[OpenSIPS-Users] TLS Handshake fail issue

Devang Dhandhalya devang.dhandhalya at ecosmob.com
Wed Nov 17 08:33:32 EST 2021 

Hello Bogdan

 I Just casually write , My intention was not rude or anything else , still
it's my bad if any one feeling hurts .

as you say the party you are trying to connect to (1.2.3.4:40945) is not
accepting your connection. i check that but can you please tell me what
type of thing i have to check . means from opensips side or blink user
configuration i have add tls certificate also in user configuration .

In the opensips module parameter any configuration wrong for TLS service ?

Many Thanks
Devang



On Wed, Nov 17, 2021 at 1:32 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
wrote:

> It is quite impolite and rude to put pressure here. This is a public, free
> list where people are voluntarily offer help as they can, with no
> obligation at all.
>
> Now, in terms of your issue - with a bit of an effort, you can read the
> logs which tell you what the problem is "Connection refused", or, the party
> you are trying to connect to (1.2.3.4:40945) is not accepting your
> connection.
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>   https://www.opensips-solutions.com
> OpenSIPS eBootcamp 2021
>   https://opensips.org/training/OpenSIPS_eBootcamp_2021/
>
> On 11/17/21 8:13 AM, Devang Dhandhalya wrote:
>
> It's the 9th day still not getting any response . Please can Anyone
> suggest a solution to this issue ?
>
> Many Thanks
> Devang
>
> On Tue, Nov 9, 2021 at 4:35 PM Devang Dhandhalya <
> devang.dhandhalya at ecosmob.com> wrote:
>
>> Hi All
>>
>> I Am Trying to Implement opensips with TLS support in a local machine . I
>> generate TLS server (rootCA) and TLS Client (user) certificates using
>> opensips-cli  .
>> softphone : Blink version : 5.1.7
>> opensips version : 3.2.2
>> Registration with tls is working fine for TLS ,  at the time of calling
>> getting below error . I check in logs at DBG level
>> From User A to opensips server tls handshake is working fine but from
>> opensips to User B tls handshake is going to fail please suggest how to
>> resolve this .
>>
>>
>> INFO level Logs :
>>
>> ERROR:core:tcp_async_connect: poll error: flags 1c
>> ERROR:core:tcp_async_connect: failed to retrieve SO_ERROR [server=
>> 1.2.3.4:40945] (111) Connection refused
>> ERROR:proto_tls:proto_tls_send: async TCP connect failed
>> ERROR:tm:msg_send: send() to 1.2.3.4:40945 for proto tls/3 failed
>> ERROR:tm:t_forward_nonack: sending request failed
>> ERROR:tls_openssl:openssl_tls_async_connect: New TLS connection to
>> 1.2.3.4:34463 failed
>> ERROR:tls_openssl:openssl_tls_async_connect: TLS error: 1 (ret=-1)
>> err=Success(0)
>> ERROR:tls_openssl:tls_print_errstack: TLS errstack: error:14094410:SSL
>> routines:ssl3_read_bytes:sslv3 alert handshake failure
>> ERROR:proto_tls:tls_read_req: failed to do pre-tls handshake!
>>
>> DBG level Logs :
>>
>> DBG:core:parse_msg: SIP Request:
>> DBG:core:parse_msg:  method:  <INVITE>
>> DBG:core:parse_msg:  uri:     <sip:14682973 at 1.2.3.4:34463;transport=tls>
>> DBG:core:parse_msg:  version: <SIP/2.0>
>> DBG:core:parse_headers: flags=ffffffffffffffff
>> DBG:core:parse_via_param: found param type 232, <branch> =
>> <z9hG4bK14b8.6a972877.0>; state=6
>> DBG:core:parse_via_param: found param type 236, <i> = <d7b6e394>; state=16
>> DBG:core:parse_via: end of header reached, state=5
>> DBG:core:parse_headers: via found, flags=ffffffffffffffff
>> DBG:core:parse_headers: this is the first via
>> DBG:core:parse_via_param: found param type 234, <received> = <1.2.3.4>;
>> state=6
>> DBG:core:parse_via_param: found param type 235, <rport> = <38119>; state=6
>> DBG:core:parse_via_param: found param type 232, <branch> =
>> <z9hG4bKPja1ee2137-d7f4-4744-89e1-ff53b4b0b06b>; state=6
>> DBG:core:parse_via_param: found param type 237, <alias> = <n/a>; state=16
>> DBG:core:parse_via: end of header reached, state=5
>> DBG:core:parse_headers: via found, flags=ffffffffffffffff
>> DBG:core:parse_headers: parse_headers: this is the second via
>> DBG:core:_parse_to: end of header reached, state=10
>> DBG:core:_parse_to: display={}, ruri={sip:1001 at 1.2.3.4}
>> DBG:core:get_hdr_field: <To> [26]; uri=[sip:1001 at 1.2.3.4]
>> DBG:core:get_hdr_field: to body [<sip:1001 at 1.2.3.4>#015#012]
>> DBG:core:get_hdr_field: cseq <CSeq>: <14318> <INVITE>
>> DBG:core:get_hdr_field: content_length=717
>> DBG:core:get_hdr_field: found end of header
>> DBG:core:parse_headers: flags=ffffffffffffffff
>> DBG:proto_tls:proto_tls_send: no open tcp connection found, opening new
>> one, async = 1
>> DBG:core:probe_max_sock_buff: getsockopt: snd is initially 16384
>> DBG:core:probe_max_sock_buff: using snd buffer of 416 kb
>> DBG:core:init_sock_keepalive: TCP keepalive enabled on socket 141
>> DBG:core:print_ip: tcpconn_new: new tcp connection to: 1.2.3.4
>> DBG:core:tcpconn_new: on port 34463, proto 3
>> DBG:tls_mgm:tls_find_client_domain: found TLS client domain: dom2
>> DBG:tls_openssl:openssl_tls_conn_init: Creating a whole new ssl connection
>> DBG:tls_openssl:openssl_tls_conn_init: Setting in CONNECT mode (client)
>> DBG:proto_tls:proto_tls_send: Successfully connected from interface
>> 1.2.3.4:34463 to 1.2.3.4:36463!
>> DBG:proto_tls:proto_tls_send: First TCP connect attempt succeeded in less
>> than 100ms, proceed to TLS connect
>> DBG:tls_openssl:openssl_tls_update_fd: New fd is 141
>> DBG:core:handle_worker: read response= 7f83eb6b5118, 2, fd 119 from 8
>> (17254)
>> DBG:core:tcpconn_add: hashes: 607, 894
>> DBG:core:io_watch_add: [TCP_main] io_watch_add op (119 on 5)
>> (0x55fd3f789ae0, 119, 19, 0x7f83eb6b5118,1), fd_no=27/1024
>> DBG:core:handle_tcpconn_ev: data available on 0x7f83eb6b5118 119
>> DBG:core:io_watch_del: [TCP_main] io_watch_del op on index 2 119
>> (0x55fd3f789ae0, 119, 2, 0x0,0x1) fd_no=28 called
>> DBG:core:send2worker: to tcp worker 1 (0), 0x7f83eb6b5118 rw 1
>> DBG:core:handle_io: We have received conn 0x7f83eb6b5118 with rw 1 on fd 5
>> DBG:core:io_watch_add: [TCP_worker] io_watch_add op (5 on 102)
>> (0x55fd3f789ae0, 5, 19, 0x7f83eb6b5118,1), fd_no=4/1024
>> DBG:proto_tls:tls_read_req: Using the global ( per process ) buff
>> DBG:tls_openssl:openssl_tls_async_connect: handshake timeout for
>> connection 0x7f83eb6b5118 10ms elapsed
>> DBG:tls_openssl:openssl_tls_update_fd: New fd is 5
>>
>> ERROR:tls_openssl:openssl_tls_async_connect: New TLS connection to
>> 1.2.3.4:34463 failed
>> ERROR:tls_openssl:openssl_tls_async_connect: TLS error: 1 (ret=-1)
>> err=Success(0)
>> ERROR:tls_openssl:tls_print_errstack: TLS errstack: error:14094410:SSL
>> routines:ssl3_read_bytes:sslv3 alert handshake failure
>> ERROR:proto_tls:tls_read_req: failed to do pre-tls handshake!
>>
>> DBG:proto_tls:proto_tls_send: Successfully started async SSL connection
>> DBG:core:io_watch_del: [TCP_worker] io_watch_del op on index 0 5
>> (0x55fd3f789ae0, 5, 0, 0x10,0x3) fd_no=5 called
>> DBG:core:tcpconn_release:  releasing con 0x7f83eb6b5118, state -2, fd=5,
>> id=1228827518
>> DBG:core:tcpconn_release:  extra_data 0x7f83eb6bdd50
>> DBG:tm:insert_timer_unsafe: [0]: 0x7f83eb6a9320 (12)
>> DBG:core:tcpconn_release:  releasing con 0x7f83eb6b5118, state -3, fd=-1,
>> id=1228827518
>> DBG:tm:t_relay_to: new transaction fwd'ed
>> DBG:core:tcpconn_release:  extra_data 0x7f83eb6bdd50
>> DBG:tm:do_t_cleanup: transaction 0x7f83eb6a90d0 already updated! Skipping
>> update!
>> DBG:tm:t_unref: UNREF_UNSAFE: [0x7f83eb6a90d0] after is 0
>> DBG:core:destroy_avp_list: destroying list (nil)
>> DBG:core:receive_msg: cleaning up
>> DBG:proto_tls:tls_read_req: tls_read_req end
>> DBG:core:handle_tcp_worker: response= 7f83eb6b5118, -3 from tcp worker 0
>> (1)
>> DBG:core:tcpconn_destroy: delaying (0x7f83eb6b5118, flags 0038) ref = 1
>> ...
>> DBG:core:handle_tcp_worker: response= 7f83eb6b5118, -2 from tcp worker 0
>> (0)
>> DBG:core:tcpconn_destroy: destroying connection 0x7f83eb6b5118, flags 0038
>> DBG:tls_openssl:openssl_tls_update_fd: New fd is 119
>> DBG:tm:utimer_routine: timer routine:4,tl=0x7f83eb6a5d18 next=(nil),
>> timeout=7700000
>> DBG:tm:retransmission_handler: retransmission_handler : request resending
>> (t=0x7f83eb6a5af8, PUBLISH s ... )
>> root at devang-MS-7817:/usr/local/etc/opensips/range#
>>
>> I am following this OpenSIPS TLS config:
>>
>> socket=udp:1.2.3.4: <http://192.168.0.105:506/>5060
>>
>> socket=tcp:1.2.3.4: <http://192.168.0.105:506/>5060
>>
>> socket=tls:1.2.3.4: <http://192.168.0.105:506>5061
>>
>> loadmodule "tls_openssl.so"
>>
>>
>> loadmodule "tls_mgm.so"
>> # -------- TLS SERVER Certificate ---------#
>> modparam("tls_mgm", "server_domain", "dom1")
>> modparam("tls_mgm", "match_sip_domain", "[dom1]devang.com")
>> modparam("tls_mgm", "match_ip_address", "[dom1]1.2.3.4:5061")
>> modparam("tls_mgm", "verify_cert", "[dom1]0")
>> modparam("tls_mgm", "require_cert", "[dom1]0")
>> modparam("tls_mgm", "tls_method", "[dom1]-")
>> modparam("tls_mgm", "certificate",
>> "[dom1]/usr/local/etc/opensips/tls/rootCA/ca_cert.pem")
>> modparam("tls_mgm", "private_key",
>> "[dom1]/usr/local/etc/opensips/tls/rootCA/private_key.pem")
>>
>> # --------- TLS CLIENT CERTIFICATE --------#
>> modparam("tls_mgm", "client_domain", "dom2")
>> modparam("tls_mgm", "match_sip_domain", "[dom2]*")
>> modparam("tls_mgm", "match_ip_address", "[dom2]*")
>> modparam("tls_mgm", "verify_cert", "[dom2]0")
>> modparam("tls_mgm", "require_cert", "[dom2]0")
>> modparam("tls_mgm", "tls_method", "[dom2]-")
>> modparam("tls_mgm", "certificate",
>> "[dom2]/usr/local/etc/opensips/tls/user/user-cert.pem")
>> modparam("tls_mgm", "private_key",
>> "[dom2]/usr/local/etc/opensips/tls/user/user-privkey.pem")
>> modparam("tls_mgm", "ca_list",
>> "[dom2]/usr/local/etc/opensips/tls/user/user-calist.pem")
>>
>>
>> loadmodule "proto_tls.so"
>>
>> checking the connection with s_client shows below :
>>
>> openssl s_client -showcerts -debug -connect 1.2.3.4:5061 -bugs
>> CONNECTED(00000005)
>> 140510082113984:error:14094458:SSL routines:ssl3_read_bytes:tlsv1
>> unrecognized name:../ssl/record/rec_layer_s3.c:1528:SSL alert number 112
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 517 bytes
>> Verification: OK
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 0 (ok)
>>
>>
>> Can anyone tell me what I might be missing for tls config or Please
>> advise how to resolve this SSL handshake failure.
>>
>>
>> Many Thanks
>> Devang
>>
>>
>>                                                           70,1          15%
>>
>
> *Disclaimer*
> In addition to generic Disclaimer which you have agreed on our website,
> any views or opinions presented in this email are solely those of the
> originator and do not necessarily represent those of the Company or its
> sister concerns. Any liability (in negligence, contract or otherwise)
> arising from any third party taking any action, or refraining from taking
> any action on the basis of any of the information contained in this email
> is hereby excluded.
>
> *Confidentiality*
> This communication (including any attachment/s) is intended only for the
> use of the addressee(s) and contains information that is PRIVILEGED AND
> CONFIDENTIAL. Unauthorized reading, dissemination, distribution, or copying
> of this communication is prohibited. Please inform originator if you have
> received it in error.
>
> *Caution for viruses, malware etc.*
> This communication, including any attachments, may not be free of viruses,
> trojans, similar or new contaminants/malware, interceptions or
> interference, and may not be compatible with your systems. You shall carry
> out virus/malware scanning on your own before opening any attachment to
> this e-mail. The sender of this e-mail and Company including its sister
> concerns shall not be liable for any damage that may incur to you as a
> result of viruses, incompleteness of this message, a delay in receipt of
> this message or any other computer problems.
>
> _______________________________________________
> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>

-- 
*Disclaimer*
In addition to generic Disclaimer which you have agreed on our 
website, any views or opinions presented in this email are solely those of 
the originator and do not necessarily represent those of the Company or its 
sister concerns. Any liability (in negligence, contract or otherwise) 
arising from any third party taking any action, or refraining from taking 
any action on the basis of any of the information contained in this email 
is hereby excluded.



*Confidentiality*
This communication (including any 
attachment/s) is intended only for the use of the addressee(s) and contains 
information that is PRIVILEGED AND CONFIDENTIAL. Unauthorized reading, 
dissemination, distribution, or copying of this communication is 
prohibited. Please inform originator if you have received it in error.


*Caution for viruses, malware etc.*
This communication, including any 
attachments, may not be free of viruses, trojans, similar or new 
contaminants/malware, interceptions or interference, and may not be 
compatible with your systems. You shall carry out virus/malware scanning on 
your own before opening any attachment to this e-mail. The sender of this 
e-mail and Company including its sister concerns shall not be liable for 
any damage that may incur to you as a result of viruses, incompleteness of 
this message, a delay in receipt of this message or any other computer 
problems. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20211117/76358701/attachment-0001.html>

More information about the Users mailing list