On Mon, Mar 19, 2012 at 05:32, Juha Heinanen jh@tutpro.com wrote:
as i mentioned, with shared memory of 64MB, sip proxy started fine. however, it failed to send a request over tls:
Mar 19 11:21:41 test /usr/sbin/sip-proxy[30293]: INFO: Routing INVITE sip:044234567@192.98.102.10:8001;transport=tls
Mar 19 11:21:41 test /usr/sbin/sip-proxy[30293]: WARNING: <core> [forward.c:268]: WARNING: get_send_socket: protocol/port mismatch (forced udp:192.98.101.10:5060, to tls:192.98.102.10:8001)
Mar 19 11:21:41 test /usr/sbin/sip-proxy[30293]: ERROR: tls [tls_server.c:150]: tls: ssl bug #1491 workaround: not enough memory for safe operation: 8473952
Mar 19 11:21:41 test /usr/sbin/sip-proxy[30293]: ERROR: tm [../../forward.h:192]: msg_send: ERROR: tcp_send failed
Mar 19 11:21:41 test /usr/sbin/sip-proxy[30293]: ERROR: tm [t_fwd.c:1385]: ERROR: t_send_branch: sending request on branch 0 failed
this works ok when there is only a couple of certs in ca_list.
there is 10M of free shared memory available. is that not enough for "safe operation" or is this now pkg memory issue (i have the default 4M configured)?
I think you're seeing this because you don't have enough free shared memory. When you load the whole Debian CA certificate list, it probably does not leave enough memory left for openssl. The tls module fails preemptively if there is not enough free memory left to prevent openssl from crashing or causing memory leaks.
There are two configuration options that you can change: low_mem_threshold1 (default 512 * 1024 * get_max_procs) and low_mem_threshold2 (256 * 1024 * get_max_procs).
So you can either try to change one of the options or give the sip proxy more shared memory.
Note that openssl is really memory hungry. By default it consumes over 65kB of memory per connection for various buffers.
-Jan