sr-dev February 2024

sr-dev@lists.kamailio.org

19 participants
242 discussions

git:master:ea81e6cb: db_mysql: new module param opt_ssl_ca to configure CA certs

by S-P Chan

Module: kamailio Branch: master Commit: ea81e6cb8b2b2d896de7a07ce191876f9f182673 URL: https://github.com/kamailio/kamailio/commit/ea81e6cb8b2b2d896de7a07ce191876… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-14T15:08:56+08:00 db_mysql: new module param opt_ssl_ca to configure CA certs ERROR: db_mysql [km_my_con.c:200]: db_mysql_new_connection(): driver error: SSL connection error: CA certificate is required if ssl-mode is VERIFY_CA or VERIFY_IDENTITY When opt_ssl_mode = 4 | 5 libmysqclient requires that the trusted CAs be configured. Fixed with: mysql_options(ptr->con, MYSQL_OPT_SSL_CA, (void *)db_mysql_opt_ssl_mode) Note: libmariadb3 doesn't require this setting and uses the system trust store. --- Modified: src/modules/db_mysql/db_mysql.c Modified: src/modules/db_mysql/km_my_con.c --- Diff: https://github.com/kamailio/kamailio/commit/ea81e6cb8b2b2d896de7a07ce191876… Patch: https://github.com/kamailio/kamailio/commit/ea81e6cb8b2b2d896de7a07ce191876… --- diff --git a/src/modules/db_mysql/db_mysql.c b/src/modules/db_mysql/db_mysql.c index 1a698329bac..9a7aa8673b5 100644 --- a/src/modules/db_mysql/db_mysql.c +++ b/src/modules/db_mysql/db_mysql.c @@ -47,6 +47,7 @@ unsigned int my_server_timezone = unsigned long my_client_ver = 0; int db_mysql_unsigned_type = 0; int db_mysql_opt_ssl_mode = 0; +char *db_mysql_opt_ssl_ca = NULL; struct mysql_counters_h mysql_cnts_h; counter_def_t mysql_cnt_defs[] = { @@ -100,6 +101,7 @@ static param_export_t params[] = { {"insert_delayed", INT_PARAM, &db_mysql_insert_all_delayed}, {"update_affected_found", INT_PARAM, &db_mysql_update_affected_found}, {"unsigned_type", PARAM_INT, &db_mysql_unsigned_type}, + {"opt_ssl_ca", PARAM_STRING, &db_mysql_opt_ssl_ca}, {"opt_ssl_mode", PARAM_INT, &db_mysql_opt_ssl_mode}, {0, 0, 0}}; diff --git a/src/modules/db_mysql/km_my_con.c b/src/modules/db_mysql/km_my_con.c index b4c4dca33b0..226d724f1ae 100644 --- a/src/modules/db_mysql/km_my_con.c +++ b/src/modules/db_mysql/km_my_con.c @@ -41,6 +41,7 @@ #include "db_mysql.h" extern int db_mysql_opt_ssl_mode; +extern char *db_mysql_opt_ssl_ca; /*! \brief * Create a new connection structure, @@ -167,6 +168,9 @@ struct my_con *db_mysql_new_connection(const struct db_id *id) } #endif /* MYSQL_VERSION_ID */ #endif /* MARIADB_BASE_VERSION */ + if(db_mysql_opt_ssl_ca) + mysql_options( + ptr->con, MYSQL_OPT_SSL_CA, (const void *)db_mysql_opt_ssl_ca); #if MYSQL_VERSION_ID > 50012 /* set reconnect flag if enabled */

9 months, 1 week

git:5.7:a0dfb8cb: tls: raise logging level of early messages in mod_register

by S-P Chan

Module: kamailio Branch: 5.7 Commit: a0dfb8cbdf4282040351e9dc014d9ef13e0e77fd URL: https://github.com/kamailio/kamailio/commit/a0dfb8cbdf4282040351e9dc014d9ef… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-13T19:11:20+08:00 tls: raise logging level of early messages in mod_register --- Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/a0dfb8cbdf4282040351e9dc014d9ef… Patch: https://github.com/kamailio/kamailio/commit/a0dfb8cbdf4282040351e9dc014d9ef… --- diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index 905ca6f2411..0d8ea3df4c5 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -689,7 +689,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) #if OPENSSL_VERSION_NUMBER >= 0x10100000L \ && OPENSSL_VERSION_NUMBER < 0x030000000L if(ksr_tls_threads_mode == 0) { - LM_DBG("setting cryptorand random engine\n"); + LM_WARN("OpenSSL 1.1.1 setting cryptorand random engine\n"); RAND_set_rand_method(RAND_ksr_cryptorand_method()); } #endif

9 months, 1 week

Fwd: Reject TCP SYN

by David Villasmil

Hello all, Following up on this, I made a patch (attached), could you please review and apply if it looks ok? The patch creates a new core cfg variable which, if set, will reject any incoming NEW tcp connection attempt, so we can use this to gracefully drain kamailio. Thanks & Regards, David Villasmil email: david.villasmil.work(a)gmail.com phone: +34669448337 Forwarded Conversation Subject: Reject TCP SYN ------------------------ From: David Villasmil <david.villasmil.work(a)gmail.com> Date: Thu, Feb 8, 2024 at 2:27 PM To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org> Hello all, Is there any way of actually rejecting (RST) NEW tcp connection attempts, while allowing the ongoing ones to finish naturally? I’m thinking maybe we can add this feature? Regards, David Villasmil email: david.villasmil.work(a)gmail.com phone: +34669448337 ---------- From: Henning Westerholt <hw(a)gilawa.com> Date: Fri, Feb 9, 2024 at 2:08 PM To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org> Cc: David Villasmil <david.villasmil.work(a)gmail.com> Hello, what about e.g. just using something like iptables, nftables etc..? iptables -A INPUT -p tcp --syn --destination-port <port> -j REJECT --reject-with icmp-host-prohibited Cheers, Henning ---------- From: David Villasmil <david.villasmil.work(a)gmail.com> Date: Fri, Feb 9, 2024 at 2:42 PM To: Henning Westerholt <hw(a)gilawa.com> Cc: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org> Hey, Henning, yeah I thought about that, but thought that maybe there was a better way to do it via Kamailio Thanks! Regards, David Villasmil email: david.villasmil.work(a)gmail.com phone: +34669448337

9 months, 1 week

git:5.7:5d7d7ea5: tls: add logging

by S-P Chan

Module: kamailio Branch: 5.7 Commit: 5d7d7ea54c908cae333ed3cafd4a2cc93cacd4db URL: https://github.com/kamailio/kamailio/commit/5d7d7ea54c908cae333ed3cafd4a2cc… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-13T17:23:31+08:00 tls: add logging --- Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/5d7d7ea54c908cae333ed3cafd4a2cc… Patch: https://github.com/kamailio/kamailio/commit/5d7d7ea54c908cae333ed3cafd4a2cc… --- diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index 5d3982b64d9..905ca6f2411 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -458,6 +458,9 @@ static int mod_child(int rank) #else if(rank == PROC_INIT) { #endif + LM_DBG("Loading SSL_CTX in process_no=%d rank=%d " + "ksr_tls_threads_mode=%d\n", + process_no, rank, ksr_tls_threads_mode); if(cfg_get(tls, tls_cfg, config_file).s) { if(tls_fix_domains_cfg( *tls_domains_cfg, &srv_defaults, &cli_defaults)

9 months, 1 week

git:5.7:eb7aa576: tls: restore some function calls in non-threaded mode

by S-P Chan

Module: kamailio Branch: 5.7 Commit: eb7aa57676f48f16cc66a16c511ed45ac9c8f62e URL: https://github.com/kamailio/kamailio/commit/eb7aa57676f48f16cc66a16c511ed45… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-13T11:08:29+08:00 tls: restore some function calls in non-threaded mode In the case that tls_threads_mode = 0 we restore the earlier behaviour of 5.7.3. - OpenSSL 1.1.1: restore early call to RAND_set_rand_method - OpenSSL 3.x: restore enable locking on EVP_RAND_CTX --- Modified: src/modules/tls/tls_init.c Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/eb7aa57676f48f16cc66a16c511ed45… Patch: https://github.com/kamailio/kamailio/commit/eb7aa57676f48f16cc66a16c511ed45…

9 months, 1 week

[kamailio/kamailio] registrar: Consider changing default setting for case matching of username (Issue #3719)

by Morten Tryfoss

### Description I've recently spent some time debugging a case with JsSIP and usernames in form of a generated string which can be both upper and lower case letters plus digits. On BYE from callee to JsSIP, it responded with a "404" and "Request-URI does not point to us" in the console while debugging. JsSIP is using the Contact returned in the 200 OK to REGISTER (which is transformed to all lower case) for new outgoing INVITE. It does not match this against the one used in BYE correctly, and return "404". I see there is a setting in the registrar about this: ``` 3.11. case_sensitive (integer) If set to 1 then AOR comparison and also storing will be case sensitive, if set to 0 then AOR comparison and storing will be case insensitive. This is recommended. This parameter can be modified via Kamailio config framework. Default value is 0. ``` Since the RFC states that username should be handle case-sensitive, maybe it would be smart to change this default? ``` Comparison of the userinfo of SIP and SIPS URIs is case- sensitive. This includes userinfo containing passwords or formatted as telephone-subscribers. ... The URIs within each of the following sets are not equivalent: SIP:ALICE@AtLanTa.CoM;Transport=udp (different usernames) sip:alice@AtLanTa.CoM;Transport=UDP ``` #### Reproduction Make a registration with a username containing both upper and lower case characters. It will be stored in all lower case. ### Possible Solutions Change default value. Regardless of the outcome on this case - at least now there is a note about it here too. -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/3719 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/issues/3719(a)github.com>

9 months, 2 weeks

git:master:c4e4b266: modules: readme files regenerated - influxdbc ... [skip ci]

by Kamailio Dev

Module: kamailio Branch: master Commit: c4e4b266ad6852bacdb4513e9cc79166ac661f23 URL: https://github.com/kamailio/kamailio/commit/c4e4b266ad6852bacdb4513e9cc7916… Author: Kamailio Dev <kamailio.dev(a)kamailio.org> Committer: Kamailio Dev <kamailio.dev(a)kamailio.org> Date: 2024-02-12T10:17:15+01:00 modules: readme files regenerated - influxdbc ... [skip ci] --- Modified: src/modules/influxdbc/README --- Diff: https://github.com/kamailio/kamailio/commit/c4e4b266ad6852bacdb4513e9cc7916… Patch: https://github.com/kamailio/kamailio/commit/c4e4b266ad6852bacdb4513e9cc7916… --- diff --git a/src/modules/influxdbc/README b/src/modules/influxdbc/README index dfd18b57866..e5833a21d20 100644 --- a/src/modules/influxdbc/README +++ b/src/modules/influxdbc/README @@ -33,7 +33,10 @@ Daniel-Constantin Mierla 4.1. influxdbc_measure(name) 4.2. influxdbc_measureend() - 4.3. influxdbc_long(name, value) + 4.3. influxdbc_sub(name) + 4.4. influxdbc_subend() + 4.5. influxdbc_push() + 4.6. influxdbc_long(name, value) List of Examples @@ -42,7 +45,10 @@ Daniel-Constantin Mierla 1.3. Set database parameter 1.4. influxdbc_measure() usage 1.5. influxdbc_measureend() usage - 1.6. influxdbc_long() usage + 1.6. influxdbc_sub() usage + 1.7. influxdbc_subend() usage + 1.8. influxdbc_push() usage + 1.9. influxdbc_long() usage Chapter 1. Admin Guide @@ -64,7 +70,10 @@ Chapter 1. Admin Guide 4.1. influxdbc_measure(name) 4.2. influxdbc_measureend() - 4.3. influxdbc_long(name, value) + 4.3. influxdbc_sub(name) + 4.4. influxdbc_subend() + 4.5. influxdbc_push() + 4.6. influxdbc_long(name, value) 1. Overview @@ -129,7 +138,10 @@ modparam("influxdbc", "database", "stats") 4.1. influxdbc_measure(name) 4.2. influxdbc_measureend() - 4.3. influxdbc_long(name, value) + 4.3. influxdbc_sub(name) + 4.4. influxdbc_subend() + 4.5. influxdbc_push() + 4.6. influxdbc_long(name, value) 4.1. influxdbc_measure(name) @@ -161,14 +173,59 @@ request_route { } ... -4.3. influxdbc_long(name, value) +4.3. influxdbc_sub(name) + + Start a measure subgroup with the given name. + + This function can be used from ANY_ROUTE. + + Example 1.6. influxdbc_sub() usage +... +request_route { + ... + influxdbc_sub("grp1"); + ... +} +... + +4.4. influxdbc_subend() + + End the current measure subgroup. + + This function can be used from ANY_ROUTE. + + Example 1.7. influxdbc_subend() usage +... +request_route { + ... + influxdbc_subend(); + ... +} +... + +4.5. influxdbc_push() + + Push accumulated values to the server. + + This function can be used from ANY_ROUTE. + + Example 1.8. influxdbc_push() usage +... +request_route { + ... + influxdbc_push(); + ... +} +... + +4.6. influxdbc_long(name, value) Save the pair with provided name and value. Both parameters can have variables. This function can be used from ANY_ROUTE. - Example 1.6. influxdbc_long() usage + Example 1.9. influxdbc_long() usage ... request_route { ...

9 months, 2 weeks

git:master:7e1f521f: influxdbc: docs for a couple of existing functions

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: 7e1f521f2086b50b3ad73bc19ea98deb18686e82 URL: https://github.com/kamailio/kamailio/commit/7e1f521f2086b50b3ad73bc19ea98de… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2024-02-12T08:17:50+01:00 influxdbc: docs for a couple of existing functions --- Modified: src/modules/influxdbc/doc/influxdbc_admin.xml --- Diff: https://github.com/kamailio/kamailio/commit/7e1f521f2086b50b3ad73bc19ea98de… Patch: https://github.com/kamailio/kamailio/commit/7e1f521f2086b50b3ad73bc19ea98de… --- diff --git a/src/modules/influxdbc/doc/influxdbc_admin.xml b/src/modules/influxdbc/doc/influxdbc_admin.xml index a02af97e048..e6560bc0d69 100644 --- a/src/modules/influxdbc/doc/influxdbc_admin.xml +++ b/src/modules/influxdbc/doc/influxdbc_admin.xml @@ -156,6 +156,75 @@ request_route { ... } ... +</programlisting> + </example> + </section> + <section id="influxdb.f.influxdbc_sub"> + <title> + <function moreinfo="none">influxdbc_sub(name)</function> + </title> + <para> + Start a measure subgroup with the given name. + </para> + <para> + This function can be used from ANY_ROUTE. + </para> + <example> + <title><function>influxdbc_sub()</function> usage</title> + <programlisting format="linespecific"> +... +request_route { + ... + influxdbc_sub("grp1"); + ... +} +... +</programlisting> + </example> + </section> + <section id="influxdb.f.influxdbc_subend"> + <title> + <function moreinfo="none">influxdbc_subend()</function> + </title> + <para> + End the current measure subgroup. + </para> + <para> + This function can be used from ANY_ROUTE. + </para> + <example> + <title><function>influxdbc_subend()</function> usage</title> + <programlisting format="linespecific"> +... +request_route { + ... + influxdbc_subend(); + ... +} +... +</programlisting> + </example> + </section> + <section id="influxdb.f.influxdbc_push"> + <title> + <function moreinfo="none">influxdbc_push()</function> + </title> + <para> + Push accumulated values to the server. + </para> + <para> + This function can be used from ANY_ROUTE. + </para> + <example> + <title><function>influxdbc_push()</function> usage</title> + <programlisting format="linespecific"> +... +request_route { + ... + influxdbc_push(); + ... +} +... </programlisting> </example> </section>

9 months, 2 weeks

git:5.7:253f13f1: tls: restore default to bypass thread guards

by Victor Seva

Module: kamailio Branch: 5.7 Commit: 253f13f18ec6853764d950d58f467c331d03425a URL: https://github.com/kamailio/kamailio/commit/253f13f18ec6853764d950d58f467c3… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: Victor Seva <linuxmaniac(a)torreviejawireless.org> Date: 2024-02-12T07:52:26+01:00 tls: restore default to bypass thread guards - restore <= 5.7.3 behaviour - require user to opt-in to libssl thread-guards with tls_threads_mode = 1|2 --- Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/253f13f18ec6853764d950d58f467c3… Patch: https://github.com/kamailio/kamailio/commit/253f13f18ec6853764d950d58f467c3… --- diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index beaf1b7b70b..3359aaffdcc 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -451,9 +451,9 @@ static int mod_child(int rank) #if OPENSSL_VERSION_NUMBER >= 0x010101000L /* * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of - * libssl in rank 0(thread#1) + * libssl in rank 0(thread#1). Requires tls_threads_mode = 1 config. */ - if(rank == PROC_SIPINIT) { + if((rank == PROC_SIPINIT && ksr_tls_threads_mode) || (rank == PROC_INIT && !ksr_tls_threads_mode)) { #else if(rank == PROC_INIT) { #endif

9 months, 2 weeks

git:5.7:2f0cca81: Sample etc/kamailio.cfg: global var tls_threads_mode

by Victor Seva

Module: kamailio Branch: 5.7 Commit: 2f0cca81bfc47783098e4c869b038229cd3e4ed0 URL: https://github.com/kamailio/kamailio/commit/2f0cca81bfc47783098e4c869b03822… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: Victor Seva <linuxmaniac(a)torreviejawireless.org> Date: 2024-02-12T07:52:26+01:00 Sample etc/kamailio.cfg: global var tls_threads_mode - load tls first if used - global var tls_threads_mode --- Modified: etc/kamailio.cfg --- Diff: https://github.com/kamailio/kamailio/commit/2f0cca81bfc47783098e4c869b03822… Patch: https://github.com/kamailio/kamailio/commit/2f0cca81bfc47783098e4c869b03822… --- diff --git a/etc/kamailio.cfg b/etc/kamailio.cfg old mode 100644 new mode 100755 index fe7b111a012..a95a652b935 --- a/etc/kamailio.cfg +++ b/etc/kamailio.cfg @@ -220,6 +220,13 @@ enable_tls=yes /* upper limit for TLS connections */ tls_max_connections=2048 + +/* For OpenSSL 3 integration + * functions calling libssl3 can be invoked in a transient thread + * 0: disable threaded calls + * 1: use threads for process#0 only + * 2: use threads for all processes */ +tls_threads_mode=1 #!endif /* set it to yes to enable sctp and load sctp.so module */ @@ -257,6 +264,12 @@ voicemail.srv_port = "5060" desc "VoiceMail Port" /* set paths to location of modules */ # mpath="/usr/local/lib/kamailio/modules/" +# when using TLS with OpenSSL it is recommended to load this module +# first so that OpenSSL is initialized correctly +#!ifdef WITH_TLS +loadmodule "tls.so" +#!endif + #!ifdef WITH_MYSQL loadmodule "db_mysql.so" #!endif @@ -319,10 +332,6 @@ loadmodule "rtpproxy.so" #!endif #!endif -#!ifdef WITH_TLS -loadmodule "tls.so" -#!endif - #!ifdef WITH_HTABLE loadmodule "htable.so" #!endif

9 months, 2 weeks

← Newer
1
...
11
12
13
14
15
16
17
...
25
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev February 2024