Hi,
I'm trying to add tls to our services, but seem hindered by "something". When enabling the tls module it seems to turn off the SSL setting in postgresql, and since we require SSL on our postgres servers Kamailio can't connect and it fails to start.
If I disable WITH_TLS it will start. If I comment out the sqlops modparam it will also start.
Kamailio on RHEL6, from ~4.1.6 git rev 2f690887b45dbc49a8038b1fa041d47cd9ae39ea.
# kamailio -V
version: kamailio 4.1.6 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, DBG_QM_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled on 16:48:10 Sep 26 2014 with gcc 4.4.7
Very simple config file:
debug=3
log_stderror=no
log_facility=LOG_LOCAL0

fork=yes
children=2

#!define TLSFILE "/kamailio/tls-fooserver1.cfg"

port=5060

#!define WITH_TLS
#!ifdef WITH_TLS
enable_tls=yes
#!endif

include_file "/kamailio/databases.cfg"

loadmodule "tm.so" # Transaction (stateful) module
loadmodule "tmx.so" # Extensions from Kamailio TM module
loadmodule "sl.so" # Stateless replier module
loadmodule "rr.so" # Record-Route and Route module
loadmodule "pv.so" # Module holding Pseudo-Variables
loadmodule "sqlops.so" # SQL operations
loadmodule "db_postgres.so" # POSTGRES-backend for database API module

#!ifdef WITH_TLS
loadmodule "tls.so"
#!endif

modparam("sqlops","sqlcon",SQLOPS_DATA)

#!ifdef WITH_TLS
modparam("tls", "config", TLSFILE)
#!endif

route{
    exit;
}
SQLOPS_DATA is just a normal "data=>postgres://user:pass@server/db".
TLSFILE contains:

[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /ssl/key
certificate = /ssl/cert
ca_list = /ssl/terena_chain2.pem

[client:default]
verify_certificate = no
require_certificate = no
From messages on startup:
Dec 15 13:50:19 fooserver1 kamailio[12115]: INFO: tls [tls_init.c:385]: init_tls_compression(): tls: init_tls: disabling compression...
Dec 15 13:50:19 fooserver1 kamailio[12115]: INFO: <core> [tcp_main.c:4836]: init_tcp(): init_tcp: using epoll_lt as the io watch method (auto detected)
Dec 15 13:50:19 fooserver1 kamailio[12118]: WARNING: <core> [daemonize.c:352]: daemonize(): pid file contains old pid, replacing pid
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: rr [../outbound/api.h:54]: ob_load_api(): Failed to import bind_ob
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: rr [rr_mod.c:159]: mod_init(): outbound module not available
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_mod.c:346]: mod_init(): With ECDH-Support!
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_mod.c:349]: mod_init(): With Diffie Hellman
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_init.c:549]: init_tls_h(): tls: _init_tls_h: compiled with openssl version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos support: on, compression: on
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_init.c:557]: init_tls_h(): tls: init_tls_h: installed openssl library version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos support: on, zlib compression: on#012 compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: WARNING: tls [tls_init.c:611]: init_tls_h(): tls: openssl bug #1491 (crash/mem leaks on low memory) workaround enabled (on low memory tls operations will fail preemptively) with free memory thresholds 5242880 and 2621440 bytes
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): tls.low_mem_threshold1 has been changed to 5242880
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): tls.low_mem_threshold2 has been changed to 2621440
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> [udp_server.c:176]: probe_max_receive_buffer(): INFO: udp_init: SO_RCVBUF is initially 124928
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> [udp_server.c:227]: probe_max_receive_buffer(): INFO: udp_init: SO_RCVBUF is finally 249856
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> [udp_server.c:176]: probe_max_receive_buffer(): INFO: udp_init: SO_RCVBUF is initially 124928
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> [udp_server.c:227]: probe_max_receive_buffer(): INFO: udp_init: SO_RCVBUF is finally 249856
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:275]: fill_missing(): TLSs<default>: tls_method=9
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:287]: fill_missing(): TLSs<default>: certificate='/path/ssl/fooserver1.uio.no.crt'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:294]: fill_missing(): TLSs<default>: ca_list='/voip/packages/mgmt/ssl/terena_chain2.pem'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:301]: fill_missing(): TLSs<default>: crl='(null)'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:305]: fill_missing(): TLSs<default>: require_certificate=0
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:312]: fill_missing(): TLSs<default>: cipher_list='(null)'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:319]: fill_missing(): TLSs<default>: private_key='/path/ssl/fooserver1.uio.no.key'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:323]: fill_missing(): TLSs<default>: verify_certificate=0
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:326]: fill_missing(): TLSs<default>: verify_depth=9
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:670]: set_verification(): TLSs<default>: No client certificate required and no checks performed
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:275]: fill_missing(): TLSc<default>: tls_method=9
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:287]: fill_missing(): TLSc<default>: certificate='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:294]: fill_missing(): TLSc<default>: ca_list='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:301]: fill_missing(): TLSc<default>: crl='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:305]: fill_missing(): TLSc<default>: require_certificate=0
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:312]: fill_missing(): TLSc<default>: cipher_list='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:319]: fill_missing(): TLSc<default>: private_key='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:323]: fill_missing(): TLSc<default>: verify_certificate=0
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:326]: fill_missing(): TLSc<default>: verify_depth=9
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls [tls_domain.c:673]: set_verification(): TLSc<default>: Server MAY present invalid certificate
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: db_postgres [km_pg_con.c:82]: db_postgres_new_connection(): SSL SYSCALL error: Resource temporarily unavailable#012FATAL: no pg_hba.conf entry for host "129.240.1.1", user "foo_test_user", database " foo_test", SSL off#012
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: db_postgres [km_pg_con.c:95]: db_postgres_new_connection(): cleaning up 0x7fce98be0c78=pkg_free()
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core> [db.c:322]: db_do_init2(): could not add connection to the pool
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: sqlops [sql_api.c:166]: sql_connect(): failed to connect to the database [data]
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core> [sr_module.c:927]: init_mod_child(): init_mod_child(): Error while initializing module sqlops (/usr/lib64/kamailio/modules/sqlops.so)
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core> [pt.c:490]: fork_tcp_process(): ERROR: fork_tcp_process(): init_child failed for process 7, pid 12125, "tcp receiver (generic) child=0"
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core> [tcp_main.c:4962]: tcp_init_children(): ERROR: tcp_main: fork failed: Success
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12118]: ALERT: <core> [main.c:774]: handle_sigs(): child process 12125 exited normally, status=255
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> [main.c:792]: handle_sigs(): INFO: terminating due to SIGCHLD
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12126]: INFO: <core> [main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12124]: INFO: <core> [main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12123]: INFO: <core> [main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12122]: INFO: <core> [main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12121]: INFO: <core> [main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12120]: INFO: <core> [main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12127]: INFO: <core> [main.c:843]: sig_usr(): INFO: signal 15 received
Any ideas?
Best regards, Øyvind
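
An added triage example (not part of the original post, and not Kamailio code): it parses the syslog records, decodes rsyslog's `#012` newline escape inside the db_postgres error, and flags the case where an SSL error is followed by a pg_hba.conf rejection marked "SSL off", the pattern libpq's default sslmode=prefer produces when it retries without SSL. The sample lines are constructed from the log above; the function and field names are illustrative assumptions.

```python
import re

# Constructed sample: two records copied from the startup log in the post.
SAMPLE = (
    'Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: db_postgres '
    '[km_pg_con.c:82]: db_postgres_new_connection(): SSL SYSCALL error: Resource '
    'temporarily unavailable#012FATAL: no pg_hba.conf entry for host "129.240.1.1", '
    'user "foo_test_user", database " foo_test", SSL off#012\n'
    'Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: sqlops '
    '[sql_api.c:166]: sql_connect(): failed to connect to the database [data]\n'
)

# One Kamailio syslog record: timestamp, host, pid, level, module, source, function, text.
RECORD = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) \S*kamailio\[(?P<pid>\d+)\]: '
    r'(?P<level>[A-Z]+): (?P<module>\S+) \[(?P<src>[^\]]+)\]: (?P<func>\w+)\(\): (?P<msg>.*)$')
OCTAL = re.compile(r'#([0-7]{3})')  # rsyslog writes control characters as #ooo
HBA = re.compile(r'no pg_hba\.conf entry for host "(?P<client>[^"]*)", '
                 r'user "(?P<user>[^"]*)", database "(?P<db>[^"]*)", SSL (?P<ssl>on|off)')

def unescape(msg):
    """Turn rsyslog octal escapes such as #012 back into the original characters."""
    return OCTAL.sub(lambda m: chr(int(m.group(1), 8)), msg)

def triage(log_text):
    """Return one finding per db_postgres record that carries a pg_hba.conf rejection."""
    findings = []
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if not rec or rec['module'] != 'db_postgres':
            continue
        # libpq reports each connection attempt on its own line of the error text.
        parts = [p.strip() for p in unescape(rec['msg']).split('\n') if p.strip()]
        ssl_errors = [p for p in parts if p.startswith('SSL ')]
        for part in parts:
            hba = HBA.search(part)
            if hba:
                findings.append({
                    'pid': int(rec['pid']), 'source': rec['src'],
                    'client': hba['client'], 'user': hba['user'],
                    'ssl_errors': ssl_errors, 'rejected_ssl': hba['ssl'],
                    # SSL attempt failed, then the server refused a non-SSL attempt.
                    'fell_back_to_plaintext': bool(ssl_errors) and hba['ssl'] == 'off',
                })
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE):
        print(finding)
```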