[OpenSIPS-Users] TLS handshake failure: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
Nabeel
nabeelshikder at gmail.com
Mon Jun 22 06:26:33 CEST 2015
Hi,
I'm trying to set up OpenSIPS with TLS support and connecting to my server
with a SIP client (Lumicall - http://lumicall.org/).
The settings in my opensips.cfg file are as follows:
> listen=tls:87.xx.xxx.42:5061 as server0.domain.com:5061
>
> loadmodule "proto_tls.so"
> modparam("proto_tls", "verify_cert", "0")
> modparam("proto_tls", "require_cert", "0")
> modparam("proto_tls", "ciphers_list", "NULL")
> modparam("proto_tls", "tls_method", "SSLv23")
> modparam("proto_tls", "certificate", "/etc/ssl/public/*.domain.com.pem")
> modparam("proto_tls", "private_key", "/etc/ssl/private/*.domain.com-key.pem")
> modparam("proto_tls", "ca_list", "/etc/ssl/public/*.domain.com.pem")
> modparam("proto_tls", "ca_dir", "/etc/ssl/public/")
The certificates are from CAcert.org and the SIP client has built-in
support for the CAcert.org root certificates.
OpenSIPS starts successfully without errors and the following command shows
listening on the correct port:
# netstat -tapen | grep ":5061 "
> tcp 0 0 87.81.230.42:5061 0.0.0.0:* LISTEN 0 94449 6850/opensips
The command "netstat -tlp | grep 5061" returns no result. Testing the port
through remote services and with nmap shows the port is open:
nmap -p 5061 server0.domain.com
> Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-22 04:40 BST
> Nmap scan report for server0.domain.com (87.81.230.42)
> Host is up (0.000090s latency).
> PORT STATE SERVICE
> 5061/tcp open sip-tls
However, checking the connection with s_client shows a handshake failure:
# openssl s_client -connect server0.domain.com:5061 -showcerts -CAfile /etc/ssl/public/cacert.org.pem
> CONNECTED(00000003)
> 139762069984912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 295 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
Adding -servername server0.domain.com shows the same error.
Trying to connect to the server using the SIP client, with
username at server0.domain.com, also shows a handshake failure in Logcat:
> 06-21 18:33:31.790 20121-31973/com.domain I/IntegratedSipProvider﹕ no active connection found matching tls:87.xx.xxx.xx:5061
> 06-21 18:33:31.790 20121-31973/com.domain I/IntegratedSipProvider﹕ open tls connection to 87.xx.xxx.42:5061
> 06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Initializing SSLContext for first use
> 06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Adding the customKeyStore to trust manager for SSLContext
> 06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Connecting socket to 87.xx.xxx.42, port 5061
> 06-21 18:33:31.870 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Local address is: /10.155.115.36:47549
> 06-21 18:33:31.870 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Starting SSL handshake
> 06-21 18:33:31.980 20121-31973/com.domain W/org.zoolu.net.TcpSocket﹕ Exception while getting session/starting handshake
> 06-21 18:36:23.210 20121-1693/com.domain E/IntegratedSipProvider﹕ java.io.IOException: Failed to handshake
> SSLjavax.net.ssl.SSLHandshakeException: Handshake failed, Handshake failed
>     at org.zoolu.net.TcpSocket.<init>(TcpSocket.java:199)
>     at org.zoolu.sip.provider.TcpTransport.<init>(TcpTransport.java:152)
>     at org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1367)
>     at org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1297)
>     at org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1628)
>     at org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1608)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:237)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
>     at java.lang.Thread.run(Thread.java:818)
I tried setting TLSv1 as 'tls_method' in opensips config (instead of
SSLv23) but the same error occurred. Please advise how to resolve this SSL
handshake failure.
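The s_client line in the post records both where the handshake stopped and which side stopped it. As an added example, not code from the thread, Lumicall or OpenSIPS, here is a Python decoder for OpenSSL 1.0.x error lines: it splits the hex code into library and reason numbers and, when the reason is a received alert, names the TLS alert; the alert names and hints are assumptions taken from RFC 5246, and the sample is the post's own line, re-joined from the mail wrap.

```python
import re

# OpenSSL 1.0.x error line: [<thread>:]error:<8 hex>:<lib>:<func>:<reason>[:<file>:<line>]
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
    r"(?::(?P<file>[^:]+):(?P<line>\d+))?"
)
ERR_LIB_SSL = 20  # OpenSSL library number of the SSL/TLS routines

# TLS alert descriptions (RFC 5246 section 7.2). OpenSSL records an alert
# received from the peer as SSL-library reason code 1000 + <alert number>.
ALERT_NAMES = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version",
    80: "internal_error", 112: "unrecognized_name",
}
ALERT_HINTS = {  # what the alert usually means when seen from the client side
    "handshake_failure": "server accepted no protocol version or cipher suite "
                         "from the ClientHello; check its cipher list and tls_method",
    "unknown_ca": "server could not chain our certificate to a CA it trusts",
    "protocol_version": "server rejects the protocol version offered",
    "unrecognized_name": "server has no certificate for the SNI name sent",
}

def parse_openssl_error(text: str) -> dict:
    """Parse one s_client error line; mail-wrapped '> ' continuations are re-joined first."""
    joined = " ".join(re.sub(r"^\s*>\s?", "", ln) for ln in text.splitlines()).strip()
    m = ERR_RE.search(joined)
    if not m:
        raise ValueError("not an OpenSSL error line: %r" % text)
    code = int(m["code"], 16)
    lib_num, reason_num = code >> 24, code & 0xFFF   # top 8 bits / low 12 bits
    alert = reason_num - 1000 if lib_num == ERR_LIB_SSL and 1000 <= reason_num < 1256 else None
    return {"code": code, "lib": m["lib"], "func": m["func"], "reason": m["reason"],
            "file": m["file"], "line": int(m["line"]) if m["line"] else None,
            "lib_num": lib_num, "reason_num": reason_num, "peer_alert": alert}

def describe(err: dict) -> str:
    """One-line diagnosis: which side ended the handshake and the likely cause."""
    if err["peer_alert"] is None:
        return "local error in %s: %s" % (err["func"], err["reason"])
    name = ALERT_NAMES.get(err["peer_alert"], "alert %d" % err["peer_alert"])
    hint = ALERT_HINTS.get(name, "see RFC 5246 section 7.2")
    return "peer sent TLS alert %d (%s) during %s: %s" % (err["peer_alert"], name, err["func"], hint)

if __name__ == "__main__":
    # Constructed from the s_client output in the post, still wrapped as the mail shows it.
    sample = ("139762069984912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3\n"
              "> alert handshake failure:s23_clnt.c:770:")
    print(describe(parse_openssl_error(sample)))
```

For the line shown, reason 0x410 decodes to alert 40 (handshake_failure), so the server itself refused the ClientHello rather than the client rejecting a certificate; a ciphers_list of NULL, which OpenSSL reads as the eNULL no-encryption suites that clients do not offer, is the first setting to check.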