[OpenSIPS-Users] TLS handshake failure: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:

Răzvan Crainea razvan at opensips.org
Mon Jun 22 09:37:56 CEST 2015


Hi, Nabeel!

Are you using wildcards in your certificate name, or is it just that you 
can't make the names public? Note that wildcards are not supported in the 
OpenSIPS certificate/key name.
Are there any errors in OpenSIPS's logs?

Best regards,

Răzvan Crainea
OpenSIPS Solutions
www.opensips-solutions.com

On 06/22/2015 07:26 AM, Nabeel wrote:
> Hi,
>
> I'm trying to set up OpenSIPS with TLS support and connecting to my 
> server with an SIP client (Lumicall - http://lumicall.org/).
>
> The settings in my opensips.cfg file are as follows:
>
>     listen=tls:87.xx.xxx.42:5061 as server0.domain.com:5061
>
>     loadmodule "proto_tls.so"
>     modparam("proto_tls", "verify_cert", "0")
>     modparam("proto_tls", "require_cert", "0")
>     modparam("proto_tls", "ciphers_list", "NULL")
>     modparam("proto_tls", "tls_method", "SSLv23")
>     modparam("proto_tls", "certificate",
>     "/etc/ssl/public/*.domain.com.pem")
>     modparam("proto_tls", "private_key",
>     "/etc/ssl/private/*.domain.com-key.pem")
>     modparam("proto_tls", "ca_list", "/etc/ssl/public/*.domain.com.pem")
>     modparam("proto_tls", "ca_dir", "/etc/ssl/public/")
>
>
> The certificates are from CAcert.org and the SIP client has built-in 
> support for the CAcert.org root certificates.
>
> OpenSIPS starts successfully without errors and the following command 
> shows listening on the correct port:
>
>     # netstat -tapen | grep ":5061 "
>     tcp        0      0 87.81.230.42:5061       0.0.0.0:*               LISTEN      0          94449      6850/opensips
>
>
> The command "netstat -tlp | grep 5061" returns no result.  Testing the 
> port through remote services and with nmap shows the port is open:
>
>     nmap -p 5061 server0.domain.com
>     Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-22 04:40 BST
>     Nmap scan report for server0.domain.com (87.81.230.42)
>     Host is up (0.000090s latency).
>     PORT     STATE SERVICE
>     5061/tcp open  sip-tls
>
>
> However, checking the connection with s_client shows a handshake failure:
>
>     # openssl s_client -connect server0.domain.com:5061 -showcerts -CAfile /etc/ssl/public/cacert.org.pem
>     CONNECTED(00000003)
>     139762069984912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
>     ---
>     no peer certificate available
>     ---
>     No client certificate CA names sent
>     ---
>     SSL handshake has read 7 bytes and written 295 bytes
>     ---
>     New, (NONE), Cipher is (NONE)
>     Secure Renegotiation IS NOT supported
>     Compression: NONE
>     Expansion: NONE
>     ---
>
>
> Adding -servername server0.domain.com shows the same error.
>
> Trying to connect to the server using the SIP client, with 
> username at server0.domain.com, also 
> shows a handshake failure in Logcat:
>
>     06-21 18:33:31.790  20121-31973/com.domain
>     I/IntegratedSipProvider﹕ no active connection found matching
>     tls:87.xx.xxx.xx:5061
>     06-21 18:33:31.790  20121-31973/com.domain
>     I/IntegratedSipProvider﹕ open tls connection to 87.xx.xxx.42:5061
>     06-21 18:33:31.790  20121-31973/com.domain
>     I/org.zoolu.net.TcpSocket﹕ Initializing SSLContext for first use
>     06-21 18:33:31.790  20121-31973/com.domain
>     I/org.zoolu.net.TcpSocket﹕ Adding the customKeyStore to trust
>     manager for SSLContext
>     06-21 18:33:31.790  20121-31973/com.domain
>     I/org.zoolu.net.TcpSocket﹕ Connecting socket to 87.xx.xxx.42,
>     port 5061
>     06-21 18:33:31.870  20121-31973/com.domain
>     I/org.zoolu.net.TcpSocket﹕ Local address is: /10.155.115.36:47549
>     06-21 18:33:31.870  20121-31973/com.domain
>     I/org.zoolu.net.TcpSocket﹕ Starting SSL handshake
>     06-21 18:33:31.980  20121-31973/com.domain
>     W/org.zoolu.net.TcpSocket﹕ Exception while getting
>     session/starting handshake
>     06-21 18:36:23.210   20121-1693/com.domain
>     E/IntegratedSipProvider﹕ java.io.IOException: Failed to handshake
>     SSLjavax.net.ssl.SSLHandshakeException: Handshake failed,
>     Handshake failed
>                 at org.zoolu.net.TcpSocket.<init>(TcpSocket.java:199)
>                 at
>     org.zoolu.sip.provider.TcpTransport.<init>(TcpTransport.java:152)
>                 at
>     org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1367)
>                 at
>     org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1297)
>                 at
>     org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1628)
>                 at
>     org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1608)
>                 at
>     java.util.concurrent.FutureTask.run(FutureTask.java:237)
>                 at
>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
>                 at
>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
>                 at java.lang.Thread.run(Thread.java:818)
>
>
>
> I tried setting TLSv1 as 'tls_method' in the opensips config (instead of 
> SSLv23), but the same error occurred. Please advise how to resolve this 
> SSL handshake failure.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
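As an added example (not from the thread, and not OpenSIPS project code), here is a small Python linter for a proto_tls modparam block. It checks the two things a practitioner would verify first in the posted configuration: that the certificate, key and CA paths are literal file names, since OpenSIPS opens them as given and does not expand wildcards (Răzvan's point above), and that the cipher list does not consist of OpenSSL's null aliases. In OpenSSL cipher-string syntax the bare token "NULL" selects only the suites with no encryption; no ordinary client proposes those, so the server finds no shared suite and answers with the handshake_failure alert that s_client reports. The "fixed" configuration, its file names and its cipher string are assumptions constructed for comparison, not values from the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the proto_tls block quoted in the thread above, as posted.
POSTED_CFG = '''
loadmodule "proto_tls.so"
modparam("proto_tls", "verify_cert", "0")
modparam("proto_tls", "require_cert", "0")
modparam("proto_tls", "ciphers_list", "NULL")
modparam("proto_tls", "tls_method", "SSLv23")
modparam("proto_tls", "certificate",
"/etc/ssl/public/*.domain.com.pem")
modparam("proto_tls", "private_key",
"/etc/ssl/private/*.domain.com-key.pem")
modparam("proto_tls", "ca_list", "/etc/ssl/public/*.domain.com.pem")
modparam("proto_tls", "ca_dir", "/etc/ssl/public/")
'''

# Constructed comparison (hypothetical file names, explicit cipher list).
FIXED_CFG = '''
modparam("proto_tls", "verify_cert", "0")
modparam("proto_tls", "require_cert", "0")
modparam("proto_tls", "ciphers_list", "HIGH:!aNULL:!eNULL")
modparam("proto_tls", "tls_method", "TLSv1")
modparam("proto_tls", "certificate", "/etc/ssl/public/wildcard.domain.com.pem")
modparam("proto_tls", "private_key", "/etc/ssl/private/wildcard.domain.com-key.pem")
modparam("proto_tls", "ca_list", "/etc/ssl/public/cacert.org.pem")
'''

# modparam("proto_tls", "<key>", "<value>"); \s* also spans the line breaks
# that mail clients insert between the arguments.
MODPARAM_RE = re.compile(
    r'modparam\(\s*"proto_tls"\s*,\s*"(?P<key>\w+)"\s*,\s*"(?P<val>[^"]*)"\s*\)'
)
GLOB_CHARS = re.compile(r"[*?\[]")
FILE_KEYS = ("certificate", "private_key", "ca_list")
# OpenSSL cipher-string aliases that select unencrypted or unauthenticated suites.
NULL_ALIASES = {"NULL", "eNULL", "aNULL"}

Finding = Tuple[str, str, str]  # (severity, modparam key, message)


def parse_proto_tls(cfg: str) -> Dict[str, str]:
    """Collect proto_tls modparam values; a repeated key keeps the last value."""
    return {m.group("key"): m.group("val") for m in MODPARAM_RE.finditer(cfg)}


def lint_proto_tls(params: Dict[str, str]) -> List[Finding]:
    """Static checks on the parsed proto_tls settings."""
    findings: List[Finding] = []

    # 1. Paths are opened literally: a '*' in the file name is not expanded.
    for key in FILE_KEYS:
        val = params.get(key)
        if val and GLOB_CHARS.search(val):
            findings.append((
                "error", key,
                f"{val!r} contains a wildcard; the path is opened literally, "
                "so use the actual file name",
            ))

    # 2. A cipher list made of null aliases offers only suites that no
    #    ordinary client proposes, so there is never a shared cipher and the
    #    server sends a handshake_failure alert.
    for tok in re.split(r"[:, ]+", params.get("ciphers_list", "")):
        if tok.lstrip("+") in NULL_ALIASES and not tok.startswith(("!", "-")):
            findings.append((
                "error", "ciphers_list",
                f"{tok!r} enables null-encryption/unauthenticated suites "
                "(OpenSSL alias); clients will not offer any of them",
            ))
            break

    # 3. Informational: valid settings that are worth a second look.
    if params.get("verify_cert") == "0":
        findings.append(("info", "verify_cert",
                         "peer certificates are not verified (no mutual TLS)"))
    if params.get("tls_method") == "SSLv23":
        findings.append(("info", "tls_method",
                         "SSLv23 lets OpenSSL negotiate any protocol it was "
                         "built with; pin a TLS version once clients allow it"))
    return findings


def errors(findings: List[Finding]) -> List[str]:
    """Keys of the error-level findings, in report order."""
    return [key for sev, key, _ in findings if sev == "error"]


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CFG), ("fixed", FIXED_CFG)):
        print(f"== {label} ==")
        for sev, key, msg in lint_proto_tls(parse_proto_tls(cfg)):
            print(f"{sev:5} {key:13} {msg}")
```

Run against the posted block it reports the three wildcard paths and the cipher list as errors; the constructed "fixed" block yields only the informational notes. The checks are purely static, so the script never opens the files or touches the network; confirming that the literal certificate and key actually load and match is a separate step done on the server with the OpenSSL tools.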
