Hello,
> Dear all,
>
> Thank you very much for your time. This is my first message in this
> forum.
>
> All, I got an error message in the minisip command prompt when I tried using
> TLS (Transport Method = TLS and Network Port = 5061). But without
> TLS, I can make a call with minisip.
> The error message says:
>
> A. in client command prompt
>
> init 6/9: Creating MSip SIP stack
> init 7/9: Connecting GUI to SIP logic
> init 8.2/9: Starting TCP transport worker thread
> init 8.3/9: Starting TLS transport worker thread
> init 9/9: Registering Identities to registrar server
> Registering user [EMAIL PROTECTED] to proxy 202.95.149.251,
> requesting domain
> 202.95.149.251
> SipMessageTransport: sendMessage: creating new socket
> Creating new SSL_CTX
> SSL: connect failed
> SipMessageTransport: sendMessage: exception thrown!
> SipMessageTransport: sendMessage: creating new socket
> SSL: connect failed
> SipMessageTransport: sendMessage: exception thrown!
> SipMessageTransport: sendMessage: creating new socket
> SSL: connect failed
> SipMessageTransport: sendMessage: exception thrown!
> SipMessageTransport: sendMessage: creating new socket
> SSL: connect failed
> SipMessageTransport: sendMessage: exception thrown!
>
> B. in server terminal
>
> tls_tcpconn_init: Setting in ACCEPT mode (server)
> 11(5927) tcpconn_add: hashes: 835, 11
> 11(5927) handle_new_connect: new connection: 0x422d88f0 24 flags: 0002
> 11(5927) send2child: to tcp child 0 7(5919), 0x422d88f0
> 7(5919) received n=4 con=0x422d88f0, fd=20
> 7(5919) DBG: io_watch_add(0x80ed320, 20, 2, 0x422d88f0), fd_no=1
> 7(5919) tls_update_fd: New fd is 20
> 7(5919) tls_accept: Error in SSL:
> 7(5919) tls_error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number
> 7(5919) DBG: io_watch_del (0x80ed320, 20, 1, 0x10) fd_no=2 called
> 7(5919) releasing con 0x422d88f0, state -2, fd=20, id=11
> 7(5919) extra_data 0x422e8a08
> 11(5927) handle_tcp_child: reader response= 422d88f0, -2 from 0
> 11(5927) tcpconn_destroy: destroying connection 0x422d88f0, flags 0002
> 11(5927) tls_close: Closing SSL connection
> 11(5927) tls_update_fd: New fd is 24
> 11(5927) tls_shutdown: Shutdown successful
> 11(5927) tls_tcpconn_clean: Entered
>
> What's wrong? How to solve the error "SSL3_GET_RECORD:wrong version
> number" and "SSL: connect failed"?
From the server side, you may get this error when:
- the server is set up for SSL/TLS and the client is connecting in plain
  mode, for example:

      $ telnet some_server 443
      Escape character is '^]'.
      lkasdkfgjlasdkfgjsdlkfjgsdfkgjsldkfgjhsdfkgsfgk

  Bytes 2 and 3 must be a proper SSL3/TLS1 version specification:
      0x0300 - SSL3
      0x0301 - TLS1
  or for SSL2 (in handshake negotiation) bytes 4 and 5 have the version
  information:
      0x0200 - SSL2
      0x0300 - SSL3
      0x0301 - TLS1
  and of course TLS1 may be set up using an SSL2 client_hello (if
  supported by client and server)
- the server is set up for SSL3/TLS1 (not SSL2) and the client sends an
  SSL2 client_hello; for example, an OpenSSL SSL_CTX created with the
  SSLv23_client_method() method sends an SSL2 client_hello with
  version information set to TLS1. But when the server is set to
  understand SSL3/TLS1 only, the SSL2 proposition is not recognized
  correctly (version information is at bytes 4 and 5, not 2 and 3)
  and we get "wrong version number".

To correct this, on the client side disable the SSL2 compatibility
handshake with SSL_OP_NO_SSLv2 if the SSL_CTX is created with
SSLv23_client_method(), or on the server side create the SSL_CTX with
SSLv23_server_method() instead of SSLv3_server_method()
or TLSv1_server_method().
In other words, both sides should have the same protocols enabled.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
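
Added example (not part of the message above and not OpenSSL code): a small C classifier for the first bytes a server receives, showing why an SSL2 client_hello or plain text yields "wrong version number" on an SSL3/TLS1-only server. The function names and the sample bytes are constructed for illustration; byte positions in comments are 1-based, as in the reply.

```c
#include <stddef.h>
#include <stdio.h>

enum hello_kind { HELLO_TOO_SHORT, HELLO_TLS_RECORD, HELLO_SSL2_COMPAT, HELLO_NOT_TLS };
struct hello_info { enum hello_kind kind; unsigned version; };

/* Constructed sample inputs (first bytes only), not captured traffic. */
static const unsigned char TLS1_HELLO[] = { 0x16, 0x03, 0x01, 0x00, 0x2f };
static const unsigned char SSL2_HELLO[] = { 0x80, 0x2e, 0x01, 0x03, 0x01 };
static const unsigned char PLAIN_SIP[]  = "REGISTER sip:example.invalid SIP/2.0";

/* Version field as an SSL3/TLS1-only server reads it: bytes 2 and 3. */
static unsigned version_as_tls_record(const unsigned char *b)
{
    return ((unsigned)b[1] << 8) | b[2];
}

static struct hello_info classify_hello(const unsigned char *b, size_t n)
{
    struct hello_info r = { HELLO_NOT_TLS, 0 };
    if (n < 5) { r.kind = HELLO_TOO_SHORT; return r; }
    if (b[0] == 0x16 && b[1] == 0x03) {      /* handshake record, major version 3 */
        r.kind = HELLO_TLS_RECORD;
        r.version = version_as_tls_record(b);
    } else if ((b[0] & 0x80) && b[2] == 0x01 && (b[3] == 0x02 || b[3] == 0x03)) {
        /* SSL2: 2-byte length header, type 1 = client_hello, version in bytes 4 and 5 */
        r.kind = HELLO_SSL2_COMPAT;
        r.version = ((unsigned)b[3] << 8) | b[4];
    }
    return r;
}

int main(void)
{
    static const char *names[] = { "too short", "SSL3/TLS record", "SSL2 client_hello", "not SSL/TLS" };
    const struct { const char *label; const unsigned char *p; size_t n; } s[] = {
        { "TLS1 hello", TLS1_HELLO, sizeof TLS1_HELLO },
        { "SSL2 hello", SSL2_HELLO, sizeof SSL2_HELLO },
        { "plain SIP",  PLAIN_SIP,  sizeof PLAIN_SIP - 1 },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        struct hello_info h = classify_hello(s[i].p, s[i].n);
        printf("%-10s -> %-17s offered 0x%04x, TLS-only server reads 0x%04x\n",
               s[i].label, names[h.kind], h.version, version_as_tls_record(s[i].p));
    }
    return 0;
}
```

For the SSL2 hello the offered version is 0x0301 (TLS1), but a server parsing it as an SSL3/TLS1 record reads 0x2e01 from bytes 2 and 3 and rejects it.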