[Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake failure

Assaf Dahary adahary at gmail.com
Tue Apr 22 22:59:20 MSD 2014


Steven,

 

Following your tip I've verified the 'dates' and also disabled the tls date verification to be on the safe side:

<param name="tls-verify-date" value="false"/>

# openssl x509 -noout -in agent.pem -dates

notBefore=Apr 20 00:00:00 2014 GMT

notAfter=Apr 20 23:59:59 2015 GMT

 

my vars.xml:

<X-PRE-PROCESS cmd="set" data="sip_tls_version=sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2"/>

<X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>

  

  <!-- Internal SIP Profile -->

  <X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>

  <X-PRE-PROCESS cmd="set" data="internal_sip_port=5090"/>

  <X-PRE-PROCESS cmd="set" data="internal_tls_port=5091"/>

  <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>

  <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>

 

I assume that you imply that there is something wrong with agent.pem (cat crt + key).

Is there any better way to verify the usage of FS with the crt/key pair besides loading the agent.pem and verifying it via 'sofia status' (display alias and TLS port)? Is it enough (apparently not)?

I set 'sofia loglevel all 9' but cannot see much besides the regular TLS error line.

 

Regards

Assaf

 

 

From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Steven Ayre
Sent: Tuesday, April 22, 2014 8:03 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake failure

 

I wasn't suggesting the version was the issue, just warning you that you're on an old version. Date/time was in case the certificate was expired / not valid yet - I've seen that before on an embedded system where connections would fail before NTP set the correct time. OpenSSL error messages aren't always user friendly...

 

On 22 April 2014 16:11, Assaf Dahary <adahary at gmail.com> wrote:

The date/time is OK (1 year from now).

 

The thing with the OpenSSL version is that I have the same installation on another box with version 1.0.1e and I can connect over TLS with the same kind of PositiveSSL CA (but a different sub-domain). The Heartbleed bug is known but that shouldn't be the problem.

It looks like something in FS is broken with the cipher list, which I cannot figure out, because the PositiveSSL CA works on the same box on a different port with Apache.

So Apache can manage the right cipher but FS does not. Why?

I read more about CentOS/RedHat, which is missing EC ciphers. I see that the gentls script also requires it (I got PositiveSSL to get around this self-signed option).

 

I'll try anyway to upgrade openssl to the latest (http://www.openssl.org/source/openssl-1.0.1g.tar.gz) and see if it will resolve it – hopefully.

 

Assaf

 

 

 

From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Steven Ayre
Sent: Tuesday, April 22, 2014 5:32 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake failure

 

Can't help you with what the issue would be (though I'd verify your date/time settings are correct)... but I would update your OpenSSL version since 1.0.1e is vulnerable to the heartbleed bug.

 

On 22 April 2014 13:46, Assaf Dahary <adahary at gmail.com> wrote:

Hi,

 

I've successfully installed an FS server with TLS using PositiveSSL and it is working great.

A few days ago I followed the same installation on another standalone machine with the same FS-1.2.22 and PositiveSSL CA, but this time I cannot connect over TLS.

It seems that FS has no cipher to respond with and it fails on negotiation.

 

The PositiveSSL is OK because I verified it locally with "openssl s_client" and from the internet using browser/https.

 

My ssl/ pem files are made with (like I did with the first server - OK):

# cat mysite_com.crt myserver.key > agent.pem
# cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > cafile.pem
# chown freeswitch.freeswitch *.pem
# chmod 640 *.pem

 

When issuing "$ sslscan myfs.com:5091 | grep Accepted"
I get no single cipher. I get a long list of 'Rejected' ciphers.
When I'm running the same command for my first server I get a list of supported ciphers – which is OK.

When running:
[root at www ~]# openssl s_client -connect myfs.com:5091
CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = myfs.com
verify return:1
140160541112136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
140160541112136:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

I've already re-installed FS with clean config files.

CentOS 6.x 64, OpenSSL 1.0.1e-fips 11 Feb 2013.

I would appreciate any help/tip on this TLS fail issue.

Regards

Assaf
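A more direct check of the agent.pem the thread builds with cat (certificate followed by key), as an added example that is not part of any post here or of the FreeSWITCH project: the script compares the public key inside the certificate with the public key derived from the private key in the same file, checks the validity window, and verifies the chain against the CA bundle. It assumes only the openssl command-line tool; the file names (agent-good.pem, mysite.crt and so on) and the self-signed material its helper generates are constructed for illustration, not the PositiveSSL certificates discussed above. One common reason a server answers with alert 40 (handshake_failure, the "sslv3 alert handshake failure" quoted in the thread) is that it has no usable certificate and key loaded for that port and so cannot offer any of the cipher suites the client proposed, so a broken agent.pem is worth ruling out first.

```shell
#!/bin/sh
# check_agent_pem.sh: sanity-check a FreeSWITCH-style agent.pem (certificate and
# private key concatenated with cat) before pointing a Sofia profile at it.
# Added example for this thread, not code from the original posts or from the
# FreeSWITCH project. Assumes only the openssl command-line tool; file names
# such as agent-good.pem are illustrative.

# check_agent_pem PEMFILE [CAFILE]
# Returns 0 when the certificate and key in PEMFILE belong together and the
# certificate is currently valid, 1 otherwise, printing one line per finding.
check_agent_pem() {
    pem="$1"
    cafile="${2:-}"

    # FreeSWITCH reads both the certificate and the key from this one file, so it
    # needs at least one certificate block and exactly one private key block.
    # (OpenSSL skips PEM blocks of the wrong type, so cert-then-key order is fine.)
    ncert=$(grep -c '^-----BEGIN CERTIFICATE-----' "$pem")
    nkey=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$pem")
    if [ "$ncert" -lt 1 ] || [ "$nkey" -ne 1 ]; then
        echo "FAIL: $pem has $ncert certificate block(s) and $nkey private key block(s)"
        return 1
    fi

    # The public key embedded in the certificate must be the public half of the
    # private key; openssl prints both as SubjectPublicKeyInfo PEM, so a plain
    # string comparison is enough.
    certpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    if [ -z "$certpub" ] || [ -z "$keypub" ]; then
        echo "FAIL: openssl cannot parse the certificate or the private key in $pem"
        return 1
    fi
    if [ "$certpub" != "$keypub" ]; then
        echo "FAIL: the private key in $pem does not belong to the certificate"
        return 1
    fi

    openssl x509 -in "$pem" -noout -subject -dates
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "FAIL: the certificate in $pem has expired"
        return 1
    fi

    # With the CA bundle (cafile.pem in the thread) also check the chain and the
    # full validity window; -checkend only looks at notAfter. Only the leaf
    # certificate is piped in, so the private key never reaches verify.
    if [ -n "$cafile" ]; then
        if ! openssl x509 -in "$pem" | openssl verify -CAfile "$cafile" 2>&1 | grep -q ': OK$'; then
            echo "FAIL: the certificate in $pem does not verify against $cafile"
            return 1
        fi
    fi
    echo "OK: $pem certificate and key match"
    return 0
}

# make_test_material DIR: constructed fixtures (not real PositiveSSL material):
# a self-signed certificate with its key, plus an unrelated key to build the
# broken variants of agent.pem that the check is meant to catch.
make_test_material() {
    d="$1"
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=myfs.example' \
        -keyout "$d/myserver.key" -out "$d/mysite.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
    cat "$d/mysite.crt" "$d/myserver.key" > "$d/agent-good.pem"      # built as in the thread
    cat "$d/mysite.crt" "$d/other.key"    > "$d/agent-wrongkey.pem"  # key from another box
    cp  "$d/mysite.crt" "$d/agent-nokey.pem"                          # key left out
    chmod 640 "$d"/*.pem
}

# probe_tls HOST PORT: the s_client test from the thread, reduced to the lines
# that matter: the negotiated cipher, or the alert that ended the handshake.
probe_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 |
        grep -E 'Cipher is|alert|Verify return code'
}

# Usage: sh check_agent_pem.sh agent.pem [cafile.pem]
if [ "$#" -ge 1 ]; then
    check_agent_pem "$@"
fi
```

Run it on the box as sh check_agent_pem.sh agent.pem cafile.pem; probe_tls myfs.com 5091 reduces the s_client output quoted above to the negotiated cipher or the alert. On OpenSSL 1.0.x, openssl verify still prints OK after an expired-certificate error, which is why the expiry check is done separately with -checkend.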
 


_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org
http://www.freeswitchsolutions.com




Official FreeSWITCH Sites
http://www.freeswitch.org
http://wiki.freeswitch.org
http://www.cluecon.com

FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
