[OpenSIPS-Users] phone not getting registered using TLS

Karsten Wemheuer kwem at gmx.de
Sat Jul 16 15:33:56 UTC 2022


Hi,

unfortunately, I am not familiar with CentOS.

Have a nice weekend

Karsten

On Saturday, 16.07.2022 at 11:57 +1200, ideanet help wrote:
> Hi Karsten,
> Interesting, I am using CentOS 7 and /etc/pki/tls/openssl.cnf file
> does not have any settings for CipherString
>
>
> On Sat, Jul 16, 2022 at 3:20 AM Karsten Wemheuer <kwem at gmx.de> wrote:
> > Hi,
> >
> > looking at some search results shows that TLS_RSA_WITH_RC4_128_SHA is
> > insecure and should not be used. Maybe the setting of CipherString in
> > openssl.cnf is causing the issue. On current Debian it is set like
> > this: DEFAULT@SECLEVEL=2.
> >
> > Karsten
> >
> > On Saturday, 16.07.2022 at 03:02 +1200, ideanet help wrote:
> > > Hi Karsten,
> > > I thought the same initially, but then it looks like the logs are saying:
> > > Client used ciphers are:
> > >         TLS_RSA_WITH_RC4_128_MD5
> > >         TLS_RSA_WITH_RC4_128_SHA
> > > and the server's response is cipherSuite TLS_RSA_WITH_RC4_128_SHA
> > >
> > > isn't it?
> > >
> > >
> > >
> > > > On Sat, Jul 16, 2022 at 1:53 AM Karsten Wemheuer <kwem at gmx.de> wrote:
> > > > Hi,
> > > >
> > > > the snom M9 is pretty old (End of Life 12/2016). Maybe the used
> > > > ciphers are not secure enough for current TLS.
> > > >
> > > > HTH
> > > >
> > > > Have a nice day and weekend
> > > >
> > > > Karsten
> > > >
> > > > On Saturday, 16.07.2022 at 01:20 +1200, ideanet help wrote:
> > > > > Hi experts,
> > > > >
> > > > > One of my phones (SNOM M9) is not able to register using TLS.
> > > > >
> > > > > Here are the logs from opensips and ssldump. Maybe someone can
> > > > > pinpoint the issue?
> > > > >
> > > > >
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10604] DBG:core:handle_new_connect: new connection: 0x7f16d2ba3bd8 80 flags: 001c
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10604] DBG:core:send2worker: to tcp worker 0 (0), 0x7f16d2ba3bd8 rw 1
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:proto_tls:proto_tls_conn_init: looking up TLS server domain [xx.xx.xx.xx:5061]
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:tls_mgm:tls_find_server_domain: found TLS server domain: sip.tls.mysipdomain.com
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:tls_openssl:openssl_tls_conn_init: Creating a whole new ssl connection
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:tls_openssl:openssl_tls_conn_init: Setting in ACCEPT mode (server)
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:core:handle_io: We have received conn 0x7f16d2ba3bd8 with rw 1 on fd 4
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:core:io_watch_add: [TCP_worker] io_watch_add op (4 on 74) (0x8f91e0, 4, 19, 0x7f16d2ba3bd8,1), fd_no=4/83886
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:proto_tls:tls_read_req: Using the global ( per process ) buff
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:tls_openssl:openssl_tls_update_fd: New fd is 4
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:proto_tls:tls_read_req: SSL accept/connect still pending!
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:proto_tls:tls_read_req: Using the global ( per process ) buff
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:tls_openssl:openssl_tls_update_fd: New fd is 4
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] ERROR:tls_openssl:openssl_tls_accept: SSL_ERROR_SYSCALL err=Success(0)
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] ERROR:tls_openssl:openssl_tls_accept: New TLS connection from myphoneIP.xx.xx:2987 failed to accept
> > > > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] ERROR:proto_tls:tls_read_req: failed to do pre-tls handshake!
> > > > >
> > > > > _________________________
> > > > >
> > > > > ssldump logs:
> > > > >
> > > > >
> > > > > New TCP connection #3: myphoneIP.xx.xx(2082) <-> sip.tls.mysipdomain.com(5061)
> > > > > 3 1  0.0280 (0.0280)  C>S  Handshake
> > > > >       ClientHello
> > > > >         Version 3.1
> > > > >         cipher suites
> > > > >         TLS_RSA_WITH_RC4_128_MD5
> > > > >         TLS_RSA_WITH_RC4_128_SHA
> > > > >         compression methods
> > > > >                   NULL
> > > > >         extensions
> > > > >           server_name
> > > > >               host_name: sip.tls.mysipdomain.com
> > > > >         ja3 string: 769,4-5,0,,
> > > > >         ja3 fingerprint: 8305e724a7c9f16b323465d289bc54a1
> > > > > 3 2  0.0353 (0.0072)  S>C  Handshake
> > > > >       ServerHello
> > > > >         Version 3.1
> > > > >         session_id[0]=
> > > > >
> > > > >         cipherSuite         TLS_RSA_WITH_RC4_128_SHA
> > > > >         compressionMethod                   NULL
> > > > >         extensions
> > > > >           server_name
> > > > >         ja3s string: 769,5,0
> > > > >         ja3s fingerprint: 99f916287a3ac1de732520956ab94b77
> > > > > 3 3  0.0353 (0.0000)  S>C  Handshake
> > > > >       Certificate
> > > > > 3 4  0.0353 (0.0000)  S>C  Handshake
> > > > >       ServerHelloDone
> > > > > 3    0.0653 (0.0299)  C>S  TCP FIN
> > > > > 3    0.0656 (0.0003)  S>C  TCP FIN
> > > > > _______________________________________________
> > > > > Users mailing list
> > > > > Users at lists.opensips.org
> > > > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users




More information about the Users mailing list
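
Added example, not part of the thread or of OpenSIPS: a small parser for the ssldump text quoted above that reports what the phone offered, what the server chose, and which side closed the connection first. The input is the poster's trace re-typed without quote markers; `triage` and its result keys are names made up for this example.

```python
import re

# Constructed input: the ssldump records from the thread with the e-mail
# quote markers stripped and the version/extension/ja3 lines left out.
SSLDUMP = """\
New TCP connection #3: myphoneIP.xx.xx(2082) <-> sip.tls.mysipdomain.com(5061)
3 1  0.0280 (0.0280)  C>S  Handshake
      ClientHello
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
3 2  0.0353 (0.0072)  S>C  Handshake
      ServerHello
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
3 3  0.0353 (0.0000)  S>C  Handshake
      Certificate
3 4  0.0353 (0.0000)  S>C  Handshake
      ServerHelloDone
3    0.0653 (0.0299)  C>S  TCP FIN
3    0.0656 (0.0003)  S>C  TCP FIN
"""

RECORD = re.compile(r"^\d+\s+(?:\d+\s+)?[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(.+)$")
SUITE = re.compile(r"TLS_[A-Z0-9_]+")
MESSAGES = {"ClientHello", "ServerHello", "Certificate", "ServerHelloDone", "ClientKeyExchange"}

def triage(dump):
    """Summarise one connection: what was offered, what was chosen, who quit."""
    offered, selected, events, sender = [], None, [], None
    for line in dump.splitlines():
        rec, text = RECORD.match(line), line.strip()
        if rec:
            sender = rec.group(1)
            if rec.group(2).strip() != "Handshake":    # e.g. "TCP FIN"
                events.append((sender, rec.group(2).strip()))
        elif text in MESSAGES:
            events.append((sender, text))
        elif text.startswith("cipherSuite"):            # the ServerHello's choice
            selected = SUITE.search(text).group()
        elif SUITE.fullmatch(text) and events and events[-1][1] == "ClientHello":
            offered.append(text)
    fin = next((i for i, e in enumerate(events) if e[1] == "TCP FIN"), None)
    closer = {"C>S": "client", "S>C": "server"}[events[fin][0]] if fin is not None else None
    return {
        "offered": offered, "selected": selected,
        "only_rc4_offered": bool(offered) and all("_RC4_" in c for c in offered),
        "negotiated": selected in offered,   # server picked a suite the client offered
        "last_message": events[fin - 1][1] if fin else None, "closed_first_by": closer,
    }
print(triage(SSLDUMP))
```

On this trace the result shows that the server selected one of the two offered RC4 suites and that the first TCP FIN came from the client directly after ServerHelloDone, with no ClientKeyExchange in between.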