[reSIProcate] Question about last CipherList changes (StrongestSuite and ExportableSuite)
Dario Bozzali
Dario.Bozzali at ifmgroup.it
Fri May 29 05:04:26 CDT 2015
Hi all,
I hope that someone can help me with an issue that I'm encountering using TLS with the last revision of the reSIProcate library.
I wrote a SIP component using reSIProcate that can act as a SIP registrar server or client.
It worked correctly using TLS (OpenSSL library version 1.0.1g) with the reSIProcate library version of 16th January 2015 (SHA-1: 0f248f90d750bff13ced3dd62e41bd4e0e8e53a4).
With the last revision, client and server (both are using the ExportableSuite CipherList) don't register anymore. I report below an excerpt of the stack diagnostic log.
[SERVER]
INFO | 20150529-112843.740 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:229 | TLS handshake starting (Server mode)
INFO | 20150529-112843.740 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:240 | TLS connected
WARNING | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:310 | SSL cipher or certificate failure SSL_ERROR_SSL
DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:328 | protocol did not reach certificate exchange phase, peer does not have a certificate or the certificate was not accepted
ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:348 | TLS handshake failed
ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:54 | error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:55 | Error code = 336109761 file=ssl\s3_srvr.c line=1353
ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:58 | Got TLS SSL_do_handshake error=1 ret=-1
DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | Connection.cxx:422 | Closing connection bytesRead=-1
DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | ConnectionBase.cxx:115 | ConnectionBase::~ConnectionBase 056BD190
......
[CLIENT]
WARNING | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:310 | SSL cipher or certificate failure SSL_ERROR_SSL
DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:328 | protocol did not reach certificate exchange phase, peer does not have a certificate or the certificate was not accepted
ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:340 | Server did not present any certificiate to us, certificate invalid or protocol did not reach certificate exchange
ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:348 | TLS handshake failed
ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:54 | error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:55 | Error code = 336032784 file=ssl\s23_clnt.c line=762
ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:58 | Got TLS SSL_do_handshake error=1 ret=-1
DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | Connection.cxx:422 | Closing connection bytesRead=-1
DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | ConnectionBase.cxx:115 | ConnectionBase::~ConnectionBase 056BDA78
A similar error happens when I use the following configurations:
* Client and Server with the ExportableSuite CipherList and the last revision of the reSIProcate library.
* Server with the ExportableSuite CipherList and the last revision of the reSIProcate library, and Client with the ExportableSuite CipherList and the reSIProcate library version of 16th January 2015.
Instead, Client and Server are able to register using TLS in the following configurations:
* Client and Server with the StrongestSuite CipherList and the last revision of the reSIProcate library.
* Server with the StrongestSuite CipherList and the last revision of the reSIProcate library, and Client with the ExportableSuite CipherList and the reSIProcate library version of 16th January 2015.
* Client and Server with the ExportableSuite CipherList and the reSIProcate library version of 16th January 2015.
I noticed that the StrongestSuite and ExportableSuite CipherLists have been changed in the last revision and that the default value for CipherList in BaseSecurity is now StrongestSuite instead of ExportableSuite.
Could someone help me? Did someone execute similar tests using TLS with the last revision of reSIProcate library?
Thank you in advance.
Kind regards,
Dario
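
For triaging the `error:` lines in the two logs above, here is an added example (not part of the original post and not reSIProcate code) that unpacks the OpenSSL 1.0.x error codes and separates a locally detected failure from an alert received from the peer. The 8/12/12-bit code layout and the 1000 offset for alert reasons are those of OpenSSL 1.0.x; the function and variable names are hypothetical.

```python
import re

# Constructed sample: the two error/code line pairs copied from the logs above.
SAMPLE_LOG = r"""
ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:54 | error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:55 | Error code = 336109761 file=ssl\s3_srvr.c line=1353
ERR | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:54 | error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
DEBUG | 20150529-112843.741 | SIP | RESIP:TRANSPORT | 11924 | TlsConnection.cxx:55 | Error code = 336032784 file=ssl\s23_clnt.c line=762
"""

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.*)$")
CODE_RE = re.compile(r"Error code = (\d+)")
ALERT_OFFSET = 1000  # OpenSSL 1.0.x: reason = 1000 + TLS alert number


def unpack(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log_text):
    """Return one finding per 'error:' line, cross-checked with 'Error code ='."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            code = int(m.group(1), 16)
            lib, func, reason = unpack(code)
            alert = reason - ALERT_OFFSET if reason >= ALERT_OFFSET else None
            pending = {
                "code": code, "lib": lib, "func": func, "reason": reason,
                "function": m.group(2), "text": m.group(3).strip(),
                # Reasons >= 1000 report an alert sent by the peer, not a local check.
                "origin": "local" if alert is None else "peer alert",
                "alert": alert, "decimal_matches": None,
            }
            findings.append(pending)
            continue
        m = CODE_RE.search(line)
        if m and pending is not None:
            # The DEBUG line repeats the same code in decimal; verify they agree.
            pending["decimal_matches"] = int(m.group(1)) == pending["code"]
            pending = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["function"], f["reason"], f["origin"], f["alert"], f["text"])
```

On the sample, the server entry is the locally detected failure (reason 193, no shared cipher), while the client entry only reports the fatal alert 40 (handshake_failure) it received, so the client log adds no independent cause.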