<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hello,</p>
    <p>to add to this topic: the tls module runs smoothly when no other
      module uses an external library that is also linked with tls; I
      didn't have issues with it in the past few years.</p>
    <p>But if another module indirectly links libssl as well, I
      also got random crashes, usually during events when kamailio code
      is not involved at all. For example, a while ago using the
      http_client module (which uses libcurl, which is also linked with
      libssl) resulted in sporadic crashes during tls handshake -- that's
      all in libssl, nothing to do with sip traffic at that stage. And
      actually there were also crashes when opening the connection to the
      https server. The behaviour was non-deterministic: months without
      any issue, then 1-2 crashes in a week or so, then all good as well.
      I somehow related it to minor updates of the operating system.</p>
    <p>After all, I ended up writing the ruxc module to have an
      alternative http_client() function, and from that moment there was
      no libssl-related crash on the respective system. Strange that for
      another customer having the same OS and using the http_client()
      function, all was and still is fine. So it could also be related to
      tls settings on both sides of the connection (e.g., ciphers,
      renegotiation, tls version, ...).</p>
    <p>If you migrate to kamailio 5.6.x, then you can also try using
      the tlsa module instead of tls; that should isolate the global
      libssl contexts, one inside tlsa and one in those modules
      dynamically linking libssl.</p>
    <p>Cheers,<br>
      Daniel<br>
    </p>
    <div class="moz-cite-prefix">On 23.06.22 16:46, Karsten Horsmann
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAFArqsY5AOxVcCQH+KJLObT=23yr6YMn4vuY7Ac7uOCFQUHYEQ@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="auto">
        <div>Hi Igor, </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">I jumped from 5.3 to 5.5.x so I carefully read
          the changelog and migration steps. </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto"><a
            href="https://www.kamailio.org/wiki/features/new-in-5.5.x"
            moz-do-not-send="true" class="moz-txt-link-freetext">https://www.kamailio.org/wiki/features/new-in-5.5.x</a></div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Shows a bit about tls. <br>
          <br>
          <div class="gmail_quote" dir="auto">
            <div dir="ltr" class="gmail_attr">Igor Olhovskiy &lt;<a
                href="mailto:igorolhovskiy@gmail.com" target="_blank"
                rel="noreferrer" moz-do-not-send="true"
                class="moz-txt-link-freetext">igorolhovskiy@gmail.com</a>&gt;
              wrote on Wed, 22 June 2022, 21:08:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div>
                <p>Karsten,</p>
                <p>Thanks for your answer!</p>
                <p>Out of your head, were there any significant changes
                  in TCP/TLS on 5.4 -> 5.5 change?<br>
                </p>
                <pre cols="72">Regards,
Igor</pre>
                <div>On 22.06.2022 at 18:11, Karsten Horsmann wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="auto">
                    <div>Hi Igor, </div>
                    <div dir="auto"><br>
                    </div>
                    <div dir="auto">I also use CentOS 7 with the same
                      openssl version and between 1000 up to 2000
                      tls/wss connections. </div>
                    <div dir="auto"><br>
                    </div>
                    <div dir="auto">Works for me. Main difference I use
                      Kamailio 5.5.x</div>
                    <div dir="auto"><br>
                    </div>
                    <div dir="auto">Kind regards </div>
                    <div dir="auto">Karsten Horsmann <br>
                      <br>
                      <div class="gmail_quote" dir="auto">
                        <div dir="ltr" class="gmail_attr">Igor Olhovskiy
                          &lt;<a href="mailto:igorolhovskiy@gmail.com"
                            rel="noreferrer noreferrer" target="_blank"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">igorolhovskiy@gmail.com</a>&gt;
                          wrote on Wed, 22 June 2022, 10:36:<br>
                        </div>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div dir="ltr">
                            <div>Hello!</div>
                            <div><br>
                            </div>
                            <div>Since I still experience irregular
                              Kamailio 5.4 crashes (like 1/month)
                              related to SSL (using websockets and SIPS),
                              I'm wondering, could an openSSL upgrade
                              change the situation?</div>
                            <div>As of now in CentOS 7 I have 1.0.2k
                              version. <br>
                            </div>
                            <div><br>
                            </div>
                            <div>Does anyone have experience fixing
                              crashes related to TLS problems with an
                              openSSL upgrade?</div>
                            <div><br>
                            </div>
                            <div>Or maybe some tuneup of TCP parameters
                              can help here? My current setup is quite
                              simple:</div>
                            <div><br>
                            </div>
                            <div>children=4<br>
                            </div>
                            <div>enable_tls=yes<br>
                              tcp_accept_no_cl=yes<br>
                              tcp_connection_lifetime=600<br>
                              tcp_max_connections=998976 # 1000000 -
                              1024, so we're leaving 1k for system
                              reserve<br>
                              tls_max_connections=998976</div>
                            <div><br>
                            </div>
                            <div>Number of clients ~ 200 constantly
                              connected to websocket.<br>
                            </div>
                            <div>-- <br>
                              <div dir="ltr"
                                data-smartmail="gmail_signature">
                                <div dir="ltr">Best regards,
                                  <div>Igor</div>
                                </div>
                              </div>
                            </div>
                          </div>
__________________________________________________________<br>
                          Kamailio - Users Mailing List - Non Commercial
                          Discussions<br>
                            * <a
                            href="mailto:sr-users@lists.kamailio.org"
                            rel="noreferrer noreferrer noreferrer"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">sr-users@lists.kamailio.org</a><br>
                          Important: keep the mailing list in the
                          recipients, do not reply only to the sender!<br>
                          Edit mailing list options or unsubscribe:<br>
                            * <a
                            href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users"
                            rel="noreferrer noreferrer noreferrer
                            noreferrer" target="_blank"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
                        </blockquote>
                      </div>
                    </div>
                  </div>
                  <br>
                </blockquote>
              </div>
            </blockquote>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online: June 20-23, 2022
  * <a class="moz-txt-link-freetext" href="https://www.asipto.com/sw/kamailio-advanced-training-online/">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
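    <p>Added example (not part of the original messages and not Kamailio project code): a Python check that classifies each module as linking libssl directly (a DT_NEEDED entry in <code>readelf -d</code>) or only indirectly (resolved by <code>ldd</code>, as with http_client through libcurl), and reports when tls shares the process with another libssl user, the situation described in the reply above. The module names and tool output in SAMPLE are constructed, and the helper names are hypothetical.</p>

```python
import re
import subprocess

# DT_NEEDED entries as printed by `readelf -d`
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

def _has_libssl(names):
    return any(n.startswith("libssl.so") for n in names)

def classify(readelf_out, ldd_out):
    """'direct': libssl is a DT_NEEDED entry; 'indirect': only ldd resolves it."""
    if _has_libssl(NEEDED_RE.findall(readelf_out)):
        return "direct"
    resolved = [ln.split()[0] for ln in ldd_out.splitlines() if ln.strip()]
    return "indirect" if _has_libssl(resolved) else "none"

def audit(modules):
    """modules: {name: (readelf -d text, ldd text)} -> (report, others, review)."""
    report = {name: classify(r, l) for name, (r, l) in modules.items()}
    others = sorted(n for n, c in report.items() if c != "none" and n != "tls")
    # Condition from the thread: tls plus another module pulling in libssl
    review = report.get("tls", "none") != "none" and bool(others)
    return report, others, review

def collect(path):
    """Run the real tools on one installed module file (path supplied by caller)."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    return run("readelf", "-d", path), run("ldd", path)

def _needed(lib):
    return f" 0x0000000000000001 (NEEDED)   Shared library: [{lib}]\n"

def _ldd(lib):
    return f"\t{lib} => /lib64/{lib} (0x00007f0000000000)\n"

# Constructed tool output for three modules; not captured from a real system.
SAMPLE = {
    "tls": (_needed("libssl.so.10"), _ldd("libssl.so.10")),
    "http_client": (_needed("libcurl.so.4"),
                    _ldd("libcurl.so.4") + _ldd("libssl.so.10")),
    "textops": (_needed("libc.so.6"), _ldd("libc.so.6")),
}

if __name__ == "__main__":
    report, others, review = audit(SAMPLE)
    for name, kind in sorted(report.items()):
        print(f"{name:12} libssl: {kind}")
    print("other libssl users:", others, "| review needed:", review)
```

    <p>On a live host, build the input dictionary by calling collect() on each module file in the installation's Kamailio modules directory.</p>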
  </body>
</html>