[OpenSIPS-Users] TLS handshake failure: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
Răzvan Crainea
razvan at opensips.org
Mon Jun 22 09:37:56 CEST 2015
Hi, Nabeel!
Are you using wildcards in your certificate name, or you just can't make
the names public? Note that wildcards are not supported in OpenSIPS
certificate/key's name.
Are there any errors in OpenSIPS's logs?
Best regards,
Răzvan Crainea
OpenSIPS Solutions
www.opensips-solutions.com
On 06/22/2015 07:26 AM, Nabeel wrote:
> Hi,
>
> I'm trying to set up OpenSIPS with TLS support and connecting to my
> server with a SIP client (Lumicall - http://lumicall.org/).
>
> The settings in my opensips.cfg file are as follows:
>
> listen=tls:87.xx.xxx.42:5061 as server0.domain.com:5061
>
> loadmodule "proto_tls.so"
> modparam("proto_tls", "verify_cert", "0")
> modparam("proto_tls", "require_cert", "0")
> modparam("proto_tls", "ciphers_list", "NULL")
> modparam("proto_tls", "tls_method", "SSLv23")
> modparam("proto_tls", "certificate",
> "/etc/ssl/public/*.domain.com.pem")
> modparam("proto_tls", "private_key",
> "/etc/ssl/private/*.domain.com-key.pem")
> modparam("proto_tls", "ca_list", "/etc/ssl/public/*.domain.com.pem")
> modparam("proto_tls", "ca_dir", "/etc/ssl/public/")
>
>
> The certificates are from CAcert.org and the SIP client has built-in
> support for CAcert.org root certificates.
>
> OpenSIPS starts successfully without errors and the following command
> shows listening on the correct port:
>
> # netstat -tapen | grep ":5061 "
> tcp 0 0 87.81.230.42:5061 0.0.0.0:* LISTEN 0 94449 6850/opensips
>
>
> The command "netstat -tlp | grep 5061" returns no result. Testing the
> port through remote services and with nmap shows the port is open:
>
> nmap -p 5061 server0.domain.com
> Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-22 04:40 BST
> Nmap scan report for server0.domain.com (87.81.230.42)
> Host is up (0.000090s latency).
> PORT STATE SERVICE
> 5061/tcp open sip-tls
>
>
> However, checking the connection with s_client shows a handshake failure:
>
> # openssl s_client -connect server0.domain.com:5061 -showcerts -CAfile /etc/ssl/public/cacert.org.pem
> CONNECTED(00000003)
> 139762069984912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 295 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
>
> Adding -servername server0.domain.com shows the same error.
>
> Trying to connect to the server using the SIP client, with
> username at server0.domain.com, also shows a handshake failure in Logcat:
>
> 06-21 18:33:31.790 20121-31973/com.domain I/IntegratedSipProvider﹕ no active connection found matching tls:87.xx.xxx.xx:5061
> 06-21 18:33:31.790 20121-31973/com.domain I/IntegratedSipProvider﹕ open tls connection to 87.xx.xxx.42:5061
> 06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Initializing SSLContext for first use
> 06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Adding the customKeyStore to trust manager for SSLContext
> 06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Connecting socket to 87.xx.xxx.42, port 5061
> 06-21 18:33:31.870 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Local address is: /10.155.115.36:47549
> 06-21 18:33:31.870 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Starting SSL handshake
> 06-21 18:33:31.980 20121-31973/com.domain W/org.zoolu.net.TcpSocket﹕ Exception while getting session/starting handshake
> 06-21 18:36:23.210 20121-1693/com.domain E/IntegratedSipProvider﹕ java.io.IOException: Failed to handshake SSLjavax.net.ssl.SSLHandshakeException: Handshake failed, Handshake failed
> at org.zoolu.net.TcpSocket.<init>(TcpSocket.java:199)
> at org.zoolu.sip.provider.TcpTransport.<init>(TcpTransport.java:152)
> at org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1367)
> at org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1297)
> at org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1628)
> at org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1608)
> at java.util.concurrent.FutureTask.run(FutureTask.java:237)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
> at java.lang.Thread.run(Thread.java:818)
>
>
>
> I tried setting TLSv1 as 'tls_method' in opensips config (instead of
> SSLv23) but the same error occurred. Please advise how to resolve this
> SSL handshake failure.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
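A configuration check for the kind of proto_tls settings quoted in the thread, added here as an illustration; it is not code from the thread or from the OpenSIPS project. It parses modparam("proto_tls", ...) lines and flags values that are insecure or unlikely to work: a ciphers_list of "NULL" (OpenSSL reads "NULL" as the eNULL no-encryption suites, which ordinary clients such as openssl s_client never offer, and a server with no cipher in common with the client aborts right after the ClientHello with a handshake_failure alert and before sending any certificate, which is exactly the "no peer certificate available" output shown above), an SSLv23 tls_method, verify_cert set to 0, a literal '*' in certificate or key paths (which, as the reply notes, OpenSIPS does not expand), and a ca_list that points at the server's own certificate instead of a CA bundle. The two sample configs, the example.com names and the file paths are constructed; the method name TLSv1_2 in the hardened sample is an assumption, since accepted method names vary by OpenSIPS version.

```python
"""Lint the proto_tls settings of an opensips.cfg.

Added example, not code from the mailing-list thread or the OpenSIPS project.
It parses modparam("proto_tls", ...) lines from a config text and reports
values that are insecure or unlikely to work.  The checks rely on OpenSSL
cipher-string semantics ("NULL" is an alias for the eNULL no-encryption
suites) and on the fact that OpenSIPS does not expand wildcards in
certificate/key file names.  Both sample configs below are constructed;
the example.com names and paths are placeholders.
"""
import re
from typing import Dict, List, Tuple

MODPARAM_RE = re.compile(
    r'modparam\(\s*"proto_tls"\s*,\s*"(?P<name>\w+)"\s*,\s*"(?P<value>[^"]*)"\s*\)'
)
LEGACY_METHODS = {"SSLv2", "SSLv3", "SSLv23"}
# Cipher-string tokens that select suites with no encryption (NULL/eNULL)
# or no authentication (aNULL).  An exclusion such as "!aNULL" is not a match.
NO_SECURITY_TOKENS = {"NULL", "eNULL", "aNULL"}

Finding = Tuple[str, str, str]  # (severity, parameter, message)

# Constructed to mirror the shape of the configuration discussed in the thread.
SAMPLE_CFG = """\
loadmodule "proto_tls.so"
modparam("proto_tls", "verify_cert", "0")
modparam("proto_tls", "require_cert", "0")
modparam("proto_tls", "ciphers_list", "NULL")
modparam("proto_tls", "tls_method", "SSLv23")
modparam("proto_tls", "certificate",
"/etc/ssl/public/*.example.com.pem")
modparam("proto_tls", "private_key",
"/etc/ssl/private/*.example.com-key.pem")
modparam("proto_tls", "ca_list", "/etc/ssl/public/*.example.com.pem")
modparam("proto_tls", "ca_dir", "/etc/ssl/public/")
"""

# Constructed hardened variant: real file names, a modern cipher list, a
# TLS-only method (assumed name; accepted names vary by OpenSIPS version)
# and peer verification against a separate CA bundle.
HARDENED_CFG = """\
loadmodule "proto_tls.so"
modparam("proto_tls", "verify_cert", "1")
modparam("proto_tls", "require_cert", "0")
modparam("proto_tls", "ciphers_list", "HIGH:!aNULL:!eNULL:!MD5")
modparam("proto_tls", "tls_method", "TLSv1_2")
modparam("proto_tls", "certificate", "/etc/ssl/public/sip.example.com.pem")
modparam("proto_tls", "private_key", "/etc/ssl/private/sip.example.com-key.pem")
modparam("proto_tls", "ca_list", "/etc/ssl/public/ca-chain.pem")
"""


def parse_proto_tls_params(cfg_text: str) -> Dict[str, str]:
    """Return {parameter: value} for every proto_tls modparam in the text.

    Values that wrap onto the next line after the comma (as pasted mail
    often does) are joined before matching.
    """
    joined = re.sub(r",\s*\n\s*", ", ", cfg_text)
    return {m.group("name"): m.group("value") for m in MODPARAM_RE.finditer(joined)}


def lint_proto_tls(cfg_text: str) -> List[Finding]:
    """Return (severity, parameter, message) findings for one config text."""
    p = parse_proto_tls_params(cfg_text)
    findings: List[Finding] = []

    # Split the OpenSSL cipher string into tokens and look for the no-security classes.
    ciphers = p.get("ciphers_list", "")
    tokens = {t.strip() for t in re.split(r"[:, ]+", ciphers) if t.strip()}
    if tokens & NO_SECURITY_TOKENS:
        findings.append(("high", "ciphers_list",
                         f"'{ciphers}' selects NULL-encryption or unauthenticated "
                         "suites; ordinary clients do not offer them, so the server "
                         "answers the ClientHello with a handshake_failure alert, and "
                         "any peer that does accept them carries SIP in clear text"))

    # OpenSIPS opens these as literal file names; a '*' is not a glob here.
    for key in ("certificate", "private_key", "ca_list"):
        path = p.get(key, "")
        if "*" in path:
            findings.append(("high", key,
                             f"'{path}' contains a literal '*'; OpenSIPS does not "
                             "expand wildcards in file names"))

    if p.get("tls_method") in LEGACY_METHODS:
        findings.append(("medium", "tls_method",
                         f"{p['tls_method']} negotiates any version, SSLv3 included, "
                         "unless explicitly disabled; use a TLS-only method"))

    if p.get("verify_cert") == "0":
        findings.append(("medium", "verify_cert",
                         "peer certificates are not verified, so remote SIP "
                         "endpoints are not authenticated"))

    if p.get("ca_list") and p.get("ca_list") == p.get("certificate"):
        findings.append(("low", "ca_list",
                         "ca_list is the server certificate itself; it should hold "
                         "the CA certificates used to verify peers"))
    return findings


def main() -> None:
    for label, cfg in (("sample", SAMPLE_CFG), ("hardened", HARDENED_CFG)):
        findings = lint_proto_tls(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for severity, param, msg in findings:
            print(f"  [{severity}] {param}: {msg}")


if __name__ == "__main__":
    main()
```

Run against the sample config the linter reports seven findings (the NULL cipher list, three wildcard paths, the SSLv23 method, the disabled verification and the ca_list reuse) and none against the hardened variant. To use it on a real file, read opensips.cfg into a string and pass it to lint_proto_tls; the parser only looks at proto_tls modparam lines, so the rest of the script is ignored.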