[OpenSIPS-Users] opensips 1.7+tls problems
Ian Buckner
ian.buckner1 at googlemail.com
Wed Aug 31 13:44:49 CEST 2011
I just wanted to pick up on question 1 as I have the same problem and may have got slightly further in tracing this:
Using ssldump I see the following during the initial REGISTER operation:
On OpenSips 1.7.0
---------------------------
New TCP connection #8: 81.5.147.34(61584) <-> myserver(5672)
8 1 0.0996 (0.0996) C>S Handshake
ClientHello
Version 3.1
cipher suites
Unknown value 0x39
Unknown value 0x38
Unknown value 0x35
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0x33
Unknown value 0x32
Unknown value 0x2f
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
compression methods
NULL
8 2 0.1001 (0.0005) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
0a 84 43 7a 4b 15 d9 11 f9 ca 51 f2 33 30 c3 07
12 dd 35 a1 33 e1 43 fc 14 84 f6 0d 98 67 93 97
cipherSuite Unknown value 0x35
compressionMethod NULL
8 3 0.1001 (0.0000) S>C Handshake
Certificate
8 4 0.1001 (0.0000) S>C Handshake
ServerHelloDone
8 5 0.1546 (0.0545) C>S Handshake
ClientKeyExchange
8 6 0.1546 (0.0000) C>S ChangeCipherSpec
8 7 0.1546 (0.0000) C>S Handshake
8 8 0.1557 (0.0010) S>C ChangeCipherSpec
8 9 0.1557 (0.0000) S>C Handshake
8 10 0.2133 (0.0575) C>S application_data
8 11 0.2133 (0.0000) C>S application_data
8 12 0.2140 (0.0007) S>C application_data
Unknown SSL content type 83
8 13 0.2686 (0.0545) C>S Alert
8 14 0.2686 (0.0000) S>CShort record
8 15 0.2686 (0.0000) S>C Alert
8 16 0.2688 (0.0002) S>C Alert
8 0.2689 (0.0000) S>C TCP RST
i.e. an error on the first piece of application data sent from OpenSips back to the client. In my case, the Blink 1.2.0 client shows as registered (confirmed by opensipsctl ul show) but the TLS socket has been torn down.
Rolling back to 1.6.4-2, using the same certificates and TLS configuration:
On OpenSips 1.6.4-2
----------------------------
New TCP connection #7: 81.5.147.34(61303) <-> myserver(5672)
7 1 0.0806 (0.0806) C>S Handshake
ClientHello
Version 3.1
cipher suites
Unknown value 0x39
Unknown value 0x38
Unknown value 0x35
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0x33
Unknown value 0x32
Unknown value 0x2f
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
compression methods
NULL
7 2 0.0811 (0.0005) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
1b 63 c6 56 b0 aa 18 a0 57 3b 26 84 8a d8 5a d1
ae 71 b2 9f 87 ff 02 31 d3 33 4d 7f 51 71 73 2e
cipherSuite Unknown value 0x35
compressionMethod NULL
7 3 0.0811 (0.0000) S>C Handshake
Certificate
7 4 0.0811 (0.0000) S>C Handshake
ServerHelloDone
7 5 0.1364 (0.0552) C>S Handshake
ClientKeyExchange
7 6 0.1364 (0.0000) C>S ChangeCipherSpec
7 7 0.1364 (0.0000) C>S Handshake
7 8 0.1375 (0.0010) S>C ChangeCipherSpec
7 9 0.1375 (0.0000) S>C Handshake
7 10 0.1934 (0.0559) C>S application_data
7 11 0.1934 (0.0000) C>S application_data
7 12 0.1942 (0.0007) S>C application_data
7 13 0.2565 (0.0623) C>S application_data
7 14 0.2565 (0.0000) C>S application_data
7 15 0.2587 (0.0022) S>C application_data
Register succeeds, no error in the TLS channel, socket connection remains open for subsequent interactions.
@Yufei - perhaps you are able to confirm the same behaviour using ssldump too.
best regards,
Ian
More information about the Users
mailing list