[OpenSIPS-Devel] [ opensips-Bugs-3581600 ] TLS: "failed to accept: rejected by client"
SourceForge.net
noreply at sourceforge.net
Thu Nov 8 14:53:50 CET 2012
Bugs item #3581600, was opened at 2012-10-29 04:56
Message generated for change (Comment added) made by dragosoancea
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3581600&group_id=232389
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: 1.8.x
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Dragos Oancea (dragosoancea)
Assigned to: Nobody/Anonymous (nobody)
Summary: TLS: "failed to accept: rejected by client"
Initial Comment:
Hi
There is a weird behaviour in opensips-tls. It happened to me 4 or 5 times in the last 3 months.
Sometimes I get a lot of messages like this in the logs:
"ERROR:core:tls_accept: New TLS connection from ip:port failed to accept: rejected by client"
This usually means that some TLS client which is not under my control is hammering on the SSL port, never completing a full SSL/TLS handshake.
But within a few minutes after these appear, nothing works on opensips anymore: you send an INVITE and it does not get relayed, nothing happens, it's just stuck. Then I firewall the IP from where the connection requests come from, and everything starts to work fine again.
Regards,
Dragos
PS: Vlad, thx for fixing bug #3570495. It does not crash anymore.
----------------------------------------------------------------------
>Comment By: Dragos Oancea (dragosoancea)
Date: 2012-11-08 05:53
Message:
anyone else experiencing this bad DoS ?
I only have TLS phones, and some of them are under development, so a single
TLS phone that goes crazy and cannot perform the SSL handshake for some
reason can put down the whole SIP proxy.
----------------------------------------------------------------------
Comment By: Dragos Oancea (dragosoancea)
Date: 2012-11-06 08:48
Message:
some info from /proc (not sure if it helps) :
http://pastebin.com/KULvTY8x
----------------------------------------------------------------------
Comment By: Dragos Oancea (dragosoancea)
Date: 2012-11-06 06:21
Message:
Hi
Some more info:
After opening 10 ssl connections and sending junk instead of an SSL handshake, things start to go wrong.
A legitimate TLS client (already REGISTERed) would try to send an INVITE.
This is what opensips shows in the logs instead of just relaying the INVITE:
Nov 6 15:05:10 [25062] DBG:core:send2child: to tcp child 0 0(25030), 0x7f39127846c0
Nov 6 15:05:10 [25030] DBG:core:handle_io: received n=8 con=0x7f39127846c0, fd=27
Nov 6 15:05:10 [25030] DBG:core:io_watch_add: io_watch_add(0x74a0a0, 27, 2, 0x7f39127846c0), fd_no=1
Nov 6 15:05:10 [25030] DBG:core:tls_update_fd: New fd is 27
Nov 6 15:05:10 [25030] ERROR:core:_tls_read: TLS connection to 80.187.x.x:39337 read failed
Nov 6 15:05:10 [25030] ERROR:core:_tls_read: TLS read error: 1
Nov 6 15:05:10 [25030] ERROR:core:tls_print_errstack: TLS errstack: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Nov 6 15:05:10 [25030] ERROR:core:tcp_read_req: failed to read
Nov 6 15:05:10 [25030] DBG:core:io_watch_del: io_watch_del (0x74a0a0, 27, -1, 0x10) fd_no=2 called
Nov 6 15:05:10 [25030] DBG:core:release_tcpconn: releasing con 0x7f39127846c0, state -2, fd=27, id=1343
Nov 6 15:05:10 [25030] DBG:core:release_tcpconn: extra_data 0x7f39127f0010
Nov 6 15:05:10 [25062] DBG:core:handle_tcp_child: reader response= 7f39127846c0, -2 from 0
Nov 6 15:05:10 [25062] DBG:core:tcpconn_destroy: destroying connection 0x7f39127846c0, flags 0002
Nov 6 15:05:10 [25062] DBG:core:tls_close: closing TLS connection
Nov 6 15:05:10 [25062] DBG:core:tls_update_fd: New fd is 83
Nov 6 15:05:10 [25062] DBG:core:tls_shutdown: first phase of 2-way handshake completed succesfuly
Nov 6 15:05:10 [25062] DBG:core:tls_tcpconn_clean: entered
Looks like the TCP/TLS connection gets closed. Why? It's the same client that completed the SSL handshake and it was registered just before this "attack". The problem is easily reproducible with the small bash script in my previous comment.
Regards,
Dragos
----------------------------------------------------------------------
Comment By: Dragos Oancea (dragosoancea)
Date: 2012-11-06 05:36
Message:
Hi
If I run this against my opensips-1.8.2-tls it will stop relaying INVITEs after less than 1 minute:
-------
#!/bin/bash
# Open a plain TCP connection to the TLS listener and send junk instead of
# a ClientHello, once per second, up to 1000 times. Replace X.X.X.X with
# the proxy address.
count=1
while [[ $count -le 1000 ]]
do
    echo "$count"
    echo "giberish" | nc X.X.X.X 5061
    sleep 1
    (( count++ ))
done
-------
I have:
open_files_limit=81920
tcp_max_connections=40960
It happens under VMWare with only two registered TLS clients on a test box.
Regards,
Dragos
----------------------------------------------------------------------
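The reporter's workaround is to firewall the source of the junk connections once the "rejected by client" messages pile up. The following script is an added example for this thread, not OpenSIPS code: it counts the two error messages quoted above per source address, flags sources that cross a threshold, and prints the firewall rules a sysadmin would apply by hand. The log lines are constructed to mirror the messages in the report, the threshold of 10 failures per source is an assumption taken from the reporter's observation that about 10 junk connections were enough, and the iptables rule shape and the 5061 port are assumptions as well. IPv4 only; "ip:port" splitting is ambiguous for IPv6 literals.

```python
"""Count OpenSIPS TLS accept/read failures per source IP and propose
firewall rules for sources that exceed a threshold (added example,
not part of OpenSIPS)."""

import re
from collections import Counter

# Error lines as quoted in the bug report.  The accept failure is what the
# junk sender produces; the read failure is what a legitimate client sees
# afterwards, so the two are counted separately and only the first is used
# for blocking decisions.
ACCEPT_REJECTED = re.compile(
    r"ERROR:core:tls_accept: New TLS connection from "
    r"(?P<ip>[0-9.]+):(?P<port>\d+) failed to accept: rejected by client"
)
READ_FAILED = re.compile(
    r"ERROR:core:_tls_read: TLS connection to "
    r"(?P<ip>[0-9.]+):(?P<port>\d+) read failed"
)

# Constructed sample log: 12 junk connections from one address, a single
# failure from another, and one collateral read failure of a real phone.
SAMPLE_LOG = [
    f"Nov  6 15:04:{i:02d} [25030] ERROR:core:tls_accept: New TLS connection "
    f"from 203.0.113.7:{40000 + i} failed to accept: rejected by client"
    for i in range(12)
] + [
    "Nov  6 15:04:30 [25031] ERROR:core:tls_accept: New TLS connection "
    "from 198.51.100.9:51234 failed to accept: rejected by client",
    "Nov  6 15:05:10 [25030] ERROR:core:_tls_read: TLS connection to "
    "192.0.2.5:39337 read failed",
    "Nov  6 15:05:10 [25030] ERROR:core:_tls_read: TLS read error: 1",
]


def failures_per_source(lines):
    """Return (accept_failures, read_failures) as Counters keyed by IP."""
    accept = Counter()
    read = Counter()
    for line in lines:
        m = ACCEPT_REJECTED.search(line)
        if m:
            accept[m.group("ip")] += 1
            continue
        m = READ_FAILED.search(line)
        if m:
            read[m.group("ip")] += 1
    return accept, read


def offenders(accept_counts, threshold=10):
    """Sources whose accept failures reach the (assumed) threshold."""
    return sorted(ip for ip, n in accept_counts.items() if n >= threshold)


def iptables_rules(ips, port=5061):
    """Rules to drop further connections from the offenders (assumed shape)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


def triage(lines, threshold=10, port=5061):
    """One-shot report: offenders, collateral read failures, proposed rules."""
    accept, read = failures_per_source(lines)
    bad = offenders(accept, threshold)
    return {
        "offenders": bad,
        "collateral": sorted(read),  # clients hit by the symptom, do not block
        "rules": iptables_rules(bad, port),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real opensips log with `triage(open("/var/log/syslog").read().splitlines())`; the addresses listed under "collateral" are the registered phones whose reads failed, which is the symptom rather than the cause, so they must not be blocked.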
More information about the Devel mailing list