Errormessage TLS read:error:0D0E10DF:asn1 encoding routines:asn1_get_uint64:too large #3168
@MartinPalmAGDS — I propose a fix here: #3171. You can no longer extract the serial number as int from the pv but you can extract as string.
Hello,
fix has been tested – works as intended. Well done!
Best regards
Martin Palm
From: space88man ***@***.***>
Sent: Thursday, 30 June 2022 01:32
To: kamailio/kamailio ***@***.***>
Cc: Palm, Martin ***@***.***>; Mention ***@***.***>
Subject: Re: [kamailio/kamailio] Errormessage TLS read:error:0D0E10DF:asn1 encoding routines:asn1_get_uint64:too large (Issue #3168)
@MartinPalmAGDS — I have a proposed fix here: #3171
Appreciate if you could test it out. It converts the certificate serial number to a BIGNUM and then string.
You cannot extract the serial number as int from the pv but you can extract as string.
We use Kamailio as a proxy server to connect softphones to our PBX systems.
We have run into some TLS problems. These problems result in a shut down of the TLS connection after the error is encountered.
We have looked into serial numbers of certificates. The current code in kamailio seems to be broken due to changes in the world around... many certificates today do not adhere to the previously assumed behaviour of certificate serial numbers anymore.
The error which causes the connection to drop seems to be related to a comparison of the certificate serial numbers during renegotiation.
tls_err_ret(): TLS read:error:0D0E10DF:asn1 encoding routines:asn1_get_uint64:too large
Kamailio expects serial numbers to fit in a 64-bit unsigned; however, during the last years, starting around 2003, more and more systems use automatically generated serial numbers, which are frequently 128 bits long.
The serial number of our own Auerswald root certificate looks to be only 64 bits long, but during the negotiation is presented as 9 bytes starting with 00h, which is interpreted as a 72-bit value. Trying to put this serial number in a 64-bit long kills the connection.
Due to the different ways that are used to generate serial numbers now, there is no simple algorithm to condense the number into a 64-bit value, and the whole number should be compared to see if it is the same or higher.
We currently have disabled renegotiation to avoid the connection being dropped during renegotiation. This, however, can lead to the connection being dropped by the other side during renegotiation, but this is not a good permanent workaround!
Reproduction
This issue happens infrequently
Possible Solutions
No workaround possible on our side
Additional Information
Kamailio Version 5.5.4
LibSSL 1.1.1.n
Linux, Debian oldstable
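An added example illustrating the serial-number handling discussed in this issue; it is not Kamailio's or OpenSSL's code and not the patch from #3171. It puts a fixed-width conversion that rejects any encoding longer than 8 bytes next to a whole-number conversion to a decimal string, using plain long division where the fix is described as using a BIGNUM. The names `serial_to_u64`, `serial_to_dec`, `MAX_SERIAL` and `SAMPLE9` are assumptions made for this example, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_SERIAL 20 /* RFC 5280 caps serial numbers at 20 octets */

/* Models the failing assumption: any encoding over 8 bytes is rejected. */
int serial_to_u64(const unsigned char *b, size_t n, uint64_t *out)
{
    uint64_t v = 0;
    if (n > 8) return -1; /* the "too large" case from the issue */
    for (size_t i = 0; i < n; i++) v = (v << 8) | b[i];
    *out = v; return 0;
}

/* Whole-number route: big-endian magnitude to decimal string, any length. */
int serial_to_dec(const unsigned char *b, size_t n, char *out, size_t outlen)
{
    unsigned char tmp[MAX_SERIAL];
    char rev[3 * MAX_SERIAL]; /* 20 octets need at most 49 digits */
    size_t len = 0, start = 0;
    while (n > 0 && *b == 0) { b++; n--; } /* drop leading 00 padding */
    if (n > MAX_SERIAL) return -1;
    memcpy(tmp, b, n);
    while (start < n) { /* repeated division of the byte string by 10 */
        unsigned rem = 0;
        for (size_t i = start; i < n; i++) {
            unsigned cur = (rem << 8) | tmp[i];
            tmp[i] = (unsigned char)(cur / 10);
            rem = cur % 10;
        }
        rev[len++] = (char)('0' + rem); /* least significant digit first */
        while (start < n && tmp[start] == 0) start++;
    }
    if (len == 0) rev[len++] = '0';
    if (len + 1 > outlen) return -1;
    for (size_t i = 0; i < len; i++) out[i] = rev[len - 1 - i];
    out[len] = '\0'; return 0;
}

/* Constructed sample: 9 bytes with a leading 00, as described in the issue. */
static const unsigned char SAMPLE9[9] = {0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};

int main(void)
{
    char dec[64]; uint64_t v = 0;
    int rc = serial_to_u64(SAMPLE9, sizeof SAMPLE9, &v);
    serial_to_dec(SAMPLE9, sizeof SAMPLE9, dec, sizeof dec);
    printf("u64 route rc=%d, decimal=%s\n", rc, dec);
    return 0;
}
```

Comparing or logging the decimal string (or the stripped byte string) keeps all bits of a 128-bit serial, whereas the fixed-width route fails on the 9-byte sample.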