Hi,
I'm trying to add tls to our services, but seem hindered by "something". When enabling the tls module it seems to turn off the SSL setting in postgresql, and since we require SSL on our postgres servers Kamailio can't connect and it fails to start.
If I disable WITH_TLS it will start. If I comment out the sqlops modparam it will also start.
Kamailio on RHEL6, from ~4.1.6 git rev 2f690887b45dbc49a8038b1fa041d47cd9ae39ea.
# kamailio -V
version: kamailio 4.1.6 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS,
DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC,
DBG_QM_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE,
USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled on 16:48:10 Sep 26 2014 with gcc 4.4.7
Very simple config file:
debug=3
log_stderror=no
log_facility=LOG_LOCAL0
fork=yes
children=2
#!define TLSFILE "/kamailio/tls-fooserver1.cfg"
port=5060
#!define WITH_TLS
#!ifdef WITH_TLS
enable_tls=yes
#!endif
include_file "/kamailio/databases.cfg"
loadmodule "tm.so" # Transaction (stateful) module
loadmodule "tmx.so" # Extensions from Kamailio TM module
loadmodule "sl.so" # Stateless replier module
loadmodule "rr.so" # Record-Route and Route module
loadmodule "pv.so" # Module holding Pseudo-Variables
loadmodule "sqlops.so" # SQL operations
loadmodule "db_postgres.so" # POSTGRES-backend for database API module
#!ifdef WITH_TLS
loadmodule "tls.so"
#!endif
modparam("sqlops","sqlcon",SQLOPS_DATA)
#!ifdef WITH_TLS
modparam("tls", "config", TLSFILE)
#!endif
route{
exit;
}
SQLOPS_DATA is just a normal "data=>postgres://user:pass@server/db".
TLSFILE contains:
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /ssl/key
certificate = /ssl/cert
ca_list = /ssl/terena_chain2.pem
[client:default]
verify_certificate = no
require_certificate = no
From messages on startup:
Dec 15 13:50:19 fooserver1 kamailio[12115]: INFO: tls [tls_init.c:385]:
init_tls_compression(): tls: init_tls: disabling compression...
Dec 15 13:50:19 fooserver1 kamailio[12115]: INFO: <core>
[tcp_main.c:4836]: init_tcp(): init_tcp: using epoll_lt as the io watch
method (auto detected)
Dec 15 13:50:19 fooserver1 kamailio[12118]: WARNING: <core>
[daemonize.c:352]: daemonize(): pid file contains old pid, replacing pid
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: rr
[../outbound/api.h:54]: ob_load_api(): Failed to import bind_ob
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: rr
[rr_mod.c:159]: mod_init(): outbound module not available
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_mod.c:346]: mod_init(): With ECDH-Support!
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_mod.c:349]: mod_init(): With Diffie Hellman
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_init.c:549]: init_tls_h(): tls: _init_tls_h: compiled with
openssl version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f),
kerberos support: on, compression: on
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_init.c:557]: init_tls_h(): tls: init_tls_h: installed openssl
library version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos
support: on, zlib compression: on#012 compiler: gcc -fPIC -DO
PENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
-DOPEN
SSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: WARNING: tls
[tls_init.c:611]: init_tls_h(): tls: openssl bug #1491 (crash/mem leaks
on low memory) workaround enabled (on low memory tls operations will
fail preemptively) with free memory thresholds 5242880 and
2621440 bytes
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
[cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now():
tls.low_mem_threshold1 has been changed to 5242880
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
[cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now():
tls.low_mem_threshold2 has been changed to 2621440
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
[udp_server.c:176]: probe_max_receive_buffer(): INFO: udp_init:
SO_RCVBUF is initially 124928
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
[udp_server.c:227]: probe_max_receive_buffer(): INFO: udp_init:
SO_RCVBUF is finally 249856
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
[udp_server.c:176]: probe_max_receive_buffer(): INFO: udp_init:
SO_RCVBUF is initially 124928
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
[udp_server.c:227]: probe_max_receive_buffer(): INFO: udp_init:
SO_RCVBUF is finally 249856
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:275]: fill_missing(): TLSs<default>: tls_method=9
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:287]: fill_missing(): TLSs<default>:
certificate='/path/ssl/fooserver1.uio.no.crt'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:294]: fill_missing(): TLSs<default>:
ca_list='/voip/packages/mgmt/ssl/terena_chain2.pem'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:301]: fill_missing(): TLSs<default>: crl='(null)'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:305]: fill_missing(): TLSs<default>: require_certificate=0
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:312]: fill_missing(): TLSs<default>: cipher_list='(null)'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:319]: fill_missing(): TLSs<default>:
private_key='/path/ssl/fooserver1.uio.no.key'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:323]: fill_missing(): TLSs<default>: verify_certificate=0
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:326]: fill_missing(): TLSs<default>: verify_depth=9
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:670]: set_verification(): TLSs<default>: No client
certificate required and no checks performed
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:275]: fill_missing(): TLSc<default>: tls_method=9
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:287]: fill_missing(): TLSc<default>: certificate='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:294]: fill_missing(): TLSc<default>: ca_list='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:301]: fill_missing(): TLSc<default>: crl='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:305]: fill_missing(): TLSc<default>: require_certificate=0
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:312]: fill_missing(): TLSc<default>: cipher_list='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:319]: fill_missing(): TLSc<default>: private_key='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:323]: fill_missing(): TLSc<default>: verify_certificate=0
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:326]: fill_missing(): TLSc<default>: verify_depth=9
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:673]: set_verification(): TLSc<default>: Server MAY
present invalid certificate
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: db_postgres
[km_pg_con.c:82]: db_postgres_new_connection(): SSL SYSCALL error:
Resource temporarily unavailable#012FATAL: no pg_hba.conf entry for
host "129.240.1.1", user "foo_test_user", database "
foo_test", SSL off#012
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: db_postgres
[km_pg_con.c:95]: db_postgres_new_connection(): cleaning up
0x7fce98be0c78=pkg_free()
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core>
[db.c:322]: db_do_init2(): could not add connection to the pool
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: sqlops
[sql_api.c:166]: sql_connect(): failed to connect to the database [data]
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core>
[sr_module.c:927]: init_mod_child(): init_mod_child(): Error while
initializing module sqlops (/usr/lib64/kamailio/modules/sqlops.so)
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core>
[pt.c:490]: fork_tcp_process(): ERROR: fork_tcp_process(): init_child
failed for process 7, pid 12125, "tcp receiver (generic) child=0"
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core>
[tcp_main.c:4962]: tcp_init_children(): ERROR: tcp_main: fork failed:
Success
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12118]: ALERT: <core>
[main.c:774]: handle_sigs(): child process 12125 exited normally, status=255
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
[main.c:792]: handle_sigs(): INFO: terminating due to SIGCHLD
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12126]: INFO: <core>
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12124]: INFO: <core>
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12123]: INFO: <core>
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12122]: INFO: <core>
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12121]: INFO: <core>
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12120]: INFO: <core>
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12127]: INFO: <core>
[main.c:843]: sig_usr(): INFO: signal 15 received
Any ideas?
Best regards,
Øyvind
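Added example, not part of the original post: a small Python triage helper that rejoins the mail-wrapped syslog records, decodes rsyslog's #012 newline escapes, and extracts the PostgreSQL pg_hba.conf rejection together with the SSL state the server reported. The function names are hypothetical, and the sample is constructed from three records of the startup log above.

```python
import re

# Constructed sample: three records copied from the startup log in the post,
# left hard-wrapped the way the mail client delivered them.
SAMPLE = '''\
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
[tls_domain.c:673]: set_verification(): TLSc<default>: Server MAY
present invalid certificate
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: db_postgres
[km_pg_con.c:82]: db_postgres_new_connection(): SSL SYSCALL error:
Resource temporarily unavailable#012FATAL: no pg_hba.conf entry for
host "129.240.1.1", user "foo_test_user", database "
foo_test", SSL off#012
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: sqlops
[sql_api.c:166]: sql_connect(): failed to connect to the database [data]
'''

# A record starts with a classic syslog timestamp, e.g. "Dec 15 13:50:26 ".
RECORD_START = re.compile(r'^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ')
# Server-side FATAL relayed by libpq; \s* tolerates breaks left by wrapping.
HBA_REJECT = re.compile(
    r'no pg_hba\.conf entry for\s+host "\s*([^"]+)",\s+user "\s*([^"]+)",'
    r'\s+database "\s*([^"]+)",\s+SSL (on|off)')

def unwrap(text):
    """Rejoin continuation lines, then decode #012 (octal LF) escapes."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += ' ' + line.strip()
    return [r.replace('#012', '\n') for r in records]

def pg_hba_rejections(text):
    """Return one dict per pg_hba.conf rejection found in the log text."""
    hits = []
    for rec in unwrap(text):
        m = HBA_REJECT.search(rec)
        if m:
            pid = re.search(r'\[(\d+)\]:', rec)  # kamailio child that failed
            hits.append({'pid': pid.group(1) if pid else None,
                         'host': m.group(1), 'user': m.group(2),
                         'database': m.group(3), 'ssl': m.group(4)})
    return hits

if __name__ == '__main__':
    for hit in pg_hba_rejections(SAMPLE):
        print(hit)
```

An "ssl" value of "off" means the server saw that connection attempt arrive without SSL and found no matching pg_hba.conf entry for it.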