Hello Richard,

thanks for working on this topic and providing a way to control this new protection mechanism depending on the requirements and age of systems etc.

Cheers,

Henning

From: Richard Chan via sr-dev <sr-dev@lists.kamailio.org>
Sent: Tuesday, 6 February 2024 12:20
To: miconda@gmail.com
Cc: Kamailio (SER) - Development Mailing List <sr-dev@lists.kamailio.org>; Richard Chan <shihping.chan@gmail.com>
Subject: [sr-dev] Re: git:master:ba921b21: core/rthread.h: add prototype for db queries


Hi Daniel / Henning,

I would like to propose a global config to restore the non-threaded default:

enable_tls = no|yes #(EXISTING) boolean
enable_tls_threads = 0 | 1 | 2 #(NEW) int

0: disable thread-wrappers (restores kamailio behaviour)
 - default when enable_tls = no

1: thread-wrapper only for process_no = 0 (main process)
 - default when enable_tls = yes

2: thread-wrapper on for all processes


Now the behaviour for the thread wrappers can be

/* pseudo-code
 * fn is the wrapped function, arg its argument */
void *run_threadXXXX(void *(*fn)(void *), void *arg)
{
    int flag = cfg_get_tls_threads();

    if (likely(flag == 0 || (flag == 1 && process_no != 0))) {
        return fn(arg); /* execute wrapped function directly - no thread */
    } else { /* flag == 2 || (flag == 1 && process_no == 0) */
        /* run fn in a thread and wait for its result */
        pthread_t tid;
        void *ret = NULL;
        if (pthread_create(&tid, NULL, fn, arg) != 0)
            return fn(arg); /* could not start a thread: fall back to direct call */
        pthread_join(tid, &ret);
        return ret;
    }
}


I am not familiar with the bison grammar or parsing of the global config file — I would need your help (or another developer familiar with the core parsing) to set this up. When this cfg flag is available I can change all the thread-runners to check the global config.

With respect to 5.7 (stable branch): unfortunately, due to the changes for OpenSSL 3 it is broken: #3635 - with more load there will be double-free errors; #3727 - cannot load the tls and a db module together (even if the db module does not use TLS it may initialize OpenSSL).


The changes, while more intrusive than usual, are the minimal viable set of changes. With the commits on 5.7 you can have a TLS-enabled /etc/kamailio.cfg using OpenSSL 3 and load a db module (with or without TLS). To reiterate: even a pure in-memory TLS proxy without database is subject to double-free corruption.


To make the changes less intrusive: backport the global enable_tls_threads config to 5.7.5+ or make the thread wrappers check for process_no = 0. The latter (and more minimal) change would mean that all Kamailio workers will have the existing behaviour and only process_no = 0 tries to run thread wrappers.


Options:

A. 5.8-pre: add a global config enable_tls_threads to 5.8-pre (need help on this part - the thread wrappers I would be able to fix)

B. 5.7.5+: backport A to 5.7 OR check for process_no = 0 in thread wrappers (only change in parent process, no change to worker processes)


Let me know what you think - thanks for the comments.

Cheers

Richard
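The enable_tls_threads dispatch that Richard proposes above, as an added stand-alone example (this is not Kamailio code and not from the thread): the globals process_no and cfg_tls_threads, and the wrapper run_wrapped(), are stand-ins for the core internals and the proposed cfg variable; ran_in_thread() is a hypothetical probe that reports whether the wrapped call was moved off the calling thread, which makes the three modes observable.

```c
/* Added example (not Kamailio code): model of the proposed enable_tls_threads
 * dispatch. process_no, cfg_tls_threads and run_wrapped() are stand-ins for the
 * Kamailio internals described in the thread. */
#include <pthread.h>
#include <stdio.h>

typedef void *(*wrapped_fn)(void *);

/* Stand-ins for the Kamailio globals: process rank and the proposed cfg value. */
int process_no = 0;
int cfg_tls_threads = 1;  /* 0 = never thread, 1 = main process only, 2 = always */

/* Same condition as the proposed pseudo-code's else branch. */
static int must_use_thread(int flag, int proc)
{
    return flag == 2 || (flag == 1 && proc == 0);
}

struct call { wrapped_fn fn; void *arg; };

static void *trampoline(void *p)
{
    struct call *c = p;
    return c->fn(c->arg);
}

/* run_wrapped(): call fn directly (existing behaviour), or on a fresh pthread
 * and join it, depending on cfg_tls_threads and process_no. Returns fn's result. */
void *run_wrapped(wrapped_fn fn, void *arg)
{
    if (!must_use_thread(cfg_tls_threads, process_no))
        return fn(arg);               /* no thread: unchanged behaviour */

    struct call c = { fn, arg };
    pthread_t tid;
    void *ret = NULL;
    if (pthread_create(&tid, NULL, trampoline, &c) != 0)
        return fn(arg);               /* could not start a thread: direct call */
    pthread_join(tid, &ret);
    return ret;
}

/* Probe: returns non-NULL when it runs on a thread other than the caller's. */
static void *probe(void *arg)
{
    pthread_t *caller = arg;
    return pthread_equal(pthread_self(), *caller) ? (void *)0 : (void *)1;
}

/* ran_in_thread(): hypothetical helper; 1 if the wrapper moved the call to a
 * new thread for the given cfg value and process rank, 0 if it ran inline. */
int ran_in_thread(int flag, int proc)
{
    cfg_tls_threads = flag;
    process_no = proc;
    pthread_t self = pthread_self();
    return run_wrapped(probe, &self) != NULL;
}

int main(void)
{
    int flags[] = {0, 1, 2};
    for (int i = 0; i < 3; i++)
        printf("enable_tls_threads=%d: main process threaded=%d, worker threaded=%d\n",
               flags[i], ran_in_thread(flags[i], 0), ran_in_thread(flags[i], 5));
    return 0;
}
```

Mode 0 never threads, mode 1 threads only in the main process (process_no 0), mode 2 threads everywhere; workers under modes 0 and 1 keep the existing direct-call path, which is what the "process_no = 0 only" backport option for 5.7 relies on.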