On Fri, 9 Nov 2007, Klaus Darilion wrote:
Chris Heiser schrieb:
Information on TLS and OpenSER with this specific issues seems to be scarce.
I have 2 different setups. One with about 130 registrations, one with about 250. Both with SSLv23 turned on, and TLS is enabled in the phones. What's odd is after some unknown amount of time, phones start dropping like files and fail to re-register. (Our registration timer is set at 60 seconds to aid in failover).
Do all the phones register via TLS or only some phones register via DNS? Do only the phones fail to REGISTER which use TLS or all of them?
Phones are configured to use TLS. These are the only ones that drop. Anything registering over UDP keeps working fine.
Why do you use SSLv23? Using TLS would be the standard.
The same happens with just TLS. I believe SSLv23 was enabled for some device that didn't do TLS properly.
What's interesting is it appears that the SSL handshake completely fails when this starts to happen. The requests from the phones are smaller in size (733 bytes about 970 for a good one). Suspicion would normally lie with the phones. They're obviously not doing something right!
What's about debugging the handshake? Use ssldump to debug the handshake. There should also be some logs in openser's logfile.
That's just it. ssldump shows an initial packet of 733 and it never handshakes. It just stays angry.
regards klaus
Here's the kicker. If I fail over to another OpenSER proxy (we move the IP over, use the same certs, etc...) everyone comes back up, and everything is happy for hours, maybe a day, maybe a week, and then it all starts going downhill again.
I've increased the number of OpenSER children, I've played with the tcp_persistent_flag. None of these things have stopped the madness.
Anyone have any ideas or thoughts?
--Chris
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users