### Description

The TLS module seems to have some regression from 5.7.3 to 5.7.4 causing `tls.reload` to fail loading certificates.

### Troubleshooting

#### System Info

- kamailio version: 5.7.4 (from official kamailio repos)
- distro version: debian 12
- OS/kernel version: Linux ip-172-31-30-183 6.1.0-17-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64 GNU/Linux
- openssl version: 3.0.11 (from official debian repos)

#### Reproduction

On a fresh install of debian 12:
- install openssl from debian repos
- install kamailio 5.7.4 from kamailio repos
- install kamailio-tls-modules from kamailio repos
- create a self signed cert with 4096 bit rsa key
- create a basic tls.cfg to load those files on the client/server default domain
- reload kamailio
- try running `kamcmd tls.reload`

#### Debugging Data

Example tls.cfg:

```
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/dsiprouter/certs/dsiprouter-key.pem
certificate = /etc/dsiprouter/certs/dsiprouter-cert.pem
ca_list = /etc/dsiprouter/certs/ca-list.pem
ca_path = /etc/dsiprouter/certs/ca

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/dsiprouter/certs/dsiprouter-key.pem
certificate = /etc/dsiprouter/certs/dsiprouter-cert.pem
ca_list = /etc/dsiprouter/certs/ca-list.pem
ca_path = /etc/dsiprouter/certs/ca
```

Example tls cert:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7a:43:b8:fa:df:c9:ed:a7:d6:ab:bb:9a:89:c0:8e:95:fd:62:de:26
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = MI, L = Detroit, O = dSIPRouter, CN = ec2-34-224-90-100.compute-1.amazonaws.com
        Validity
            Not Before: Jan 30 15:28:11 2024 GMT
            Not After : Jan 29 15:28:11 2025 GMT
        Subject: C = US, ST = MI, L = Detroit, O = dSIPRouter, CN = ec2-34-224-90-100.compute-1.amazonaws.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
...
```

Example tls key:

```
Private-Key: (4096 bit, 2 primes)
modulus:
...
```

#### Log Messages

```
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:345]: ksr_tls_fill_missing(): TLSs<default>: tls_method=25
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:357]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/dsiprouter/certs/dsiprouter-cert.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:364]: ksr_tls_fill_missing(): TLSs<default>: ca_list='/etc/dsiprouter/certs/ca-list.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:371]: ksr_tls_fill_missing(): TLSs<default>: ca_path='/etc/dsiprouter/certs/ca'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:378]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:382]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=1
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:397]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/dsiprouter/certs/dsiprouter-key.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:401]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=1
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:406]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:410]: ksr_tls_fill_missing(): TLSs<default>: verify_client=0
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: NOTICE: tls [tls_domain.c:1168]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_domain.c:590]: load_cert(): TLSs<default>: Unable to load certificate file '/etc/dsiprouter/certs/dsiprouter-cert.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:03000072:digital envelope routines::decode error (sni: unknown)
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:0A00018F:SSL routines::ee key too small (sni: unknown)
```

#### SIP Traffic

N/A
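A preflight check to run on the tls.cfg file pair before `kamcmd tls.reload`, added here as an example (it is neither Kamailio's code nor the reporter's): it tests the things the two logged OpenSSL errors point at, whether each PEM file decodes at all, whether the certificate's RSA key size meets the OpenSSL security-level floor (assumed 2048 bits, i.e. security level 2), and whether the private key actually belongs to the certificate. It assumes RSA keys, the `openssl` CLI on PATH, and the certificate/key paths passed as arguments.

```shell
#!/bin/sh
# Preflight for a Kamailio tls.cfg domain, constructed example.
# MIN_RSA_BITS=2048 matches OpenSSL security level 2 (assumed default);
# override it to match the seclevel of the target host.
MIN_RSA_BITS="${MIN_RSA_BITS:-2048}"

# Print the public-key size in bits of a PEM certificate (RSA assumed),
# or nothing if OpenSSL cannot decode the certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 when the private key's public part equals the certificate's.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# tls_preflight CERT KEY: 0 if the pair should load, non-zero otherwise,
# with one line per failed check on stderr.
tls_preflight() {
    cert="$1"; key="$2"; rc=0
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "not readable: $f" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"
    # "decode error" in the log means one of these two parses failed
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "certificate does not decode as PEM X.509: $cert" >&2; rc=1; }
    openssl pkey -in "$key" -noout 2>/dev/null ||
        { echo "private key does not decode as PEM: $key" >&2; rc=1; }
    [ "$rc" -eq 0 ] || return "$rc"
    # "ee key too small" means the end-entity key is below the seclevel floor
    bits=$(cert_key_bits "$cert")
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "key too small for security level: ${bits:-?} < $MIN_RSA_BITS bits" >&2
        rc=1
    fi
    key_matches_cert "$cert" "$key" ||
        { echo "private key does not match certificate" >&2; rc=1; }
    return "$rc"
}
```

Run it as the user Kamailio runs as, so the readability check reflects the permissions the daemon actually has.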

Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3737