[OpenSIPS-Users] Users Digest, Vol 38, Issue 2

Yufei Tao yufei.tao at redembedded.com
Fri Sep 2 12:15:19 CEST 2011


Hi

Yes, I did an ssldump and got the same results - with opensips 1.7.0 there
is an 'alert', which isn't present with opensips 1.6.4.

Yufei
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 1 Sep 2011 09:12:22 +0100
> From: Ian Buckner <ian.buckner1 at googlemail.com>
> Subject: Re: [OpenSIPS-Users] opensips 1.7+tls problems
> To: users at lists.opensips.org
> Message-ID: <7FF98753-BAA8-4941-94F0-61C4C68240C4 at gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> I just wanted to pick up on question 1 as I have the same problem and may have got slightly further in tracing this:
>
> Using ssldump I see the following during the initial REGISTER operation:
>
> On OpenSips 1.7.0
> ---------------------------
> New TCP connection #8: 81.5.147.34(61584) <-> myserver(5672)
> 8 1  0.0996 (0.0996)  C>S  Handshake
>      ClientHello
>        Version 3.1
>        cipher suites
>        Unknown value 0x39
>        Unknown value 0x38
>        Unknown value 0x35
>        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>        TLS_RSA_WITH_3DES_EDE_CBC_SHA
>        Unknown value 0x33
>        Unknown value 0x32
>        Unknown value 0x2f
>        TLS_RSA_WITH_RC4_128_SHA
>        TLS_RSA_WITH_RC4_128_MD5
>        TLS_DHE_RSA_WITH_DES_CBC_SHA
>        TLS_DHE_DSS_WITH_DES_CBC_SHA
>        TLS_RSA_WITH_DES_CBC_SHA
>        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
>        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
>        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
>        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>        TLS_RSA_EXPORT_WITH_RC4_40_MD5
>        compression methods
>                  NULL
> 8 2  0.1001 (0.0005)  S>C  Handshake
>      ServerHello
>        Version 3.1
>        session_id[32]=
>          0a 84 43 7a 4b 15 d9 11 f9 ca 51 f2 33 30 c3 07
>          12 dd 35 a1 33 e1 43 fc 14 84 f6 0d 98 67 93 97
>        cipherSuite         Unknown value 0x35
>        compressionMethod                   NULL
> 8 3  0.1001 (0.0000)  S>C  Handshake
>      Certificate
> 8 4  0.1001 (0.0000)  S>C  Handshake
>      ServerHelloDone
> 8 5  0.1546 (0.0545)  C>S  Handshake
>      ClientKeyExchange
> 8 6  0.1546 (0.0000)  C>S  ChangeCipherSpec
> 8 7  0.1546 (0.0000)  C>S  Handshake
> 8 8  0.1557 (0.0010)  S>C  ChangeCipherSpec
> 8 9  0.1557 (0.0000)  S>C  Handshake
> 8 10 0.2133 (0.0575)  C>S  application_data
> 8 11 0.2133 (0.0000)  C>S  application_data
> 8 12 0.2140 (0.0007)  S>C  application_data
> Unknown SSL content type 83
> 8 13 0.2686 (0.0545)  C>S  Alert
> 8 14 0.2686 (0.0000)  S>CShort record
> 8 15 0.2686 (0.0000)  S>C  Alert
> 8 16 0.2688 (0.0002)  S>C  Alert
> 8    0.2689 (0.0000)  S>C  TCP RST
>
> i.e. an error on the first piece of application data sent from OpenSips back to the client. In my case, the Blink 1.2.0 client shows as registered (confirmed by opensipsctl ul show) but the TLS socket has been torn down.
>
> Rolling back to 1.6.4-2, using the same certificates and TLS configuration:
>
> On OpenSips 1.6.4-2
> ----------------------------
> New TCP connection #7: 81.5.147.34(61303) <-> myserver(5672)
> 7 1  0.0806 (0.0806)  C>S  Handshake
>      ClientHello
>        Version 3.1
>        cipher suites
>        Unknown value 0x39
>        Unknown value 0x38
>        Unknown value 0x35
>        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>        TLS_RSA_WITH_3DES_EDE_CBC_SHA
>        Unknown value 0x33
>        Unknown value 0x32
>        Unknown value 0x2f
>        TLS_RSA_WITH_RC4_128_SHA
>        TLS_RSA_WITH_RC4_128_MD5
>        TLS_DHE_RSA_WITH_DES_CBC_SHA
>        TLS_DHE_DSS_WITH_DES_CBC_SHA
>        TLS_RSA_WITH_DES_CBC_SHA
>        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
>        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
>        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
>        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>        TLS_RSA_EXPORT_WITH_RC4_40_MD5
>        compression methods
>                  NULL
> 7 2  0.0811 (0.0005)  S>C  Handshake
>      ServerHello
>        Version 3.1
>        session_id[32]=
>          1b 63 c6 56 b0 aa 18 a0 57 3b 26 84 8a d8 5a d1
>          ae 71 b2 9f 87 ff 02 31 d3 33 4d 7f 51 71 73 2e
>        cipherSuite         Unknown value 0x35
>        compressionMethod                   NULL
> 7 3  0.0811 (0.0000)  S>C  Handshake
>      Certificate
> 7 4  0.0811 (0.0000)  S>C  Handshake
>      ServerHelloDone
> 7 5  0.1364 (0.0552)  C>S  Handshake
>      ClientKeyExchange
> 7 6  0.1364 (0.0000)  C>S  ChangeCipherSpec
> 7 7  0.1364 (0.0000)  C>S  Handshake
> 7 8  0.1375 (0.0010)  S>C  ChangeCipherSpec
> 7 9  0.1375 (0.0000)  S>C  Handshake
> 7 10 0.1934 (0.0559)  C>S  application_data
> 7 11 0.1934 (0.0000)  C>S  application_data
> 7 12 0.1942 (0.0007)  S>C  application_data
> 7 13 0.2565 (0.0623)  C>S  application_data
> 7 14 0.2565 (0.0000)  C>S  application_data
> 7 15 0.2587 (0.0022)  S>C  application_data
>
> Register succeeds, no error in the TLS channel, socket connection remains open for subsequent interactions.
>
> @Yufei - perhaps you are able to confirm the same behaviour using ssldump too.
>
>
> best regards,
>
> Ian
>
>

--
Yufei Tao
Red Embedded
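
As an added example (not part of either poster's message), this Python sketch finds the first abnormal event in ssldump record output and the record that preceded it, which is the comparison made by eye between the two traces above. The samples are abridged from the quoted traces, and the function and field names are assumptions of this example.

```python
import re

# Constructed samples: record lines abridged from the two traces quoted above.
TRACE_170 = """\
> 8 11 0.2133 (0.0000)  C>S  application_data
> 8 12 0.2140 (0.0007)  S>C  application_data
> Unknown SSL content type 83
> 8 13 0.2686 (0.0545)  C>S  Alert
> 8 14 0.2686 (0.0000)  S>CShort record
> 8 15 0.2686 (0.0000)  S>C  Alert
> 8    0.2689 (0.0000)  S>C  TCP RST
"""
TRACE_164 = """\
> 7 12 0.1942 (0.0007)  S>C  application_data
> 7 13 0.2565 (0.0623)  C>S  application_data
> 7 15 0.2587 (0.0022)  S>C  application_data
"""

# connection, optional record number, time, delta, direction, record kind
RECORD = re.compile(r"^(\d+)\s+(?:(\d+)\s+)?[\d.]+\s+\([\d.]+\)\s+([CS]>[CS])\s*(.+)$")
UNKNOWN = re.compile(r"^Unknown SSL content type (\d+)$")
ABNORMAL = {"Alert", "Short record", "TCP RST"}
TLS_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data


def first_anomalies(trace):
    """Map each connection id to its first abnormal event and the record before it."""
    last, found, current = {}, {}, None
    for raw in trace.splitlines():
        line = re.sub(r"^>\s?", "", raw).rstrip()  # accept mail-quoted output
        unknown, record = UNKNOWN.match(line), RECORD.match(line)
        if unknown and current is not None:
            # Assumption: the message belongs to the connection of the previous
            # record line, and ssldump prints the type byte in decimal.
            conn, value = current, int(unknown.group(1))
            event = {"kind": "unknown content type", "value": value,
                     "valid_tls_type": value in TLS_TYPES, "as_byte": chr(value)}
        elif record:
            conn, num, direction, kind = record.groups()
            current = conn
            if kind not in ABNORMAL:
                last[conn] = (int(num) if num else None, direction, kind)
                continue
            event = {"kind": kind, "direction": direction}
        else:
            continue
        found.setdefault(conn, {"event": event, "after": last.get(conn)})
    return found
```

On the 1.7.0 sample the first finding for connection 8 is the unknown content type reported right after record 12; the 1.6.4 sample yields no findings.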
