Frequent TLS failures

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Frequent TLS failures

Daniel Lakeland
I have set up monit to monitor TLS connectivity for my opensips
instance. It just connects via openssl s_client and greps for errors, it
reboots openssl if it has errors more than a few times in a row.

I get errors as follows about 3 to 5 times a day:

        Description: status failed (1) -- 140444316333312:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../crypto/rsa/rsa_pk1.c:67:
140444316333312:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:586:
140444316333312:error:1416D07B:SSL routines:tls_process_key_exchange:bad signature:../ssl/statem/statem_clnt.c:1721:


rebooting opensips makes them go away for several hours. For example monit rebooted opensips at 2:37 AM, 4:55 AM, and 6:48 AM so far this morning (it's about 8:55 am where I am now).

This seems suspicious, and btw several other processes use the same certs with no problems day in and day out (prosody jabber server for example, probably some others).

I suspect some memory gets corrupted in opensips and this causes it to fail to work.

Opensips is version 2.3.2-1 installed from the opensips apt repository on a mixed Debian system, openssl and libssl = 1.1.0g

Any thoughts?



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Frequent TLS failures

Abisai Matangira


Sent from Nine

From: Daniel Lakeland <[hidden email]>
Sent: Thursday, 25 January 2018 6:59 pm
To: OpenSIPS users mailling list
Subject: [OpenSIPS-Users] Frequent TLS failures

I have set up monit to monitor TLS connectivity for my opensips
instance. It just connects via openssl s_client and greps for errors, it
reboots openssl if it has errors more than a few times in a row.

I get errors as follows about 3 to 5 times a day:

        Description: status failed (1) -- 140444316333312:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../crypto/rsa/rsa_pk1.c:67:
140444316333312:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:586:
140444316333312:error:1416D07B:SSL routines:tls_process_key_exchange:bad signature:../ssl/statem/statem_clnt.c:1721:


rebooting opensips makes them go away for several hours. For example monit rebooted opensips at 2:37 AM, 4:55 AM, and 6:48 AM so far this morning (it's about 8:55 am where I am now).

This seems suspicious, and btw several other processes use the same certs with no problems day in and day out (prosody jabber server for example, probably some others).

I suspect some memory gets corrupted in opensips and this causes it to fail to work.

Opensips is version 2.3.2-1 installed from the opensips apt repository on a mixed Debian system, openssl and libssl = 1.1.0g

Any thoughts?



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Frequent TLS failures

Abisai Matangira
In reply to this post by Daniel Lakeland


Sent from Nine

From: Daniel Lakeland <[hidden email]>
Sent: Thursday, 25 January 2018 6:59 pm
To: OpenSIPS users mailling list
Subject: [OpenSIPS-Users] Frequent TLS failures

I have set up monit to monitor TLS connectivity for my opensips
instance. It just connects via openssl s_client and greps for errors, it
reboots openssl if it has errors more than a few times in a row.

I get errors as follows about 3 to 5 times a day:

        Description: status failed (1) -- 140444316333312:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../crypto/rsa/rsa_pk1.c:67:
140444316333312:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:586:
140444316333312:error:1416D07B:SSL routines:tls_process_key_exchange:bad signature:../ssl/statem/statem_clnt.c:1721:


rebooting opensips makes them go away for several hours. For example monit rebooted opensips at 2:37 AM, 4:55 AM, and 6:48 AM so far this morning (it's about 8:55 am where I am now).

This seems suspicious, and btw several other processes use the same certs with no problems day in and day out (prosody jabber server for example, probably some others).

I suspect some memory gets corrupted in opensips and this causes it to fail to work.

Opensips is version 2.3.2-1 installed from the opensips apt repository on a mixed Debian system, openssl and libssl = 1.1.0g

Any thoughts?



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users