
In a production setup, randomly an OpenSIPS error comes up indicating tls_read failed due to an SSL_ERROR_SSL error.

OpenSIPS fails the TLS/TCP session, a new session is created, and it works fine.

Please provide any pointers on why tls_read would fail with the SSL_ERROR_SSL return code.

The OpenSIPS code invokes:

```c
ssl = c->extra_data;

ret = SSL_read(ssl, buf, len);
if (ret > 0) {
    /* data read successfully */
} else {
    err = SSL_get_error(ssl, ret);
    switch (err) {
    case SSL_ERROR_ZERO_RETURN:
        LM_INFO("TLS connection to %s:%d closed cleanly\n",
                ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
        /*
         * mark end of file
         */
        c->state = S_CONN_EOF;
        return 0;

    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
        /* non-blocking socket: nothing to do now, retry later */
        return 0;

    case SSL_ERROR_SYSCALL:
        LM_ERR("SYSCALL error -> (%d) <%s>\n", errno, strerror(errno));
        /* falls through to the generic error handling */
    default:
        /* SSL_ERROR_SSL (value 1) and anything else lands here */
        LM_ERR("TLS connection to %s:%d read failed\n",
               ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
        LM_ERR("TLS read error: %d\n", err);
        c->state = S_CONN_BAD;
        tls_print_errstack();
        return -1;
    }
}
```

I want to highlight that the TLS connection was established fine and a message is successfully received and sent. When the second message is received and SSL_read is invoked, the error below occurs:

```
2018-05-11T11:23:16.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS connection to 10.204.34.62:51519 read failed
2018-05-11T11:23:16.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:_tls_read: TLS read error: 1
2018-05-11T11:23:16.000-04:00 [local2] [err] ffd-alpha-zone1-ccm1.ipc.com /usr/sbin/opensipsInternal[10325]: ERROR:core:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
```

In the pcap, there is re-transmission of every TLS packet on both sides, and when this packet is read, it seems the packet is the second portion of a fragmented packet.

Thanks,

Rajesh
  • You will need to provide **far** more details than that. Please show the code establishing the connection and the part failing, and the full error message. – Patrick Mevzek May 14 '18 at 20:36
  • Hi Patrick, I have updated the details above. Please comment. – Rajesh May 18 '18 at 13:25
  • Please format the code so it's readable. The easiest way is probably to edit your post, highlight the code portion of it, and simply click on the `{}` code button at the top of the editor pane. – Andrew Henle May 18 '18 at 13:27
  • *SSL3_GET_CLIENT_CERTIFICATE:no certificate returned* you have a problem regarding authentication, one of the endpoints is not sending the correct certificate or one of the endpoints is not able to verify the certificate given because of an unknown CA or something like that. – Patrick Mevzek Jun 04 '18 at 02:54
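As an added example (not code from the question or from OpenSIPS), the following decodes the packed OpenSSL error code in the errstack line quoted above (`error:140890B2:...`) into the library, function and reason fields, the same split OpenSSL's `ERR_GET_LIB`/`ERR_GET_FUNC`/`ERR_GET_REASON` macros make in 1.0.x, so an operator can match the numeric code in a log line to the symbolic names the errstack prints. The sample log text is constructed from the question, and `ERR_LIB_SSL == 20` is the only library constant assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample: the errstack line quoted in the question. */
static const char *SAMPLE_ERRSTACK =
    "TLS errstack: error:140890B2:SSL routines:"
    "SSL3_GET_CLIENT_CERTIFICATE:no certificate returned";

/* Fields of a packed OpenSSL 1.0.x error code (ERR_PACK layout). */
struct ssl_err {
    unsigned long code;
    int lib;     /* ERR_GET_LIB:    bits 24..31, e.g. ERR_LIB_SSL == 20 */
    int func;    /* ERR_GET_FUNC:   bits 12..23 (always 0 in OpenSSL 3.0) */
    int reason;  /* ERR_GET_REASON: bits 0..11 */
};

/* Locate "error:<hex>:" in a log line and split the code the way the
 * ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON macros do.
 * Returns 0 on success, -1 when the line carries no packed error code. */
int decode_errstack_line(const char *line, struct ssl_err *out)
{
    const char *p = strstr(line, "error:");
    if (p == NULL)
        return -1;
    char *end = NULL;
    unsigned long code = strtoul(p + 6, &end, 16);
    if (end == p + 6 || *end != ':')
        return -1;
    out->code   = code;
    out->lib    = (int)((code >> 24) & 0xffUL);
    out->func   = (int)((code >> 12) & 0xfffUL);
    out->reason = (int)(code & 0xfffUL);
    return 0;
}

/* A code from ERR_LIB_SSL (20) means the TLS layer itself rejected the
 * handshake message or record; a socket failure shows up as SSL_ERROR_SYSCALL. */
int is_ssl_library_error(const struct ssl_err *e)
{
    return e->lib == 20;
}

int main(void)
{
    struct ssl_err e;
    if (decode_errstack_line(SAMPLE_ERRSTACK, &e) != 0)
        return 1;
    printf("lib=%d func=%d reason=%d\n", e.lib, e.func, e.reason);
    return 0;
}
```

For the code in the question this yields lib 20 (SSL routines), func 137 (SSL3_GET_CLIENT_CERTIFICATE) and reason 178 (no certificate returned); on OpenSSL 3.0 the function field is no longer encoded, so only lib and reason carry information there.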

0 Answers