Using latest 1.11.5 version (from github) and 1.11.3 It seems to be a problem 
using tls connections with mutual auth (require client certificate=1)

Under a bit of load (about 30 AORs) I started to see failed calls and the log 
messages:
ERROR:core:tls_print_errstack: TLS errstack: error:140890C7:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate (with 
tls_verify_client = 1 )
and 
ERROR:core:tls_print_errstack: TLS errstack: error:14094412:SSL 
routines:SSL3_READ_BYTES:sslv3 alert bad certificate  (with tls_verify_client = 
0)

The errors seems to be random, the more load I have the more errors I can see. 
The process is always the same:
OpenSips receive an invite with certificate validated OK and challenge for a 
password. When the UAC send another invite with the response to the challenge 
the connection is droped with message like "SSL3_READ_BYTES:sslv3 alert bad 
certificate" 

I tried changing the poll method, disabling tcp aliases, in tcp sync and async 
mode, changing the MTU of the network, changing the proxy certificate, opensips 
versions,...  nothing seems to work.

The Opensips is compiled under Debian 8.2 and I tested with grandstream phones 
and Acrobits cloud softphone, with the same simptoms. Maybe there is a bug int 
the TLS stack?

Iĺl try to attach a full debug log to the isssue (scrubbed) You can see the 
error in line 206 and the first invite at line 10










---
Reply to this email directly or view it on GitHub:
https://github.com/OpenSIPS/opensips/issues/670
_______________________________________________
Devel mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/devel

Reply via email to