[OpenSIPS-Users] Opensips error
Govindaraj, Rajesh
Rajesh.Govindaraj at ipc.com
Tue May 15 12:09:48 EDT 2018
Hi Bogdan,
In this case, the TLS session is established fine and previous messages from the endpoint is received by the server and it fails on reading a new message after session established. Please see details below and also logs.
Please find the details of this issue below,
10.204.34.62 is the end point communicating with IPC Server(10.204.5.134) with opensips running. Version 1.11.5
In the logs, the endpoint has 3 TLS sessions.
The first was pre-established and fails on tyring to read INVITE msg which is fragmented. It has received a PUBLISH msg and responded to that publish message before processing the INVITE.
2018-05-11T11:23:16.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS connection to 10.204.34.62:51519 read failed
2018-05-11T11:23:16.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS read error: 1
2018-05-11T11:23:16.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
The second TLS session was established and again receives PUBLISH and then fails while processing INVITE.
2018-05-11T11:24:05.000-04:00 [local2] [debug] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: DBG:core:tls_update_fd: New fd is 46
2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS connection to 10.204.34.62:52094 read failed
2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS read error: 1
2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
The third TLS session was established and again receives PUBLISh and then INVITE is also processed successfully. At time
Opensips logs is also attached in debug mode.
The opensips config file is also attached.
The error indicates no certificate but this end point seems to present the certificate as seen while TLS session establishment in case 2&case 3. Also this issue is seen randomly. Attaching the ZoneInternal.key to decode the pcap file.
11:24:37 is the time.
2018-05-11T11:24:37.000-04:00 [local2] [debug] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: DBG:core:_tls_read: 2194 bytes read
Thanks so much for the time,
version: opensips 1.11.5-tls (x86_64/linux)
flags: STATS: On, EXTRA_DEBUG, USE_IPV6, USE_TCP, USE_TLS, DISABLE_NAGLE, USE_MCAST, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
git revision: 2b3a3ea
main.c compiled on 15:24:32 Sep 15 2015 with gcc 4.4.7
From: Bogdan-Andrei Iancu [mailto:bogdan at opensips.org]
Sent: Tuesday, May 15, 2018 3:41 AM
To: OpenSIPS users mailling list <users at lists.opensips.org>; Govindaraj, Rajesh <Rajesh.Govindaraj at ipc.com>
Subject: Re: [OpenSIPS-Users] Opensips error
Hi,
First of all, carefully read the logs you get as they provide *a lot* of useful hints.
The key log is "SSL3_GET_CLIENT_CERTIFICATE:no certificate returned" - that means the other party did not presented a SSL ceritificate, while your TLS setup for that domain do require one (see the require_certificate option).
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
OpenSIPS Summit 2018
http://www.opensips.org/events/Summit-2018Amsterdam
On 05/14/2018 11:45 PM, Govindaraj, Rajesh wrote:
Hi folks,
Please provide any pointers if you might have.
Thanks,
From: Govindaraj, Rajesh
Sent: Friday, May 11, 2018 5:37 PM
To: users at lists.opensips.org<mailto:users at lists.opensips.org>
Subject: Opensips error
Hi,
In a production environment, the below error is seen. The TLS handshake is fine and messages are being exchanged as seen from pcap and when one of the TCP message is read,
2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS connection to 10.204.34.62:52094 read failed
2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS read error: 1
2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
This error is seen. TLS read error: 1 indicates SSL_ERROR_SSL. Checking the pcap for success and failure case, they are no abnormalities. It fails for only one user randomly. Today in our test it failed twice with the same error when reading a TLS packet. TLS session establishment is fine. Any pointers would really help.
Thanks,
Rajeshkumar Govindaraj
Software Engineer
777 Commerce Drive,
Fairfield, CT-06825
T +1 201 253 7803 • M +1 475 439 9918 • E Rajesh.Govindaraj at ipc.com<mailto:Rajesh.Govindaraj at ipc.com>
Follow us on twitter: @ipc_Systems_Inc www.ipc.com<http://www.ipc.com/>
[cid:image006.jpg at 01D1940F.3E021840]
DISCLAIMER: This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Unintended recipients are prohibited from taking action on the basis of information in this e-mail. E-mail messages may contain computer viruses or other defects, may not be accurately replicated on other systems, or may be intercepted, deleted or interfered with without the knowledge of the sender or the intended recipient. If you are not comfortable with the risks associated with e-mail messages, you may decide not to use e-mail to communicate with IPC. IPC reserves the right, to the extent and under circumstances permitted by applicable law, to retain, monitor and intercept e-mail messages to and from its systems.
_______________________________________________
Users mailing list
Users at lists.opensips.org<mailto:Users at lists.opensips.org>
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20180515/0ee5d4c0/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 5263 bytes
Desc: image001.jpg
URL: <http://lists.opensips.org/pipermail/users/attachments/20180515/0ee5d4c0/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: opensips_logs.zip
Type: application/x-zip-compressed
Size: 487019 bytes
Desc: opensips_logs.zip
URL: <http://lists.opensips.org/pipermail/users/attachments/20180515/0ee5d4c0/attachment-0001.bin>
More information about the Users
mailing list