[OpenSIPS-Users] Frequent TLS failures

Abisai Matangira matangiraa at afri-com.net
Thu Jan 25 17:01:01 EST 2018



Sent from Nine<http://www.9folders.com/>
________________________________
From: Daniel Lakeland <dlakelan at street-artists.org>
Sent: Thursday, 25 January 2018 6:59 pm
To: OpenSIPS users mailling list
Subject: [OpenSIPS-Users] Frequent TLS failures

I have set up monit to monitor TLS connectivity for my opensips
instance. It just connects via openssl s_client and greps for errors, it
reboots openssl if it has errors more than a few times in a row.

I get errors as follows about 3 to 5 times a day:

        Description: status failed (1) -- 140444316333312:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../crypto/rsa/rsa_pk1.c:67:
140444316333312:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:586:
140444316333312:error:1416D07B:SSL routines:tls_process_key_exchange:bad signature:../ssl/statem/statem_clnt.c:1721:


rebooting opensips makes them go away for several hours. For example monit rebooted opensips at 2:37 AM, 4:55 AM, and 6:48 AM so far this morning (it's about 8:55 am where I am now).

This seems suspicious, and btw several other processes use the same certs with no problems day in and day out (prosody jabber server for example, probably some others).

I suspect some memory gets corrupted in opensips and this causes it to fail to work.

Opensips is version 2.3.2-1 installed from the opensips apt repository on a mixed Debian system, openssl and libssl = 1.1.0g

Any thoughts?



_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20180125/109010e7/attachment.html>


More information about the Users mailing list