[OpenSIPS-Devel] [ opensips-Bugs-3581600 ] TLS: "failed to accept: rejected by client"

SourceForge.net noreply at sourceforge.net
Thu Nov 8 14:53:50 CET 2012


Bugs item #3581600, was opened at 2012-10-29 04:56
Message generated for change (Comment added) made by dragosoancea
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3581600&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: 1.8.x
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Dragos Oancea (dragosoancea)
Assigned to: Nobody/Anonymous (nobody)
Summary: TLS:  "failed to accept: rejected by client"

Initial Comment:
Hi

There is a weird behaviour in opensips-tls. It happened to me a 4 or 5 times in the last 3 months.
Sometimes I get a lot of messages like this in the logs:
"ERROR:core:tls_accept: New TLS connection from ip:port failed to accept: rejected by client"
This usually means that some TLS client which is not under my control is hammering on the SSL port, never completing a full SSL/TLS handshake. 
But whithin few minutes after these appear, nothing works on opensips anymore, you send an INVITE and it does not get relay-ed, nothing hapends , it's just stuck. Then I firewall the IP from where the connection requests come from, and everything starts to work fine again.


Regards,
Dragos

PS: Vlad, thx for fixing bug #3570495. It does not crash anymore. 

----------------------------------------------------------------------

>Comment By: Dragos Oancea (dragosoancea)
Date: 2012-11-08 05:53

Message:
anyone else experiencing this bad DoS ? 
I only have TLS phones, and some of them are under development, so a single
TLS phone that goes crazy and cannot perform the SSL handshake for some
reason can put down the whole SIP proxy. 

----------------------------------------------------------------------

Comment By: Dragos Oancea (dragosoancea)
Date: 2012-11-06 08:48

Message:
some info from /proc (not sure if it helps) :

http://pastebin.com/KULvTY8x

----------------------------------------------------------------------

Comment By: Dragos Oancea (dragosoancea)
Date: 2012-11-06 06:21

Message:
Hi

Some more info: 

After opening 10 ssl connections and sending junk instead of an SSL
handshake, things start to go wrong. 
A legitimate TLS client  (already REGISTERed) would try to send an INVITE. 
This is what opensips shows in the logs instead  of just relay-ing the
INVITE :

Nov  6 15:05:10 [25062] DBG:core:send2child: to tcp child 0 0(25030),
0x7f39127846c0
Nov  6 15:05:10 [25030] DBG:core:handle_io: received n=8
con=0x7f39127846c0, fd=27
Nov  6 15:05:10 [25030] DBG:core:io_watch_add: io_watch_add(0x74a0a0, 27,
2, 0x7f39127846c0), fd_no=1
Nov  6 15:05:10 [25030] DBG:core:tls_update_fd: New fd is 27
Nov  6 15:05:10 [25030] ERROR:core:_tls_read: TLS connection to
80.187.x.x:39337 read failed
Nov  6 15:05:10 [25030] ERROR:core:_tls_read: TLS read error: 1
Nov  6 15:05:10 [25030] ERROR:core:tls_print_errstack: TLS errstack:
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Nov  6 15:05:10 [25030] ERROR:core:tcp_read_req: failed to read 
Nov  6 15:05:10 [25030] DBG:core:io_watch_del: io_watch_del (0x74a0a0, 27,
-1, 0x10) fd_no=2 called
Nov  6 15:05:10 [25030] DBG:core:release_tcpconn:  releasing con
0x7f39127846c0, state -2, fd=27, id=1343
Nov  6 15:05:10 [25030] DBG:core:release_tcpconn:  extra_data
0x7f39127f0010
Nov  6 15:05:10 [25062] DBG:core:handle_tcp_child: reader response=
7f39127846c0, -2 from 0 
Nov  6 15:05:10 [25062] DBG:core:tcpconn_destroy: destroying connection
0x7f39127846c0, flags 0002
Nov  6 15:05:10 [25062] DBG:core:tls_close: closing TLS connection
Nov  6 15:05:10 [25062] DBG:core:tls_update_fd: New fd is 83
Nov  6 15:05:10 [25062] DBG:core:tls_shutdown: first phase of 2-way
handshake completed succesfuly
Nov  6 15:05:10 [25062] DBG:core:tls_tcpconn_clean: entered

Looks like the TCP/TLS connection gets closed. Why ? It's the same client
that completed the SSL handshake and it was registered just before this
"attack" . The problem is easily reproduce-able with the small bash script
in my previous comment.  

Regards,
Dragos  

----------------------------------------------------------------------

Comment By: Dragos Oancea (dragosoancea)
Date: 2012-11-06 05:36

Message:
Hi 

If I run this against my opensips-1.8.2-tls it will stop relay-ing INIVITEs
after less than 1 minute:

-------
#!/bin/bash 

count=1
while [[ $count -le 1000 ]]
do
    echo "$count"
    echo "giberish" | nc X.X.X.X 5061     
    sleep 1
    (( count++ ))       

done
-------

I have:
open_files_limit=81920
tcp_max_connections=40960

It happens under VMWare with only two registered TLS clients on a test box.


Regards,
Dragos

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3581600&group_id=232389



More information about the Devel mailing list