[OpenSIPS-Devel] [opensips] TLS closing connection under a bit of load (sslv3 alert bad certificate) (#670)

Carlos Oliva notifications at github.com
Fri Oct 9 18:46:34 CEST 2015


Using the latest 1.11.5 version (from GitHub) and 1.11.3, there seems to be a problem using TLS connections with mutual auth (require client certificate=1).

Under a bit of load (about 30 AORs) I started to see failed calls and the log messages:

ERROR:core:tls_print_errstack: TLS errstack: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
(with tls_verify_client = 1)

and

ERROR:core:tls_print_errstack: TLS errstack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
(with tls_verify_client = 0)

The errors seem to be random; the more load I have, the more errors I can see. The process is always the same:
OpenSIPS receives an INVITE with the certificate validated OK and challenges for a password. When the UAC sends another INVITE with the response to the challenge, the connection is dropped with a message like "SSL3_READ_BYTES:sslv3 alert bad certificate".

I tried changing the poll method, disabling TCP aliases, TCP sync and async mode, changing the MTU of the network, changing the proxy certificate, OpenSIPS versions... nothing seems to work.

OpenSIPS is compiled under Debian 8.2 and I tested with Grandstream phones and the Acrobits cloud softphone, with the same symptoms. Maybe there is a bug in the TLS stack?

I'll try to attach a full debug log to the issue (scrubbed). You can see the error at line 206 and the first INVITE at line 10.










---
Reply to this email directly or view it on GitHub:
https://github.com/OpenSIPS/opensips/issues/670