[Devel] send immediate reply when TLS handshake fails
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Jan 26 11:47:01 CET 2006
Hi!
If the TLS handshake fails for an outgoing connection, the ongoing
INVITE transaction is alive until a timeout occurs. IMO, if the TLS
handshake fails, openser should immediately send back an error response.
tcp_send: no open tcp connection found, opening new one
tcpconn_new: new tcp connection to: 10.10.0.42
tcpconn_new: on port 5065, type 3
tls_tcpconn_init: Entered: Creating a whole new ssl connection
tls_tcpconn_init: Using default tls client settings
tls_tcpconn_init: Setting in CONNECT mode (client)
tcp_send: sending...
tls_update_fd: New fd is 16
tcp_main_loop: read response= 406907b0, 2 from 4 (25478)
tcpconn_add: hashes: 451, 4
tls_init: verify_callback: depth = 1
tls_init: verify_callback: subject =
/CN=OpenSER/ST=SIP/C=IP/emailAddress=team at openser.org/O=openser.org
tls_init: verify_callback: verify error:num=19:self signed certificate
in certificate chain
tls_init: verify_callback: error code is 19
tls_init: verify_callback: Self signed certificate issue
tls_init: verify_callback: verify return:0
tls_connect: Error in SSL:
tls_error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
tcp_send: after write: c= 0x406907b0 n=-1 fd=16
tcp_send: buf= INVITE sip:+43201............................
ERROR: tcp_send: failed to send
DEBUG: add_to_tail_of_timer[0]: 0x4068e794
SER: new transaction fwd'ed
DEBUG:destroy_avp_list: destroying list (nil)
receive_msg: cleaning up
tcp_main_loop: read response= 406907b0, -2 from 4 (25478)
tcp_main_loop: destroying connection
tls_close: Closing SSL connection
tls_update_fd: New fd is 26
tls_shutdown: Shutdown successful
tls_tcpconn_clean: Entered
I think the problem is that the tcp_send() function in tcp_main.c does
not return -1 although the tls_blocking_write function fails:
    if (n<0){
        LOG(L_ERR, "ERROR: tcp_send: failed to send\n");
        /* error on the connection , mark it as bad and set 0 timeout */
        c->state=S_CONN_BAD;
        c->timeout=0;
        /* tell "main" it should drop this (optional it will t/o anyway?)*/
        response[0]=(long)c;
        response[1]=CONN_ERROR;
        /* n is reused here for the result of the notification write */
        n=send_all(unix_tcp_sock, response, sizeof(response));
        /* CONN_ERROR will auto-dec refcnt => we must not call tcpconn_put !!*/
        if (n<=0){
            LOG(L_ERR, "BUG: tcp_send: error return failed (write):%s (%d)\n",
                    strerror(errno), errno);
            n=-1;
        }
        close(fd);
        return n; /* error return, no tcpconn_put */
    }
I think this is caused by the n=send_all(unix_tcp_sock,... function
call, which changes the value of n.
I do not have any clue what the send_all function does. Can someone
please take a look at this and fix it.
thanks
klaus
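The following is an added example, not code from the post above or from OpenSER's tcp_main.c. It models the error path Klaus quotes with a stub send_all() (an assumption standing in for the real Unix-socket write, which returns the number of bytes written on success) and shows the effect he describes: when the notification to "main" succeeds, the original shape returns that positive byte count instead of -1, so the caller cannot tell that the TLS write failed. A corrected shape beside it keeps the notification result in its own variable and always returns -1 once the write has failed. The constants and struct are assumptions for illustration only.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Assumed constants and a minimal connection struct; not OpenSER's own. */
enum { CONN_ERROR = -1 };
enum { S_CONN_OK = 0, S_CONN_BAD = 1 };

struct tcp_connection {
    int state;
    int timeout;
};

/* Stub for send_all(): behave like a successful write to the control
 * socket and return the full length, as the real function would. */
static int send_all(int sock, const void *buf, size_t len) {
    (void)sock; (void)buf;
    return (int)len;
}

/* Original shape of the error path: write_result is the (negative) result
 * of the failed TLS write; n is then clobbered by send_all()'s return. */
int tcp_send_error_path_original(struct tcp_connection *c, int write_result) {
    int n = write_result;
    long response[2];
    if (n < 0) {
        c->state = S_CONN_BAD;
        c->timeout = 0;
        response[0] = (long)c;
        response[1] = CONN_ERROR;
        n = send_all(0, response, sizeof(response)); /* overwrites n */
        if (n <= 0) {
            n = -1;
        }
        return n; /* sizeof(response) when the notification succeeds */
    }
    return n;
}

/* Corrected shape: report the notification failure separately and
 * always hand -1 back to the caller once the write has failed. */
int tcp_send_error_path_fixed(struct tcp_connection *c, int write_result) {
    int n = write_result;
    long response[2];
    if (n < 0) {
        c->state = S_CONN_BAD;
        c->timeout = 0;
        response[0] = (long)c;
        response[1] = CONN_ERROR;
        int r = send_all(0, response, sizeof(response));
        if (r <= 0) {
            fprintf(stderr, "BUG: tcp_send: error return failed (write):%s (%d)\n",
                    strerror(errno), errno);
        }
        return -1; /* the TLS write failed regardless of the notification */
    }
    return n;
}

int main(void) {
    struct tcp_connection c = { S_CONN_OK, 30 };
    printf("original returns %d\n", tcp_send_error_path_original(&c, -1));
    printf("fixed returns    %d\n", tcp_send_error_path_fixed(&c, -1));
    return 0;
}
```

Run with a failed write (-1) and the original path returns a positive value, so a caller checking for a negative result would treat the INVITE as sent; the fixed path returns -1, which is what a caller needs in order to fail the transaction right away instead of waiting for the timer.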