[Spce-user] TLS problem

Jirka Jirout jirka.jirout at me.com
Sat Mar 9 16:45:02 EST 2013


Hello,

I have now spent almost a week trying to figure out some very weird TLS behavior. I am putting together a new client app and I am experiencing strange things here. The new app can connect in about 10 % of all cases. Since SPCE is still working fine with the existing ones, I naturally blamed the new application and my code.

HOWEVER:
Today I decided to start from scratch and wrote a simple command line application that does only three things: opens a TLS connection, writes the REGISTER SIP message to the socket and prints the response (which should be something like 407 Unauthorized or something, but that would be fine).

The first two steps are fine - ssl_connect() and ssl_write() return success. But then the strange things start to happen:

- No answer ever comes back
- When I run ngrep-sip on the server, I do not see the message anywhere, although tcpdump shows it on the external interface

I first thought this might be a certificate problem or something, but running my app against the spce administration interface on port 1433 returns the data just fine, although the interface uses the same SSL certificates.

Next I tried openssl s_client -connect server:port - the connection is established fine. When I type some nonsense, i.e. GET\r\n\r\n, I end up with "read:errno=0" and a closed socket. But when I try to send the message (copy & paste), I end up with " RENEGOTIATING 11504:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:545:" which is the same error that my new client is getting. To be sure, I tried from several computers with openssl 0.9.8o (also used on the server) and 1.0.1c and got the same results.

The weirdest thing of course is that in about 10 % of cases, my new client connects just fine and works for hours without any problem. And that the older clients work fine.

My kamailio.cfg for lb looks like this in the tls section:

#!ifdef ENABLE_TLS
loadmodule "tls.so"
#!endif
....
#!ifdef ENABLE_TLS
modparam("tls", "certificate", "/crypto-keys/certificate.pem")
modparam("tls", "private_key", "/crypto-keys/private.key")
modparam("tls", "tls_method", "SSLv23")
#!endif

SPCE is v 2.7, openssl 0.9.8.o

Any help would be greatly appreciated as this is slowly starting to drive me nuts ;-)

regards, jj
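
A scripted form of the three-step test described in the message (open a TLS connection, write a REGISTER, print the reply), as an added example that is not part of the original post. It also flags which lines of the message interactive `openssl s_client` would consume as commands: per its manual page, an input line beginning with `R` triggers a renegotiation and one beginning with `Q` closes the connection unless `-quiet` or `-ign_eof` is given. The host name, user, addresses and all helper names are assumptions made for the example.

```python
import socket
import ssl

def build_register(user, domain, local_ip, local_port):
    """Minimal SIP REGISTER over TLS; all values are constructed samples."""
    lines = [
        f"REGISTER sip:{domain} SIP/2.0",
        f"Via: SIP/2.0/TLS {local_ip}:{local_port};branch=z9hG4bK-probe-1",
        "Max-Forwards: 70",
        f"From: <sip:{user}@{domain}>;tag=probe1",
        f"To: <sip:{user}@{domain}>",
        f"Call-ID: probe-1@{local_ip}",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{user}@{local_ip}:{local_port};transport=tls>",
        "Expires: 60",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def s_client_command_lines(payload):
    """Lines interactive s_client would treat as commands (R/Q), not data."""
    text = payload.decode("ascii")
    return [ln for ln in text.splitlines() if ln[:1] in ("R", "Q")]

def status_line(response):
    """Return (code, reason) from the first line of a SIP response."""
    first = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    version, code, reason = first.split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError(f"not a SIP response: {first!r}")
    return int(code), reason

def probe(host, port, payload, cafile=None, timeout=5.0):
    """Send payload over verified TLS; report protocol, cipher and SIP status."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            try:
                data = tls.recv(4096)
            except socket.timeout:
                data = b""  # handshake and write succeeded, no reply came back
            return tls.version(), tls.cipher()[0], status_line(data) if data else None

if __name__ == "__main__":
    msg = build_register("alice", "sip.example.org", "192.0.2.10", 5061)
    print(s_client_command_lines(msg))  # lines s_client would not forward
    # print(probe("sip.example.org", 5061, msg, cafile="ca.pem"))  # hypothetical host
```

A `None` status from `probe` separates "TLS is up but nothing answered" from a handshake failure, which surfaces as an `ssl.SSLError` instead.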


