sr-dev February 2024

sr-dev@lists.kamailio.org

19 participants
243 discussions

git:master:eafd93f0: db_mysql: update docs for opt_ssl_ca
by S-P Chan 14 Feb '24

14 Feb '24

Module: kamailio Branch: master Commit: eafd93f0576504ea03fe6b5e3898506072218cef URL: https://github.com/kamailio/kamailio/commit/eafd93f0576504ea03fe6b5e3898506… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-14T15:09:24+08:00 db_mysql: update docs for opt_ssl_ca --- Modified: src/modules/db_mysql/doc/db_mysql_admin.xml --- Diff: https://github.com/kamailio/kamailio/commit/eafd93f0576504ea03fe6b5e3898506… Patch: https://github.com/kamailio/kamailio/commit/eafd93f0576504ea03fe6b5e3898506… --- diff --git a/src/modules/db_mysql/doc/db_mysql_admin.xml b/src/modules/db_mysql/doc/db_mysql_admin.xml index f1ff53df0ed..7297f2d1b15 100644 --- a/src/modules/db_mysql/doc/db_mysql_admin.xml +++ b/src/modules/db_mysql/doc/db_mysql_admin.xml @@ -215,6 +215,30 @@ modparam("db_mysql", "update_affected_found", 1) ... modparam("db_mysql", "opt_ssl_mode", 1) ... +</programlisting> + </example> + </section> + <section id="db_mysql.p.opt_ssl_ca"> + <title><varname>opt_ssl_ca</varname> (integer)</title> + <para> + Configures the CA certs used to verify the MySQL server cert when + SSL is enabled. + </para> + <para> + Required when opt_ssl_mode = 4 or 5 and db_mysql is built + with libmysqlclient. + </para> + <para> + <emphasis> + Default value is NULL (NULL - not configured). + </emphasis> + </para> + <example> + <title>Set <varname>opt_ssl_ca</varname> parameter</title> + <programlisting format="linespecific"> +... +modparam("db_mysql", "opt_ssl_ca", "/etc/ssl/certs/mysql-ca.pem") +... </programlisting> </example> </section>

1 0

git:master:ea81e6cb: db_mysql: new module param opt_ssl_ca to configure CA certs
by S-P Chan 14 Feb '24

14 Feb '24

Module: kamailio Branch: master Commit: ea81e6cb8b2b2d896de7a07ce191876f9f182673 URL: https://github.com/kamailio/kamailio/commit/ea81e6cb8b2b2d896de7a07ce191876… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-14T15:08:56+08:00 db_mysql: new module param opt_ssl_ca to configure CA certs ERROR: db_mysql [km_my_con.c:200]: db_mysql_new_connection(): driver error: SSL connection error: CA certificate is required if ssl-mode is VERIFY_CA or VERIFY_IDENTITY When opt_ssl_mode = 4 | 5 libmysqclient requires that the trusted CAs be configured. Fixed with: mysql_options(ptr->con, MYSQL_OPT_SSL_CA, (void *)db_mysql_opt_ssl_mode) Note: libmariadb3 doesn't require this setting and uses the system trust store. --- Modified: src/modules/db_mysql/db_mysql.c Modified: src/modules/db_mysql/km_my_con.c --- Diff: https://github.com/kamailio/kamailio/commit/ea81e6cb8b2b2d896de7a07ce191876… Patch: https://github.com/kamailio/kamailio/commit/ea81e6cb8b2b2d896de7a07ce191876… --- diff --git a/src/modules/db_mysql/db_mysql.c b/src/modules/db_mysql/db_mysql.c index 1a698329bac..9a7aa8673b5 100644 --- a/src/modules/db_mysql/db_mysql.c +++ b/src/modules/db_mysql/db_mysql.c @@ -47,6 +47,7 @@ unsigned int my_server_timezone = unsigned long my_client_ver = 0; int db_mysql_unsigned_type = 0; int db_mysql_opt_ssl_mode = 0; +char *db_mysql_opt_ssl_ca = NULL; struct mysql_counters_h mysql_cnts_h; counter_def_t mysql_cnt_defs[] = { @@ -100,6 +101,7 @@ static param_export_t params[] = { {"insert_delayed", INT_PARAM, &db_mysql_insert_all_delayed}, {"update_affected_found", INT_PARAM, &db_mysql_update_affected_found}, {"unsigned_type", PARAM_INT, &db_mysql_unsigned_type}, + {"opt_ssl_ca", PARAM_STRING, &db_mysql_opt_ssl_ca}, {"opt_ssl_mode", PARAM_INT, &db_mysql_opt_ssl_mode}, {0, 0, 0}}; diff --git a/src/modules/db_mysql/km_my_con.c b/src/modules/db_mysql/km_my_con.c index b4c4dca33b0..226d724f1ae 100644 --- a/src/modules/db_mysql/km_my_con.c +++ b/src/modules/db_mysql/km_my_con.c @@ -41,6 +41,7 @@ #include "db_mysql.h" extern int db_mysql_opt_ssl_mode; +extern char *db_mysql_opt_ssl_ca; /*! \brief * Create a new connection structure, @@ -167,6 +168,9 @@ struct my_con *db_mysql_new_connection(const struct db_id *id) } #endif /* MYSQL_VERSION_ID */ #endif /* MARIADB_BASE_VERSION */ + if(db_mysql_opt_ssl_ca) + mysql_options( + ptr->con, MYSQL_OPT_SSL_CA, (const void *)db_mysql_opt_ssl_ca); #if MYSQL_VERSION_ID > 50012 /* set reconnect flag if enabled */

1 0

git:5.7:a0dfb8cb: tls: raise logging level of early messages in mod_register
by S-P Chan 13 Feb '24

13 Feb '24

Module: kamailio Branch: 5.7 Commit: a0dfb8cbdf4282040351e9dc014d9ef13e0e77fd URL: https://github.com/kamailio/kamailio/commit/a0dfb8cbdf4282040351e9dc014d9ef… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-13T19:11:20+08:00 tls: raise logging level of early messages in mod_register --- Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/a0dfb8cbdf4282040351e9dc014d9ef… Patch: https://github.com/kamailio/kamailio/commit/a0dfb8cbdf4282040351e9dc014d9ef… --- diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index 905ca6f2411..0d8ea3df4c5 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -689,7 +689,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) #if OPENSSL_VERSION_NUMBER >= 0x10100000L \ && OPENSSL_VERSION_NUMBER < 0x030000000L if(ksr_tls_threads_mode == 0) { - LM_DBG("setting cryptorand random engine\n"); + LM_WARN("OpenSSL 1.1.1 setting cryptorand random engine\n"); RAND_set_rand_method(RAND_ksr_cryptorand_method()); } #endif

1 0

Fwd: Reject TCP SYN
by David Villasmil 13 Feb '24

13 Feb '24

Hello all, Following up on this, I made a patch (attached), could you please review and apply if it looks ok? The patch creates a new core cfg variable which, if set, will reject any incoming NEW tcp connection attempt, so we can use this to gracefully drain kamailio. Thanks & Regards, David Villasmil email: david.villasmil.work(a)gmail.com phone: +34669448337 Forwarded Conversation Subject: Reject TCP SYN ------------------------ From: David Villasmil <david.villasmil.work(a)gmail.com> Date: Thu, Feb 8, 2024 at 2:27 PM To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org> Hello all, Is there any way of actually rejecting (RST) NEW tcp connection attempts, while allowing the ongoing ones to finish naturally? I’m thinking maybe we can add this feature? Regards, David Villasmil email: david.villasmil.work(a)gmail.com phone: +34669448337 ---------- From: Henning Westerholt <hw(a)gilawa.com> Date: Fri, Feb 9, 2024 at 2:08 PM To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org> Cc: David Villasmil <david.villasmil.work(a)gmail.com> Hello, what about e.g. just using something like iptables, nftables etc..? iptables -A INPUT -p tcp --syn --destination-port <port> -j REJECT --reject-with icmp-host-prohibited Cheers, Henning ---------- From: David Villasmil <david.villasmil.work(a)gmail.com> Date: Fri, Feb 9, 2024 at 2:42 PM To: Henning Westerholt <hw(a)gilawa.com> Cc: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org> Hey, Henning, yeah I thought about that, but thought that maybe there was a better way to do it via Kamailio Thanks! Regards, David Villasmil email: david.villasmil.work(a)gmail.com phone: +34669448337

2 1

git:5.7:5d7d7ea5: tls: add logging
by S-P Chan 13 Feb '24

13 Feb '24

Module: kamailio Branch: 5.7 Commit: 5d7d7ea54c908cae333ed3cafd4a2cc93cacd4db URL: https://github.com/kamailio/kamailio/commit/5d7d7ea54c908cae333ed3cafd4a2cc… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-13T17:23:31+08:00 tls: add logging --- Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/5d7d7ea54c908cae333ed3cafd4a2cc… Patch: https://github.com/kamailio/kamailio/commit/5d7d7ea54c908cae333ed3cafd4a2cc… --- diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index 5d3982b64d9..905ca6f2411 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -458,6 +458,9 @@ static int mod_child(int rank) #else if(rank == PROC_INIT) { #endif + LM_DBG("Loading SSL_CTX in process_no=%d rank=%d " + "ksr_tls_threads_mode=%d\n", + process_no, rank, ksr_tls_threads_mode); if(cfg_get(tls, tls_cfg, config_file).s) { if(tls_fix_domains_cfg( *tls_domains_cfg, &srv_defaults, &cli_defaults)

1 0

git:5.7:eb7aa576: tls: restore some function calls in non-threaded mode
by S-P Chan 13 Feb '24

13 Feb '24

Module: kamailio Branch: 5.7 Commit: eb7aa57676f48f16cc66a16c511ed45ac9c8f62e URL: https://github.com/kamailio/kamailio/commit/eb7aa57676f48f16cc66a16c511ed45… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-13T11:08:29+08:00 tls: restore some function calls in non-threaded mode In the case that tls_threads_mode = 0 we restore the earlier behaviour of 5.7.3. - OpenSSL 1.1.1: restore early call to RAND_set_rand_method - OpenSSL 3.x: restore enable locking on EVP_RAND_CTX --- Modified: src/modules/tls/tls_init.c Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/eb7aa57676f48f16cc66a16c511ed45… Patch: https://github.com/kamailio/kamailio/commit/eb7aa57676f48f16cc66a16c511ed45…

1 0

[kamailio/kamailio] registrar: Consider changing default setting for case matching of username (Issue #3719)
by Morten Tryfoss 12 Feb '24

12 Feb '24

### Description I've recently spent some time debugging a case with JsSIP and usernames in form of a generated string which can be both upper and lower case letters plus digits. On BYE from callee to JsSIP, it responded with a "404" and "Request-URI does not point to us" in the console while debugging. JsSIP is using the Contact returned in the 200 OK to REGISTER (which is transformed to all lower case) for new outgoing INVITE. It does not match this against the one used in BYE correctly, and return "404". I see there is a setting in the registrar about this: ``` 3.11. case_sensitive (integer) If set to 1 then AOR comparison and also storing will be case sensitive, if set to 0 then AOR comparison and storing will be case insensitive. This is recommended. This parameter can be modified via Kamailio config framework. Default value is 0. ``` Since the RFC states that username should be handle case-sensitive, maybe it would be smart to change this default? ``` Comparison of the userinfo of SIP and SIPS URIs is case- sensitive. This includes userinfo containing passwords or formatted as telephone-subscribers. ... The URIs within each of the following sets are not equivalent: SIP:ALICE@AtLanTa.CoM;Transport=udp (different usernames) sip:alice@AtLanTa.CoM;Transport=UDP ``` #### Reproduction Make a registration with a username containing both upper and lower case characters. It will be stored in all lower case. ### Possible Solutions Change default value. Regardless of the outcome on this case - at least now there is a note about it here too. -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/3719 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/issues/3719(a)github.com>

2 4

git:master:c4e4b266: modules: readme files regenerated - influxdbc ... [skip ci]
by Kamailio Dev 12 Feb '24

12 Feb '24

Module: kamailio Branch: master Commit: c4e4b266ad6852bacdb4513e9cc79166ac661f23 URL: https://github.com/kamailio/kamailio/commit/c4e4b266ad6852bacdb4513e9cc7916… Author: Kamailio Dev <kamailio.dev(a)kamailio.org> Committer: Kamailio Dev <kamailio.dev(a)kamailio.org> Date: 2024-02-12T10:17:15+01:00 modules: readme files regenerated - influxdbc ... [skip ci] --- Modified: src/modules/influxdbc/README --- Diff: https://github.com/kamailio/kamailio/commit/c4e4b266ad6852bacdb4513e9cc7916… Patch: https://github.com/kamailio/kamailio/commit/c4e4b266ad6852bacdb4513e9cc7916… --- diff --git a/src/modules/influxdbc/README b/src/modules/influxdbc/README index dfd18b57866..e5833a21d20 100644 --- a/src/modules/influxdbc/README +++ b/src/modules/influxdbc/README @@ -33,7 +33,10 @@ Daniel-Constantin Mierla 4.1. influxdbc_measure(name) 4.2. influxdbc_measureend() - 4.3. influxdbc_long(name, value) + 4.3. influxdbc_sub(name) + 4.4. influxdbc_subend() + 4.5. influxdbc_push() + 4.6. influxdbc_long(name, value) List of Examples @@ -42,7 +45,10 @@ Daniel-Constantin Mierla 1.3. Set database parameter 1.4. influxdbc_measure() usage 1.5. influxdbc_measureend() usage - 1.6. influxdbc_long() usage + 1.6. influxdbc_sub() usage + 1.7. influxdbc_subend() usage + 1.8. influxdbc_push() usage + 1.9. influxdbc_long() usage Chapter 1. Admin Guide @@ -64,7 +70,10 @@ Chapter 1. Admin Guide 4.1. influxdbc_measure(name) 4.2. influxdbc_measureend() - 4.3. influxdbc_long(name, value) + 4.3. influxdbc_sub(name) + 4.4. influxdbc_subend() + 4.5. influxdbc_push() + 4.6. influxdbc_long(name, value) 1. Overview @@ -129,7 +138,10 @@ modparam("influxdbc", "database", "stats") 4.1. influxdbc_measure(name) 4.2. influxdbc_measureend() - 4.3. influxdbc_long(name, value) + 4.3. influxdbc_sub(name) + 4.4. influxdbc_subend() + 4.5. influxdbc_push() + 4.6. influxdbc_long(name, value) 4.1. influxdbc_measure(name) @@ -161,14 +173,59 @@ request_route { } ... -4.3. influxdbc_long(name, value) +4.3. influxdbc_sub(name) + + Start a measure subgroup with the given name. + + This function can be used from ANY_ROUTE. + + Example 1.6. influxdbc_sub() usage +... +request_route { + ... + influxdbc_sub("grp1"); + ... +} +... + +4.4. influxdbc_subend() + + End the current measure subgroup. + + This function can be used from ANY_ROUTE. + + Example 1.7. influxdbc_subend() usage +... +request_route { + ... + influxdbc_subend(); + ... +} +... + +4.5. influxdbc_push() + + Push accumulated values to the server. + + This function can be used from ANY_ROUTE. + + Example 1.8. influxdbc_push() usage +... +request_route { + ... + influxdbc_push(); + ... +} +... + +4.6. influxdbc_long(name, value) Save the pair with provided name and value. Both parameters can have variables. This function can be used from ANY_ROUTE. - Example 1.6. influxdbc_long() usage + Example 1.9. influxdbc_long() usage ... request_route { ...

1 0

git:master:7e1f521f: influxdbc: docs for a couple of existing functions
by Daniel-Constantin Mierla 12 Feb '24

12 Feb '24

Module: kamailio Branch: master Commit: 7e1f521f2086b50b3ad73bc19ea98deb18686e82 URL: https://github.com/kamailio/kamailio/commit/7e1f521f2086b50b3ad73bc19ea98de… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2024-02-12T08:17:50+01:00 influxdbc: docs for a couple of existing functions --- Modified: src/modules/influxdbc/doc/influxdbc_admin.xml --- Diff: https://github.com/kamailio/kamailio/commit/7e1f521f2086b50b3ad73bc19ea98de… Patch: https://github.com/kamailio/kamailio/commit/7e1f521f2086b50b3ad73bc19ea98de… --- diff --git a/src/modules/influxdbc/doc/influxdbc_admin.xml b/src/modules/influxdbc/doc/influxdbc_admin.xml index a02af97e048..e6560bc0d69 100644 --- a/src/modules/influxdbc/doc/influxdbc_admin.xml +++ b/src/modules/influxdbc/doc/influxdbc_admin.xml @@ -156,6 +156,75 @@ request_route { ... } ... +</programlisting> + </example> + </section> + <section id="influxdb.f.influxdbc_sub"> + <title> + <function moreinfo="none">influxdbc_sub(name)</function> + </title> + <para> + Start a measure subgroup with the given name. + </para> + <para> + This function can be used from ANY_ROUTE. + </para> + <example> + <title><function>influxdbc_sub()</function> usage</title> + <programlisting format="linespecific"> +... +request_route { + ... + influxdbc_sub("grp1"); + ... +} +... +</programlisting> + </example> + </section> + <section id="influxdb.f.influxdbc_subend"> + <title> + <function moreinfo="none">influxdbc_subend()</function> + </title> + <para> + End the current measure subgroup. + </para> + <para> + This function can be used from ANY_ROUTE. + </para> + <example> + <title><function>influxdbc_subend()</function> usage</title> + <programlisting format="linespecific"> +... +request_route { + ... + influxdbc_subend(); + ... +} +... +</programlisting> + </example> + </section> + <section id="influxdb.f.influxdbc_push"> + <title> + <function moreinfo="none">influxdbc_push()</function> + </title> + <para> + Push accumulated values to the server. + </para> + <para> + This function can be used from ANY_ROUTE. + </para> + <example> + <title><function>influxdbc_push()</function> usage</title> + <programlisting format="linespecific"> +... +request_route { + ... + influxdbc_push(); + ... +} +... </programlisting> </example> </section>

1 0

git:5.7:253f13f1: tls: restore default to bypass thread guards
by Victor Seva 12 Feb '24

12 Feb '24

Module: kamailio Branch: 5.7 Commit: 253f13f18ec6853764d950d58f467c331d03425a URL: https://github.com/kamailio/kamailio/commit/253f13f18ec6853764d950d58f467c3… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: Victor Seva <linuxmaniac(a)torreviejawireless.org> Date: 2024-02-12T07:52:26+01:00 tls: restore default to bypass thread guards - restore <= 5.7.3 behaviour - require user to opt-in to libssl thread-guards with tls_threads_mode = 1|2 --- Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/253f13f18ec6853764d950d58f467c3… Patch: https://github.com/kamailio/kamailio/commit/253f13f18ec6853764d950d58f467c3… --- diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index beaf1b7b70b..3359aaffdcc 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -451,9 +451,9 @@ static int mod_child(int rank) #if OPENSSL_VERSION_NUMBER >= 0x010101000L /* * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of - * libssl in rank 0(thread#1) + * libssl in rank 0(thread#1). Requires tls_threads_mode = 1 config. */ - if(rank == PROC_SIPINIT) { + if((rank == PROC_SIPINIT && ksr_tls_threads_mode) || (rank == PROC_INIT && !ksr_tls_threads_mode)) { #else if(rank == PROC_INIT) { #endif

1 0

← Newer
1
...
11
12
13
14
15
16
17
...
25
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev February 2024