On Thu, Jan 22, 2015 at 2:47 AM, Olle E. Johansson <oej@edvina.net> wrote:

On 21 Jan 2015, at 21:52, Juha Heinanen <jh@tutpro.com> wrote:

> Juha Heinanen writes:
>
>> when [group] thing didn't work, i added
>>
>> ssl-ca=/etc/mysql/cacert.pem
>>
>> to [client] section of my.cfg that kamailio according to db_mysql/README
>> is reading.
>>
>> after that, kamailio started ok, but didn't use ssl for mysql queries.
>>
>> what is it that i'm missing?  has anyone succeeded in making kamailio to
>> query mysql server over ssl?
>
> based on zero responses, i guess the answer is "no".  if so, that pretty
> much prevents using kamailio in an environment where mysql service is
> provided by a cloud service, such as amazon ec2.
>
> should i put a note in db_mysql module README telling that we don't
> currently know, which [client] params of my.cfg the module supports?

We've seen reports of issues with Postgresql with TLS too, I don't know
what happened, but I think we need to focus on both and fix this.

There is a known general problem with libraries using OpenSSL - I don't know if
this has been looked at in Kamailio, but we did a fix in Asterisk a while ago.
If you have modules using libraries that use OpenSSL - like we have in
Curl, Mysql, Postgres and possibly other modules - as well as our own use in
the TLS module - there's a risk that OpenSSL gets initialized too many
times and bad things happen.  ("Bad things" need to be defined here).

I think Kevin did a library trick with the linker so that Asterisk
catches these initialization calls first and uses just one. Asterisk is
multithreaded and Kamailio is multiprocess, so I don't know how this
affects Kamailio or if we can get some inspiration by this fix.

Rambling a bit, but trying to point in some sort of general direction. :-)

I will put on my list to set up a lab with Mysql TLS connections and try.


Just chiming in to point out the magic module Olle is referring to:

http://svn.asterisk.org/svn/asterisk/trunk/main/libasteriskssl.c

For context, the peer review for the patch that fixed this issue is here:

https://reviewboard.asterisk.org/r/1006/

Although due to some issues in review board, part of the patch doesn't show up (hence the link to the actual source).

Matt

--
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
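
The thread asks which [client] options of the MySQL defaults file the client library actually picks up, and whether a bare ssl-ca line makes queries go over TLS. The script below is an added example, not code from the thread, from Kamailio or from Asterisk. It models what libmysqlclient does with MYSQL_READ_DEFAULT_GROUP: read the [client] group, then the program-specific group, with later values overriding earlier ones and '-'/'_' in option names treated as equivalent. It then reports whether the merged ssl-* options only offer TLS or actually require it. The config text is constructed; the group name "kamailio" and the ssl-mode semantics (REQUIRED / VERIFY_CA / VERIFY_IDENTITY refuse a plaintext session, anything else is opportunistic) are assumptions matching MySQL 5.7+ option naming, not something the thread states.

```python
"""Added example: merge my.cnf option groups the way libmysqlclient does
(MYSQL_READ_DEFAULT_GROUP) and classify the resulting TLS posture.

Assumptions (not from the thread): [client] is read first, then the named
program group; later keys win; '-' and '_' in keys are interchangeable and a
leading '--' is ignored; only ssl-mode=REQUIRED/VERIFY_CA/VERIFY_IDENTITY makes
a plaintext connection an error, ssl/ssl-ca/ssl-cert alone merely offer TLS.
"""
import configparser
from typing import Dict, Tuple

# Constructed sample configuration; not a real file from any host.
SAMPLE_MY_CNF = """\
# constructed sample, not a real file
[client]
user=kamailio
host=127.0.0.1
ssl-ca=/etc/mysql/cacert.pem

[kamailio]
host=db.example.internal
ssl_mode=REQUIRED
"""

# ssl-mode values (MySQL 5.7+ naming) under which the client refuses plaintext.
ENFORCING_MODES = {"REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}


def normalise_key(key: str) -> str:
    """'--ssl_ca' and 'ssl-ca' name the same option in the MySQL client."""
    return key.lstrip("-").replace("_", "-").lower()


def load_groups(text: str, program_group: str) -> Dict[str, str]:
    """Merge [client] and then [program_group]; later values override."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(text)
    merged: Dict[str, str] = {}
    for group in ("client", program_group):
        if not cp.has_section(group):
            continue  # a missing group is simply skipped, like the C library does
        for key, value in cp.items(group):
            merged[normalise_key(key)] = "" if value is None else value.strip()
    return merged


def ssl_options(opts: Dict[str, str]) -> Dict[str, str]:
    """Only the options that influence TLS: bare 'ssl' and every 'ssl-*'."""
    return {k: v for k, v in opts.items() if k == "ssl" or k.startswith("ssl-")}


def tls_verdict(opts: Dict[str, str]) -> str:
    """'required', 'disabled', 'offered' (opportunistic) or 'none'."""
    ssl = ssl_options(opts)
    mode = ssl.get("ssl-mode", "").upper()
    if mode in ENFORCING_MODES:
        return "required"
    if mode == "DISABLED":
        return "disabled"
    if ssl:
        # ssl-ca (or ssl, ssl-cert, ssl-key) alone: the client will negotiate
        # TLS if the server supports it but silently falls back to plaintext.
        return "offered"
    return "none"


def describe(text: str, program_group: str) -> Tuple[str, Dict[str, str]]:
    """Convenience wrapper: verdict plus the TLS-relevant merged options."""
    opts = load_groups(text, program_group)
    return tls_verdict(opts), ssl_options(opts)


if __name__ == "__main__":
    for group in ("kamailio", "no-such-group"):
        verdict, ssl = describe(SAMPLE_MY_CNF, group)
        print(f"group [{group}]: TLS {verdict}; ssl options: {ssl}")
```

Run with the [kamailio] group present and the verdict is "required"; ask for a group that does not exist and only the [client] ssl-ca survives, which yields "offered": the client will use TLS if the server allows it, but a plaintext session is not an error. That distinction is the check to make before concluding that a driver "supports" TLS; the definitive confirmation is still looking at the negotiated cipher on the live session rather than at the config file.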