Topic: <openssl:MILD> Failed SSLv3 read finished A when using a TLS sip-trunk

abma

I'm trying to configure a yate server using a sip trunk but it seems to fail at a very early stage when a call is made.

Auth is per IP (no username/password needed) and sRTP + TLS must be used.

Code:
20160229170153.746701 <sip:ALL> Transport(tls:18-[sip trunk ip]:5061) attempt to connect to '[sip trunk ip]:5061' [0x7f519c067420]
20160229170153.763959 <sip:ALL> Transport(tls:18-[sip trunk ip]:5061) connected local=[local server ip]:50943 remote=[sip trunk ip]:5061 [0x7f519c067420]
20160229170153.769137 <sip:INFO> 'tls:[local server ip]:50943-[sip trunk ip]:5061' sending 'INVITE sip:[called number]@[sip trunk ip]:5061' 0x7f519c026390 [0x7f519c067420]
------
INVITE sip:[called number]@[sip trunk ip]:5061 SIP/2.0
Max-Forwards: 19
Via: SIP/2.0/TLS [local server ip]:5061;alias;rport;branch=z9hG4bK137996875
From: <sip:+[caller number]@[local server ip]>;tag=391086973
To: <sip:[called number]@[sip trunk ip]:5061>
Call-ID: 2017592690@[local server ip]
CSeq: 201 INVITE
User-Agent: YATE/5.0.0
Contact: <sip:+[caller number]@[local server ip]:5061>
Allow: ACK, INVITE, BYE, CANCEL, REGISTER, REFER, OPTIONS, INFO
Content-Type: application/sdp
Content-Length: 318

v=0
o=yate 1456765312 1456765312 IN IP4 [local public ip]
s=SIP Call
c=IN IP4 [local public ip]
t=0 0
m=audio 23590 RTP/AVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:yezuQ6YLQ1ZVv6mQU3ugNCCHpac/3jzTLBDhhGsg
a=encryption:optional


------
20160229170153.815592 <openssl:MILD> Failed SSLv3 read finished A [0x7f51a4021100]
20160229170153.815704 <sip:WARN> Transport(tls:18-[sip trunk ip]:5061) Socket send error: Invalid argument (22) [0x7f519c067420]
------

in regexroute i have this:

Code:
^0.\(.*\)$=sip/sip:${called}@[sip trunk ip]:5061;\
        caller=+[local prefix number]${caller};\
        oip_transport=tls;\


why do i get "Socket send error: Invalid argument (22)"? openssl.conf is configured / the local tls listening port (tcp/5061) seems to basically work.

(i've replaced ip / number with [ip] [number])


« Last Edit: February 29, 2016, 11:21:44 AM by abma »

abma

« Reply #1 on: February 29, 2016, 01:06:14 PM »
with a debug build of yate i got more verbose info:

Code:
2016-02-29_20:01:10.220295 <openssl:ALL> State before/connect initialization [0x7fffc0000cd0]
2016-02-29_20:01:10.220449 <openssl:ALL> State unknown state [0x7fffc0000cd0]
2016-02-29_20:01:10.241041 <openssl:ALL> State SSLv3 read server hello A [0x7fffc0000cd0]
2016-02-29_20:01:10.241681 <openssl:ALL> State SSLv3 read server certificate A [0x7fffc0000cd0]
2016-02-29_20:01:10.242053 <openssl:ALL> State SSLv3 read server key exchange A [0x7fffc0000cd0]
2016-02-29_20:01:10.242241 <openssl:ALL> State SSLv3 read server certificate request A [0x7fffc0000cd0]
2016-02-29_20:01:10.242309 <openssl:ALL> State SSLv3 read server done A [0x7fffc0000cd0]
2016-02-29_20:01:10.242356 <openssl:ALL> State SSLv3 write client certificate A [0x7fffc0000cd0]
2016-02-29_20:01:10.246400 <openssl:ALL> State SSLv3 write client key exchange A [0x7fffc0000cd0]
2016-02-29_20:01:10.246589 <openssl:ALL> State SSLv3 write change cipher spec A [0x7fffc0000cd0]
2016-02-29_20:01:10.246852 <openssl:ALL> State SSLv3 write finished A [0x7fffc0000cd0]
2016-02-29_20:01:10.246965 <openssl:ALL> State SSLv3 flush data [0x7fffc0000cd0]
2016-02-29_20:01:10.268904 <openssl:MILD> Failed SSLv3 read finished A [0x7fffc0000cd0]
2016-02-29_20:01:10.269184 <sip:WARN> Transport(tls:4-[sip trunk ip]:5061) Socket send error: Invalid argument (22) [0x7fffcc0138d0]

is the server / sip trunk closing the connection?
« Last Edit: February 29, 2016, 01:08:24 PM by abma »

marian

The server could close the connection.
You may use tcpdump or wireshark to see TCP messages.

Try also openssl s_client utility to connect to server. It might display more info.

abma

got response from the provider: the sip trunk is expecting a signed certificate and because our certificate isn't signed (yet) it disallows the connection.

abma

if someone runs into this issue, too, the openssl command to test is:

Code:
openssl s_client -connect <sip trunk ip>:5061 -CAfile server.pem -cert server.pem -key server.key

-CAfile is important, else the openssl client doesn't send the certificate / certificate chain.

when it works, the connection stays open.
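
An added example, not part of the thread and not Yate code: a small Python triage of the openssl state lines from the debug trace in Reply #1, flagging the pattern the provider's answer explains (the peer requests a client certificate, the client finishes its flight, and the failure comes while reading the server's Finished). The verdict names and the sample lines are constructed for this illustration.

```python
import re

# Shape of the openssl-module lines in the debug trace quoted in the thread.
STATE_LINE = re.compile(r"<openssl:\w+> (State|Failed) (.+?) \[0x[0-9a-fA-F]+\]")

def triage(log_text):
    """Classify one handshake trace; returns (verdict, failed_state)."""
    cert_requested = client_flight_done = False
    for line in log_text.splitlines():
        m = STATE_LINE.search(line)
        if not m:
            continue  # SIP transport lines, separators, message dumps
        kind, state = m.groups()
        if kind == "State":
            if "read server certificate request" in state:
                cert_requested = True      # peer asks for mutual TLS
            elif "write finished" in state:
                client_flight_done = True  # client's Finished was written
            continue
        # kind == "Failed": the first failure ends the trace
        if cert_requested and client_flight_done and "read finished" in state:
            # The state names do not show whether the certificate message
            # was empty or which check the peer applied; this is a hint only.
            return "client-auth-suspected", state
        return "other-failure", state
    return "no-failure", None

# Constructed sample, modelled on the trace in the thread (pointers shortened).
SAMPLE = """\
2016-02-29_20:01:10.241041 <openssl:ALL> State SSLv3 read server hello A [0x7f00]
2016-02-29_20:01:10.242241 <openssl:ALL> State SSLv3 read server certificate request A [0x7f00]
2016-02-29_20:01:10.242356 <openssl:ALL> State SSLv3 write client certificate A [0x7f00]
2016-02-29_20:01:10.246852 <openssl:ALL> State SSLv3 write finished A [0x7f00]
2016-02-29_20:01:10.268904 <openssl:MILD> Failed SSLv3 read finished A [0x7f00]
2016-02-29_20:01:10.269184 <sip:WARN> Transport(tls:4-[sip trunk ip]:5061) Socket send error: Invalid argument (22) [0x7f01]
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "client-auth-suspected" verdict is the cue to test the certificate and key with the openssl s_client command above before changing anything in the SIP routing.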