sslv3 errors showing up with 'tls_method' set as 'TLSv1.2+' #3085

Closed
vkruoso opened this issue Apr 13, 2022 · 4 comments

vkruoso commented Apr 13, 2022

Description

Some users are having issues connecting to kamailio websocket using TLS. The logs show SSLv3 errors. Cannot find why that error would show up if SSLv2/3 is not enabled. Double checked it via SSLLabs that only TLSv1.2 is allowed in the service.

Any pointers would be appreciated. Also, let me know if more debug information is needed.

Troubleshooting

Debugging Data

This is the TLS config:

modparam("tls", "tls_method", "TLSv1.2+")
modparam("tls", "verify_certificate", 0)
modparam("tls", "require_certificate", 0)
modparam("tls", "low_mem_threshold1", 0)
modparam("tls", "low_mem_threshold2", 0)
modparam("tls", "private_key", "/etc/certs/tls.key")
modparam("tls", "certificate", "/etc/certs/tls.crt")

This is the output from tls module in kamcmd:

kamcmd> tls.info
{
        max_connections: 2048
        opened_connections: 353
        clear_text_write_queued_bytes: 0
}
kamcmd> tls.options
{
        force_run: 0
        method: TLSv1.2+
        verify_certificate: 0
        verify_depth: 9
        require_certificate: 0
        private_key: /etc/certs/tls.key
        ca_list: <null string>
        certificate: /etc/certs/tls.crt
        cipher_list: <null string>
        session_cache: 0
        session_id: kamailio-tls-5.x.y
        config: <null string>
        log: 3
        debug: 3
        connection_timeout: 600
        disable_compression: 1
        ssl_release_buffers: -1
        ssl_freelist_max: -1
        ssl_max_send_fragment: -1
        ssl_read_ahead: 0
        send_close_notify: 0
        low_mem_threshold1: 0
        low_mem_threshold2: 0
        ct_wq_max: 10485760
        con_ct_wq_max: 65536
        ct_wq_blk_size: 4096
}

Log Messages

I see these log messages related to SSLv3:

15(36) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
15(36) ERROR: <core> [core/tcp_read.c:1512]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fafc8768190 r: 0x7fafc8768278 (-1)

Additional Information

  • Kamailio Version - output of kamailio -v
version: kamailio 5.3.9 (x86_64/linux) 
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown 
compiled with gcc 6.3.0
  • Operating System:

Debian 9.13.

Linux 4.19.112+ #1 SMP Wed Sep 23 07:53:39 PDT 2020 x86_64 GNU/Linux

miconda commented Apr 20, 2022

The log containing ssl3_read_bytes:sslv3 is not related to the protocol version itself; it's about internal functions inside libssl that are also used for TLS. Besides the prefix, the log message is retrieved from libssl, suggesting a possible issue with certificates or the client application. It happens before kamailio gets any traffic or control over the TLS connection.

It is more about usage of kamailio and your client apps. I suggest you try to figure out what kind of clients end up in this case and troubleshoot further using a higher debug level to get more verbosity in the syslog. Then discuss further on sr-users@lists.kamailio.org to get assistance from the community. It doesn't look to be an issue in the code of kamailio.

miconda closed this as completed Apr 20, 2022

vkruoso commented Apr 22, 2022

Thanks for the response @miconda. Sorry for the issue not being related to kamailio code. My thought was that since sslv3 is disabled, that error would indicate something was misconfigured. If you have any pointers on how to debug an error like this, would be appreciated. Anyway, will be hitting up the user list as well.

beshoo commented Dec 7, 2023

@vkruoso

I have the same error. Did you manage to solve the problem?

vkruoso commented Dec 7, 2023

@beshoo not really. Did not have the chance to reproduce it myself, so I didn't figure out the kind of clients that were generating these kinds of errors.
