Interesting approach: temporarily replacing the libssl functions and calling the original ones later.
On Thu, Jan 22, 2015 at 2:47 AM, Olle E. Johansson <oej@edvina.net> wrote:
On 21 Jan 2015, at 21:52, Juha Heinanen <jh@tutpro.com> wrote:
> Juha Heinanen writes:
>
>> when [group] thing didn't work, i added
>>
>> ssl-ca=/etc/mysql/cacert.pem
>>
>> to [client] section of my.cfg that kamailio according to db_mysql/README
>> is reading.
>>
>> after that, kamailio started ok, but didn't use ssl for mysql queries.
>>
>> what is it that i'm missing? has anyone succeeded in making kamailio to
>> query mysql server over ssl?
>
> based on zero responses, i guess the answer is "no". if so, that pretty
> much prevents using kamailio in an environment where mysql service is
> provided by a cloud service, such as amazon ec2.
>
> should i put a note in db_mysql module README telling that we don't
> currently know, which [client] params of my.cfg the module supports?
We've seen reports of issues with Postgresql with TLS too, I don't know
what happened, but I think we need to focus on both and fix this.
There is a known general problem with libraries using OpenSSL - I don't know if
this has been looked at in Kamailio, but we did a fix in Asterisk a while ago.
If you have modules using libraries that use OpenSSL - like we have in
Curl, Mysql, Postgres and possibly other modules - as well as our own use in
the TLS module - there's a risk that OpenSSL gets initialized too many
times and bad things happen. ("Bad things" need to be defined here).
I think Kevin did a library trick with the linker so that Asterisk
catches these initialization calls first and uses just one. Asterisk is
multithreaded and Kamailio is multiprocess, so I don't know how this
affects Kamailio or if we can get some inspiration by this fix.
Rambling a bit, but trying to point in some sort of general direction. :-)
I will put on my list to set up a lab with Mysql TLS connections and try.
Just chiming in to point out the magic module Olle is referring to:
http://svn.asterisk.org/svn/asterisk/trunk/main/libasteriskssl.c
For context, the peer review for the patch that fixed this issue is here:
https://reviewboard.asterisk.org/r/1006/
Although due to some issues in review board, part of the patch doesn't show up (hence the link to the actual source).
-- Daniel-Constantin Mierla http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
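The "library trick" discussed above, written out as an added example. This is not code from the thread, from Asterisk's libasteriskssl.c, or from Kamailio; it only follows the idea described there. The names app_ssl_init, fake_module_load and the ssl_shim_* accessors are hypothetical. The shim exports the OpenSSL 1.0.x initialisation symbols (SSL_library_init, SSL_load_error_strings, ERR_load_BIO_strings) as no-ops, so that when the object is linked ahead of libssl, calls from libmysqlclient, libpq, libcurl and friends bind to the shim instead. The core then resolves libssl's real definitions with dlsym(RTLD_NEXT, ...) and runs them exactly once. Because no libssl is linked into this stand-alone demo, dlsym returns NULL for the real symbols and the calls are skipped; in a real build they are found. On glibc older than 2.34 the build needs -ldl.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* RTLD_NEXT on glibc */
#endif
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)   /* glibc/musl/macOS value; assumption for other libcs */
#endif

/*
 * Hypothetical OpenSSL init shim (added example, modelled on the idea in the
 * thread; not Asterisk's or Kamailio's code). Link this object into the core
 * binary ahead of libssl (first on the link line, or preloaded). Symbol lookup
 * takes the first definition found, so every module that calls
 * SSL_library_init() or SSL_load_error_strings() lands here, not in libssl.
 */

static int startup_complete;   /* set once the core has run the real init */
static int suppressed_calls;   /* module init calls turned into no-ops */
static int real_init_calls;    /* times the real libssl init actually ran */

/* Interposed symbols. Same names and signatures as OpenSSL 1.0.x. */
int SSL_library_init(void)
{
    suppressed_calls++;
    return 1;                  /* OpenSSL 1.0.x documents "always returns 1" */
}

void SSL_load_error_strings(void)
{
    suppressed_calls++;
}

void ERR_load_BIO_strings(void)
{
    suppressed_calls++;
}

/*
 * Called once by the core, early in main() and, in a forking server such as
 * Kamailio, before any fork(). Resolves the *next* definition of each symbol
 * after this object, i.e. libssl's own, and runs it exactly once.
 */
int app_ssl_init(void)
{
    int  (*real_library_init)(void) = NULL;
    void (*real_load_error_strings)(void) = NULL;
    void (*real_load_bio_strings)(void) = NULL;

    if (startup_complete)
        return 0;              /* idempotent: a second core call is harmless */

    /* POSIX idiom for converting dlsym()'s void* into a function pointer */
    *(void **)(&real_library_init)       = dlsym(RTLD_NEXT, "SSL_library_init");
    *(void **)(&real_load_error_strings) = dlsym(RTLD_NEXT, "SSL_load_error_strings");
    *(void **)(&real_load_bio_strings)   = dlsym(RTLD_NEXT, "ERR_load_BIO_strings");

    /* In a real build libssl is loaded and these are non-NULL. In this
     * stand-alone demo no libssl is linked, so they are NULL and skipped. */
    if (real_library_init)
        real_library_init();
    if (real_load_error_strings)
        real_load_error_strings();
    if (real_load_bio_strings)
        real_load_bio_strings();

    real_init_calls++;
    startup_complete = 1;
    return 0;
}

/* Accessors so the shim's state can be checked from outside this unit. */
int ssl_shim_suppressed_count(void) { return suppressed_calls; }
int ssl_shim_real_init_count(void)  { return real_init_calls; }
int ssl_shim_started(void)          { return startup_complete; }

/*
 * Constructed stand-in for what a DB or HTTP client library does in its own
 * init path. With the shim in front of libssl these calls are absorbed instead
 * of re-initialising OpenSSL (and re-registering its callbacks) behind the
 * core's back.
 */
int fake_module_load(void)
{
    SSL_library_init();
    SSL_load_error_strings();
    return 1;
}

int main(void)
{
    app_ssl_init();
    fake_module_load();        /* e.g. a db_mysql-style module */
    fake_module_load();        /* e.g. a db_postgres-style module */
    app_ssl_init();            /* second core call is a no-op */
    printf("real init ran %d time(s), %d module init calls suppressed\n",
           ssl_shim_real_init_count(), ssl_shim_suppressed_count());
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the trick only works if the shim really is resolved before libssl for every module; check with `LD_DEBUG=bindings` (glibc) which object each module's SSL_library_init call binds to. Second, this targets OpenSSL 1.0.x, the series in use when the thread was written: from OpenSSL 1.1.0 on, initialisation is implicit and idempotent (OPENSSL_init_ssl), and SSL_library_init is a deprecated macro for it, so the double-initialisation hazard and the need for a shim largely disappear.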