[SR-Users] Help with "routines:ssl3_read_bytes:sslv3 alert bad certificate" kamailio TLS error

Daniel-Constantin Mierla miconda at gmail.com
Thu Sep 12 09:29:16 CEST 2019


Hello,

set debug=3 in kamailio.cfg, restart kamailio and try to connect again
with the client. Watch the logs and you should get more details about
what happens there.

Cheers,
Daniel

On 06.09.19 19:05, david at aslo.us wrote:
>
> Hello everyone,
>
> I am trying to configure TLS in kamailio (5.2.4) following this
> guide: http://www.kamailio.org/dokuwiki/doku.php/tls:create-certificates
>
> Modules:
>
> #!define WITH_MYSQL
> #!define WITH_AUTH
> #!define WITH_USRLOCDB
> #!define WITH_PRESENCE
> #!define WITH_ALIASDB
> #!define WITH_IMC
> #!define WITH_TLS
>
> When I try to connect via command line, this is the result (just
> including relevant parts):
>
> $ openssl s_client -connect 192.X.X.X:5061 -tls1
> CONNECTED(00000003)
> depth=1 C = XX, ST = XXXX, L = XXXXXX, O = XXX CA, CN = XXX CA
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2550 bytes and written 336 bytes
> ---
> ---
>     Start Time: 1567787935
>     Timeout   : 7200 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> read:errno=0
>
> Now, when I set up my clients, they connect to the server, but they
> can't send messages or make calls.
>
> This is the TLS startup LOG:
>
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_mod.c:372]: mod_init(): With ECDH-Support!
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_mod.c:375]: mod_init(): With Diffie Hellman
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: CRITICAL: tls [tls_init.c:671]: init_tls_h(): installed openssl library version is too different from the library the kamailio tls module was compiled with: installed "OpenSSL 1.1.1  11 Sep 2018" (0x1010100f), compiled "OpenSSL 1.1.0k  28 May 2019" (0x101000bf).#012 Please make sure a compatible version is used (tls_force_run in kamailio.cfg will override this check)
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: WARNING: tls [tls_init.c:680]: init_tls_h(): tls_force_run turned on, ignoring openssl version mismatch
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: WARNING: tls [tls_init.c:778]: init_tls_h(): openssl bug #1491 (crash/mem leaks on low memory) workaround enabled (on low memory tls operations will fail preemptively) with free memory thresholds 12582912 and 6291456 bytes
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core> [core/cfg/cfg_ctx.c:595]: cfg_set_now(): tls.low_mem_threshold1 has been changed to 12582912
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core> [core/cfg/cfg_ctx.c:595]: cfg_set_now(): tls.low_mem_threshold2 has been changed to 6291456
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core> [main.c:2669]: main(): processes (at least): 24 - shm size: 67108864 - pkg size: 8388608
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core> [core/udp_server.c:153]: probe_max_receive_buffer(): SO_RCVBUF is initially 212992
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core> [core/udp_server.c:205]: probe_max_receive_buffer(): SO_RCVBUF is finally 425984
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSs<default>: tls_method=12
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/certs/192.X.X.X/cert.pem'
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>: ca_list='/etc/certs/demoCA/cert.pem'
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=0
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/certs/192.X.X.X/key.pem'
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=0
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: NOTICE: tls [tls_domain.c:1087]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:707]: set_verification(): TLSs<default>: No client certificate required and no checks performed
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSc<default>: tls_method=12
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSc<default>: certificate='(null)'
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSc<default>: ca_list='(null)'
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSc<default>: crl='(null)'
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>: require_certificate=0
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSc<default>: cipher_list='(null)'
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSc<default>: private_key='(null)'
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>: verify_certificate=0
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSc<default>: verify_depth=9
> Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:710]: set_verification(): TLSc<default>: Server MAY present invalid certificate
> Sep  6 16:41:58 aslo-kamailio /usr/sbin/kamailio[5862]: INFO: jsonrpcs [jsonrpcs_sock.c:443]: jsonrpc_dgram_process(): a new child 0/5862
> Sep  6 16:41:58 aslo-kamailio /usr/sbin/kamailio[5866]: INFO: ctl [io_listener.c:214]: io_listen_loop(): io_listen_loop:  using epoll_lt io watch method (config)
>
> This is my tls.cfg file:
>
> [server:default]
> method = TLSv1
> verify_certificate = no
> require_certificate = no
> private_key = /etc/certs/192.X.X.X/key.pem
> certificate = /etc/certs/192.X.X.X/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
> #crl = /etc/kamailio/tls/crl.pem
>
> # ---
> # This is the default client domain profile.
> # Settings in this domain will be used for all outgoing
> # TLS connections that do not match any other
> # client domain in this configuration file.
> # We require that servers present valid certificate.
> #
> [client:default]
> method = TLSv1
> verify_certificate = no
> require_certificate = no
>
> These are the relevant parts of my kamailio.cfg:
>
> # alias="sip.mydomain.com"
>   alias=192.X.X.X:5060
>   alias=192.X.X.X:5061
>
> /* uncomment and configure the following line if you want Kamailio to
> * bind on a specific interface/port/proto (default bind on all available) */
>   listen=udp:192.X.X.X:5060
>   listen=tcp:192.X.X.X:5060
>   listen=tls:192.X.X.X:5061
>
> #!ifdef WITH_TLS
> enable_tls=yes
>
> /* upper limit for TLS connections */
> tls_max_connections=2048
> #!endif
>
> #!ifdef WITH_TLS
> # ----- tls params -----
> modparam("tls", "config", "/etc/kamailio/tls.cfg")
> modparam("tls", "tls_force_run", 1)
> #!endif
>
> These are the errors that show up every time I try to connect with a
> client:
>
> Sep  6 16:53:42 aslo-kamailio /usr/sbin/kamailio[5870]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
> Sep  6 16:53:42 aslo-kamailio /usr/sbin/kamailio[5870]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f7c4e3ddd00 r: 0x7f7c4e3ddd80 (-1)
> Sep  6 16:53:43 aslo-kamailio /usr/sbin/kamailio[5874]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
> Sep  6 16:53:43 aslo-kamailio /usr/sbin/kamailio[5874]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f7c4e3ddd00 r: 0x7f7c4e3ddd80 (-1)
> Sep  6 16:53:44 aslo-kamailio /usr/sbin/kamailio[5875]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
> Sep  6 16:53:44 aslo-kamailio /usr/sbin/kamailio[5875]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f7c4e3ddd00 r: 0x7f7c4e3ddd80 (-1)
>
> Any help would be greatly appreciated.
>
> Regards.
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training, Oct 21-23, 2019, Berlin, Germany -- https://asipto.com/u/kat
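Added here as an example (not code from the post or from Kamailio): a decoder for the OpenSSL error code in the `tls_err_ret()` lines quoted above, run over those log lines. The reason part 0x412 = 1042 is 1000 + 42, i.e. TLS alert 42 (bad_certificate) read off the wire by ssl3_read_bytes during a TLS accept, so it is the connecting client that rejected the server's certificate chain; the server-side verify_certificate/require_certificate settings in tls.cfg do not influence that. The alert-name table is assumed from RFC 5246 and the library/function constants from OpenSSL 1.1 headers.

```python
import re
from collections import Counter

# TLS alert numbers (RFC 5246 section 7.2), limited to the certificate-related ones.
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
               48: "unknown_ca"}

# OpenSSL 1.1 packs an error code as (library << 24) | (function << 12) | reason.
# In the SSL library a reason of 1000 + N means "the peer sent TLS alert N",
# and function 0x094 (ssl3_read_bytes) is the routine that read that alert.
ERR_LIB_SSL = 0x14
SSL_F_SSL3_READ_BYTES = 0x094

def decode_openssl_error(code: str) -> dict:
    """Split a hex OpenSSL error such as '14094412' into its components."""
    value = int(code, 16)
    lib, func, reason = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "alert": None, "alert_name": None, "from_peer": False}
    if lib == ERR_LIB_SSL and reason >= 1000:
        info["alert"] = reason - 1000
        info["alert_name"] = ALERT_NAMES.get(info["alert"], "unknown")
        info["from_peer"] = func == SSL_F_SSL3_READ_BYTES
    return info

# Matches the tls module's error line; "accept" means kamailio was the server
# in the handshake, "connect" means it was the client.
LOG_RE = re.compile(r"tls_err_ret\(\): TLS (accept|connect):error:([0-9A-Fa-f]{8}):")

def summarize_tls_errors(lines):
    """Count peer-sent alerts by role, sending side and alert name over kamailio log lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        role, info = m.group(1), decode_openssl_error(m.group(2))
        if info["from_peer"]:
            sender = "client" if role == "accept" else "server"
            counts[(role, sender, info["alert_name"])] += 1
    return counts

# Sample input: two log lines from the post above, each joined into a single line.
SAMPLE_LOG = [
    "Sep  6 16:53:42 aslo-kamailio /usr/sbin/kamailio[5870]: ERROR: tls [tls_util.h:42]: "
    "tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate",
    "Sep  6 16:53:42 aslo-kamailio /usr/sbin/kamailio[5870]: ERROR: <core> [core/tcp_read.c:1505]: "
    "tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f7c4e3ddd00 r: 0x7f7c4e3ddd80 (-1)",
]

if __name__ == "__main__":
    for (role, sender, name), n in summarize_tls_errors(SAMPLE_LOG).items():
        print(f"{n}x TLS {role}: alert {name} sent by the {sender}")
```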
