[OpenSIPS-Users] opensips 1.7+tls problems
yufei.tao
yufei.tao at redembedded.com
Thu Oct 13 11:38:24 CEST 2011
Hi
As I've got no help on this since I posted this problem, I've been assuming that opensips users are mostly on UDP and TLS problems are known but not shared by many.
For your information, I've been looking at Kamailio (3.1.5), which is supposed to have better TLS support (non-blocking TCP). Initial stress tests did suggest that it is far better in handling TLS connections, especially when you have many of them coming in at the same time, which could get opensips into the unrecoverable 'bad record mac' errors easily, while Kamailio had no problem at all. So we are moving to Kamailio. By the way, this 'bad record mac' problem has made me write a script that looks out for this error and restarts opensips automatically when that happens. But after a restart, opensips may get into the errors again. So we've seen that it's been restarted non-stop when we had many sip clients. So we had to turn off some of them so the restarting cycle could eventually stop.
As far as my very limited experience with Kamailio is concerned, it has a better-organized config file supporting 'defines', which I like very much. You don't need to compile the TLS support as the debian packages already have it in, which is very convenient as TLS is a 'must' for us. I do realize its dialog module is not as advanced as opensips's in terms of calculating call durations etc, so you'll have to use the mysql procedure to handle this as you used to do with opensips.
That's what I've been doing to 'solve' this problem. But I'd very much appreciate it if you could share your experience, or any good/bad things you know about Kamailio, or any other open source sip servers.
Yufei
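An added example, not from the thread: a restart guard in the spirit of the watchdog script described above, which only acts after repeated 'bad record mac' errors and backs off between restarts, so that a persistent fault cannot turn into the non-stop restart cycle Yufei reports. The log line text, the thresholds and the restart command are assumptions.

```python
import re
from collections import deque

# Substring of the OpenSSL error as it shows up in OpenSIPS logs (assumed).
BAD_MAC_RE = re.compile(r"bad record mac", re.IGNORECASE)


class RestartGuard:
    """Decide whether a restart is justified: at least `threshold` errors within
    `window` seconds, and never twice within `gap` seconds; the gap doubles after
    each restart (up to `max_gap`) so a persistent fault cannot cause a
    restart loop."""

    def __init__(self, threshold=3, window=60.0, gap=30.0, max_gap=600.0):
        self.threshold, self.window = threshold, window
        self.gap, self.max_gap = gap, max_gap
        self.errors = deque()      # timestamps of recent matching errors
        self.last_restart = None

    def observe(self, line, now):
        """Feed one log line with its timestamp; True means restart now."""
        if not BAD_MAC_RE.search(line):
            return False
        self.errors.append(now)
        while self.errors and now - self.errors[0] > self.window:
            self.errors.popleft()   # forget errors outside the window
        if len(self.errors) < self.threshold:
            return False
        if self.last_restart is not None and now - self.last_restart < self.gap:
            return False            # still in backoff after the last restart
        self.last_restart = now
        self.gap = min(self.gap * 2, self.max_gap)
        self.errors.clear()
        return True                 # caller runs e.g. `opensipsctl restart` here


# Constructed sample log lines (not real OpenSIPS output), with second offsets.
ERR = "opensips[1234]: ERROR:tls_mgm: SSL error: bad record mac"
SAMPLE = [(0.0, ERR), (1.0, "opensips[1234]: INFO: user registered"),
          (2.0, ERR), (3.0, ERR), (4.0, ERR), (5.0, ERR), (6.0, ERR),
          (40.0, ERR), (41.0, ERR), (70.0, ERR), (71.0, ERR), (72.0, ERR)]


def restart_times(sample=SAMPLE, guard=None):
    """Return the timestamps at which the guard would trigger a restart."""
    guard = guard or RestartGuard()
    return [t for t, line in sample if guard.observe(line, t)]
```

On the sample, the burst at 4-6 s and the errors at 40-41 s fall inside the 60 s backoff after the first restart and are ignored; the next restart is only allowed at 70 s.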
----------------------------------------------------------------------
Message: 1
Date: Wed, 12 Oct 2011 06:41:20 -0700 (PDT)
From: jarle <jarle.lervik at sipcom.no>
Subject: Re: [OpenSIPS-Users] opensips 1.7+tls problems
To: users at lists.opensips.org
Message-ID: <1318426880055-6885031.post at n2.nabble.com>
Content-Type: text/plain; charset=us-ascii
I have the exact same issue. Did you figure this one out?
Ian Buckner wrote:
> >
> > I just wanted to pick up on question 1 as I have the same problem and may
> > have got slightly further in tracing this:
> >
> > Using ssldump I see the following during the initial REGISTER operation:
> >
> > On OpenSips 1.7.0
> > ---------------------------
> > New TCP connection #8: 81.5.147.34(61584) <-> myserver(5672)
> > 8 1 0.0996 (0.0996) C>S Handshake
> > ClientHello
> > Version 3.1
> > cipher suites
> > Unknown value 0x39
> > Unknown value 0x38
> > Unknown value 0x35
> > TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> > TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> > TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > Unknown value 0x33
> > Unknown value 0x32
> > Unknown value 0x2f
> > TLS_RSA_WITH_RC4_128_SHA
> > TLS_RSA_WITH_RC4_128_MD5
> > TLS_DHE_RSA_WITH_DES_CBC_SHA
> > TLS_DHE_DSS_WITH_DES_CBC_SHA
> > TLS_RSA_WITH_DES_CBC_SHA
> > TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
> > TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> > TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
> > TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
> > TLS_RSA_EXPORT_WITH_RC4_40_MD5
> > compression methods
> > NULL
> > 8 2 0.1001 (0.0005) S>C Handshake
> > ServerHello
> > Version 3.1
> > session_id[32]=
> > 0a 84 43 7a 4b 15 d9 11 f9 ca 51 f2 33 30 c3 07
> > 12 dd 35 a1 33 e1 43 fc 14 84 f6 0d 98 67 93 97
> > cipherSuite Unknown value 0x35
> > compressionMethod NULL
> > 8 3 0.1001 (0.0000) S>C Handshake
> > Certificate
> > 8 4 0.1001 (0.0000) S>C Handshake
> > ServerHelloDone
> > 8 5 0.1546 (0.0545) C>S Handshake
> > ClientKeyExchange
> > 8 6 0.1546 (0.0000) C>S ChangeCipherSpec
> > 8 7 0.1546 (0.0000) C>S Handshake
> > 8 8 0.1557 (0.0010) S>C ChangeCipherSpec
> > 8 9 0.1557 (0.0000) S>C Handshake
> > 8 10 0.2133 (0.0575) C>S application_data
> > 8 11 0.2133 (0.0000) C>S application_data
> > 8 12 0.2140 (0.0007) S>C application_data
> > Unknown SSL content type 83
> > 8 13 0.2686 (0.0545) C>S Alert
> > 8 14 0.2686 (0.0000) S>CShort record
> > 8 15 0.2686 (0.0000) S>C Alert
> > 8 16 0.2688 (0.0002) S>C Alert
> > 8 0.2689 (0.0000) S>C TCP RST
> >
> > i.e. an error on the first piece of application data sent from OpenSips
> > back to the client. In my case, the Blink 1.2.0 client shows as registered
> > (confirmed by opensipsctl ul show) but the TLS socket has been torn down.
> >
> > Rolling back to 1.6.4-2, using the same certificates and TLS
> > configuration:
> >
> > On OpenSips 1.6.4-2
> > ----------------------------
> > New TCP connection #7: 81.5.147.34(61303) <-> myserver(5672)
> > 7 1 0.0806 (0.0806) C>S Handshake
> > ClientHello
> > Version 3.1
> > cipher suites
> > Unknown value 0x39
> > Unknown value 0x38
> > Unknown value 0x35
> > TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> > TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> > TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > Unknown value 0x33
> > Unknown value 0x32
> > Unknown value 0x2f
> > TLS_RSA_WITH_RC4_128_SHA
> > TLS_RSA_WITH_RC4_128_MD5
> > TLS_DHE_RSA_WITH_DES_CBC_SHA
> > TLS_DHE_DSS_WITH_DES_CBC_SHA
> > TLS_RSA_WITH_DES_CBC_SHA
> > TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
> > TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> > TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
> > TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
> > TLS_RSA_EXPORT_WITH_RC4_40_MD5
> > compression methods
> > NULL
> > 7 2 0.0811 (0.0005) S>C Handshake
> > ServerHello
> > Version 3.1
> > session_id[32]=
> > 1b 63 c6 56 b0 aa 18 a0 57 3b 26 84 8a d8 5a d1
> > ae 71 b2 9f 87 ff 02 31 d3 33 4d 7f 51 71 73 2e
> > cipherSuite Unknown value 0x35
> > compressionMethod NULL
> > 7 3 0.0811 (0.0000) S>C Handshake
> > Certificate
> > 7 4 0.0811 (0.0000) S>C Handshake
> > ServerHelloDone
> > 7 5 0.1364 (0.0552) C>S Handshake
> > ClientKeyExchange
> > 7 6 0.1364 (0.0000) C>S ChangeCipherSpec
> > 7 7 0.1364 (0.0000) C>S Handshake
> > 7 8 0.1375 (0.0010) S>C ChangeCipherSpec
> > 7 9 0.1375 (0.0000) S>C Handshake
> > 7 10 0.1934 (0.0559) C>S application_data
> > 7 11 0.1934 (0.0000) C>S application_data
> > 7 12 0.1942 (0.0007) S>C application_data
> > 7 13 0.2565 (0.0623) C>S application_data
> > 7 14 0.2565 (0.0000) C>S application_data
> > 7 15 0.2587 (0.0022) S>C application_data
> >
> > Register succeeds, no error in the TLS channel, socket connection remains
> > open for subsequent interactions.
> >
> > @Yufei - perhaps you are able to confirm the same behaviour using ssldump
> > too.
> >
> >
> > best regards,
> >
> > Ian
> > _______________________________________________
> > Users mailing list
> > Users at .opensips
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
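An added diagnostic, not from the thread: a small parser for ssldump traces like the two quoted above that reports the first anomaly after the server's first application_data record. Content type 83 is not a TLS record type (those are 20 to 23); 83 is ASCII 'S', which would be consistent with an unencrypted SIP message ("SIP/2.0 ...") being written straight to the socket, although the trace alone cannot prove that. The excerpts below are constructed from the quoted traces, not the full dumps.

```python
import re

# Record content types defined by TLS 1.0-1.2 (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# "<conn> <rec> <time> (<delta>) C>S|S>C <description>"; the quoted
# "S>CShort record" has no space after the direction, hence \s* not \s+.
RECORD_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+[\d.]+\s+\([\d.]+\)\s+([CS]>[CS])\s*(.*)$")
UNKNOWN_RE = re.compile(r"^Unknown SSL content type (\d+)$")
RST_RE = re.compile(r"^\d+\s+[\d.]+\s+\([\d.]+\)\s+[CS]>[CS]\s+TCP RST$")


def diagnose(trace):
    """Return a dict describing the first anomaly seen after the server's first
    application_data record, or None if the channel stayed healthy."""
    server_sent_data = False
    for raw in trace.splitlines():
        line = raw.strip().lstrip("> ").strip()   # drop mail quoting ("> > ")
        rec = RECORD_RE.match(line)
        if rec:
            direction, what = rec.group(3), rec.group(4).strip()
            if direction == "S>C" and what == "application_data":
                server_sent_data = True
            elif server_sent_data and what in ("Alert", "Short record"):
                return {"event": what.lower(), "direction": direction}
            continue
        unk = UNKNOWN_RE.match(line)
        if unk and server_sent_data:
            ct = int(unk.group(1))
            return {"event": "bad_content_type", "value": ct,
                    "valid_tls_type": ct in TLS_CONTENT_TYPES,
                    # a printable byte hints that plaintext hit the socket
                    "as_ascii": chr(ct) if 32 <= ct < 127 else None}
        if server_sent_data and RST_RE.match(line):
            return {"event": "tcp_rst"}
    return None


# Constructed excerpts modelled on the two traces quoted above.
BROKEN = """\
> > 8 12 0.2140 (0.0007) S>C application_data
> > Unknown SSL content type 83
> > 8 13 0.2686 (0.0545) C>S Alert
> > 8 14 0.2686 (0.0000) S>CShort record
> > 8 0.2689 (0.0000) S>C TCP RST
"""
HEALTHY = """\
> > 7 12 0.1942 (0.0007) S>C application_data
> > 7 13 0.2565 (0.0623) C>S application_data
> > 7 15 0.2587 (0.0022) S>C application_data
"""
```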