[OpenSIPS-Users] TLS connection problem

Yury Kirsanov y.kirsanov at gmail.com
Tue Apr 23 05:08:01 EDT 2019


Hi,
I'm getting a problem connecting to one of my uplink peers; every time I
can see this error:

Apr 23 19:01:04 INFO:core:probe_max_sock_buff: using snd buffer of 416 kb
Apr 23 19:01:04 INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 6
Apr 23 19:01:04 ERROR:core:tcp_connect_blocking_timeout: timeout 99221 ms elapsed from 100000 s
Apr 23 19:01:04 ERROR:proto_tls:tls_sync_connect: tcp_blocking_connect failed
Apr 23 19:01:04 ERROR:proto_tls:proto_tls_send: connect failed
Apr 23 19:01:04 ERROR:tm:msg_send: send() to X.X.X.X:5061 for proto tls/3 failed
Apr 23 19:01:04 ERROR:tm:t_forward_nonack: sending request failed

At the very same time, from the same server, I can issue a curl -vvvI
https://X.X.X.X:5061 and it connects fine, gets the SSL certificate and
validates it fine too. Also, I can connect with telnet on that port without
any issues. But every time OpenSIPS tries to connect, it just logs the error
above. From tcpdump I can see that the server has replied and OpenSIPS
immediately sent a TCP RESET packet:

19:01:50.337572 IP OpenSIPS.42145 > X.X.X.X.5061: Flags [S], seq 2223035123, win 29200, options [mss 1460,sackOK,TS val 1224726953 ecr 0,nop,wscale 7], length 0
.-..p%.PV.gx..E..<*. at .@...g]R.4rK...............r.9%.........
H...........
19:01:50.634142 IP X.X.X.X.5061 > OpenSIPS.42145: Flags [S.], seq 4293652737, ack 2223035124, win 8192, options [mss 1440,nop,wscale 8,sackOK,TS val 789606171 ecr 1224726953], length 0
.PV.gx.-..p%..E..<`<@.d.}.4rK.g]R............... .-n.............
/.o.H...
19:01:50.634219 IP OpenSIPS.42145 > X.X.X.X.5061: Flags [R], seq 2223035124, win 0, length 0
.-..p%.PV.gx..E..(^q at .@..hg]R.4rK.............P...g...

I've got a very basic TLS configuration on my server, here it is:

modparam("tls_mgm", "tls_method", "TLSv1_2")
modparam("tls_mgm", "tls_handshake_timeout", 20000)
modparam("tls_mgm", "tls_send_timeout", 20000)

modparam("tls_mgm", "client_domain_avp", "tls_sip_dom")

modparam("tls_mgm", "ca_list", "/etc/opensips/ssl/ca_list.crt")
modparam("tls_mgm", "certificate", "/etc/opensips/ssl/wildcard.crt")
modparam("tls_mgm", "private_key", "/etc/opensips/ssl/wildcard.pem")
modparam("tls_mgm", "verify_cert", "0")
modparam("tls_mgm", "require_cert", "0")

loadmodule "proto_udp.so"
loadmodule "proto_hep.so"

loadmodule "proto_tls.so"
modparam("proto_tls", "tls_port", 7061)

In the routing logic script I'm doing this (it's a test server so I'm only
trying to connect via TLS):

add_uri_param("transport=TLS");
rewritehostport("X.X.X.X:5061");
t_relay("tls:X.X.X.X:5061");

Any ideas why this may be happening? Thanks a lot!

Best regards,
Yury.
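
Added example, not part of the original post and not OpenSIPS code: a small Python helper that reads tcpdump header lines like the ones in the capture above and reports which side ended the TCP handshake and how long each step took. The function names are hypothetical; the sample input is the three header lines from the post with the options fields trimmed.

```python
import re
from datetime import datetime

# Header lines from the capture in the post, joined onto single lines with the
# TCP options trimmed; host names and the masked address are as the post shows them.
CAPTURE = """\
19:01:50.337572 IP OpenSIPS.42145 > X.X.X.X.5061: Flags [S], seq 2223035123, win 29200, length 0
19:01:50.634142 IP X.X.X.X.5061 > OpenSIPS.42145: Flags [S.], seq 4293652737, ack 2223035124, win 8192, length 0
19:01:50.634219 IP OpenSIPS.42145 > X.X.X.X.5061: Flags [R], seq 2223035124, win 0, length 0
"""

HDR = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}) IP (\S+) > (\S+): Flags \[([A-Z.]+)\]")

def parse(text):
    """Return (timestamp, src, dst, flags) for each tcpdump header line."""
    out = []
    for line in text.splitlines():
        m = HDR.match(line)
        if m:  # payload dump lines do not match and are skipped
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            out.append((ts, m.group(2), m.group(3), m.group(4)))
    return out

def classify_handshake(text):
    """Classify the first connection attempt (first bare SYN) in the capture."""
    pkts = parse(text)
    syn = next((p for p in pkts if p[3] == "S"), None)
    if syn is None:
        return {"verdict": "no SYN seen"}
    client, server = syn[1], syn[2]
    result = {"client": client, "server": server, "verdict": "no reply to SYN"}
    synack = None
    for ts, src, dst, flags in pkts[pkts.index(syn) + 1:]:
        if (src, dst) == (server, client) and flags == "S.":
            synack = ts
            result["synack_ms"] = (ts - syn[0]).total_seconds() * 1000
            result["verdict"] = "SYN-ACK received, handshake not completed"
        elif (src, dst) == (server, client) and "R" in flags:
            result["verdict"] = "refused by server"
            break
        elif (src, dst) == (client, server) and "R" in flags and synack is not None:
            result["rst_after_synack_us"] = (ts - synack).total_seconds() * 1e6
            result["verdict"] = "aborted by client after SYN-ACK"
            break
        elif (src, dst) == (client, server) and flags == ".":
            result["verdict"] = "TCP handshake completed"
            break
    return result
```

On the capture above, classify_handshake(CAPTURE) reports that the SYN-ACK arrived about 297 ms after the SYN and that the reset was sent by the local side about 77 microseconds later, so the peer answered and the abort came from the OpenSIPS host.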