[sr-dev] [kamailio/kamailio] sslv3 errors showing up with 'tls_method' set as 'TLSv1.2+' (Issue #3085)

Vinicius K. Ruoso notifications at github.com
Wed Apr 13 21:55:41 CEST 2022


### Description

Some users are having issues connecting to the Kamailio websocket using TLS. The logs show SSLv3 errors. I cannot find why that error would show up if SSLv2/3 is not enabled. I double-checked via SSLLabs that only TLSv1.2 is allowed in the service.

Any pointers would be appreciated. Also, let me know if more debug information is needed.

### Troubleshooting

#### Debugging Data

This is the TLS config:

```
modparam("tls", "tls_method", "TLSv1.2+")
modparam("tls", "verify_certificate", 0)
modparam("tls", "require_certificate", 0)
modparam("tls", "low_mem_threshold1", 0)
modparam("tls", "low_mem_threshold2", 0)
modparam("tls", "private_key", "/etc/certs/tls.key")
modparam("tls", "certificate", "/etc/certs/tls.crt")
```

This is the output from the tls module in kamcmd:

```
kamcmd> tls.info
{
        max_connections: 2048
        opened_connections: 353
        clear_text_write_queued_bytes: 0
}
kamcmd> tls.options
{
        force_run: 0
        method: TLSv1.2+
        verify_certificate: 0
        verify_depth: 9
        require_certificate: 0
        private_key: /etc/certs/tls.key
        ca_list: <null string>
        certificate: /etc/certs/tls.crt
        cipher_list: <null string>
        session_cache: 0
        session_id: kamailio-tls-5.x.y
        config: <null string>
        log: 3
        debug: 3
        connection_timeout: 600
        disable_compression: 1
        ssl_release_buffers: -1
        ssl_freelist_max: -1
        ssl_max_send_fragment: -1
        ssl_read_ahead: 0
        send_close_notify: 0
        low_mem_threshold1: 0
        low_mem_threshold2: 0
        ct_wq_max: 10485760
        con_ct_wq_max: 65536
        ct_wq_blk_size: 4096
}
```


#### Log Messages

I see these log messages related to SSLv3:

```
15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
15(36) ERROR: <core> [core/tcp_read.c:1512]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fafc8768190 r: 0x7fafc8768278 (-1)
```


### Additional Information

  * **Kamailio Version** - output of `kamailio -v`

```
version: kamailio 5.3.9 (x86_64/linux) 
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown 
compiled with gcc 6.3.0
```

  * **Operating System**:

Debian 9.13.

```
Linux 4.19.112+ #1 SMP Wed Sep 23 07:53:39 PDT 2020 x86_64 GNU/Linux
```


-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3085
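Added example, not part of the original post or of Kamailio's code: a decoder for the OpenSSL error code in the log line above, assuming the OpenSSL 1.x packing of 8-bit library, 12-bit function and 12-bit reason. In the SSL library, reason codes 1001 to 1255 are TLS alerts received from the peer, so `14094416` is alert 46 (`certificate_unknown`) sent by the client; the `sslv3` and `ssl3_read_bytes` wording is OpenSSL's legacy naming and does not indicate the negotiated protocol version. The function names and the second sample line are constructed for illustration.

```python
import re

ERR_LIB_SSL = 0x14            # OpenSSL library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000   # reason = offset + alert description number

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
ALERTS = {
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode(line):
    """Split an OpenSSL 1.x error code found in a log line; None if absent."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    # Only SSL-library reasons in 1001..1255 map to an alert sent by the peer.
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET < reason <= SSL_AD_REASON_OFFSET + 255:
        n = reason - SSL_AD_REASON_OFFSET
        alert = ALERTS.get(n, "alert_%d" % n)
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}

def count_peer_alerts(lines):
    """Count peer-sent alerts by name across a set of log lines."""
    counts = {}
    for line in lines:
        d = decode(line)
        if d and d["peer_alert"]:
            counts[d["peer_alert"]] = counts.get(d["peer_alert"], 0) + 1
    return counts

# First two lines are from the report above; the third is constructed.
SAMPLE = [
    "15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown",
    "15(36) ERROR: <core> [core/tcp_read.c:1512]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fafc8768190 r: 0x7fafc8768278 (-1)",
    "16(37) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca",
]

if __name__ == "__main__":
    print(count_peer_alerts(SAMPLE))
```

A `certificate_unknown` or `unknown_ca` alert from the client points at how that client validates the server certificate chain, not at the server's `tls_method` setting.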