
[reSIProcate] Question about last CipherList changes (StrongestSuite and ExportableSuite)


Hi all,

I hope that someone can help me with an issue that I’m encountering using TLS with the last revision of the reSIProcate library.

I wrote a SIP component using reSIProcate that can act as a SIP registrar server or client.

It worked correctly using TLS (OpenSSL library version 1.0.1g) with the reSIProcate library version of 16th January 2015 (SHA-1: 0f248f90d750bff13ced3dd62e41bd4e0e8e53a4).

With the last revision, client and server (both are using ExportableSuite CipherList) don’t register anymore. I report below an excerpt of the stack diagnostic log.

[SERVER]

INFO | 20150529-112843.740 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:229 | TLS handshake starting (Server mode)

INFO | 20150529-112843.740 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:240 | TLS connected

WARNING | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:310 | SSL cipher or certificate failure SSL_ERROR_SSL

DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:328 | protocol did not reach certificate exchange phase, peer does not have a certificate or the certificate was not accepted

ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:348 | TLS handshake failed

ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:54 | error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:55 | Error code = 336109761 file=ssl\s3_srvr.c line=1353

ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:58 | Got TLS SSL_do_handshake error=1 ret=-1

DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | Connection.cxx:422 | Closing connection bytesRead=-1

DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | ConnectionBase.cxx:115 | ConnectionBase::~ConnectionBase 056BD190

……

[CLIENT]

WARNING | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:310 | SSL cipher or certificate failure SSL_ERROR_SSL

DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:328 | protocol did not reach certificate exchange phase, peer does not have a certificate or the certificate was not accepted

ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:340 | Server did not present any certificiate to us, certificate invalid or protocol did not reach certificate exchange

ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:348 | TLS handshake failed

ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:54 | error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:55 | Error code = 336032784 file=ssl\s23_clnt.c line=762

ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:58 | Got TLS SSL_do_handshake error=1 ret=-1

DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | Connection.cxx:422 | Closing connection bytesRead=-1

DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | ConnectionBase.cxx:115 | ConnectionBase::~ConnectionBase 056BDA78

 

A similar error happens when I use the following configurations:

· Client and Server with ExportableSuite CipherList and last revision of reSIProcate library.

· Server with ExportableSuite CipherList and last revision of reSIProcate library and Client with ExportableSuite CipherList and reSIProcate library version of 16th January 2015.

Instead, Client and Server are able to register using TLS in the following configurations:

· Client and Server with StrongestSuite CipherList and last revision of reSIProcate library.

· Server with StrongestSuite CipherList and last revision of reSIProcate library and Client with ExportableSuite CipherList and reSIProcate library version of 16th January 2015.

· Client and Server with ExportableSuite CipherList and reSIProcate library version of 16th January 2015.

I noticed that the StrongestSuite and ExportableSuite CipherLists have been changed in the last revision and that the default value for CipherList in BaseSecurity is now StrongestSuite instead of ExportableSuite.

Could someone help me? Did someone execute similar tests using TLS with the last revision of reSIProcate library?

Thank you in advance.

 

Kind regards,

Dario
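
Added example, not part of the original post or of reSIProcate: a small Python triage helper that decodes the packed OpenSSL error codes from the two `TlsConnection.cxx:54` lines in the log above, to tell a locally raised error apart from an alert sent by the peer. It assumes the OpenSSL 1.0.x error-code layout (8-bit library, 12-bit function, 12-bit reason); the function names `unpack`, `classify` and `triage` are hypothetical.

```python
import re

# Two lines copied from the log excerpt in the post (server side, then client side).
SAMPLE_LOG = r"""
ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:54 | error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:54 | error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
"""

ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_R_NO_SHARED_CIPHER = 193
SSL_AD_REASON_OFFSET = 1000  # reasons >= 1000 carry a TLS alert received from the peer
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def unpack(code):
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(line):
    """Return a dict describing the OpenSSL error in one log line, or None."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    lib, func, reason = unpack(int(m.group(1), 16))
    finding = {"lib": lib, "func": func, "reason": reason,
               "function": m.group(3), "text": m.group(4).strip(), "verdict": "other"}
    if lib == ERR_LIB_SSL and reason == SSL_R_NO_SHARED_CIPHER:
        # Raised locally by the side that selects the cipher (the server).
        finding["verdict"] = "local: no cipher in common with peer's offer"
    elif lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        finding["verdict"] = "peer sent alert %d (%s)" % (alert, TLS_ALERTS.get(alert, "unknown"))
    return finding

def triage(log_text):
    """Classify every line of a log excerpt that carries an OpenSSL error string."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["function"], f["reason"], "->", f["verdict"])
```

The decimal values on the `Error code =` lines (336109761 and 336032784) are the same packed codes and can be passed to `unpack` directly.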