SipSeb created an issue (kamailio/kamailio#4445)
### Description
After a small outage, where a large number of TLS clients had to reconnect, we
see this error on some of our Kamailio proxies. The Kamailio processes were not
restarted. See log messages below. These errors did not occur before the
outage. And on some hosts we still don't see them.
It can also be reproduced by running openssl manually, and our monitoring
script registering through each proxy is also affected. A pcap trace shows that
Kamailio sends its Server Hello, Change Cipher Spec message and some
application data and then the client drops the connection with a "Decrypt
Error". The next monitoring check run mostly works.
Below is a graph showing the log volume of lines containing "decrypt error" in
the time before and after the outage.
<img width="1385" height="223" alt="Image"
src="https://github.com/user-attachments/assets/f9522986-ef10-4798-bd8c-5dd51abd504b"
/>
#### Log Messages
```
ERROR: tls [tls_server.c:1312]: tls_h_read_f(): protocol level error
ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS accept:error:0A00041B:SSL
routines::tlsv1 alert decrypt error (sni: unknown)
ERROR: tls [tls_server.c:1316]: tls_h_read_f(): src addr:
2a05:d014:85b:a080:f1e7:affe:affe:cc1e:35604
ERROR: tls [tls_server.c:1319]: tls_h_read_f(): dst addr:
2a05:d014:cda:9301:81e5:affe:affe:251a:5061
ERROR: <core> [core/tcp_read.c:1524]: tcp_read_req(): error reading - c:
0x784904a5bfa0 r: 0x784904a5c0c8 (-1)
ERROR: tls [tls_server.c:1312]: tls_h_read_f(): protocol level error
ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS accept:error:0A00041B:SSL
routines::tlsv1 alert decrypt error (sni: unknown)
ERROR: tls [tls_server.c:1316]: tls_h_read_f(): src addr: 192.0.2.42:33278
ERROR: tls [tls_server.c:1319]: tls_h_read_f(): dst addr: 100.68.1.13:5061
ERROR: <core> [core/tcp_read.c:1524]: tcp_read_req(): error reading - c:
0x784904a5bfa0 r: 0x784904a5c0c8 (-1)
```
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
```
root@sipproxy:/WORKSPACE/sipproxy-container# kamailio -V
version: kamailio 5.8.6 (x86_64/linux)
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE,
USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC,
F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT,
USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES,
TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_SEND_BUFFER_SIZE
262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 13.3.0
```
* **Operating System**:
Running in a podman container. Underlying system is Ubuntu Noble as well.
```
root@sipproxy:/WORKSPACE/sipproxy-container# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.3 LTS
Release: 24.04
Codename: noble
root@sipproxy:/WORKSPACE/sipproxy-container# uname -a
Linux sipproxy 6.8.0-83-generic #83-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 5
21:46:54 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
```
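A triage sketch for the log format shown in the issue, added here and not part of the original report or of Kamailio: it groups each `tls_err_ret()` alert with the `src addr`/`dst addr` lines that follow it and counts decrypt-error alerts per client host. The sample log is constructed, and the code assumes records from different worker processes are not interleaved.

```python
import re
from collections import Counter

# Constructed sample in the format of the issue's log excerpt (lines unwrapped,
# mostly documentation-range addresses). The last record is a different alert.
SAMPLE_LOG = """\
ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS accept:error:0A00041B:SSL routines::tlsv1 alert decrypt error (sni: unknown)
ERROR: tls [tls_server.c:1316]: tls_h_read_f(): src addr: 2001:db8::10:35604
ERROR: tls [tls_server.c:1319]: tls_h_read_f(): dst addr: 2001:db8::1:5061
ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS accept:error:0A00041B:SSL routines::tlsv1 alert decrypt error (sni: unknown)
ERROR: tls [tls_server.c:1316]: tls_h_read_f(): src addr: 2001:db8::10:35610
ERROR: tls [tls_server.c:1319]: tls_h_read_f(): dst addr: 2001:db8::1:5061
ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS accept:error:0A00041B:SSL routines::tlsv1 alert decrypt error (sni: unknown)
ERROR: tls [tls_server.c:1316]: tls_h_read_f(): src addr: 192.0.2.42:33278
ERROR: tls [tls_server.c:1319]: tls_h_read_f(): dst addr: 100.68.1.13:5061
ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS accept:error:0A000418:SSL routines::tlsv1 alert unknown ca (sni: unknown)
ERROR: tls [tls_server.c:1316]: tls_h_read_f(): src addr: 192.0.2.42:33300
ERROR: tls [tls_server.c:1319]: tls_h_read_f(): dst addr: 100.68.1.13:5061
"""

ALERT_RE = re.compile(r"tls_err_ret\(\): TLS (?P<op>\w+):error:(?P<code>[0-9A-F]{8}):"
                      r"SSL routines::(?P<reason>.+?) \(sni: (?P<sni>[^)]*)\)")
ADDR_RE = re.compile(r"tls_h_read_f\(\): (?P<side>src|dst) addr: (?P<addr>\S+)")

def split_host_port(addr):
    """The log prints host:port without brackets, so the port follows the LAST colon."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def parse_events(lines):
    """Group each tls_err_ret() line with the src/dst lines that follow it."""
    events, current = [], None
    for line in lines:
        alert, addr = ALERT_RE.search(line), ADDR_RE.search(line)
        if alert:
            current = dict(alert.groupdict(), src=None, dst=None)
            events.append(current)
        elif addr and current is not None:
            current[addr["side"]] = split_host_port(addr["addr"])
    return events

def decrypt_errors_by_source(lines):
    """Count 'alert decrypt error' records per client host (ports ignored)."""
    return Counter(e["src"][0] for e in parse_events(lines)
                   if e["reason"].endswith("alert decrypt error") and e["src"])

if __name__ == "__main__":
    for host, n in decrypt_errors_by_source(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {host}")
```

Comparing the per-host counts between an affected and an unaffected proxy shows whether the alerts are concentrated on a few clients or spread across all reconnecting ones.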