sr-dev February 2024

sr-dev@lists.kamailio.org

19 participants
242 discussions

git:master:99358301: microhttpd: docs - note about variables available in the event route

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: 993583015b127b0a83603acd352925c8d6e6db70 URL: https://github.com/kamailio/kamailio/commit/993583015b127b0a83603acd352925c… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2024-02-26T13:09:27+01:00 microhttpd: docs - note about variables available in the event route --- Modified: src/modules/microhttpd/doc/microhttpd_admin.xml --- Diff: https://github.com/kamailio/kamailio/commit/993583015b127b0a83603acd352925c… Patch: https://github.com/kamailio/kamailio/commit/993583015b127b0a83603acd352925c… --- diff --git a/src/modules/microhttpd/doc/microhttpd_admin.xml b/src/modules/microhttpd/doc/microhttpd_admin.xml index 1967c845b82..c548d0dfc42 100644 --- a/src/modules/microhttpd/doc/microhttpd_admin.xml +++ b/src/modules/microhttpd/doc/microhttpd_admin.xml @@ -157,6 +157,11 @@ event_route[microhttpd:request] { <para> The event route is executed when a new HTTP request is received. </para> + <para> + Inside it, the $mhttpd(...) group of variables is available, giving + access to several attributes of the HTTP request, such as method, + URL, data (body) or headers. + </para> <programlisting format="linespecific"> ... ...

8 months, 4 weeks

[kamailio/kamailio] TLS certificate decode error / ee key to small with tls_threads_mode = 1 (Issue #3764)

by Matteo

### Description While trying latest kamailio 5.7 branch, when tls_threads_mode is set to 1, it fails to load self signed certificates. Setting tls_threads_mode to 0 works as expected. Certificates are self signed for a local test env, generated with openssl 3.x. ### Troubleshooting The issue is very similar to https://github.com/kamailio/kamailio/issues/3737 but in my case the openssl config seems correct, and happens only enabling the tls_threads_mode #### Reproduction Certs have been generated with `openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out server.pem -keyout server.key` [server.pem.txt](https://github.com/kamailio/kamailio/files/14384611/server.… [server.key.txt](https://github.com/kamailio/kamailio/files/14384612/server.… (these are self signed cert for testing, nothing that cannot be shared) My tls.cfg is very simple: ``` [server:default] method = TLSv1.2+ verify_certificate = no require_certificate = no private_key = /etc/kamailio/server.key certificate = /etc/kamailio/server.pem [client:default] method = TLSv1.2+ verify_certificate = no require_certificate = no ``` #### Log Messages  ``` 1(35) NOTICE: tls [tls_domain.c:1168]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ... 1(35) ERROR: tls [tls_domain.c:590]: load_cert(): TLSs<default>: Unable to load certificate file '/etc/kamailio/server.pem' 1(35) ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:03000072:digital envelope routines::decode error (sni: unknown) 1(35) ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:0A00018F:SSL routines::ee key too small (sni: unknown) 1(35) ERROR: <core> [core/sr_module.c:913]: init_mod_child(): error while initializing module tls (/usr/lib/x86_64-linux-gnu/kamailio/modules/tls.so) ``` ### Possible Solutions Don't use tls_threads_mode for now. ### Additional Information * **Kamailio Version** - output of `kamailio -v` ``` version: kamailio 5.7.4 (x86_64/linux) a0dfb8 flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB poll method support: poll, epoll_lt, epoll_et, sigio_rt, select. id: a0dfb8 compiled with gcc 11.4.0 ``` Actually this is built from 5.7 branch, on commit a0dfb8cbdf4282040351e9dc014d9ef13e0e77fd * **Operating System**:  Containerized Ubunu jammy, updated as of today. -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/3764 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/issues/3764(a)github.com>

9 months

git:master:65eef5c5: evrexec: reformat exported structures

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: 65eef5c5446c1f6870eecf8bbc84d68d12271bc7 URL: https://github.com/kamailio/kamailio/commit/65eef5c5446c1f6870eecf8bbc84d68… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2024-02-26T07:29:26+01:00 evrexec: reformat exported structures --- Modified: src/modules/evrexec/evrexec_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/65eef5c5446c1f6870eecf8bbc84d68… Patch: https://github.com/kamailio/kamailio/commit/65eef5c5446c1f6870eecf8bbc84d68… --- diff --git a/src/modules/evrexec/evrexec_mod.c b/src/modules/evrexec/evrexec_mod.c index 96493da0fda..3fb99535a0a 100644 --- a/src/modules/evrexec/evrexec_mod.c +++ b/src/modules/evrexec/evrexec_mod.c @@ -74,29 +74,33 @@ void evrexec_process_socket(evrexec_task_t *it, int idx); static int pv_get_evr(sip_msg_t *msg, pv_param_t *param, pv_value_t *res); static int pv_parse_evr_name(pv_spec_p sp, str *in); +/* clang-format off */ static param_export_t params[] = { - {"exec", PARAM_STRING | USE_FUNC_PARAM, (void *)evrexec_param}, - {0, 0, 0}}; + {"exec", PARAM_STRING | USE_FUNC_PARAM, (void *)evrexec_param}, + {0, 0, 0} +}; static pv_export_t mod_pvs[] = { - {{"evr", (sizeof("evr") - 1)}, PVT_OTHER, pv_get_evr, 0, - pv_parse_evr_name, 0, 0, 0}, + {{"evr", (sizeof("evr") - 1)}, PVT_OTHER, pv_get_evr, 0, + pv_parse_evr_name, 0, 0, 0}, - {{0, 0}, 0, 0, 0, 0, 0, 0, 0}}; + {{0, 0}, 0, 0, 0, 0, 0, 0, 0} +}; /** module exports */ struct module_exports exports = { - "evrexec", /* module name */ - DEFAULT_DLFLAGS, /* dlopen flags */ - 0, /* exported functions */ - params, /* exported parameters */ - 0, /* RPC method exports */ - mod_pvs, /* exported pseudo-variables */ - 0, /* response handling function */ - mod_init, /* module initialization function */ - child_init, /* per-child init function */ - 0 /* module destroy function */ + "evrexec", /* module name */ + DEFAULT_DLFLAGS, /* dlopen flags */ + 0, /* exported functions */ + params, /* exported parameters */ + 0, /* RPC method exports */ + mod_pvs, /* exported pseudo-variables */ + 0, /* response handling function */ + mod_init, /* module initialization function */ + child_init, /* per-child init function */ + 0 /* module destroy function */ }; +/* clang-format on */ static rpc_export_t evr_rpc_methods[]; @@ -583,5 +587,9 @@ void rpc_evr_run(rpc_t *rpc, void *c) /** * */ +/* clang-format off */ static rpc_export_t evr_rpc_methods[] = { - {"evrexec.run", rpc_evr_run, rpc_evr_run_doc, 0}, {0, 0, 0, 0}}; + {"evrexec.run", rpc_evr_run, rpc_evr_run_doc, 0}, + {0, 0, 0, 0} +}; +/* clang-format on */

9 months

git:master:fb21f89d: ndb_redis: reformat exported structures

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: fb21f89dc544551b1bb65805303131fa990d2f44 URL: https://github.com/kamailio/kamailio/commit/fb21f89dc544551b1bb65805303131f… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2024-02-26T07:15:31+01:00 ndb_redis: reformat exported structures --- Modified: src/modules/ndb_redis/ndb_redis_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/fb21f89dc544551b1bb65805303131f… Patch: https://github.com/kamailio/kamailio/commit/fb21f89dc544551b1bb65805303131f…

9 months

git:master:8b2573c1: OpenSSL integration: manage curl_global_init(...) used by modules

by S-P Chan

Module: kamailio Branch: master Commit: 8b2573c1f7c5e4bed24f8c5ca09817f613641a03 URL: https://github.com/kamailio/kamailio/commit/8b2573c1f7c5e4bed24f8c5ca09817f… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-26T10:40:19+08:00 OpenSSL integration: manage curl_global_init(...) used by modules - http_client, http_async_client, xcap_client use libcurl - call curl_global_init in a thread executor as it invokes OpenSSL functions on Debian 12 - clang-format --- Modified: src/core/rthreads.h Modified: src/modules/http_async_client/http_multi.c Modified: src/modules/http_client/http_client.c Modified: src/modules/xcap_client/xcap_client.c --- Diff: https://github.com/kamailio/kamailio/commit/8b2573c1f7c5e4bed24f8c5ca09817f… Patch: https://github.com/kamailio/kamailio/commit/8b2573c1f7c5e4bed24f8c5ca09817f…

9 months

git:5.7:ed9d7bc5: OpenSSL integration: manage curl_global_init(...) used by modules

by S-P Chan

Module: kamailio Branch: 5.7 Commit: ed9d7bc58b1896652f2526daa524531a0945b7b3 URL: https://github.com/kamailio/kamailio/commit/ed9d7bc58b1896652f2526daa524531… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-26T10:45:02+08:00 OpenSSL integration: manage curl_global_init(...) used by modules - http_client, http_async_client, xcap_client use libcurl - call curl_global_init in a thread executor as it invokes OpenSSL functions on Debian 12 - clang-format Cherry-pick from ac4f1be039 --- Modified: src/core/rthreads.h Modified: src/modules/http_async_client/http_multi.c Modified: src/modules/http_client/http_client.c Modified: src/modules/xcap_client/xcap_client.c --- Diff: https://github.com/kamailio/kamailio/commit/ed9d7bc58b1896652f2526daa524531… Patch: https://github.com/kamailio/kamailio/commit/ed9d7bc58b1896652f2526daa524531… --- diff --git a/src/core/rthreads.h b/src/core/rthreads.h index e96f45c9395..0f4f0cf8b8a 100644 --- a/src/core/rthreads.h +++ b/src/core/rthreads.h @@ -254,3 +254,41 @@ static int run_thread4P5I2P2(_thread_proto4P5I2P2 fn, void *arg1, void *arg2, #endif } #endif + +/* + * prototype: CURLcode curl_global_init(long flags) { ... } + */ +#ifdef KSR_RTHREAD_NEED_4L +typedef int (*_thread_proto4L)(long); +struct _thread_args4L +{ + _thread_proto4L fn; + long arg1; + int *ret; +}; +static void *run_thread_wrap4L(struct _thread_args4L *args) +{ + *args->ret = (*args->fn)(args->arg1); + return NULL; +} + +static int run_thread4L(_thread_proto4L fn, long arg1) +{ +#ifdef USE_TLS + pthread_t tid; + int ret; + + if(likely(ksr_tls_threads_mode == 0 + || (ksr_tls_threads_mode == 1 && process_no > 0))) { + return fn(arg1); + } + pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4L, + &(struct _thread_args4L){fn, arg1, &ret}); + pthread_join(tid, NULL); + + return ret; +#else + return fn(arg1) +#endif +} +#endif diff --git a/src/modules/http_async_client/http_multi.c b/src/modules/http_async_client/http_multi.c index a57aba9c951..a0ee1c877cf 100644 --- a/src/modules/http_async_client/http_multi.c +++ b/src/modules/http_async_client/http_multi.c @@ -32,6 +32,9 @@ #include "../../core/mem/mem.h" #include "../../core/ut.h" #include "../../core/hashes.h" +#define KSR_RTHREAD_NEED_4L +#define KSR_RTHREAD_SKIP_P +#include "../../core/rthreads.h" #include "http_multi.h" extern int hash_size; @@ -389,7 +392,8 @@ void set_curl_mem_callbacks(void) break; case 1: LM_DBG("Initilizing cURL with sys malloc\n"); - rc = curl_global_init(CURL_GLOBAL_ALL); + rc = run_thread4L( + (_thread_proto4L)curl_global_init, CURL_GLOBAL_ALL); if(rc != 0) { LM_ERR("Cannot initialize cURL: %d\n", rc); } diff --git a/src/modules/http_client/http_client.c b/src/modules/http_client/http_client.c index 430933e23d2..3cf662820f5 100644 --- a/src/modules/http_client/http_client.c +++ b/src/modules/http_client/http_client.c @@ -64,6 +64,9 @@ #include "../../core/lvalue.h" #include "../../core/pt.h" /* Process table */ #include "../../core/kemi.h" +#define KSR_RTHREAD_NEED_4L +#define KSR_RTHREAD_SKIP_P +#include "../../core/rthreads.h" #include "functions.h" #include "curlcon.h" @@ -278,7 +281,7 @@ static int mod_init(void) LM_DBG("init curl module\n"); /* Initialize curl */ - if(curl_global_init(CURL_GLOBAL_ALL)) { + if(run_thread4L((_thread_proto4L)&curl_global_init, CURL_GLOBAL_ALL)) { LM_ERR("curl_global_init failed\n"); return -1; } diff --git a/src/modules/xcap_client/xcap_client.c b/src/modules/xcap_client/xcap_client.c index ac77228bfde..4de2d367b63 100644 --- a/src/modules/xcap_client/xcap_client.c +++ b/src/modules/xcap_client/xcap_client.c @@ -41,6 +41,9 @@ #include "../../core/mem/shm_mem.h" #include "../../core/rpc.h" #include "../../core/rpc_lookup.h" +#define KSR_RTHREAD_NEED_4L +#define KSR_RTHREAD_SKIP_P +#include "../../core/rthreads.h" #include "../presence/utils_func.h" #include "xcap_functions.h" #include "xcap_client.h" @@ -140,7 +143,7 @@ static int mod_init(void) xcap_dbf.close(xcap_db); xcap_db = NULL; - curl_global_init(CURL_GLOBAL_ALL); + run_thread4L((_thread_proto4L)curl_global_init, CURL_GLOBAL_ALL); if(periodical_query) { register_timer(query_xcap_update, 0, query_period);

9 months

git:5.8:ac4f1be0: OpenSSL integration: manage curl_global_init(...) used by modules

by S-P Chan

Module: kamailio Branch: 5.8 Commit: ac4f1be039809d68483fe39e94b0803da1661a48 URL: https://github.com/kamailio/kamailio/commit/ac4f1be039809d68483fe39e94b0803… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-26T10:36:36+08:00 OpenSSL integration: manage curl_global_init(...) used by modules - http_client, http_async_client, xcap_client use libcurl - call curl_global_init in a thread executor as it invokes OpenSSL functions on Debian 12 - clang-format --- Modified: src/core/rthreads.h Modified: src/modules/http_async_client/http_multi.c Modified: src/modules/http_client/http_client.c Modified: src/modules/xcap_client/xcap_client.c --- Diff: https://github.com/kamailio/kamailio/commit/ac4f1be039809d68483fe39e94b0803… Patch: https://github.com/kamailio/kamailio/commit/ac4f1be039809d68483fe39e94b0803…

9 months

git:master:191efd64: tls: fix OpenSSL 1.1.1 compatibility

by S-P Chan

Module: kamailio Branch: master Commit: 191efd6485989de64713d0644368c2f58d984f5e URL: https://github.com/kamailio/kamailio/commit/191efd6485989de64713d0644368c2f… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-25T20:43:55+08:00 tls: fix OpenSSL 1.1.1 compatibility --- Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/191efd6485989de64713d0644368c2f… Patch: https://github.com/kamailio/kamailio/commit/191efd6485989de64713d0644368c2f… --- diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index 136f0e2deb2..550a1bcc2b5 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -688,6 +688,14 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) * GH #3695: OpenSSL 1.1.1 historical note: it is no longer * needed to replace RAND with cryptorand */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L \ + && OPENSSL_VERSION_NUMBER < 0x030000000L + if(ksr_tls_threads_mode == 0) { + LM_WARN("OpenSSL 1.1.1 setting cryptorand random engine\n"); + RAND_set_rand_method(RAND_ksr_cryptorand_method()); + } +#endif + sr_kemi_modules_add(sr_kemi_tls_exports); return 0;

9 months

git:5.8:b98718c2: tls: fix OpenSSL 1.1.1 compatibility

by S-P Chan

Module: kamailio Branch: 5.8 Commit: b98718c28f72b1372a62b17174b43c403fa6b729 URL: https://github.com/kamailio/kamailio/commit/b98718c28f72b1372a62b17174b43c4… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-02-25T20:42:14+08:00 tls: fix OpenSSL 1.1.1 compatibility --- Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/b98718c28f72b1372a62b17174b43c4… Patch: https://github.com/kamailio/kamailio/commit/b98718c28f72b1372a62b17174b43c4… --- diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index 136f0e2deb2..550a1bcc2b5 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -688,6 +688,14 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) * GH #3695: OpenSSL 1.1.1 historical note: it is no longer * needed to replace RAND with cryptorand */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L \ + && OPENSSL_VERSION_NUMBER < 0x030000000L + if(ksr_tls_threads_mode == 0) { + LM_WARN("OpenSSL 1.1.1 setting cryptorand random engine\n"); + RAND_set_rand_method(RAND_ksr_cryptorand_method()); + } +#endif + sr_kemi_modules_add(sr_kemi_tls_exports); return 0;

9 months

[kamailio/kamailio] broken TLS ciphersuite lookup (Issue #3765)

by Michael Furmur

### Description after some nearest changes, there are problems with the TLS handshake (for at least ECDHE-RSA-AES256-GCM-SHA384) because of the missed `OPENSSL_init_ssl()` call for TCP workers #### Reproduction try to send any SIP message over TLS to the server which accepts ECDHE-RSA-AES256-GCM-SHA384 in Server Hello during handshake the simplest way to reproduce is to add microsoft teams server to the dispatcher and enable probing to send OPTIONS kamailio.cfg: ``` loadmodule "tls.so" modparam("tls", "config", "/etc/kamailio/tls.cfg") loadmodule "dispatcher.so" modparam("dispatcher","flags",2) modparam("dispatcher", "list_file", "/etc/kamailio/dispatcher.list") modparam("dispatcher", "ds_ping_method","OPTIONS") modparam("dispatcher", "ds_ping_interval",5) modparam("dispatcher", "ds_probing_mode",1) ``` tls.cfg: ``` [server:default] certificate = /etc/kamailio/ssl/ssl-cert-snakeoil.pem private_key = /etc/kamailio/ssl/ssl-cert-snakeoil.key [client:default] certificate = /etc/kamailio/ssl/ssl-cert-snakeoil.pem private_key = /etc/kamailio/ssl/ssl-cert-snakeoil.key ``` dispatcher.list: ``` 1 sip:sip.pstnhub.microsoft.com;transport=tls 0 0 ``` #### Debugging Data backtrace for the cipher suite lookup: ``` (gdb) bt #0 ssl_cipher_id_cmp_BSEARCH_CMP_FN (a_=0x7ffd2a0aade0, b_=0x7fa110ceeec0 <ssl3_ciphers+11680>) at ../ssl/ssl_lib.c:4985 #1 0x00007fa110832a95 in ossl_bsearch (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167, size=size@entry=80, cmp=cmp@entry=0x7fa110c7cac0 <ssl_cipher_id_cmp_BSEARCH_CMP_FN>, flags=flags@entry=0) at ../crypto/bsearch.c:28 #2 0x00007fa1108fc229 in OBJ_bsearch_ex_ (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167, size=size@entry=80, cmp=cmp@entry=0x7fa110c7cac0 <ssl_cipher_id_cmp_BSEARCH_CMP_FN>, flags=flags@entry=0) at ../crypto/objects/obj_dat.c:699 #3 0x00007fa1108fc23c in OBJ_bsearch_ (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167, size=size@entry=80, cmp=cmp@entry=0x7fa110c7cac0 <ssl_cipher_id_cmp_BSEARCH_CMP_FN>) at ../crypto/objects/obj_dat.c:691 #4 0x00007fa110c7fb95 in OBJ_bsearch_ssl_cipher_id (key=key@entry=0x7ffd2a0aade0, base=base@entry=0x7fa110cec120 <ssl3_ciphers>, num=num@entry=167) at ../ssl/ssl_lib.c:4985 #5 0x00007fa110c6ed4c in ssl3_get_cipher_by_id (id=<optimized out>) at ../ssl/s3_lib.c:4075 #6 0x00007fa110c76077 in ssl_get_cipher_by_char (ssl=ssl@entry=0x7fa10cfca900, ptr=ptr@entry=0x7fa10cfcc767 "\3000", all=all@entry=0) at ../ssl/ssl_ciph.c:2102 #7 0x00007fa110cae0ee in set_client_ciphersuite (s=s@entry=0x7fa10cfca900, cipherchars=cipherchars@entry=0x7fa10cfcc767 "\3000") at ../ssl/statem/statem_clnt.c:1310 #8 0x00007fa110cb03b3 in tls_process_server_hello (s=0x7fa10cfca900, pkt=<optimized out>) at ../ssl/statem/statem_clnt.c:1614 #9 0x00007fa110cace72 in read_state_machine (s=0x7fa10cfca900) at ../ssl/statem/statem.c:647 #10 state_machine (s=0x7fa10cfca900, server=0) at ../ssl/statem/statem.c:442 #11 0x00007fa110d33aaa in tls_connect (c=c@entry=0x7fa10cfc64e0, error=error@entry=0x7ffd2a0ab0e4) at ./src/modules/tls/tls_server.c:542 #12 0x00007fa110d01edd in ssl_flush (size=413, buf=0x7fa10cfdafdc, error=<synthetic pointer>, tcp_c=0x7fa10cfc64e0) at ./src/modules/tls/tls_ct_wrq.c:101 #13 sbufq_flush (flush_f=<optimized out>, flush_p2=<synthetic pointer>, flush_p1=0x7fa10cfc64e0, flags=0x7ffd2a0ab1ac, q=0x7fa10cfb43a0) at ./src/modules/tls/sbufq.h:247 #14 tls_ct_q_flush (flush_p2=<synthetic pointer>, flush_p1=0x7fa10cfc64e0, flush_f=<optimized out>, flags=0x7ffd2a0ab1ac, tc_q=0x18) at ./src/modules/tls/tls_ct_q.h:122 #15 tls_ct_wq_flush (c=c@entry=0x7fa10cfc64e0, ct_q=ct_q@entry=0x7fa10cfb34c0, flags=flags@entry=0x7ffd2a0ab1ac, ssl_err=ssl_err@entry=0x7ffd2a0ab1a8) at ./src/modules/tls/tls_ct_wrq.c:147 #16 0x00007fa110d386f4 in tls_h_read_f (c=0x7fa10cfc64e0, flags=0x7ffd2a0cb5d0) at ./src/modules/tls/tls_server.c:1140 #17 0x0000562ad6b0c46e in tcp_read_headers (c=c@entry=0x7fa10cfc64e0, read_flags=read_flags@entry=0x7ffd2a0cb5d0) at core/tcp_read.c:445 #18 0x0000562ad6b0f543 in tcp_read_req (con=0x7fa10cfc64e0, bytes_read=bytes_read@entry=0x7ffd2a0cb5cc, read_flags=read_flags@entry=0x7ffd2a0cb5d0) at core/tcp_read.c:1508 #19 0x0000562ad6b14879 in handle_io (fm=fm@entry=0x7fa110ed31c8, events=events@entry=1, idx=idx@entry=-1) at core/tcp_read.c:1832 #20 0x0000562ad6b1a7fd in io_wait_loop_epoll (repeat=repeat@entry=0, t=2, h=0x562ad6de8c20 <io_w>) at core/io_wait.h:1073 #21 0x0000562ad6b1b017 in tcp_receive_loop (unix_sock=<optimized out>) at core/tcp_read.c:2032 #22 0x0000562ad6b02df5 in tcp_init_children (woneinit=woneinit@entry=0x7ffd2a0cbb0c) at core/tcp_main.c:5364 #23 0x0000562ad6928b60 in main_loop () at ./src/main.c:1936 #24 0x0000562ad691a463 in main (argc=<optimized out>, argv=<optimized out>) at ./src/main.c:3212 ``` part of the `ssl3_ciphers` array that should be sorted by id ascending: ``` }, { valid = 1, name = 0x7fa110cc3720 "ECDHE-RSA-AES256-GCM-SHA384", stdname = 0x7fa110cc89f8 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", id = 50380848, ... }, { valid = 1, name = 0x7fa110cc3770 "PSK-NULL-SHA", stdname = 0x7fa110cc373c "TLS_PSK_WITH_NULL_SHA", id = 50331692, ... ``` * `ossl_bsearch` assumes that it works with sorted `ssl3_ciphers` * `ssl3_ciphers` sorting performed by `OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings)` -> `ossl_init_ssl_base()` -> `ssl_sort_cipher_list()` -> `qsort(ssl3_ciphers...` #### Log Messages ``` ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS write:error:0A0000F8:SSL routines::unknown cipher returned (sni: unknown) ``` ### Possible Solutions * ensure `OPENSSL_init_ssl()` to be called (directly or using OPENSSL_INIT_ATFORK) for TCP workers * fixed by `OPENSSL_init_ssl(0, NULL);` call in `tls_init.c:int tls_h_mod_init_f(void)` but it's hardly the fully correct solution ### Additional Information * **Kamailio Version** - output of `kamailio -v` ``` # kamailio -v version: kamailio 5.7.4 (x86_64/linux) flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB poll method support: poll, epoll_lt, epoll_et, sigio_rt, select. id: unknown compiled with gcc 13.2.0 ``` ``` # apt list kamailio --installed Listing... Done kamailio/testing,now 5.7.4-1 amd64 [installed] ``` * **Operating System**: Debian GNU/Linux trixie/sid (reproduced on Debian bookworm either) -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/3765 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/issues/3765(a)github.com>

9 months

← Newer
1
...
5
6
7
8
9
10
11
...
25
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev February 2024