<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hello,<br>
    </p>
    <p>Sorry for bumping this old thread up, but here is some outcome from my research.</p>
    <p>1. CentOS 7 provided OpenSSL (1.0.2k-fips  26 Jan 2017) really
      leads to Kamailio 5.x.x crashing under high load (tested with 5.4 - 5.6)
      with the <a moz-do-not-send="true"
        href="https://github.com/Pepelux/sippts">sippts</a> tool.</p>
    <p>2. Good results are obtained with Kamailio 5.6.2 with the tlsa
      flavour statically linked with openssl 1.1.1q (here I have a problem
      with a lack of TLS connections, but that's something different).</p>
    <p>And with this result I have a question: when I'm invoking <br>
    </p>
    <p>exit;</p>
    <p>in the Kamailio script, it's not "freeing" the TCP connection as I
      understand; I've managed "freeing" (or not occupying) the connection
      with iptables <br>
    </p>
    <p>-j REJECT --reject-with tcp-reset</p>
    <p>Is there anything similar for Kamailio, or do I need to add something
      like fail2ban on top?</p>
    <p>Thanks in advance!<br>
    </p>
    <p>On 24/06/2022 at 14:15, Igor Olhovskiy wrote:<br>
    </p>
    <blockquote type="cite"
cite="mid:CAJTkRNvzE8O_xKij13pFY+kdVnZjQejhaFafCYq1SxZ7Pt=uaA@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div>Daniel,</div>
        <div><br>
        </div>
        <div>Thanks for clarifying this!</div>
        <div>And to ask, does the websocket module also use libssl indirectly,
          or should it not be the cause in this one? (I'm not using http or
          so).</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Fri, 24 June 2022 at 08:36,
          Daniel-Constantin Mierla &lt;<a
            href="mailto:miconda@gmail.com" moz-do-not-send="true"
            class="moz-txt-link-freetext">miconda@gmail.com</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div>
            <p>Hello,</p>
            <p>to add to this topic: the tls module runs smoothly when no
              other module uses an external library that is also linked
              with tls; I didn't have issues with it in the past few years.</p>
            <p>But if another module indirectly links libssl as well,
              I also got random crashes, usually during events
              when kamailio code is not involved at all. For example, a
              while ago using the http_client module (which uses libcurl
              that linked also libssl) resulted in sporadic crashes
              during tls handshake -- that's all in libssl, nothing to
              do with sip traffic at that stage. And actually there were
              also crashes when opening the connection to the https
              server. The behaviour was non-deterministic, months
              without any issue, then 1-2 crashes in a week or so, then
              all good as well. I somehow related it to minor updates of
              the operating system.</p>
            <p>After all, I ended up writing ruxc module to have an
              alternative http_client() function and from that moment no
              libssl related crash on the respective system. Strange
              that on another customer having same OS and using
              http_client() function, all was and still is fine. So it
              could be also related to tls settings in both sides of the
              connection (e.g., ciphers, renegotiation, tls version,
              ...).</p>
            <p>If you migrate to kamailio 5.6.x, then you can also try
              using tlsa module instead of tls, that should isolate the
              global libssl contexts, one inside the tlsa and one in
              those modules linking dynamically libssl.</p>
            <p>Cheers,<br>
              Daniel<br>
            </p>
            <div>On 23.06.22 16:46, Karsten Horsmann wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="auto">
                <div>Hi Igor, </div>
                <div dir="auto"><br>
                </div>
                <div dir="auto">I jumped from 5.3 to 5.5.x so I carefully
                  read the changelog and migration steps. </div>
                <div dir="auto"><br>
                </div>
                <div dir="auto"><a
                    href="https://www.kamailio.org/wiki/features/new-in-5.5.x"
                    target="_blank" moz-do-not-send="true"
                    class="moz-txt-link-freetext">https://www.kamailio.org/wiki/features/new-in-5.5.x</a></div>
                <div dir="auto"><br>
                </div>
                <div dir="auto">Show a bit about tls. <br>
                  <br>
                  <div class="gmail_quote" dir="auto">
                    <div dir="ltr" class="gmail_attr">Igor Olhovskiy
                      &lt;<a href="mailto:igorolhovskiy@gmail.com"
                        rel="noreferrer" target="_blank"
                        moz-do-not-send="true"
                        class="moz-txt-link-freetext">igorolhovskiy@gmail.com</a>&gt;
                      wrote on Wed, 22 June 2022, 21:08:<br>
                    </div>
                    <blockquote class="gmail_quote" style="margin:0px
                      0px 0px 0.8ex;border-left:1px solid
                      rgb(204,204,204);padding-left:1ex">
                      <div>
                        <p>Karsten,</p>
                        <p>Thanks for your answer!</p>
                        <p>Off the top of your head, were there any significant
                          changes in TCP/TLS in the 5.4 -&gt; 5.5 change?<br>
                        </p>
                        <pre cols="72">Regards,
Igor</pre>
                        <div>On 22.06.2022 at 18:11, Karsten Horsmann
                          wrote:<br>
                        </div>
                        <blockquote type="cite">
                          <div dir="auto">
                            <div>Hi Igor, </div>
                            <div dir="auto"><br>
                            </div>
                            <div dir="auto">I also use CentOS 7 with the
                              same openssl version and between 1000 up
                              to 2000 tls/wss connections. </div>
                            <div dir="auto"><br>
                            </div>
                            <div dir="auto">Works for me. Main
                              difference I use Kamailio 5.5.x</div>
                            <div dir="auto"><br>
                            </div>
                            <div dir="auto">Kind regards </div>
                            <div dir="auto">Karsten Horsmann <br>
                              <br>
                              <div class="gmail_quote" dir="auto">
                                <div dir="ltr" class="gmail_attr">Igor
                                  Olhovskiy &lt;<a
                                    href="mailto:igorolhovskiy@gmail.com"
                                    rel="noreferrer noreferrer"
                                    target="_blank"
                                    moz-do-not-send="true"
                                    class="moz-txt-link-freetext">igorolhovskiy@gmail.com</a>&gt;
                                  wrote on Wed, 22 June 2022, 10:36:<br>
                                </div>
                                <blockquote class="gmail_quote"
                                  style="margin:0px 0px 0px
                                  0.8ex;border-left:1px solid
                                  rgb(204,204,204);padding-left:1ex">
                                  <div dir="ltr">
                                    <div>Hello!</div>
                                    <div><br>
                                    </div>
                                    <div>Since I still experience
                                      irregular Kamailio 5.4 crashes
                                      (like 1/month) related to SSL
                                      (using websockets and SIPS), I'm
                                      wondering, could an OpenSSL upgrade
                                      change the situation?</div>
                                    <div>As of now in CentOS 7 I have
                                      1.0.2k version. <br>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>Does anyone have experience
                                      fixing TLS-related crash problems
                                      with an OpenSSL upgrade?</div>
                                    <div><br>
                                    </div>
                                    <div>Or maybe some tune-up of TCP
                                      parameters can help here? My
                                      current setup is quite simple:</div>
                                    <div><br>
                                    </div>
                                    <div>children=4<br>
                                    </div>
                                    <div>enable_tls=yes<br>
                                      tcp_accept_no_cl=yes<br>
                                      tcp_connection_lifetime=600<br>
                                      tcp_max_connections=998976 #
                                      1000000 - 1024, so we're leaving
                                      1k for system reserve<br>
                                      tls_max_connections=998976</div>
                                    <div><br>
                                    </div>
                                    <div>Number of clients ~ 200
                                      constantly connected to websocket.<br>
                                    </div>
                                    <div>-- <br>
                                      <div dir="ltr">
                                        <div dir="ltr">Best regards,
                                          <div>Igor</div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
__________________________________________________________<br>
                                  Kamailio - Users Mailing List - Non
                                  Commercial Discussions<br>
                                    * <a
                                    href="mailto:sr-users@lists.kamailio.org"
                                    rel="noreferrer noreferrer
                                    noreferrer" target="_blank"
                                    moz-do-not-send="true"
                                    class="moz-txt-link-freetext">sr-users@lists.kamailio.org</a><br>
                                  Important: keep the mailing list in
                                  the recipients, do not reply only to
                                  the sender!<br>
                                  Edit mailing list options or
                                  unsubscribe:<br>
                                    * <a
                                    href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users"
                                    rel="noreferrer noreferrer
                                    noreferrer noreferrer"
                                    target="_blank"
                                    moz-do-not-send="true"
                                    class="moz-txt-link-freetext">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
                                </blockquote>
                              </div>
                            </div>
                          </div>
                          <br>
                        </blockquote>
                      </div>
                    </blockquote>
                  </div>
                </div>
              </div>
              <br>
            </blockquote>
            <pre cols="72">-- 
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online: June 20-23, 2022
  * <a href="https://www.asipto.com/sw/kamailio-advanced-training-online/" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
          </div>
        </blockquote>
      </div>
      <br clear="all">
      <br>
      -- <br>
      <div dir="ltr" class="gmail_signature">
        <div dir="ltr">Best regards,
          <div>Igor</div>
        </div>
      </div>
    </blockquote>
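    <p>Added example, not part of the thread or of Kamailio: Daniel's point that crashes appeared when a second module reached libssl indirectly (http_client through libcurl) can be checked on a host by resolving each module's dependencies with ldd, which also answers the same question for the websocket module. The module directory argument and the function names are assumptions of this example, and the sample ldd output is constructed.</p>

```shell
#!/bin/sh
# Added example (not from the thread): list Kamailio modules that load libssl.

# Constructed ldd output for a module that reaches libssl through libcurl.
SAMPLE_LDD='	libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f0000200000)
	libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000400000)
	libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000600000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000800000)'

# stdin: ldd output. stdout: "soname path" for each resolved libssl/libcrypto.
ssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# $1: module directory (an assumption; pass the path used by your install).
# stdout: tab-separated rows "module soname path".
scan_modules() {
    for so in "$1"/*.so; do
        [ -e "$so" ] || continue
        ldd "$so" 2>/dev/null | ssl_libs_from_ldd | while read -r lib path; do
            printf '%s\t%s\t%s\n' "$(basename "$so")" "$lib" "$path"
        done
    done
}

# stdin: scan_modules rows. stdout: modules other than tls.so resolving libssl.
indirect_libssl_modules() {
    awk -F '\t' '$2 ~ /^libssl/ && $1 != "tls.so" { print $1 }' | sort -u
}

# stdin: scan_modules rows. stdout: number of distinct libssl files resolved.
distinct_libssl_count() {
    awk -F '\t' '$2 ~ /^libssl/ { print $3 }' | sort -u | wc -l | tr -d ' '
}

# Usage: sh check_libssl.sh /path/to/kamailio/modules
if [ -n "${1:-}" ]; then
    rows=$(scan_modules "$1")
    echo "modules besides tls.so that resolve libssl:"
    printf '%s\n' "$rows" | indirect_libssl_modules
    echo "distinct libssl files: $(printf '%s\n' "$rows" | distinct_libssl_count)"
else
    # No directory given: show the parser on the constructed sample.
    printf '%s\n' "$SAMPLE_LDD" | ssl_libs_from_ldd
fi
```

    <p>A statically linked tlsa.so will not show a libssl row of its own, so any module still listed is one that loads the system libssl dynamically.</p>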
  </body>
</html>