search

OpenSIPS / opensips

OpenSIPS is a GPL implementation of a multi-functionality SIP Server that targets to deliver a high-level technical solution (performance, security and quality) to be used in professional SIP server platforms.
https://opensips.org
Other
1.28k stars 581 forks source link

[BUG] tls_wolfssl cipher suite ECDHE-RSA-AES128-SHA256 does not work #2729

Closed vasilevalex closed 2 years ago

vasilevalex commented 2 years ago

OpenSIPS version you are running

version: opensips 3.2.4 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
git revision: unknown
main.c compiled on 09:17:12 Jan 12 2022 with gcc 8

Describe the bug Connection can not be established when client uses cipher suite ECDHE-RSA-AES128-SHA256.

To Reproduce

  1. Start OpenSIPS with tls_wolfssl module.
  2. openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-SHA256 -connect <opensips_hostname>:5061
  3. On client side there is error: 139673257969472:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:ssl/record/ssl3_record.c:521
  4. Check with wolfssl test client app: ./client -A /etc/pki/tls/certs/ca-bundle.crt -l TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -h <opensips_hostname> -p 5061
  5. Error: SSL_read reply error -312, error during decryption

Expected behavior Successful connection without errors.

Relevant System Logs ERROR:tls_wolfssl:_wolfssl_read: TLS read error: -313, received alert fatal error

OS/environment information

Additional context I have tested wolfssl independently. Wolfssl server from examples (build from tag v4.7.1r) works fine and accepts connections from both wolfssl client and openssl client:

$ ./server -d
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL curve name is SECP256R1
Client message: hello wolfssl!

./client -l TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL curve name is SECP256R1
I hear you fa shizzle!
rvlad-patrascu commented 2 years ago

Hi @vasilevalex ,

I'm not getting an error when testing as mentioned above. Have you changed anything in tls_wolfssl's module Makefile?

vasilevalex commented 2 years ago

Hi @rvlad-patrascu Actually, yes, I changed Makefile to disable weak and unsecure cipher suites: --disable-idea and -DNO_DES3 -DNO_DSA -DNO_MD4 -DNO_RC4 -UHAVE_NULL_CIPHER. It worked as expected, just disabling all unsecure stuff, so I even didn't think about this. Please don't close this, so I'll add information, what exactly breaks this cipher suite.

vasilevalex commented 2 years ago

Hi @rvlad-patrascu It does not matter, if these flags are used or not. The only thing, that breaks TLS is when configuration uses range of TLS versions. I.e. with method=TLSv1_2- the issue is reproducible and with method=TLSv1_2 everything works just fine. Can you please look at this one more time?

rvlad-patrascu commented 2 years ago

Hi @vasilevalex,

Indeed using a method range this reproduces for me too (although I don't see this error on opensips side: ERROR:tls_wolfssl:_wolfssl_read: TLS read error: -313, received alert fatal error).

What is strange is that if I actually send data on the connection with openssl s_client (eg. cat ./sip_msg | openssl s_client ...) it works fine. This might even be an issue with wolfSSL implementation when providing a method range. I will look more into it.

github-actions[bot] commented 2 years ago

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

github-actions[bot] commented 2 years ago

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

volga629-1 commented 2 years ago

Hello Everyone, We having troubles with RSA ciphers too 

Mar  4 20:00:47 /usr/sbin/opensips[60230]: ================= start TLS pseudo variables ===============
Mar  4 20:00:47 /usr/sbin/opensips[60230]: $tls_version                   = 'TLSv1.2'
Mar  4 20:00:47  /usr/sbin/opensips[60230]: $tls_cipher_info               = 'ECDHE-RSA-AES256-GCM-SHA384'
Mar  4 20:00:47  /usr/sbin/opensips[60230]: ERROR:tls_wolfssl:get_cert: failed to get certificate from SSL structure
Mar  4 20:00:47 /usr/sbin/opensips[60230]: $tls_peer_san_hostname         = '<null>'
Mar  4 20:00:47  /usr/sbin/opensips[60230]: ERROR:tls_wolfssl:get_cert: failed to get certificate from SSL structure
Mar  4 20:00:47  /usr/sbin/opensips[60230]: $tls_peer_san_ip               = '<null>'
Mar  4 20:00:47  /usr/sbin/opensips[60230]: ================= end TLS pseudo variables ===============
Mar  4 20:00:47  /usr/sbin/opensips[60230]: [REGISTER] Got expires timer inter => <null> customer transport => tls
Mar  4 20:00:47  /usr/sbin/opensips[60230]: ERROR:tls_wolfssl:_wolfssl_read: TLS connection to 47.24.94.64:58684 read failed
Mar  4 20:00:47 /usr/sbin/opensips[60230]: ERROR:tls_wolfssl:_wolfssl_read: TLS read error: -313, received alert fatal error
Mar  4 20:00:47  /usr/sbin/opensips[60230]: ERROR:proto_tls:tls_read_req: failed to read
volga629-1 commented 2 years ago

In 2.4 was patch for wolfssl which include this

diff --git a/modules/tls_wolfssl/Makefile b/modules/tls_wolfssl/Makefile
index 342c14887..c8009d556 100644
--- a/modules/tls_wolfssl/Makefile
+++ b/modules/tls_wolfssl/Makefile
@@ -22,7 +22,7 @@ lib/lib/libwolfssl.a:
                --enable-writedup --enable-tlsv10 --disable-shared --enable-static \
                --disable-jni --disable-crl-monitor \
                --prefix=$(MOD_DIR)/lib \
-               --exec-prefix=$(MOD_DIR)/lib C_EXTRA_FLAGS="-fPIC" CFLAGS="-DWOLFSSL_STATIC_RSA -DWOLFSSL_USER_MUTEX"; \
+               --exec-prefix=$(MOD_DIR)/lib C_EXTRA_FLAGS="-fPIC" CFLAGS="-DWOLFSSL_STATIC_RSA"; \
github-actions[bot] commented 2 years ago

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

volga629-1 commented 2 years ago

in progress

github-actions[bot] commented 2 years ago

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

volga629-1 commented 2 years ago

in progress

github-actions[bot] commented 2 years ago

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

volga629-1 commented 2 years ago

in progress

github-actions[bot] commented 2 years ago

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

github-actions[bot] commented 2 years ago

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

volga629-1 commented 2 years ago

in progress

vasilevalex commented 2 years ago

@rvlad-patrascu Thanks! Works fine.