modparam("tls", "connection_timeout", 300)

Could it be that the openssl version is pretty old?
[root@srv kamailio]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

Kamailio version:
version: kamailio 5.6.3 (x86_64/linux) ea782b
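The cipher comparison above, as an added example that is not part of the thread or of Kamailio: a script that maps the IANA suite names Wireshark prints to OpenSSL's names, intersects them with the `openssl ciphers -v` listing, and says whether the cipher list alone can explain the "no shared cipher" alert. The two inputs are constructed from the listings quoted in this message; the key-type parameter and verdict strings are assumptions of the example.

```python
# Added example (not from the thread): compare the suites a ClientHello offers
# (as Wireshark prints them) with what the local OpenSSL build reports, to tell
# a real cipher-list mismatch from the other causes of "no shared cipher".
import re

# Constructed input: the eight suites Teams offered, as pasted from Wireshark.
CLIENT_HELLO_TEXT = """
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
"""

# Constructed input: the matching `openssl ciphers -v` lines from the thread.
OPENSSL_CIPHERS_V = """
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
"""

def iana_to_openssl(name):
    """IANA suite name -> OpenSSL name, for the TLS 1.2 ECDHE/AES suites above."""
    body = (name[4:] if name.startswith("TLS_") else name).replace("_WITH_", "_")
    body = re.sub(r"AES_(\d+)_CBC_", r"AES\1-", body)  # OpenSSL leaves CBC implicit
    body = re.sub(r"AES_(\d+)_GCM_", r"AES\1-GCM-", body)
    return body.replace("_", "-")

def diagnose(client_hello_text, openssl_text, cert_key_type="RSA"):
    """Return (shared_suites, verdict) for a ClientHello against a server build."""
    offered = re.findall(r"Cipher Suite: (TLS_\S+)", client_hello_text)
    available = {ln.split()[0] for ln in openssl_text.splitlines() if ln.strip()}
    shared = [c for c in map(iana_to_openssl, offered) if c in available]
    # ECDHE-RSA suites need an RSA certificate key, ECDHE-ECDSA an EC key.
    usable = [c for c in shared if "-%s-" % cert_key_type in c]
    if not shared:
        return shared, "no common suite: genuine cipher-list mismatch"
    if not usable:
        return shared, "common suites exist but none fits a %s certificate key" % cert_key_type
    # Names overlap and fit the key, so look past the cipher list: OpenSSL 1.0.2
    # also drops an ECDHE suite when client and server share no EC curve, and
    # then reports the very same "no shared cipher".
    return shared, "common suites exist; check supported curves and signature algorithms"
```

On the thread's own listings the script finds four common ECDHE-RSA suites, so the alert must come from something the cipher names do not show rather than from the cipher list itself.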
Hi, Try this:
modparam("tls", "renegotiation", 1)
Best regards, Leonid Fainshtein
On Fri, Feb 24, 2023 at 12:47 PM iliusha.md@gmail.com wrote:
Hi,
Have you tried using the tlsa module and linking it to a modern openssl 1 release? I had similar problems due to an old version of openssl lurking in the package repositories of the distro I was using.
From: Leonid Fainshtein leonid.fainshtein@xorcom.com
Sent: Sunday, February 26, 2023 6:51:19 AM
To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org
Subject: [SR-Users] Re: Kamailio MS Teams TLS Issue
I upgraded the OS to the newest version and it seems to be working now. But I'm just curious why it didn't work on the old version and what was changed recently on the MS side.
Thanks Tim.