Error message TLS read:error:0D0E10DF:asn1 encoding routines:asn1_get_uint64:too large #3168

Closed
MartinPalmAGDS opened this issue Jun 29, 2022 · 2 comments

Comments

@MartinPalmAGDS

We use Kamailio as a proxy server to connect softphones to our PBX systems.
We have run into some TLS problems. These problems result in a shutdown of the TLS connection after the error is encountered.

We have looked into serial numbers of certificates. The current code in Kamailio seems to be broken due to changes in the world around it: many certificates today no longer adhere to the previously assumed behaviour of certificate serial numbers.
The error which causes the connection to drop seems to be related to a comparison of the certificate serial numbers during renegotiation.
tls_err_ret(): TLS read:error:0D0E10DF:asn1 encoding routines:asn1_get_uint64:too large
Kamailio expects serial numbers to fit in a 64-bit unsigned integer; however, over the last years, starting around 2003, more and more systems use automatically generated serial numbers, which are frequently 128 bits long.
The serial number of our own Auerswald root certificate looks to be only 64 bits long, but during the negotiation it is presented as 9 bytes starting with 00h, which is interpreted as a 72-bit value. Trying to put this serial number into a 64-bit long kills the connection.
Due to the different ways that are used to generate serial numbers now, there is no simple algorithm to condense the number into a 64-bit value, and the whole number should be compared to see if it is the same or higher.
We currently have disabled renegotiation to avoid the connection being dropped during renegotiation. This, however, can lead to the connection being dropped by the other side during renegotiation, so it is not a good permanent workaround!

Reproduction

This issue happens infrequently

Possible Solutions

No workaround possible on our side

Additional Information

Kamailio Version 5.5.4
LibSSL 1.1.1n

  • Operating System: Linux, Debian oldstable
space88man added a commit to space88man/kamailio that referenced this issue Jun 29, 2022
@space88man
Contributor

space88man commented Jun 29, 2022

@MartinPalmAGDS, I propose a fix here: #3171
I would appreciate it if you could test it out. It converts the certificate serial number to a BIGNUM and then to a string
instead of trying uint64.

You can no longer extract the serial number as int from the pv but you can extract as string.
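The following is an added example, not Kamailio's code and not the code from #3171. It shows the two approaches discussed above side by side on constructed DER-encoded serial numbers: squeezing the serial into a `uint64_t` (which rejects anything encoded in more than 8 content octets, including a 64-bit serial that DER pads with a leading 0x00 because its top bit is set), versus keeping the whole magnitude as a hex string and comparing serials octet by octet. It uses a small hand-written DER INTEGER decoder so it runs without OpenSSL; in real code the corresponding calls are `ASN1_INTEGER_get_uint64` for the old path and `ASN1_INTEGER_to_BN` followed by `BN_bn2hex` for the new one. All serial values, function names and the decoder are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed DER-encoded serial numbers (tag 0x02 INTEGER), not taken from
 * any real certificate:
 *   SERIAL_SMALL  - a small serial as CAs used to issue them,
 *   SERIAL_PADDED - a 64-bit value whose top bit is set, so DER prepends a
 *                   0x00 pad octet and the content is 9 octets long,
 *   SERIAL_128    - a 128-bit random-style serial as public CAs issue today. */
static const uint8_t SERIAL_SMALL[]  = { 0x02, 0x01, 0x2A };
static const uint8_t SERIAL_PADDED[] = { 0x02, 0x09, 0x00, 0x80, 0x00, 0x00, 0x00,
                                         0x00, 0x00, 0x00, 0x01 };
static const uint8_t SERIAL_128[]    = { 0x02, 0x10, 0x4F, 0x3C, 0x11, 0xB2, 0x9E, 0x00,
                                         0x7D, 0x5A, 0x66, 0xC1, 0x02, 0x88, 0x13, 0xF4,
                                         0xAB, 0x07 };

/* Locate the content octets of a DER INTEGER. Handles short-form and one-byte
 * long-form lengths, which covers every serial a certificate may carry
 * (RFC 5280 caps serials at 20 octets). Returns 0 on malformed input. */
int der_integer_content(const uint8_t *der, size_t der_len,
                        const uint8_t **content, size_t *content_len)
{
    if (der_len < 2 || der[0] != 0x02)
        return 0;
    size_t len = der[1], hdr = 2;
    if (len & 0x80) {
        if ((len & 0x7F) != 1 || der_len < 3)
            return 0;
        len = der[2];
        hdr = 3;
    }
    if (len == 0 || der_len - hdr < len)
        return 0;
    *content = der + hdr;
    *content_len = len;
    return 1;
}

/* Old approach: force the serial into a uint64_t. Anything with more than
 * 8 content octets, or a negative value, is rejected ("too large"). */
int serial_to_u64(const uint8_t *der, size_t der_len, uint64_t *out)
{
    const uint8_t *c; size_t n;
    if (!der_integer_content(der, der_len, &c, &n) || n > sizeof(uint64_t) || (c[0] & 0x80))
        return 0;
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | c[i];
    *out = v;
    return 1;
}

/* New approach: keep the whole magnitude and render it as uppercase hex, close
 * to what BN_bn2hex produces. Leading zero octets (the DER pad) are dropped so
 * the same value yields the same string however it was padded. Returns the
 * number of hex digits written, or -1 on malformed input or a small buffer. */
int serial_to_hex(const uint8_t *der, size_t der_len, char *out, size_t out_len)
{
    const uint8_t *c; size_t n;
    if (!der_integer_content(der, der_len, &c, &n) || (c[0] & 0x80))
        return -1;
    while (n > 1 && c[0] == 0x00) { c++; n--; }
    if (out_len < 2 * n + 1)
        return -1;
    for (size_t i = 0; i < n; i++)
        sprintf(out + 2 * i, "%02X", c[i]);
    return (int)(2 * n);
}

/* Compare two positive serials by magnitude without a machine-word conversion:
 * strip pad octets, then longer magnitude wins, else lexicographic memcmp.
 * Returns -1, 0 or 1; -2 if either input is malformed. */
int serial_cmp(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    const uint8_t *ca, *cb; size_t na, nb;
    if (!der_integer_content(a, alen, &ca, &na) || !der_integer_content(b, blen, &cb, &nb))
        return -2;
    while (na > 1 && ca[0] == 0x00) { ca++; na--; }
    while (nb > 1 && cb[0] == 0x00) { cb++; nb--; }
    if (na != nb)
        return na < nb ? -1 : 1;
    int r = memcmp(ca, cb, na);
    return r < 0 ? -1 : (r > 0 ? 1 : 0);
}

int main(void)
{
    const uint8_t *serials[] = { SERIAL_SMALL, SERIAL_PADDED, SERIAL_128 };
    const size_t lens[] = { sizeof SERIAL_SMALL, sizeof SERIAL_PADDED, sizeof SERIAL_128 };
    for (int i = 0; i < 3; i++) {
        uint64_t v; char hex[64];
        if (serial_to_u64(serials[i], lens[i], &v))
            printf("uint64 path:  %llu\n", (unsigned long long)v);
        else
            printf("uint64 path:  too large (TLS session would be torn down)\n");
        serial_to_hex(serials[i], lens[i], hex, sizeof hex);
        printf("string path:  %s\n", hex);
    }
    return 0;
}
```

Running it shows the small serial surviving both paths, while the padded 64-bit serial and the 128-bit serial only survive the string path; `serial_cmp` orders all three correctly without ever needing a fixed-width integer.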

@MartinPalmAGDS
Author

MartinPalmAGDS commented Jul 4, 2022 via email

miconda pushed a commit that referenced this issue Jul 4, 2022
@miconda miconda closed this as completed Jul 4, 2022
miconda pushed a commit that referenced this issue Jul 6, 2022
miconda pushed a commit that referenced this issue Sep 15, 2022
- GH #3168

(cherry picked from commit 996bf4c)
(cherry picked from commit c4465cf)
miconda pushed a commit that referenced this issue Sep 15, 2022
- GH #3168

(cherry picked from commit 996bf4c)
(cherry picked from commit c4465cf)
(cherry picked from commit 8b2b13c)