18 Oct
2022
18 Oct
'22
3:16 p.m.
Hello,
Sorry for bumping this old up, but some outcome from my research.
1. CentOS 7 provided OpenSSL (1.0.2k-fips 26 Jan 2017) really leads
Kamailio 5.x.x crash on high load (tested with 5.4 - 5.6) with sippts
<https://github.com/Pepelux/sippts> tool.
2. Good results are obtained with Kamailio 5.6.2 with tlsa flavour
statically linked with openssl 1.1.1q (here I have problem with lacking
of TLS connections, but it's something different)
And with this result I have a question, when I'm invoking
exit;
on Kamailio script it's not "freeing" TCP connection as I got, I've
managed "freeing" (or not occupying) connection with iptables
-j REJECT --reject-with tcp-reset
Is there anything same for Kamailio or I need to add smth like fail2ban
on top?
Thanks in advance!
Le 24/06/2022 à 14:15, Igor Olhovskiy a écrit :
Daniel,
Thanks for clarifying this!
And to ask, is websocket module also uses libssl indirectly or should
not be the cause in this one? (I'm not using http or so).
Le ven. 24 juin 2022 à 08:36, Daniel-Constantin Mierla
<miconda(a)gmail.com> a écrit :
Hello,
to add to this topic: tls module runs smooth when no other module
uses an external library that is linked also with tls, I didn't
have issue with in the past few years.
But if another module that indirectly links also the libssl, I
also got random crashes, usually during events when kamailio code
is not involved at all. For example, a while ago using the
http_client module (which uses libcurl that linked also libssl)
resulted in sporadic crashes during tls handshake -- that's all in
libssl, nothing to do with sip traffic at that stage. And actually
there were also crashes when opening the connection to the https
server. The behaviour was non-deterministic, months without any
issue, then 1-2 crashes in a week or so, then all good as well. I
somehow related it to minor updates of the operating system.
After all, I ended up writing ruxc module to have an alternative
http_client() function and from that moment no libssl related
crash on the respective system. Strange that on another customer
having same OS and using http_client() function, all was and still
is fine. So it could be also related to tls settings in both sides
of the connection (e.g., ciphers, renegotiation, tls version, ...).
If you migrate to kamailio 5.6.x, then you can also try using tlsa
module instead of tls, that should isolate the global libssl
contexts, one inside the tlsa and one in those modules linking
dynamically libssl.
Cheers,
Daniel
On 23.06.22 16:46, Karsten Horsmann wrote:
Hi Igor,
I jumped from 5.3 to 5.5.x so I read carefull the changelog and
migrate steps.
https://www.kamailio.org/wiki/features/new-in-5.5.x
Show a bit about tls.
Igor Olhovskiy <igorolhovskiy(a)gmail.com> schrieb am Mi., 22. Juni
2022, 21:08:
Karsten,
Thanks for your answer!
Out of your head, were there any significant changes in
TCP/TLS on 5.4 -> 5.5 change?
Regards,
Igor
Le 22.06.2022 à 18:11, Karsten Horsmann a écrit :
--
Daniel-Constantin Mierla --www.asipto.com <http://www.asipto.com>
www.twitter.com/miconda <http://www.twitter.com/miconda>
--www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
Kamailio Advanced Training - Online: June 20-23, 2022
*https://www.asipto.com/sw/kamailio-advanced-training-online/
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply
only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Best regards,
Igor Hi Igor,
I also use CentOS 7 with the same openssl version and
between 1000 up to 2000 tls/wss connections.
Works for me. Main difference I use Kamailio 5.5.x
Kind regards
Karsten Horsmann
Igor Olhovskiy <igorolhovskiy(a)gmail.com> schrieb am Mi., 22.
Juni 2022, 10:36:
Hello!
Due to I still experience irregular Kamailio 5.4 crashes
(like 1/month) related to SSL (using websockets and
SIPS) I'm wondering, could openSSL upgrade change the
situation?
As of now in CentOS 7 I have 1.0.2k version.
Does anyone have experience to fix crash-related to TLS
problems with openSSL upgrade?
Or maye some tuneup of TCP parameters can help here?My
current setup is quite simple:
children=4
enable_tls=yes
tcp_accept_no_cl=yes
tcp_connection_lifetime=600
tcp_max_connections=998976 # 1000000 - 1024, so we're
leaving 1k for system reserve
tls_max_connections=998976
Number of clients ~ 200 constantly connected to websocket.
--
Best regards,
Igor
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do
not reply only to the sender!
Edit mailing list options or unsubscribe:
*
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
*sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the
sender!
Edit mailing list options or unsubscribe:
*https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not
reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
*sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
*https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users