Open nvwx opened 1 year ago
try with TLSv1.3 version
Hi @Sivasundareswaran, here are the logs when specifying -tls1_3 with s_client.
Edited to provide better example content...
Successful s_client side:
$ openssl s_client -debug -connect sofia:5061 -tls1_3
CONNECTED(00000003)
write to 0x561ee9fa63e0 [0x561ee9fb8320] (248 bytes => 248 (0xF8))
[ content ]
read from 0x561ee9fa63e0 [0x561ee9faf013] (5 bytes => 5 (0x5))
[ more content as handshake completes. ]
Then on the sofia side:
2023-02-27 20:54:15.924922 tport.c:2806 tport_wakeup_pri() tport_wakeup_pri(0x555d194b7a30): events IN
2023-02-27 20:54:15.925081 tport_type_tcp.c:202 tport_tcp_init_secondary() tport_tcp_init_secondary(0x555d19503cb0): Setting TCP_KEEPIDLE to 30
2023-02-27 20:54:15.925114 tport_type_tcp.c:208 tport_tcp_init_secondary() tport_tcp_init_secondary(0x555d19503cb0): Setting TCP_KEEPINTVL to 30
2023-02-27 20:54:15.925182 tport.c:1088 tport_register_secondary() tport_register_secondary(0x555d194b7a30): register secondary tport 0x555d19503cb0 from tls/incoming_IP_address:57776, count(wss) is 0, count(tcp) is 2
2023-02-27 20:54:15.925204 tport_type_tls.c:620 tport_tls_accept() tport_tls_accept(0x555d19503cb0): new connection from tls/incoming_IP_address:57776
2023-02-27 20:54:15.925513 tport_tls.c:970 tls_connect() tls_connect(0x555d19503cb0): events NEGOTIATING
2023-02-27 20:54:15.963909 tport_tls.c:970 tls_connect() tls_connect(0x555d19503cb0): events NEGOTIATING
2023-02-27 20:54:15.964191 tport_tls.c:610 tls_post_connection_check() tls_post_connection_check(0x555d19503cb0): TLS cipher chosen (name): TLS_AES_256_GCM_SHA384
2023-02-27 20:54:15.964232 tport_tls.c:612 tls_post_connection_check() tls_post_connection_check(0x555d19503cb0): TLS cipher chosen (version): TLSv1.3
2023-02-27 20:54:15.964256 tport_tls.c:615 tls_post_connection_check() tls_post_connection_check(0x555d19503cb0): TLS cipher chosen (bits/alg_bits): 256/256
2023-02-27 20:54:15.964292 tport_tls.c:618 tls_post_connection_check() tls_post_connection_check(0x555d19503cb0): TLS cipher chosen (description): TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
2023-02-27 20:54:15.964315 tport_tls.c:623 tls_post_connection_check() tls_post_connection_check(0x555d19503cb0): Peer did not provide X.509 Certificate.
2023-02-27 20:54:15.964333 tport_tls.c:634 tls_post_connection_check() tls_post_connection_check(0x555d19503cb0): returning X509_V_OK
2023-02-27 20:54:15.964357 tport_tls.c:1043 tls_connect() tls_connect: TLS handshake complete.
2023-02-27 20:54:15.964396 tport.c:2345 tport_set_secondary_timer() tport(0x555d19503cb0): reset timer
2023-02-27 20:54:16.947604 tport.c:2832 tport_wakeup() tport_wakeup(0x555d19503cb0): events IN
2023-02-27 20:54:16.947756 tport.c:2201 tport_shutdown0() tport_shutdown0(0x555d19503cb0, 2) tls/incoming_IP_address:57776
2023-02-27 20:54:16.947786 tport.c:2132 tport_close() tport_close(0x555d19503cb0): tls/incoming_IP_address:57776
2023-02-27 20:54:16.947919 tport.c:2208 tport_shutdown0() tport_shutdown0(0x555d19503cb0): after tport_close refcount is now 0
Failed s_client side:
$ openssl s_client -debug -connect sofia:5061 -tls1_3
CONNECTED(00000003)
write to 0x5654be97b3e0 [0x5654be98d320] (248 bytes => 248 (0xF8))
[ content ]
^C break after ~7 seconds
sofia side:
2023-02-27 20:54:49.479559 tport.c:2806 tport_wakeup_pri() tport_wakeup_pri(0x555d194b7550): events IN
2023-02-27 20:54:49.479715 tport_type_tcp.c:202 tport_tcp_init_secondary() tport_tcp_init_secondary(0x555d194fdc10): Setting TCP_KEEPIDLE to 30
2023-02-27 20:54:49.479746 tport_type_tcp.c:208 tport_tcp_init_secondary() tport_tcp_init_secondary(0x555d194fdc10): Setting TCP_KEEPINTVL to 30
2023-02-27 20:54:49.479780 tport.c:1088 tport_register_secondary() tport_register_secondary(0x555d194b7550): register secondary tport 0x555d194fdc10 from tcp/incoming_IP_address:40054, count(wss) is 0, count(tcp) is 3
2023-02-27 20:54:49.479809 tport.c:2700 tport_accept() tport_accept(0x555d194fdc10): new connection from tcp/incoming_IP_address:40054
2023-02-27 20:54:49.480563 tport.c:2832 tport_wakeup() tport_wakeup(0x555d194fdc10): events IN
2023-02-27 20:54:49.480627 tport.c:2929 tport_recv_event() tport_recv_event(0x555d194fdc10)
2023-02-27 20:54:49.480662 tport.c:3270 tport_recv_iovec() tport_recv_iovec(0x555d194fdc10) msg 0x555d194fce90 from (tcp/incoming_IP_address:40054) has 248 bytes, veclen = 1
2023-02-27 20:54:49.480699 tport.c:2345 tport_set_secondary_timer() tport(0x555d194fdc10): reset timer
<break on s_client side>
2023-02-27 20:54:57.762442 tport.c:2832 tport_wakeup() tport_wakeup(0x555d194fdc10): events IN
2023-02-27 20:54:57.762585 tport.c:2929 tport_recv_event() tport_recv_event(0x555d194fdc10)
2023-02-27 20:54:57.762625 tport.c:3088 tport_deliver() tport_deliver(0x555d194fdc10): bad msg 0x555d194fce90 (0 bytes) from tcp/incoming_IP_address:40054 next=(nil)
2023-02-27 20:54:57.762645 tport.c:1171 tport_ref() tport_ref(0x555d194fdc10): refcount is now 1
2023-02-27 20:54:57.762666 tport.c:1184 tport_unref() tport_unref(0x555d194fdc10): refcount is now 0
2023-02-27 20:54:57.762686 tport.c:2345 tport_set_secondary_timer() tport(0x555d194fdc10): reset timer
2023-02-27 20:54:57.762712 tport.c:852 tport_set_events() tport_set_events(0x555d194fdc10): events
2023-02-27 20:54:57.762733 tport.c:2965 tport_recv_event() tport_recv_event(0x555d194fdc10): end of stream from tcp/incoming_IP_address:40054 refcount is 0
2023-02-27 20:54:57.762751 tport.c:2201 tport_shutdown0() tport_shutdown0(0x555d194fdc10, 2) tcp/incoming_IP_address:40054
2023-02-27 20:54:57.762769 tport.c:2132 tport_close() tport_close(0x555d194fdc10): tcp/incoming_IP_address:40054
2023-02-27 20:54:57.762816 tport.c:2208 tport_shutdown0() tport_shutdown0(0x555d194fdc10): after tport_close refcount is now 0
2023-02-27 20:54:57.762841 tport.c:2971 tport_recv_event() tport_recv_event(0x555d194fdc10): back from tport_shutdown0 refcount is now 0
2023-02-27 20:54:57.762859 tport.c:2311 tport_set_secondary_timer() tport(0x555d194fdc10): set timer at 0 ms because zap
2023-02-27 20:54:57.762884 tport.c:1155 tport_zap_secondary() tport_zap_secondary(0x555d194b7550): zap tport 0x555d194fdc10 from tcp/incoming_IP_address:40054, count(wss) is 0, count(tcp) is 2
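The two sofia-side traces above differ in one line that is easy to miss: the good connection is registered "from tls/..." and accepted by tport_tls_accept(), while the bad one is registered "from tcp/...", accepted by tport_accept(), receives 248 bytes (the same size as the s_client ClientHello write) and dies at EOF with a "bad msg ... (0 bytes)" delivery. The following script is an added example, not code from sofia-sip or from anyone in this thread. It parses the tport debug formats exactly as they appear in the logs above, correlates lines by secondary tport pointer, and flags connections that show the second pattern, so an operator can scan a larger log for the same symptom instead of reading traces by hand. The SAMPLE_LOG is constructed from the shape of the posted lines (pointer values reused, peer address replaced by the documentation address 203.0.113.10); the "handshake complete" line is not used because in the real log it carries no tport pointer, so the "TLS cipher chosen (version)" line stands in for it. is_tls_client_hello() is a helper for checking the first bytes of such a connection in a pcap; the 248-byte record it is fed is constructed too.

```python
"""Flag sofia-sip connections that were accepted as plain TCP but never parsed
as SIP (added example; log formats copied from the issue, sample data constructed)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: one connection accepted as tls/, one as tcp/.
SAMPLE_LOG = """\
2023-02-27 20:54:15.925182 tport.c:1088 tport_register_secondary() tport_register_secondary(0x555d194b7a30): register secondary tport 0x555d19503cb0 from tls/203.0.113.10:57776, count(wss) is 0, count(tcp) is 2
2023-02-27 20:54:15.925204 tport_type_tls.c:620 tport_tls_accept() tport_tls_accept(0x555d19503cb0): new connection from tls/203.0.113.10:57776
2023-02-27 20:54:15.964232 tport_tls.c:612 tls_post_connection_check() tls_post_connection_check(0x555d19503cb0): TLS cipher chosen (version): TLSv1.3
2023-02-27 20:54:15.964357 tport_tls.c:1043 tls_connect() tls_connect: TLS handshake complete.
2023-02-27 20:54:16.947786 tport.c:2132 tport_close() tport_close(0x555d19503cb0): tls/203.0.113.10:57776
2023-02-27 20:54:49.479780 tport.c:1088 tport_register_secondary() tport_register_secondary(0x555d194b7550): register secondary tport 0x555d194fdc10 from tcp/203.0.113.10:40054, count(wss) is 0, count(tcp) is 3
2023-02-27 20:54:49.479809 tport.c:2700 tport_accept() tport_accept(0x555d194fdc10): new connection from tcp/203.0.113.10:40054
2023-02-27 20:54:49.480662 tport.c:3270 tport_recv_iovec() tport_recv_iovec(0x555d194fdc10) msg 0x555d194fce90 from (tcp/203.0.113.10:40054) has 248 bytes, veclen = 1
2023-02-27 20:54:57.762625 tport.c:3088 tport_deliver() tport_deliver(0x555d194fdc10): bad msg 0x555d194fce90 (0 bytes) from tcp/203.0.113.10:40054 next=(nil)
2023-02-27 20:54:57.762769 tport.c:2132 tport_close() tport_close(0x555d194fdc10): tcp/203.0.113.10:40054
"""

# Patterns follow the tport.c / tport_tls.c debug lines posted in the issue.
RE_REGISTER = re.compile(
    r"tport_register_secondary\((0x[0-9a-f]+)\): register secondary tport "
    r"(0x[0-9a-f]+) from (\w+)/(\S+),")
RE_RECV = re.compile(
    r"tport_recv_iovec\((0x[0-9a-f]+)\) msg 0x[0-9a-f]+ from \(\S+\) has (\d+) bytes")
RE_TLS_VERSION = re.compile(
    r"tls_post_connection_check\((0x[0-9a-f]+)\): TLS cipher chosen \(version\): (\S+)")
RE_BAD_MSG = re.compile(r"tport_deliver\((0x[0-9a-f]+)\): bad msg")
RE_CLOSE = re.compile(r"tport_close\((0x[0-9a-f]+)\):")


@dataclass
class Connection:
    primary: str                 # listener tport that accepted the connection
    scheme: str                  # transport sofia chose at accept: tls, tcp, ...
    peer: str                    # remote ip:port as logged
    bytes_received: int = 0      # bytes seen by tport_recv_iovec()
    tls_version: Optional[str] = None   # set once tls_post_connection_check ran
    bad_msg: bool = False        # tport_deliver() reported an unparsable message
    closed: bool = False


def parse_tport_log(text: str) -> Dict[str, Connection]:
    """Build one Connection per secondary tport pointer from raw log text."""
    conns: Dict[str, Connection] = {}
    for line in text.splitlines():
        m = RE_REGISTER.search(line)
        if m:
            primary, tport, scheme, peer = m.groups()
            conns[tport] = Connection(primary, scheme, peer)
            continue
        m = RE_RECV.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].bytes_received += int(m.group(2))
            continue
        m = RE_TLS_VERSION.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].tls_version = m.group(2)
            continue
        m = RE_BAD_MSG.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].bad_msg = True
            continue
        m = RE_CLOSE.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].closed = True
    return conns


def classify(conn: Connection) -> str:
    """Label a connection; 'suspect-nonsip-on-tcp' is the issue's failure shape."""
    if conn.scheme == "tls":
        return "tls-ok" if conn.tls_version else "tls-handshake-incomplete"
    if conn.bytes_received > 0 and conn.bad_msg and conn.tls_version is None:
        return "suspect-nonsip-on-tcp"
    return "tcp-ok"


def report(text: str) -> List[str]:
    """One line per connection: verdict, pointer, listener, scheme, peer, bytes."""
    return [f"{classify(c):24} {tport} via {c.primary} {c.scheme}/{c.peer} {c.bytes_received}B"
            for tport, c in parse_tport_log(text).items()]


def is_tls_client_hello(first_bytes: bytes) -> bool:
    """True if a byte string starts like a TLS ClientHello record:
    content type 0x16 (handshake), record version major 3, handshake type 0x01."""
    return (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01)


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The report also prints which primary (listener) tport accepted each connection; in the traces above the two connections came through different primaries (0x555d194b7a30 for tls, 0x555d194b7550 for tcp), which is worth comparing against the listener configuration when hunting for why a 5061 connection ends up on a plaintext transport.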
Please check the openssl version of both client and server; if both are different, use the same version.
Version 1.12.10devel
When a customer attempts to connect and send an INVITE over a TLS connection, we see the customer SBC send us the Client Hello, but the initial connection attempt is logged as a TCP connection and sofia does not respond and continue the exchange. However, if the customer attempts to make the call again, the subsequent connection works. We've verified certificates are not expired and we can reproduce the issue using openssl.
I have logs below and a pcap I can share privately.
failed call
successful call