[SR-Users] Strange TLS issue

Olle E. Johansson oej at edvina.net
Tue Mar 12 08:46:40 CET 2013 

11 mar 2013 kl. 19:02 skrev Jirka Jirout <jirka.jirout at mac.com>:

> Hello,
> 
> I have a very strange issue - we are running kamailio 3.3.2 as a part of Sip Provider CE and some of our clients have issues with TLS connectivity. 
> 
> 1. some clients such as Jitsi on Mac OS X and Bria or idoubs on iOS can always connect
> 2. imsdroid on Android can sometimes connect and works (about 10 % of attempts)
> 
> When I run tcpudmp on the server during the unsuccessfull attempts, I see something like this:
> 
>> 1 1  0.0347 (0.0347)  C>S SSLv2 compatible client hello
>> Version 3.1 
>> cipher suites
>> TLS_RSA_WITH_AES_128_CBC_SHA  
>> 1 2  0.0360 (0.0013)  S>C  Handshake
>>     ServerHello
>>       Version 3.1 
>>       session_id[0]=
>>       cipherSuite         TLS_RSA_WITH_AES_128_CBC_SHA
>>       compressionMethod                   NULL
>> 1 3  0.0361 (0.0001)  S>C  Handshake
>>     Certificate
>> 1 4  0.0361 (0.0000)  S>C  Handshake ServerHelloDone
>> 1 5  0.0782 (0.0420)  C>S  Alert
>>   level           fatal
>>   value           unexpected_message
>> 1    0.0785 (0.0002)  S>C  TCP FIN
>> 1 6  0.1092 (0.0307)  C>S  Handshake
>>     ClientKeyExchange
>> 1 7  0.1092 (0.0000)  C>S  ChangeCipherSpec
>> 1 8  0.1092 (0.0000)  C>S  Handshake
> 
> 
> What I find particularly strange is that the client sends fatal alert and then attempts to continue with handshake. What exactly does this "unexpected_message" mean? Is the client letting the server know the last message was unexpected? Or is this telling me the server had not expected the message? It cannot be a certificate problem, can it?
> 
> Considering other clients were fine, I blamed our code at first, but I am no longer sure that is the (only) reason for this behavior. I decided to start from scratch and wrote an extremely simple application in plain C, that connects to the TLS port using openssl (which imsdroid also uses), sends some query and then prints response. It works fine on https sites, even on the same server kamailio is running and with the same certificates (our certificates come from Verisign CA G3). When I run ssldump, I can see handshake is fine, socket opened, the client is sending application data. I can see data coming in on the server using tcpdump. However, the data never reaches Kamailio - no sign of the packets in the log and no answer whatsoever (I use a fake REGISTER message so I would expect to get something like "Unauthorized" back).
> 
> The same happens, when I try to use openssl s_client to connect to the site and send "register" message (because R at the start of packet triggers renegotiation in s_client, uff).
> 
> My TLS settings in Kamailio are pretty much default, only using my own key and certificate.
> 
Just for the record, I noticed similar issues with some clients at SIPit, using an older version of Kamailio for the TLS tests. I haven't had time to dig deeper into it, but it feels very similar to what you see here.

/O

More information about the sr-users mailing list