Hello,

We've been experiencing issues with one of our Opensips instances for a few months. Every now and then it appears that we get a bad packet that's part of TLS negotiation (Encrypted Handshake Message). Opensips rejects this packet by replying with 'Bad Record MAC'. What's interesting is that sometimes this causes all subsequent TLS connections/negotiations to fail, yet other times Opensips survives it. The only way that we've found to recover from this failure is to restart the daemon, and we haven't found a way to reproduce it. We do have packet captures containing the "bad" packets.

Has anyone out there experienced this issue? We've seen it across different servers, operating systems and Opensips versions.

Log output:

[2012-08-10 18:38:01.08] [opensips] ERROR:core:tls_accept: New TLS connection from 1.2.3.4:1029 failed to accept: rejected by client
[2012-08-10 18:38:01.08] [opensips] WARNING:core:fm_free: free(0) called
[2012-08-10 18:38:01.08] [opensips] ERROR:core:tls_accept: New TLS connection from 1.2.3.4:1032 failed to accept: rejected by client
[2012-08-10 18:38:01.08] [opensips] WARNING:core:fm_free: free(0) called
...
[2012-08-10 18:38:13.72] [opensips] ERROR:core:_tls_read: TLS connection to 9.3.3.4:35951 read failed
[2012-08-10 18:38:13.72] [opensips] ERROR:core:_tls_read: TLS read error: 1
[2012-08-10 18:38:13.73] [opensips] ERROR:core:tls_print_errstack: TLS errstack: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[2012-08-10 18:38:13.73] [opensips] ERROR:core:tcp_read_req: failed to read

Versions:

Opensips: 1.8.0
Kernel: 3.2.0-26-virtual (Ubuntu 12.04)
Openssl: 1.0.1-4ubuntu5.3

Thanks,
Jared Biel

_______________________________________________
Users mailing list
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
