Hi, Nabeel!
Are you using wildcards in your certificate name, or can you just not make
the names public? Note that wildcards are not supported in the OpenSIPS
certificate/key file names.
Are there any errors in OpenSIPS's logs?
Best regards,
Răzvan Crainea
OpenSIPS Solutions
www.opensips-solutions.com
On 06/22/2015 07:26 AM, Nabeel wrote:
Hi,
I'm trying to set up OpenSIPS with TLS support and connect to my
server with a SIP client (Lumicall - http://lumicall.org/).
The settings in my opensips.cfg file are as follows:
listen=tls:87.xx.xxx.42:5061 as server0.domain.com:5061
loadmodule "proto_tls.so"
modparam("proto_tls", "verify_cert", "0")
modparam("proto_tls", "require_cert", "0")
modparam("proto_tls", "ciphers_list", "NULL")
modparam("proto_tls", "tls_method", "SSLv23")
modparam("proto_tls", "certificate", "/etc/ssl/public/*.domain.com.pem")
modparam("proto_tls", "private_key", "/etc/ssl/private/*.domain.com-key.pem")
modparam("proto_tls", "ca_list", "/etc/ssl/public/*.domain.com.pem")
modparam("proto_tls", "ca_dir", "/etc/ssl/public/")
The certificates are from CAcert.org and the SIP client has built-in
support for the CAcert.org root certificates.
OpenSIPS starts successfully without errors and the following command
shows listening on the correct port:
# netstat -tapen | grep ":5061 "
tcp 0 0 87.81.230.42:5061 0.0.0.0:* LISTEN 0 94449 6850/opensips
The command "netstat -tlp | grep 5061" returns no result. Testing the
port through remote services and with nmap shows the port is open:
nmap -p 5061 server0.domain.com
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-22 04:40 BST
Nmap scan report for server0.domain.com (87.81.230.42)
Host is up (0.000090s latency).
PORT STATE SERVICE
5061/tcp open sip-tls
However, checking the connection with s_client shows a handshake failure:
# openssl s_client -connect server0.domain.com:5061 -showcerts -CAfile /etc/ssl/public/cacert.org.pem
CONNECTED(00000003)
139762069984912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Adding -servername server0.domain.com shows the same error.
Trying to connect to the server using the SIP client, with
[email protected], also shows a handshake failure in Logcat:
06-21 18:33:31.790 20121-31973/com.domain I/IntegratedSipProvider﹕ no active connection found matching tls:87.xx.xxx.xx:5061
06-21 18:33:31.790 20121-31973/com.domain I/IntegratedSipProvider﹕ open tls connection to 87.xx.xxx.42:5061
06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Initializing SSLContext for first use
06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Adding the customKeyStore to trust manager for SSLContext
06-21 18:33:31.790 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Connecting socket to 87.xx.xxx.42, port 5061
06-21 18:33:31.870 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Local address is: /10.155.115.36:47549
06-21 18:33:31.870 20121-31973/com.domain I/org.zoolu.net.TcpSocket﹕ Starting SSL handshake
06-21 18:33:31.980 20121-31973/com.domain W/org.zoolu.net.TcpSocket﹕ Exception while getting session/starting handshake
06-21 18:36:23.210 20121-1693/com.domain E/IntegratedSipProvider﹕ java.io.IOException: Failed to handshake SSLjavax.net.ssl.SSLHandshakeException: Handshake failed, Handshake failed
    at org.zoolu.net.TcpSocket.<init>(TcpSocket.java:199)
    at org.zoolu.sip.provider.TcpTransport.<init>(TcpTransport.java:152)
    at org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1367)
    at org.zoolu.sip.provider.SipProvider.sendMessage(SipProvider.java:1297)
    at org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1628)
    at org.zoolu.sip.provider.SipProvider$ThreadSend.call(SipProvider.java:1608)
    at java.util.concurrent.FutureTask.run(FutureTask.java:237)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
    at java.lang.Thread.run(Thread.java:818)
I tried setting TLSv1 as 'tls_method' in the opensips config (instead of
SSLv23) but the same error occurred. Please advise how to resolve this
SSL handshake failure.
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
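An added configuration check, not code from the thread or from OpenSIPS: it parses the proto_tls modparam lines quoted above (reproduced below as a constructed sample) and flags the settings a reviewer would question first, namely the wildcard file names Răzvan asks about and the cipher string "NULL", which in OpenSSL cipher-list syntax selects only the no-encryption (eNULL) suites that real clients never offer. The function names parse_proto_tls and check_proto_tls are mine; it assumes Python 3 and nothing else.

```python
import re

# Constructed sample reproducing the proto_tls lines from the thread (values as posted).
SAMPLE_CFG = """\
loadmodule "proto_tls.so"
modparam("proto_tls", "verify_cert", "0")
modparam("proto_tls", "require_cert", "0")
modparam("proto_tls", "ciphers_list", "NULL")
modparam("proto_tls", "tls_method", "SSLv23")
modparam("proto_tls", "certificate", "/etc/ssl/public/*.domain.com.pem")
modparam("proto_tls", "private_key", "/etc/ssl/private/*.domain.com-key.pem")
modparam("proto_tls", "ca_list", "/etc/ssl/public/*.domain.com.pem")
modparam("proto_tls", "ca_dir", "/etc/ssl/public/")
"""

# Matches modparam("proto_tls", "<name>", "<value>"); the value may also be an unquoted number.
MODPARAM_RE = re.compile(
    r'modparam\s*\(\s*"proto_tls"\s*,\s*"(\w+)"\s*,\s*"?([^"\)]*?)"?\s*\)')

def parse_proto_tls(cfg_text):
    """Return {param: value} for the proto_tls modparam lines (a later line overrides an earlier one)."""
    params = {}
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and whitespace
        m = MODPARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def check_proto_tls(params):
    """Return (param, problem) pairs for settings that break the handshake or weaken the listener."""
    findings = []
    for key in ("certificate", "private_key", "ca_list"):
        if "*" in params.get(key, ""):
            findings.append((key, "wildcard in file name; OpenSIPS needs the literal path"))
    if params.get("ciphers_list", "").strip().upper() == "NULL":
        findings.append(("ciphers_list", "OpenSSL 'NULL' selects only eNULL (no-encryption) suites;"
                         " clients offer none, so cipher negotiation fails"))
    if params.get("tls_method") == "SSLv23":
        findings.append(("tls_method", "SSLv23 lets the library negotiate legacy SSL versions;"
                         " pin an explicit TLS version"))
    if params.get("verify_cert") == "0":
        findings.append(("verify_cert", "peer certificate is not verified"))
    return findings

if __name__ == "__main__":
    for param, problem in check_proto_tls(parse_proto_tls(SAMPLE_CFG)):
        print(f"{param}: {problem}")
```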