### Description

Invoking jwt_verify with an expired JWT causes TLS termination, with log output from tls_server and tls_util.

While trying to debug the issue, I tried to give the method an invalid key path. I got the following log (as expected):
```
failed to read key file
```

Then the flow continued just fine (fallback to proxy_authorization).

When I gave it a correct file path but with wrong content, the problem still occurred.
This makes me think the problem is in the method:
```
static int ki_jwt_verify_key(sip_msg_t* msg, str *key, str *alg, str *claims,
                str *jwtval)
```


### Troubleshooting

#### Reproduction

Use an expired JWT

#### Log Messages

```
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: INFO: {1 13605 INVITE 71a5d88a-b485-43c0-bac4-a2723333efeb} <script>: request_route: method [INVITE] from [sip:[email protected]] to [sip:[email protected]]
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: {1 13605 INVITE 71a5d88a-b485-43c0-bac4-a2723333efeb} jwt [jwt_mod.c:514]: ki_jwt_verify(): failed to decode jwt value
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: INFO: {1 13605 INVITE 71a5d88a-b485-43c0-bac4-a2723333efeb} <script>: route[AUTH] failed to verify jwt token.
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_server.c:1330]: tls_h_read_f(): protocol level error
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_util.h:51]: tls_err_ret(): TLS read:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding (sni: dev-proxy.barash.com)
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_util.h:51]: tls_err_ret(): TLS read:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed (sni: dev-proxy.barash.com)
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_server.c:1334]: tls_h_read_f(): src addr: 172.19.140.11:37188
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_server.c:1337]: tls_h_read_f(): dst addr: 172.19.140.70:5061
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: <core> [core/tcp_read.c:1478]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f731ec677f8 r: 0x7f731ec67920 (-1)
```

### Additional Information

* **Kamailio Version** - output of `kamailio -v`

```
version: kamailio 5.6.4 (x86_64/linux) a004cf
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: a004cf
compiled on 09:56:56 Mar 22 2023 with gcc 8.3.0
```

* **Operating System**:

```
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

Linux kamailio01.dev.wb.internal 4.19.0-23-amd64 #1 SMP Debian 4.19.269-1 (2022-12-20) x86_64 GNU/Linux
```


-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3434