[OpenSIPS-Users] opensips 1.7+tls problems

Thu Sep 1 10:12:22 CEST 2011

I just wanted to pick up on question 1 as I have the same problem and may have got slightly further in tracing this:

Using ssldump I see the following during the initial REGISTER operation:

On OpenSips 1.7.0
---------------------------
New TCP connection #8: 81.5.147.34(61584) <-> myserver(5672)
8 1  0.0996 (0.0996)  C>S  Handshake
     ClientHello
       Version 3.1 
       cipher suites
       Unknown value 0x39
       Unknown value 0x38
       Unknown value 0x35
       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
       TLS_RSA_WITH_3DES_EDE_CBC_SHA
       Unknown value 0x33
       Unknown value 0x32
       Unknown value 0x2f
       TLS_RSA_WITH_RC4_128_SHA
       TLS_RSA_WITH_RC4_128_MD5
       TLS_DHE_RSA_WITH_DES_CBC_SHA
       TLS_DHE_DSS_WITH_DES_CBC_SHA
       TLS_RSA_WITH_DES_CBC_SHA
       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
       TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
       TLS_RSA_EXPORT_WITH_RC4_40_MD5
       compression methods
                 NULL
8 2  0.1001 (0.0005)  S>C  Handshake
     ServerHello
       Version 3.1 
       session_id[32]=
         0a 84 43 7a 4b 15 d9 11 f9 ca 51 f2 33 30 c3 07 
         12 dd 35 a1 33 e1 43 fc 14 84 f6 0d 98 67 93 97 
       cipherSuite         Unknown value 0x35
       compressionMethod                   NULL
8 3  0.1001 (0.0000)  S>C  Handshake
     Certificate
8 4  0.1001 (0.0000)  S>C  Handshake
     ServerHelloDone
8 5  0.1546 (0.0545)  C>S  Handshake
     ClientKeyExchange
8 6  0.1546 (0.0000)  C>S  ChangeCipherSpec
8 7  0.1546 (0.0000)  C>S  Handshake
8 8  0.1557 (0.0010)  S>C  ChangeCipherSpec
8 9  0.1557 (0.0000)  S>C  Handshake
8 10 0.2133 (0.0575)  C>S  application_data
8 11 0.2133 (0.0000)  C>S  application_data
8 12 0.2140 (0.0007)  S>C  application_data
Unknown SSL content type 83
8 13 0.2686 (0.0545)  C>S  Alert
8 14 0.2686 (0.0000)  S>CShort record
8 15 0.2686 (0.0000)  S>C  Alert
8 16 0.2688 (0.0002)  S>C  Alert
8    0.2689 (0.0000)  S>C  TCP RST

i.e. an error on the first piece of application data sent from OpenSips back to the client. In my case, the Blink 1.2.0 client shows as registered (confirmed by opensipsctl ul show) but the TLS socket has been torn down.

Rolling back to 1.6.4-2, using the same certificates and TLS configuration:

On OpenSips 1.6.4-2
----------------------------
New TCP connection #7: 81.5.147.34(61303) <-> myserver(5672)
7 1  0.0806 (0.0806)  C>S  Handshake
     ClientHello
       Version 3.1 
       cipher suites
       Unknown value 0x39
       Unknown value 0x38
       Unknown value 0x35
       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
       TLS_RSA_WITH_3DES_EDE_CBC_SHA
       Unknown value 0x33
       Unknown value 0x32
       Unknown value 0x2f
       TLS_RSA_WITH_RC4_128_SHA
       TLS_RSA_WITH_RC4_128_MD5
       TLS_DHE_RSA_WITH_DES_CBC_SHA
       TLS_DHE_DSS_WITH_DES_CBC_SHA
       TLS_RSA_WITH_DES_CBC_SHA
       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
       TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
       TLS_RSA_EXPORT_WITH_RC4_40_MD5
       compression methods
                 NULL
7 2  0.0811 (0.0005)  S>C  Handshake
     ServerHello
       Version 3.1 
       session_id[32]=
         1b 63 c6 56 b0 aa 18 a0 57 3b 26 84 8a d8 5a d1 
         ae 71 b2 9f 87 ff 02 31 d3 33 4d 7f 51 71 73 2e 
       cipherSuite         Unknown value 0x35
       compressionMethod                   NULL
7 3  0.0811 (0.0000)  S>C  Handshake
     Certificate
7 4  0.0811 (0.0000)  S>C  Handshake
     ServerHelloDone
7 5  0.1364 (0.0552)  C>S  Handshake
     ClientKeyExchange
7 6  0.1364 (0.0000)  C>S  ChangeCipherSpec
7 7  0.1364 (0.0000)  C>S  Handshake
7 8  0.1375 (0.0010)  S>C  ChangeCipherSpec
7 9  0.1375 (0.0000)  S>C  Handshake
7 10 0.1934 (0.0559)  C>S  application_data
7 11 0.1934 (0.0000)  C>S  application_data
7 12 0.1942 (0.0007)  S>C  application_data
7 13 0.2565 (0.0623)  C>S  application_data
7 14 0.2565 (0.0000)  C>S  application_data
7 15 0.2587 (0.0022)  S>C  application_data

Register succeeds, no error in the TLS channel, socket connection remains open for subsequent interactions.

@Yufei - perhaps you are able to confirm the same behaviour using ssldump too.

best regards,

Ian