[OpenSIPS-Devel] [opensips] TLS closing connection under a bit of load (sslv3 alert bad certificate) (#670)

Carlos Oliva carlos.oliva at numintec.com
Thu Oct 15 11:02:35 CEST 2015


Hi Răzvan!

Thanks for your response. Yes, I can decode with Wireshark. If you want, I
can send you a pcap (with successful and failed calls) and the private key
(obviously in a private mail).

The only "strange" thing I can see in Wireshark is that OpenSIPS sends to
the UAC a TLS Close Notify just after a segment of a reassembled PDU, like
this: Alert (Level: Warning, Description: Close Notify), but this reassembly
works well in another call.


Thank you very much for your help,

Carlos Oliva











2015-10-14 20:27 GMT+02:00 Răzvan Crainea <razvan at opensips.org>:

> Hi, Carlos!
>
> Each TLS connection has its own buffer, protected by a locking mechanism,
> so I don't see how data might get corrupted. Have you tried taking a
> wireshark capture to see if Wireshark manages to parse and validate the TLS
> sessions?
>
> Best regards,
>
> Răzvan Crainea
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
>
> On 10/14/2015 02:55 PM, Carlos Oliva wrote:
>
>> After some tests I was able to reproduce the issue with
>> tls_verify_client = 0 and tls_require_client_certificate = 0. The error
>> now is:
>> "ERROR:core:tls_print_errstack: TLS errstack: error:14094418:SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"
>>
>> It is always reproducible after some tests with a bit of load in the proxy.
>> I was not able to reproduce with only two registered AORs. Maybe (only a
>> supposition) the ssl buffer can be modified by another process while
>> reading and the data is corrupted?
>>
>> In case it can help, here is a new paste with debug=6:
>> http://pastebin.com/vCmitj0m
>>