Hi,

looking at some search results shows that TLS_RSA_WITH_RC4_128_SHA is insecure and should not be used. Maybe the setting of CipherString in openssl.cnf is causing the issue. On current Debian it is set like this: DEFAULT@SECLEVEL=2.

Karsten

On Saturday, 16.07.2022 at 03:02 +1200, ideanet help wrote:
> Hi Karsten,
> I thought the same initially, but then it looks like the logs are saying:
> Client used ciphers are:
> TLS_RSA_WITH_RC4_128_MD5
> TLS_RSA_WITH_RC4_128_SHA
> and the server's response is cipherSuite TLS_RSA_WITH_RC4_128_SHA
>
> isn't it?
>
> On Sat, Jul 16, 2022 at 1:53 AM Karsten Wemheuer <[email protected]> wrote:
> > Hi,
> >
> > the snom M9 is pretty old (End of Life 12/2016). Maybe the used ciphers are not secure enough for current TLS.
> >
> > HTH
> >
> > Have a nice day and weekend
> >
> > Karsten
> >
> > On Saturday, 16.07.2022 at 01:20 +1200, ideanet help wrote:
> > > Hi experts,
> > >
> > > One of my phones (SNOM M9) is not able to register using TLS.
> > >
> > > Here are the logs from opensips and ssldump. Maybe someone can pinpoint the issue?
> > >
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10604] DBG:core:handle_new_connect: new connection: 0x7f16d2ba3bd8 80 flags: 001c
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10604] DBG:core:send2worker: to tcp worker 0 (0), 0x7f16d2ba3bd8 rw 1
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:proto_tls:proto_tls_conn_init: looking up TLS server domain [xx.xx.xx.xx:5061]
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:tls_mgm:tls_find_server_domain: found TLS server domain: sip.tls.mysipdomain.com
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:tls_openssl:openssl_tls_conn_init: Creating a whole new ssl connection
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:tls_openssl:openssl_tls_conn_init: Setting in ACCEPT mode (server)
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:core:handle_io: We have received conn 0x7f16d2ba3bd8 with rw 1 on fd 4
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:core:io_watch_add: [TCP_worker] io_watch_add op (4 on 74) (0x8f91e0, 4, 19, 0x7f16d2ba3bd8,1), fd_no=4/83886
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:proto_tls:tls_read_req: Using the global ( per process ) buff
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:tls_openssl:openssl_tls_update_fd: New fd is 4
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:proto_tls:tls_read_req: SSL accept/connect still pending!
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:proto_tls:tls_read_req: Using the global ( per process ) buff
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] DBG:tls_openssl:openssl_tls_update_fd: New fd is 4
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] ERROR:tls_openssl:openssl_tls_accept: SSL_ERROR_SYSCALL err=Success(0)
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] ERROR:tls_openssl:openssl_tls_accept: New TLS connection from myphoneIP.xx.xx:2987 failed to accept
> > > Jul 15 13:02:12 opensips: Jul 15 13:02:12 [10598] ERROR:proto_tls:tls_read_req: failed to do pre-tls handshake!
> > >
> > > _________________________
> > >
> > > ssldump logs:
> > >
> > > New TCP connection #3: myphoneIP.xx.xx(2082) <-> sip.tls.mysipdomain.com(5061)
> > > 3 1 0.0280 (0.0280) C>S Handshake
> > >     ClientHello
> > >       Version 3.1
> > >       cipher suites
> > >       TLS_RSA_WITH_RC4_128_MD5
> > >       TLS_RSA_WITH_RC4_128_SHA
> > >       compression methods
> > >         NULL
> > >       extensions
> > >         server_name
> > >           host_name: sip.tls.mysipdomain.com
> > >       ja3 string: 769,4-5,0,,
> > >       ja3 fingerprint: 8305e724a7c9f16b323465d289bc54a1
> > > 3 2 0.0353 (0.0072) S>C Handshake
> > >     ServerHello
> > >       Version 3.1
> > >       session_id[0]=
> > >
> > >       cipherSuite TLS_RSA_WITH_RC4_128_SHA
> > >       compressionMethod NULL
> > >       extensions
> > >         server_name
> > >       ja3s string: 769,5,0
> > >       ja3s fingerprint: 99f916287a3ac1de732520956ab94b77
> > > 3 3 0.0353 (0.0000) S>C Handshake
> > >     Certificate
> > > 3 4 0.0353 (0.0000) S>C Handshake
> > >     ServerHelloDone
> > > 3 0.0653 (0.0299) C>S TCP FIN
> > > 3 0.0656 (0.0003) S>C TCP FIN
> > > _______________________________________________
> > > Users mailing list
> > > [email protected]
> > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
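
The ssldump trace quoted in this thread can be summarised mechanically. The following is an added example, not part of the original posts: it parses an abridged copy of that trace and maps each offered suite to the lowest OpenSSL security level documented as prohibiting it. The function names are this example's own, and the two level rules (MD5 as MAC prohibited from level 1, RC4 from level 2) are taken from OpenSSL's `SSL_CTX_set_security_level` documentation.

```python
import re

# Abridged copy of the ssldump trace quoted in the thread above.
TRACE = """\
3 1 0.0280 (0.0280) C>S Handshake
ClientHello
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
3 2 0.0353 (0.0072) S>C Handshake
ServerHello
cipherSuite TLS_RSA_WITH_RC4_128_SHA
3 3 0.0353 (0.0000) S>C Handshake
Certificate
3 4 0.0353 (0.0000) S>C Handshake
ServerHelloDone
3 0.0653 (0.0299) C>S TCP FIN
3 0.0656 (0.0003) S>C TCP FIN
"""

RECORD = re.compile(r"^\d+(?: \d+)? +[\d.]+ +\([\d.]+\) +([CS]>[CS]) +(Handshake|TCP FIN)")
SUITE = re.compile(r"^(?:cipherSuite +)?(TLS_\w+)$")

def min_blocking_seclevel(suite):
    """Lowest OpenSSL security level documented as prohibiting this suite."""
    if suite.endswith("_MD5"):
        return 1  # level 1 prohibits suites that use MD5 for the MAC
    if "_RC4_" in suite:
        return 2  # level 2 additionally prohibits every RC4 suite
    return None   # not excluded by either of these two rules

def summarize(trace):
    """Extract offered/selected suites, handshake messages and who sent FIN first."""
    out = {"offered": [], "selected": None, "messages": [], "first_fin": None}
    direction, expect_msg = None, False
    for line in filter(None, map(str.strip, trace.splitlines())):
        m = RECORD.match(line)
        if m:
            direction, kind = m.groups()
            if kind == "TCP FIN":
                out["first_fin"] = out["first_fin"] or direction
            expect_msg = kind == "Handshake"
        elif expect_msg:  # first line after a Handshake header names the message
            out["messages"].append((direction, line))
            expect_msg = False
        elif (s := SUITE.match(line)) and line.startswith("cipherSuite"):
            out["selected"] = s.group(1)
        elif s:
            out["offered"].append(s.group(1))
    return out
```

On this trace, `summarize(TRACE)` reports two offered RC4 suites, `TLS_RSA_WITH_RC4_128_SHA` as the suite in the ServerHello, and the first TCP FIN coming from the client side after ServerHelloDone.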
