<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello,<br>
</p>
<p>Sorry for bumping this old up, but some outcome from my research.</p>
<p>1. CentOS 7 provided OpenSSL (1.0.2k-fips 26 Jan 2017) really
leads Kamailio 5.x.x crash on high load (tested with 5.4 - 5.6)
with <a moz-do-not-send="true"
href="https://github.com/Pepelux/sippts">sippts</a> tool.</p>
<p>2. Good results are obtained with Kamailio 5.6.2 with tlsa
flavour statically linked with openssl 1.1.1q (here I have problem
with lacking of TLS connections, but it's something different)</p>
<p>And with this result I have a question, when I'm invoking <br>
</p>
<p>exit;</p>
<p>on Kamailio script it's not "freeing" TCP connection as I got,
I've managed "freeing" (or not occupying) connection with iptables
<br>
</p>
<p>-j REJECT --reject-with tcp-reset</p>
<p>Is there anything same for Kamailio or I need to add smth like
fail2ban on top?</p>
<p>Thanks in advance!<br>
</p>
<p>Le 24/06/2022 à 14:15, Igor Olhovskiy a écrit :<br>
</p>
<blockquote type="cite"
cite="mid:CAJTkRNvzE8O_xKij13pFY+kdVnZjQejhaFafCYq1SxZ7Pt=uaA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Daniel,</div>
<div><br>
</div>
<div>Thanks for clarifying this!</div>
<div>And to ask, is websocket module also uses libssl indirectly
or should not be the cause in this one? (I'm not using http or
so).</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Le ven. 24 juin 2022 à 08:36,
Daniel-Constantin Mierla <<a
href="mailto:miconda@gmail.com" moz-do-not-send="true"
class="moz-txt-link-freetext">miconda@gmail.com</a>> a
écrit :<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello,</p>
<p>to add to this topic: tls module runs smooth when no
other module uses an external library that is linked also
with tls, I didn't have issue with in the past few years.</p>
<p>But if another module that indirectly links also the
libssl, I also got random crashes, usually during events
when kamailio code is not involved at all. For example, a
while ago using the http_client module (which uses libcurl
that linked also libssl) resulted in sporadic crashes
during tls handshake -- that's all in libssl, nothing to
do with sip traffic at that stage. And actually there were
also crashes when opening the connection to the https
server. The behaviour was non-deterministic, months
without any issue, then 1-2 crashes in a week or so, then
all good as well. I somehow related it to minor updates of
the operating system.</p>
<p>After all, I ended up writing ruxc module to have an
alternative http_client() function and from that moment no
libssl related crash on the respective system. Strange
that on another customer having same OS and using
http_client() function, all was and still is fine. So it
could be also related to tls settings in both sides of the
connection (e.g., ciphers, renegotiation, tls version,
...).</p>
<p>If you migrate to kamailio 5.6.x, then you can also try
using tlsa module instead of tls, that should isolate the
global libssl contexts, one inside the tlsa and one in
those modules linking dynamically libssl.</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div>On 23.06.22 16:46, Karsten Horsmann wrote:<br>
</div>
<blockquote type="cite">
<div dir="auto">
<div>Hi Igor, </div>
<div dir="auto"><br>
</div>
<div dir="auto">I jumped from 5.3 to 5.5.x so I read
carefull the changelog and migrate steps. </div>
<div dir="auto"><br>
</div>
<div dir="auto"><a
href="https://www.kamailio.org/wiki/features/new-in-5.5.x"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://www.kamailio.org/wiki/features/new-in-5.5.x</a></div>
<div dir="auto"><br>
</div>
<div dir="auto">Show a bit about tls. <br>
<br>
<div class="gmail_quote" dir="auto">
<div dir="ltr" class="gmail_attr">Igor Olhovskiy
<<a href="mailto:igorolhovskiy@gmail.com"
rel="noreferrer" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">igorolhovskiy@gmail.com</a>>
schrieb am Mi., 22. Juni 2022, 21:08:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p>Karsten,</p>
<p>Thanks for your answer!</p>
<p>Out of your head, were there any significant
changes in TCP/TLS on 5.4 -> 5.5 change?<br>
</p>
<pre cols="72">Regards,
Igor</pre>
<div>Le 22.06.2022 à 18:11, Karsten Horsmann a
écrit :<br>
</div>
<blockquote type="cite">
<div dir="auto">
<div>Hi Igor, </div>
<div dir="auto"><br>
</div>
<div dir="auto">I also use CentOS 7 with the
same openssl version and between 1000 up
to 2000 tls/wss connections. </div>
<div dir="auto"><br>
</div>
<div dir="auto">Works for me. Main
difference I use Kamailio 5.5.x</div>
<div dir="auto"><br>
</div>
<div dir="auto">Kind regards </div>
<div dir="auto">Karsten Horsmann <br>
<br>
<div class="gmail_quote" dir="auto">
<div dir="ltr" class="gmail_attr">Igor
Olhovskiy <<a
href="mailto:igorolhovskiy@gmail.com"
rel="noreferrer noreferrer"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">igorolhovskiy@gmail.com</a>>
schrieb am Mi., 22. Juni 2022, 10:36:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>Hello!</div>
<div><br>
</div>
<div>Due to I still experience
irregular Kamailio 5.4 crashes
(like 1/month) related to SSL
(using websockets and SIPS) I'm
wondering, could openSSL upgrade
change the situation?</div>
<div>As of now in CentOS 7 I have
1.0.2k version. <br>
</div>
<div><br>
</div>
<div>Does anyone have experience to
fix crash-related to TLS problems
with openSSL upgrade?</div>
<div><br>
</div>
<div>Or maye some tuneup of TCP
parameters can help here?My
current setup is quite simple:</div>
<div><br>
</div>
<div>children=4<br>
</div>
<div>enable_tls=yes<br>
tcp_accept_no_cl=yes<br>
tcp_connection_lifetime=600<br>
tcp_max_connections=998976 #
1000000 - 1024, so we're leaving
1k for system reserve<br>
tls_max_connections=998976</div>
<div><br>
</div>
<div>Number of clients ~ 200
constantly connected to websocket.<br>
</div>
<div>-- <br>
<div dir="ltr">
<div dir="ltr">Best regards,
<div>Igor</div>
</div>
</div>
</div>
</div>
__________________________________________________________<br>
Kamailio - Users Mailing List - Non
Commercial Discussions<br>
* <a
href="mailto:sr-users@lists.kamailio.org"
rel="noreferrer noreferrer
noreferrer" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">sr-users@lists.kamailio.org</a><br>
Important: keep the mailing list in
the recipients, do not reply only to
the sender!<br>
Edit mailing list options or
unsubscribe:<br>
* <a
href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users"
rel="noreferrer noreferrer
noreferrer noreferrer"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<pre>__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* <a href="mailto:sr-users@lists.kamailio.org" rel="noreferrer noreferrer" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">sr-users@lists.kamailio.org</a>
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* <a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer noreferrer" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
</div>
__________________________________________________________<br>
Kamailio - Users Mailing List - Non Commercial
Discussions<br>
* <a href="mailto:sr-users@lists.kamailio.org"
rel="noreferrer noreferrer" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">sr-users@lists.kamailio.org</a><br>
Important: keep the mailing list in the
recipients, do not reply only to the sender!<br>
Edit mailing list options or unsubscribe:<br>
* <a
href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<pre>__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* <a href="mailto:sr-users@lists.kamailio.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">sr-users@lists.kamailio.org</a>
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* <a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<pre cols="72">--
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online: June 20-23, 2022
* <a href="https://www.asipto.com/sw/kamailio-advanced-training-online/" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
</div>
__________________________________________________________<br>
Kamailio - Users Mailing List - Non Commercial Discussions<br>
* <a href="mailto:sr-users@lists.kamailio.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">sr-users@lists.kamailio.org</a><br>
Important: keep the mailing list in the recipients, do not
reply only to the sender!<br>
Edit mailing list options or unsubscribe:<br>
* <a
href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote>
</div>
<br clear="all">
<br>
-- <br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">Best regards,
<div>Igor</div>
</div>
</div>
</blockquote>
</body>
</html>