[OpenSIPS-Users] TLS handshake failure: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
Nabeel
nabeelshikder at gmail.com
Mon Jun 22 12:36:30 CEST 2015
Those were wildcard certificates, but I also tried with specific name
certificates (server0.domain.com) and got the same handshake failure error:
> loadmodule "proto_tls.so"
> modparam("proto_tls", "verify_cert", "0")
> modparam("proto_tls", "require_cert", "0")
> modparam("proto_tls", "ciphers_list", "NULL")
> modparam("proto_tls", "tls_method", "SSLv23")
> modparam("proto_tls", "certificate", "/etc/ssl/public/server0.domain.com.pem")
> modparam("proto_tls", "private_key", "/etc/ssl/private/server0.domain.com-key.pem")
> modparam("proto_tls", "ca_list", "/etc/ssl/public/server0.domain.com.pem")
> modparam("proto_tls", "ca_dir", "/etc/ssl/public/")
> # openssl s_client -connect server0.domain.com:5061 -showcerts -CAfile /etc/ssl/public/cacert.org.pem
> CONNECTED(00000003)
> 140697936070288:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 324 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
The same error occurs if I use the IP address in the above command:
> # openssl s_client -connect 87.xx.xxx.42:5061 -showcerts -CAfile /etc/ssl/public/cacert.org.pem
> CONNECTED(00000003)
> 140347232945808:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 295 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
I see the following error in OpenSIPS log when a client fails to connect:
> Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:core:io_watch_add: [TCP_worker] io_watch_add op (16 on 6) (0x8874c0, 16, 19, 0x7f5cc27ce1a0,1), fd_no=2/2077
> Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:proto_tls:tls_read_req: Using the global ( per process ) buff
> Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:proto_tls:tls_update_fd: New fd is 16
> Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: ERROR:proto_tls:tls_accept: New TLS connection from 87.81.230.42:45098 failed to accept: rejected by client
> Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
> Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:core:io_watch_del: [TCP_worker] io_watch_del op on index 0 16 (0x8874c0, 16, 0, 0x10,0x3) fd_no=3 called
> Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:core:tcpconn_release: releasing con 0x7f5cc27ce1a0, state -2, fd=-1, id=3
> Jun 22 11:28:03 server0 /usr/local/sbin/opensips[1963]: DBG:core:tcpconn_release: extra_data 0x7f5cc27dae98
On 22 June 2015 at 08:37, Răzvan Crainea <razvan at opensips.org> wrote:
> Hi, Nabeel!
>
> Are you using wildcards in your certificate name, or you just can't make
> the names public? Note that wildcards are not supported in OpenSIPS
> certificate/key's name.
> Are there any errors in OpenSIPS's logs?
>
> Best regards,
>
> Răzvan Crainea
> OpenSIPS Solutions
> www.opensips-solutions.com
>
> On 06/22/2015 07:26 AM, Nabeel wrote:
>
> Hi,
>
> I'm trying to set up OpenSIPS with TLS support and connecting to my
> server with a SIP client (Lumicall - http://lumicall.org/).
>
> The settings in my opensips.cfg file are as follows:
>
>> listen=tls:87.xx.xxx.42:5061 as server0.domain.com:5061
>>
>> loadmodule "proto_tls.so"
>> modparam("proto_tls", "verify_cert", "0")
>> modparam("proto_tls", "require_cert", "0")
>> modparam("proto_tls", "ciphers_list", "NULL")
>> modparam("proto_tls", "tls_method", "SSLv23")
>> modparam("proto_tls", "certificate", "/etc/ssl/public/*.domain.com.pem")
>> modparam("proto_tls", "private_key", "/etc/ssl/private/*.domain.com-key.pem")
>> modparam("proto_tls", "ca_list", "/etc/ssl/public/*.domain.com.pem")
>> modparam("proto_tls", "ca_dir", "/etc/ssl/public/")
>
> The certificates are from CAcert.org and the SIP client has built-in
> support for the CAcert.org root certificates.
>
> OpenSIPS starts successfully without errors and the following command
> shows listening on the correct port:
>
>> # netstat -tapen | grep ":5061 "
>> tcp 0 0 87.81.230.42:5061 0.0.0.0:* LISTEN 0 94449 6850/opensips
>
>
> The command "netstat -tlp | grep 5061" returns no result. Testing the
> port through remote services and with nmap shows the port is open:
>
>> nmap -p 5061 server0.domain.com
>> Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-22 04:40 BST
>> Nmap scan report for server0.domain.com (87.81.230.42)
>> Host is up (0.000090s latency).
>> PORT STATE SERVICE
>> 5061/tcp open sip-tls
>
>
> However, checking the connection with s_client shows a handshake failure:
>
>> # openssl s_client -connect server0.domain.com:5061 -showcerts -CAfile /etc/ssl/public/cacert.org.pem
>> CONNECTED(00000003)
>> 139762069984912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 295 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> ---
>
>
> Adding -servername server0.domain.com shows the same error.
>
> Trying to connect to the server using the SIP client, with
> username at server0.domain.com, also shows a handshake failure in Logcat:
>
>> 06-21 18:33:31.790 20121-31973/com.domain I/IntegratedSipProvider﹕ no active connection found matching tls:87.xx.xxx.xx:5061
>> 06-21 18:33:31.790 20121-31973/com.domain I/IntegratedSipProvider﹕ open tls connection to 87.xx.xxx.42:5061
>> 06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Initializing SSLContext for first use
>> 06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Adding the customKeyStore to trust manager for SSLContext
>> 06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Connecting socket to 87.xx.xxx.42, port 5061
>> 06-21 18:33:31.870 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Local address is: /10.155.115.36:47549
>> 06-21 18:33:31.870 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Starting SSL handshake
>> 06-21 18:33:31.980 20121-31973/com.domain W/org.zoolu.net.TcpSocket﹕ Exception while getting session/starting handshake
>> 06-21 18:36:23.210 20121-1693/com.domain E/IntegratedSipProvider﹕ java.io.IOException: Failed to handshake SSLjavax.net.ssl.SSLHandshakeException: Handshake failed, Handshake failed
>>     at org.zoolu.net.TcpSocket.<init>(TcpSocket.java:199)
>>     at org.zoolu.sip.provider.TcpTransport.<init>(TcpTransport.java:152)
>>     at org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1367)
>>     at org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1297)
>>     at org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1628)
>>     at org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1608)
>>     at java.util.concurrent.FutureTask.run(FutureTask.java:237)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
>>     at java.lang.Thread.run(Thread.java:818)
>
>
>
> I tried setting TLSv1 as 'tls_method' in opensips config (instead of
> SSLv23) but the same error occurred. Please advise how to resolve this SSL
> handshake failure.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
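Two checks a practitioner would run against the configuration and the s_client output in this thread, written here as an added example and not code from the thread or from OpenSIPS: a linter for the proto_tls modparam lines (the sample config is a retyped fragment of the one posted, used as test input) and a decoder for the single 7-byte TLS alert record that s_client reports having read. It assumes OpenSSL's cipher-string meaning of "NULL" (alias eNULL, the no-encryption suites) and that the installed proto_tls accepts a TLSv1_2 method name.

```python
import re

# Constructed sample: the proto_tls lines from the thread's opensips.cfg,
# retyped here as test input (not the poster's actual file).
SAMPLE_CFG = '''
loadmodule "proto_tls.so"
modparam("proto_tls", "verify_cert", "0")
modparam("proto_tls", "require_cert", "0")
modparam("proto_tls", "ciphers_list", "NULL")
modparam("proto_tls", "tls_method", "SSLv23")
'''

MODPARAM_RE = re.compile(r'modparam\("proto_tls",\s*"(\w+)",\s*"([^"]*)"\)')

def tls_params(cfg_text):
    """Map proto_tls modparam name -> value for an opensips.cfg fragment."""
    return dict(MODPARAM_RE.findall(cfg_text))

def lint_tls_params(params):
    """Return findings for settings that break or weaken the TLS handshake."""
    findings = []
    ciphers = params.get("ciphers_list", "").strip().upper()
    # In OpenSSL cipher-string syntax "NULL" (alias eNULL) selects only the
    # no-encryption suites. Clients never offer those, so the server finds no
    # common suite and answers every ClientHello with a handshake_failure alert.
    if ciphers in ("NULL", "ENULL"):
        findings.append("ciphers_list=%s offers only no-encryption suites; "
                        "drop the parameter or name real suites" % params["ciphers_list"])
    if params.get("tls_method", "").upper().startswith("SSLV"):
        findings.append("tls_method=%s allows SSLv3; prefer a TLSv1_2 or newer method"
                        % params["tls_method"])
    return findings

# TLS alert descriptions seen in this kind of failure (RFC 5246, section 7.2).
ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate",
              48: "unknown_ca", 70: "protocol_version"}

def parse_tls_alert(record):
    """Decode one TLS alert record: 5-byte header (type 0x15) plus a 2-byte
    (level, description) body. s_client's 'read 7 bytes' is exactly one of these.
    Returns (level, description), or None if the bytes are not a plain alert."""
    if len(record) != 7 or record[0] != 0x15:
        return None
    if int.from_bytes(record[3:5], "big") != 2:
        return None
    level = "fatal" if record[5] == 2 else "warning"
    return level, ALERT_DESC.get(record[6], "alert_%d" % record[6])
```

Run on the posted fragment, the linter flags ciphers_list first, which is consistent with a server that aborts before sending any certificate ("no peer certificate available") and with OpenSIPS logging the rejection as "rejected by client".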