<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.pl-en
{mso-style-name:pl-en;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi Bogdan,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">In this case, the TLS session is established fine and previous messages from the endpoint is received by the server and it fails on reading a new message after session established. Please see details below and
also logs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Please find the details of this issue below,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">10.204.34.62 is the end point communicating with IPC Server(10.204.5.134) with opensips running. Version 1.11.5<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">In the logs, the endpoint has 3 TLS sessions.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The first was pre-established and fails on tyring to read INVITE msg which is fragmented. It has received a PUBLISH msg and responded to that publish message before processing the INVITE.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2018-05-11T11:23:16.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS connection to 10.204.34.62:51519 read failed<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2018-05-11T11:23:16.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS read error: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2018-05-11T11:23:16.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The second TLS session was established and again receives PUBLISH and then fails while processing INVITE.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2018-05-11T11:24:05.000-04:00 [local2] [debug] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: DBG:core:tls_update_fd: New fd is 46<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS connection to 10.204.34.62:52094 read failed<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS read error: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The third TLS session was established and again receives PUBLISh and then INVITE is also processed successfully. At time
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Opensips logs is also attached in debug mode.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The opensips config file is also attached.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The error indicates no certificate but this end point seems to present the certificate as seen while TLS session establishment in case 2&case 3. Also this issue is seen randomly. Attaching the ZoneInternal.key
to decode the pcap file. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">11:24:37 is the time.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2018-05-11T11:24:37.000-04:00 [local2] [debug] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: DBG:core:_tls_read: 2194 bytes read<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks so much for the time,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="color:#1F497D">version:</span></b><span style="color:#1F497D"> opensips 1.11.5-tls (x86_64/linux)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">flags: STATS: On, EXTRA_DEBUG, USE_IPV6, USE_TCP, USE_TLS, DISABLE_NAGLE, USE_MCAST, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">git revision: 2b3a3ea<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">main.c compiled on 15:24:32 Sep 15 2015 with gcc 4.4.7<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> Bogdan-Andrei Iancu [mailto:bogdan@opensips.org]
<br>
<b>Sent:</b> Tuesday, May 15, 2018 3:41 AM<br>
<b>To:</b> OpenSIPS users mailling list <users@lists.opensips.org>; Govindaraj, Rajesh <Rajesh.Govindaraj@ipc.com><br>
<b>Subject:</b> Re: [OpenSIPS-Users] Opensips error<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><tt><span style="font-size:10.0pt">Hi,</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<br>
<tt>First of all, carefully read the logs you get as they provide *a lot* of useful hints.</tt><br>
<br>
<tt>The key log is "SSL3_GET_CLIENT_CERTIFICATE:no certificate returned" - that means the other party did not presented a SSL ceritificate, while your TLS setup for that domain do require one (see the require_certificate option).</tt><br>
<br>
<tt>Regards, </tt><br>
<br>
</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<pre>Bogdan-Andrei Iancu<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>OpenSIPS Founder and Developer<o:p></o:p></pre>
<pre> <a href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a><o:p></o:p></pre>
<pre>OpenSIPS Summit 2018<o:p></o:p></pre>
<pre> <a href="http://www.opensips.org/events/Summit-2018Amsterdam">http://www.opensips.org/events/Summit-2018Amsterdam</a><o:p></o:p></pre>
<div>
<p class="MsoNormal">On 05/14/2018 11:45 PM, Govindaraj, Rajesh wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D">Hi folks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Please provide any pointers if you might have.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Govindaraj, Rajesh <br>
<b>Sent:</b> Friday, May 11, 2018 5:37 PM<br>
<b>To:</b> <a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a><br>
<b>Subject:</b> Opensips error <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">In a production environment, the below error is seen. The TLS handshake is fine and messages are being exchanged as seen from pcap and when one of the TCP message is read,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS connection to 10.204.34.62:52094 read failed<o:p></o:p></p>
<p class="MsoNormal">2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS read error: 1<o:p></o:p></p>
<p class="MsoNormal">2018-05-11T11:24:05.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">This error is seen. TLS read error: 1 indicates <span class="pl-en">
<span style="font-size:9.0pt;font-family:Consolas;color:#6F42C1;background:white">SSL_ERROR_SSL</span></span><span style="font-size:9.0pt;font-family:Consolas;color:#24292E;background:white">.
</span>Checking the pcap for success and failure case, they are no abnormalities. It fails for only one user randomly. Today in our test it failed twice with the same error when reading a TLS packet. TLS session establishment is fine. Any pointers would really
help.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<span style="font-size:9.0pt;font-family:Consolas;color:#24292E;background:white"> </span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:3.0pt;page-break-after:avoid"><b><span lang="EN-GB" style="font-size:12.0pt">Rajeshkumar Govindaraj</span></b><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:6.0pt;page-break-after:avoid"><span lang="EN-GB" style="font-size:12.0pt">Software Engineer<br>
</span><span style="font-size:10.0pt">777 Commerce Drive,<br>
Fairfield, CT-06825<br>
</span><b><span lang="FR" style="font-size:10.0pt">T</span></b><span lang="FR" style="font-size:10.0pt"> +1 201 253 7803
</span><span style="font-size:10.0pt;font-family:Symbol;color:#5B9BD5">|</span><span lang="FR" style="font-size:10.0pt">
<b>M</b> +1 475 439 9918 </span><span style="font-size:10.0pt;font-family:Symbol;color:#5B9BD5">|</span><span lang="FR" style="font-size:10.0pt">
<b>E</b> <a href="mailto:Rajesh.Govindaraj@ipc.com">Rajesh.Govindaraj@ipc.com</a></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;mso-fareast-language:FR">Follow us on twitter:
</span><span style="font-size:10.0pt">@<span style="text-transform:uppercase">ipc</span>_Systems_Inc
</span><a href="http://www.ipc.com/"><span style="font-size:10.0pt">www.ipc.com</span></a><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#44546A"> </span><o:p></o:p></p>
<p class="MsoNormal"><img border="0" width="191" height="79" id="Picture_x0020_2" src="cid:image001.jpg@01D3EC45.84B158B0" alt="cid:image006.jpg@01D1940F.3E021840"><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
<br>
<br>
DISCLAIMER: This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments
and notify the sender that you have received it in error. Unintended recipients are prohibited from taking action on the basis of information in this e-mail. E-mail messages may contain computer viruses or other defects, may not be accurately replicated on
other systems, or may be intercepted, deleted or interfered with without the knowledge of the sender or the intended recipient. If you are not comfortable with the risks associated with e-mail messages, you may decide not to use e-mail to communicate with
IPC. IPC reserves the right, to the extent and under circumstances permitted by applicable law, to retain, monitor and intercept e-mail messages to and from its systems.
<br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Users mailing list<o:p></o:p></pre>
<pre><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><o:p></o:p></pre>
<pre><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
</div>
</body>
</html>