<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><tt>Hi,</tt></p>
<p><tt>Looking at both successful and failed attempts, the TLS
connection seems to be properly established in both cases.
However, for some unknown reason, writing the effective data
(from the client side) may either take a quick 400 us, or it may
time out after 60 ms!</tt></p>
<p><tt>As a first way of troubleshooting this, I suggest we increase
the tls_mgm's module "tls_send_timeout" to some ridiculous value
(e.g. 2000 ms) and see if the client write timeouts still happen.<br>
</tt></p>
<p><tt>Best regards,</tt><br>
</p>
<pre class="moz-signature" cols="72">Liviu Chircu
OpenSIPS Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a></pre>
<div class="moz-cite-prefix">On 18.06.2018 18:05, Callum Guy wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFjCFzk8vs-LjrT+w5vyVE6jRkqGRVp+E7C_5j366Y=Q9RJwJw@mail.gmail.com">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>Further to this issue I have established that the fault
occurs when the server does not provide a finish "Encrypted
Handshake Message" following key/cert exchange.</div>
<div><br>
</div>
<div>Based on my test patterns it seems to indicate that this
improves <i>slightly</i> over time meaning that its gets a
bit more reliable after a few calls have been processed by the
remote. This doesn't mean that the calls don't ever fail
though, it goes from 50% failure rate to 20% perhaps.</div>
<div><br>
</div>
<div>Does anyone have confidence that this indicates a fault
with the remote system rather than the OpenSIPs
implementation? </div>
<div><br>
</div>
<div>Thanks</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Mon, Jun 18, 2018 at 1:15 PM Callum Guy <<a
href="mailto:callum.guy@x-on.co.uk" moz-do-not-send="true">callum.guy@x-on.co.uk</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><span
style="color:rgb(33,33,33);font-size:13px">Hi All,</span>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">I'm running
a TLS protected service using OpenSIPs 2.3.3
and openssl-1.0.2k-12.el7.x86_64 on a CentOS 7.5 server.
RTPProxy is in place to forward all the media on every
call.</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">OpenSIPs is
acting as a proxy to an internal FreeSWITCH instance and
handling all inbound and outbound TLS negotiation. </div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">The call
scenario is:</div>
<div style="color:rgb(33,33,33);font-size:13px">Leg A:
carrier -> opensips -> freeswitch (answer)</div>
<div style="color:rgb(33,33,33);font-size:13px">Leg B:
freeswitch -> opensips ->carrier</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">I have a
situation where calls sometimes fail during TLS
negotiation on the B leg. The exact same call will work
only seconds before and then the subsequent call will
fail. This is still a test service so there is no traffic
on the platform which would effect the calls.</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">The
destination carrier is Twilio where we are targeting a
custom domain which provides three separate fallback IP's.
The logs (below) show each being attempted in sequence and
OpenSIPs is reporting failure.</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">I have a
packet capture (SIP encrypted) which shows that the
carrier (Twilio) are setting up the connection and
attempting to change the cipher spec, from my
understanding it looks like this is what triggers the
errors in OpenSIPs which then returns a SIP packet to
Twilio before trying the next IP in the list (see screen
shot below).</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">When viewing
the packet capture on a call which was not affected I
don't see wireshark reporting "Change Cipher Spec" from
the carrier network so at present this is the main
suspicion. Unfortunately this is as far as my current
understanding can take me so while i continue to research
i wanted to reach out to see is anyone in the community
can help! Let me know if I can provide any further
information.</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">Thanks! </div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px"><b>OpenSIPs
Log</b></div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">
<div>Jun 18 11:20:33 opensips[6373]: INFO: [INVITE]
(outbound) REST response: RU: sip:<a
href="tel:+353%2061%20234%20567" value="+35361234567"
target="_blank" moz-do-not-send="true">+35361234567</a>@custom.pstn.ie1.twilio.com:5061;transport=tls
DU: sip:<a
href="http://custom.pstn.ie1.twilio.com:5061/"
target="_blank" moz-do-not-send="true">custom.pstn.ie1.twilio.com:5061</a> FU:
"<a href="tel:+49%2040%20261234567"
value="+4940261234567" target="_blank"
moz-do-not-send="true">+4940261234567</a>" <si</div>
<div><a href="mailto:ps%3A%2B4940261234567@172.20.0.101"
target="_blank" moz-do-not-send="true">ps:+4940261234567@172.20.0.101</a>>
To(<a class="moz-txt-link-freetext" href="sip:35361234567@172.18.0.110:5061;transport=tls">sip:35361234567@172.18.0.110:5061;transport=tls</a>)
From(<a href="mailto:sip%3A%2B40261234567@172.20.0.101"
target="_blank" moz-do-not-send="true">sip:+40261234567@172.20.0.101</a>)
ID:137a5be9-ed84-1236-10aa-d0431e9b59cf</div>
<div>Jun 18 11:20:33 opensips[6373]:
<a class="moz-txt-link-freetext" href="INFO:core:probe_max_sock_buff">INFO:core:probe_max_sock_buff</a>: using snd buffer of 416
kb</div>
<div>Jun 18 11:20:33 opensips[6373]:
<a class="moz-txt-link-freetext" href="INFO:core:init_sock_keepalive">INFO:core:init_sock_keepalive</a>: TCP keepalive enabled on
socket 29</div>
<div>Jun 18 11:20:33 opensips[6373]:
NOTICE:tls_mgm:verify_callback: depth = 2</div>
<div>Jun 18 11:20:33 opensips[6373]:
NOTICE:tls_mgm:verify_callback: preverify is good:
verify return: 1</div>
<div>Jun 18 11:20:33 opensips[6373]:
NOTICE:tls_mgm:verify_callback: depth = 1</div>
<div>Jun 18 11:20:33 opensips[6373]:
NOTICE:tls_mgm:verify_callback: preverify is good:
verify return: 1</div>
<div>Jun 18 11:20:33 opensips[6373]:
NOTICE:tls_mgm:verify_callback: depth = 0</div>
<div>Jun 18 11:20:33 opensips[6373]:
NOTICE:tls_mgm:verify_callback: preverify is good:
verify return: 1</div>
<div><b>Jun 18 11:20:34 opensips[6373]:
ERROR:proto_tls:tls_blocking_write: TLS send timeout
(60)</b></div>
<div><b>Jun 18 11:20:34 opensips[6373]:
ERROR:proto_tls:proto_tls_send: failed to send</b></div>
<div><b>Jun 18 11:20:34 opensips[6373]: ERROR:tm:msg_send:
send() to <a href="http://54.171.127.194:5061/"
target="_blank" moz-do-not-send="true">54.171.127.194:5061</a> for
proto tls/3 failed</b></div>
<div><b>Jun 18 11:20:34 opensips[6373]:
ERROR:tm:t_forward_nonack: sending request failed</b></div>
<div>Jun 18 11:20:34 opensips[6373]:
<a class="moz-txt-link-freetext" href="INFO:core:probe_max_sock_buff">INFO:core:probe_max_sock_buff</a>: using snd buffer of 416
kb</div>
<div>Jun 18 11:20:34 opensips[6373]:
<a class="moz-txt-link-freetext" href="INFO:core:init_sock_keepalive">INFO:core:init_sock_keepalive</a>: TCP keepalive enabled on
socket 29</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: depth = 2</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: preverify is good:
verify return: 1</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: depth = 1</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: preverify is good:
verify return: 1</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: depth = 0</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: preverify is good:
verify return: 1</div>
<div><b>Jun 18 11:20:34 opensips[6373]:
ERROR:proto_tls:tls_blocking_write: TLS send timeout
(60)</b></div>
<div><b>Jun 18 11:20:34 opensips[6373]:
ERROR:proto_tls:proto_tls_send: failed to send</b></div>
<div><b>Jun 18 11:20:34 opensips[6373]: ERROR:tm:msg_send:
send() to <a href="http://54.171.127.193:5061/"
target="_blank" moz-do-not-send="true">54.171.127.193:5061</a> for
proto tls/3 failed</b></div>
<div><b>Jun 18 11:20:34 opensips[6373]:
ERROR:tm:t_forward_nonack: sending request failed</b></div>
<div>Jun 18 11:20:34 opensips[6373]:
<a class="moz-txt-link-freetext" href="INFO:core:probe_max_sock_buff">INFO:core:probe_max_sock_buff</a>: using snd buffer of 416
kb</div>
<div>Jun 18 11:20:34 opensips[6373]:
<a class="moz-txt-link-freetext" href="INFO:core:init_sock_keepalive">INFO:core:init_sock_keepalive</a>: TCP keepalive enabled on
socket 29</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: depth = 2</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: preverify is good:
verify return: 1</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: depth = 1</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: preverify is good:
verify return: 1</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: depth = 0</div>
<div>Jun 18 11:20:34 opensips[6373]:
NOTICE:tls_mgm:verify_callback: preverify is good:
verify return: 1</div>
<div><b>Jun 18 11:20:34 opensips[6373]:
ERROR:proto_tls:tls_blocking_write: TLS send timeout
(60)</b></div>
<div><b>Jun 18 11:20:34 opensips[6373]:
ERROR:proto_tls:proto_tls_send: failed to send</b></div>
<div><b>Jun 18 11:20:34 opensips[6373]: ERROR:tm:msg_send:
send() to <a href="http://54.171.127.192:5061/"
target="_blank" moz-do-not-send="true">54.171.127.192:5061</a> for
proto tls/3 failed</b></div>
<div><b>Jun 18 11:20:34 opensips[6373]:
ERROR:tm:t_forward_nonack: sending request failed</b></div>
<div><b>Jun 18 11:20:34 opensips[6373]:
ERROR:tm:w_t_relay: t_forward_nonack failed</b></div>
<div><b>Jun 18 11:20:34 opensips[6373]: ERROR: Failed to
relay call - DU:<null> [INVITE]
To(<a class="moz-txt-link-freetext" href="sip:35361234567@172.18.0.110:5061;transport=tls">sip:35361234567@172.18.0.110:5061;transport=tls</a>)
From(<a
href="mailto:sip%3A%2B40261234567@172.20.0.101"
target="_blank" moz-do-not-send="true">sip:+40261234567@172.20.0.101</a>)
ID:137a5be9-ed84-1236-10aa-d0431e9b59</b></div>
</div>
<div><br>
</div>
<div><b>Wireshark Failure:</b></div>
<div>
<div><a href="https://ibb.co/ici8Ny" target="_blank"
moz-do-not-send="true">https://ibb.co/ici8Ny</a></div>
<div><br>
</div>
<div><b>Wireshark Working:</b></div>
<div><a href="https://ibb.co/kePF2y" target="_blank"
moz-do-not-send="true">https://ibb.co/kePF2y</a></div>
</div>
</div>
<div dir="ltr">
<div><br>
</div>
-- <br>
<div dir="ltr"
class="m_-8423270369103637269m_1292628742324445911gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">Callum Guy
<div>Head of Information Security</div>
<div>X-on</div>
</div>
</div>
</div>
</blockquote>
</div>
-- <br>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">Callum Guy
<div>Head of Information Security</div>
<div>X-on</div>
</div>
</div>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;text-align:justify"><font
face="Verdana" size="3"><span
style="font-size:8px;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline"></span></font></p>
<img
src="https://www.x-on.co.uk/email/footer/banner-surgeryconnect-june-july.jpg"
moz-do-not-send="true"><br>
<p><font size="4"><span
style="font-size:8px;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline"></span><b><sup><font
face="Verdana">0333 332 0000 | <a
href="http://www.x-on.co.uk" target="_blank"
moz-do-not-send="true">www.x-on.co.uk</a> | <sub> </sub></font></sup></b></font><font
size="4"><b><sub><sup><font face="Verdana"><a
href="https://www.linkedin.com/company/x-on"
target="_blank" moz-do-not-send="true"><img
src="http://www.x-on.co.uk//images/icon/linkedin.png"
moz-do-not-send="true" width="24" height="24"></a>
<a href="https://www.facebook.com/XonTel"
target="_blank" moz-do-not-send="true"><img
src="http://www.x-on.co.uk//images/icon/facebook.png"
moz-do-not-send="true" width="24" height="24"></a>
<a href="https://twitter.com/xonuk" target="_blank"
moz-do-not-send="true"><img
src="http://www.x-on.co.uk//images/icon/twitter.png"
moz-do-not-send="true" width="24" height="24"></a></font></sup></sub>
</b></font>
<span style="font-size:6.0pt;font-family:Verdana;color:black"><br>
X-on
is a trading name of Storacall Technology Ltd a limited
company registered in
England and Wales.<br>
Registered Office : Avaland House, 110 London Road, Apsley,
Hemel Hempstead,
Herts, HP3 9SD. Company Registration No. 2578478.<br>
The information in this e-mail is confidential and for use by
the addressee(s)
only. If you are not the intended recipient, please notify
X-on immediately on <span>+44(0)333 332 0000</span> and
delete the<br>
message from your computer. If you are not a named addressee
you must not use,
disclose, disseminate, distribute, copy, print or reply to
this email. </span><span
style="font-size:6.0pt;font-family:Verdana;color:black">Views
or opinions expressed by an individual<br>
within this email may not necessarily
reflect the views of X-on or its associated companies.
Although X-on routinely
screens for viruses, addressees should scan this email and any
attachments<br>
for
viruses. X-on makes no representation or warranty as to the
absence of viruses
in this email or any attachments.</span></p>
<p><span style="font-size:6.0pt;font-family:Verdana;color:black"></span><font
size="2"><span
style="font-size:6.0pt;font-family:Verdana;color:black"></span></font></p>
<!--'"--><br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</body>
</html>