Module: kamailio
Branch: master
Commit: 331aa5753beccd3ddb241219cf1988a506fa2de3
URL: https://github.com/kamailio/kamailio/commit/331aa5753beccd3ddb241219cf1988a…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2023-01-25T08:26:09+01:00
tls: update docs for init_mode with details about fork prepare option
---
Modified: src/modules/tls/doc/params.xml
---
Diff: https://github.com/kamailio/kamailio/commit/331aa5753beccd3ddb241219cf1988a…
Patch: https://github.com/kamailio/kamailio/commit/331aa5753beccd3ddb241219cf1988a…
---
diff --git a/src/modules/tls/doc/params.xml b/src/modules/tls/doc/params.xml
index 49f1d1f85f..d90157ca24 100644
--- a/src/modules/tls/doc/params.xml
+++ b/src/modules/tls/doc/params.xml
@@ -1037,13 +1037,20 @@ modparam("tls", "renegotiation", 1)
<para>
Allow setting flags that control how the module is initialized and works
at runtime. Many flags (bits) can be set at the same time (set the
- parameter to the sum of corresponding values).
+ parameter to the sum of corresponding values). The flags are refered
+ with 0-indexing.
</para>
<para>
- If flag (bit) 1 is set (value 1), the memory management operations registered for TLS are
- wapped within a pthread mutex lock. It can be useful with newer versions
- of libssl and libcrypto, which have a more pthread multi-threading oriented
- design.
+ If flag (bit) at index 0 is set (value 1), the memory management operations
+ registered for TLS are wapped within a pthread mutex lock. It can be useful
+ with newer versions of libssl and libcrypto, which have a more pthread
+ multi-threading oriented design.
+ </para>
+ <para>
+ If flag (bit) at index 1 is set (value 2), the module executes openssl fork
+ prepare API functions (see
+ <ulink url="https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_fork_prepare.html">https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_fork_prepare.html</ulink>). It is done only for openssl version greater or equal
+ with 1.1.1.
</para>
<para>
Default value is 0.
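Review bot: the new sentence "The flags are refered with 0-indexing" has a typo ("referred"), and the rewrapped paragraph carries the pre-existing "wapped" (should be "wrapped") into the added lines; since this params.xml is the source the README is regenerated from, both are best fixed here rather than in the generated file. The closing sentence of the new paragraph reads awkwardly as "greater or equal with 1.1.1"; "for OpenSSL versions greater than or equal to 1.1.1" is clearer. It would also help operators if the paragraph said at which point the OPENSSL_fork_prepare functions are called (the hunk only says they are "executed" when bit 1 is set), as that is what decides whether the flag is relevant to a given deployment.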
### Description
When running kamdbctl for the first time with `DBENGINE=MYSQL`, it will try to create the same user twice, which causes a failure. Because the user is already there, the create fails and the install script fails.
As a new user this is very confusing as it leads you to believe that you're blocked. However, if you enable prompt and run it twice and then skip adding access the second time, you can continue.
```
root@924dfe238957:/# /usr/sbin/kamdbctl create
Create the database 'kamailio'? (y/n): y
-e \E[37;33mINFO: creating database kamailio ...
Create database users with access privileges? (y/n): y
-e \E[37;33mINFO: granting privileges to database kamailio ...
ERROR 1396 (HY000) at line 1: Operation CREATE USER failed for 'kamailio'@'mariadb'
ERROR 1396 (HY000) at line 1: Operation CREATE USER failed for 'kamailioro'@'mariadb'
```
### Troubleshooting
If you modify `./usr/lib/x86_64-linux-gnu/kamailio/kamctl/kamdbctl.mysql` to echo the command instead, then you get the following debugging info.
```
root@924dfe238957:/# /usr/sbin/kamdbctl create
Create the database 'kamailio'? (y/n): y
-e \E[37;33mINFO: creating database kamailio ...
mysql -h mariadb -P 3306 -uroot -ppasswd -e CREATE DATABASE kamailio CHARACTER SET latin1;
Create database users with access privileges? (y/n): y
-e \E[37;33mINFO: granting privileges to database kamailio ...
mysql -h mariadb -P 3306 -uroot -ppasswd -e CREATE USER 'kamailio'@'mariadb' IDENTIFIED BY 'kamailiorw';
GRANT ALL PRIVILEGES ON kamailio.* TO 'kamailio'@'mariadb';
mysql -h mariadb -P 3306 -uroot -ppasswd -e CREATE USER 'kamailioro'@'mariadb' IDENTIFIED BY 'kamailioro';
GRANT SELECT ON kamailio.* TO 'kamailioro'@'mariadb';
mysql -h mariadb -P 3306 -uroot -ppasswd -e CREATE USER 'kamailio'@'localhost' IDENTIFIED BY 'kamailiorw';
GRANT ALL PRIVILEGES ON kamailio.* TO 'kamailio'@'localhost';
mysql -h mariadb -P 3306 -uroot -ppasswd -e CREATE USER 'kamailioro'@'localhost' IDENTIFIED BY 'kamailioro';
GRANT SELECT ON kamailio.* TO 'kamailioro'@'localhost';
mysql -h mariadb -P 3306 -uroot -ppasswd -e CREATE USER 'kamailio'@'mariadb' IDENTIFIED BY 'kamailiorw';
GRANT ALL PRIVILEGES ON kamailio.* TO 'kamailio'@'mariadb';
mysql -h mariadb -P 3306 -uroot -ppasswd -e CREATE USER 'kamailioro'@'mariadb' IDENTIFIED BY 'kamailioro';
GRANT SELECT ON kamailio.* TO 'kamailioro'@'mariadb';
```
As you can see, `'kamailio'@'mariadb'` and `'kamailioro'@'mariadb'` are added twice, which creates a 1396 error.
#### Reproduction
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3280
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/issues/3280(a)github.com>
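As an added example (not code from kamdbctl or from the issue), the Python below emits the grant SQL once per unique (user, host) pair and uses `CREATE USER IF NOT EXISTS`, the idempotent form of what the trace above runs twice; users, hosts and default passwords are taken from the trace, the function names are mine.

```python
"""Idempotent user/grant SQL for a kamailio database (added example, not kamdbctl code)."""

# Users and privileges as shown in the kamdbctl trace: a read/write user and a
# read-only one. The passwords are the defaults printed in the trace, not real
# credentials.
USERS = (
    ("kamailio", "kamailiorw", "ALL PRIVILEGES"),
    ("kamailioro", "kamailioro", "SELECT"),
)


def unique_hosts(hosts):
    """Return hosts in first-seen order with duplicates removed.

    Assumption (my reading of the trace, not stated in the issue): the repeated
    'mariadb' block comes from two host settings naming the same machine, so the
    same CREATE USER is issued twice and MySQL/MariaDB answers ERROR 1396.
    """
    seen = set()
    out = []
    for host in hosts:
        if host not in seen:
            seen.add(host)
            out.append(host)
    return out


def grant_statements(dbname, hosts, users=USERS):
    """Build one CREATE USER IF NOT EXISTS + GRANT pair per unique (user, host).

    IF NOT EXISTS (MySQL >= 5.7.6, MariaDB >= 10.1.3) turns a re-run into a
    no-op instead of a failure, which is what an installer needs.
    """
    stmts = []
    for host in unique_hosts(hosts):
        for user, password, privs in users:
            stmts.append(
                f"CREATE USER IF NOT EXISTS '{user}'@'{host}' IDENTIFIED BY '{password}';"
            )
            stmts.append(f"GRANT {privs} ON {dbname}.* TO '{user}'@'{host}';")
    return stmts


if __name__ == "__main__":
    # The trace above effectively used the host sequence (mariadb, localhost, mariadb).
    for line in grant_statements("kamailio", ["mariadb", "localhost", "mariadb"]):
        print(line)
```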
### Description
For secure websocket connections (wss), Kamailio seems to forget that the connection is secure, later trying to use a regular TCP `listen` option to send out messages.
I'd be happy to propose a patch, but I'm not sure what the expected behavior of Kamailio would be here.
Setup:
- One Kamailio acting as websocket endpoint with TLS configured, forwarding all packets via udp to another kamailio
- Another Kamailio handling all dialplan logic, including registers/invites
We have traced the issue:
- Client sends a `REGISTER` over secure websockets
- Kamailio 1 forwards this to Kamailio 2, with `Path: <sip:kamailio1:port1;lr;received=sip:1.1.1.1:11111%3Btransport%3Dws>`
- Kamailio 2 stores the AOR in database using `registrar.store`
- In the location table, we can see `received = sip:1.1.1.1:11111;transport=ws`
- We try to send a SIP INVITE to the WebRTC client
- Kamailio 2 creates invite, adds header `Route: ` with option `transport=ws`
- INVITE arrives at Kamailio 1, which forwards it to the client using `t_relay`
- Kamailio 1 ends up in `get_send_socket2`, with parameter `proto = ws`
- Following the source code, we end up [here](https://github.com/kamailio/kamailio/blob/master/src/core/forward.c#L…, this will end up picking `sendipv4_tcp` as `send_sock`
- This picks a *TCP* listener, while in fact we need a *TLS* listener
- As a result, the outgoing message contains a wrong endpoint in the `Record-Route` header, causing issues in the SIP dialog later on
### Troubleshooting
#### Reproduction
Reproducing from scratch requires quite some setup, hopefully the above information will be enough to diagnose.
#### Debugging Data
See above.
#### Log Messages
See above.
#### SIP Traffic
See above, can provide exact SIP traces if required.
### Possible Solutions
We have been able to work around the issue like this:
```
if (pcre_match("$(hdr(Route)[0]{nameaddr.uri}{uri.param,received})", "%3Btransport%3Dws")) {
    # Kamailio bug?
    # in the received parameter of the route header, there is ';transport=ws'
    # so kamailio starts looking for a *tcp* connection, while it should be looking for a *tls*
    # connection.
    xlog("L_NOTICE", "Websocket detected; forcing wss transport");
    set_send_socket("tls:WEBSOCKET_IP:WEBSOCKET_PORT");
}
```
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
Tested with 5.4.4, but code doesn't seem to be changed in master.
* **Operating System**:
Ubuntu Focal.
https://github.com/kamailio/kamailio/issues/3340
Message ID: <kamailio/kamailio/issues/3340(a)github.com>
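An added example, not Kamailio code and not from the reporter: a Python decoder for the Route header's `received` parameter, showing why the workaround has to match the percent-encoded `%3Btransport%3Dws` and how the ws/wss ambiguity is resolved by the type of the websocket listener. The Route value and port 5060 are constructed from the trace above; the function names are assumed.

```python
"""Decode the ws transport hint from a SIP Route header (added example, not Kamailio code)."""
import re
from urllib.parse import unquote

# Constructed Route header mirroring the issue: the received param is itself a
# percent-encoded SIP URI, so ';transport=ws' appears as '%3Btransport%3Dws'.
ROUTE = "<sip:kamailio1:5060;lr;received=sip:1.1.1.1:11111%3Btransport%3Dws>"


def received_uri(route_value):
    """Return the decoded 'received' URI from a Route header value, or None."""
    m = re.search(r"<([^>]*)>", route_value)
    uri = m.group(1) if m else route_value
    # The inner URI is encoded, so splitting the outer URI on ';' is safe here.
    for param in uri.split(";")[1:]:
        name, _, value = param.partition("=")
        if name.lower() == "received":
            return unquote(value)
    return None


def transport_of(uri):
    """Return the lowercase transport parameter of a SIP URI ('ws', 'tcp', ...) or None."""
    for param in uri.split(";")[1:]:
        name, _, value = param.partition("=")
        if name.lower() == "transport":
            return value.lower()
    return None


def choose_send_proto(route_value, ws_listener_is_tls):
    """Pick the listener family for relaying back to the websocket client.

    The received URI only says 'ws', so the proxy cannot tell from it whether
    the client arrived over ws or wss. This is the issue's workaround in
    function form: when the websocket listener is TLS, force 'tls'; otherwise
    'tcp', which is what the core selects for 'ws' on its own.
    """
    rcv = received_uri(route_value)
    if rcv is None or transport_of(rcv) != "ws":
        return None  # not a websocket client; let the core choose the socket
    return "tls" if ws_listener_is_tls else "tcp"
```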
Hello Nicolas,
I use tlsf and I have no issues. tlsf "nukes" the memory (sets the
allocated size to NULL) on deallocation; I would check your module (or
other similar parts of kamailio) for possible reuse of memory after
deallocation.
I remember having made some commits around this "memory use after
deallocation".
Cheers
Module: kamailio
Branch: master
Commit: d0cd1905652e1aeb0be92c5a723b5d42f4171a13
URL: https://github.com/kamailio/kamailio/commit/d0cd1905652e1aeb0be92c5a723b5d4…
Author: Kamailio Dev <kamailio.dev(a)kamailio.org>
Committer: Kamailio Dev <kamailio.dev(a)kamailio.org>
Date: 2023-01-24T09:31:26+01:00
modules: readme files regenerated - tls ... [skip ci]
---
Modified: src/modules/tls/README
---
Diff: https://github.com/kamailio/kamailio/commit/d0cd1905652e1aeb0be92c5a723b5d4…
Patch: https://github.com/kamailio/kamailio/commit/d0cd1905652e1aeb0be92c5a723b5d4…
---
diff --git a/src/modules/tls/README b/src/modules/tls/README
index 94c3a72d80..21740840b4 100644
--- a/src/modules/tls/README
+++ b/src/modules/tls/README
@@ -61,7 +61,7 @@ Olle E. Johansson
10.27. session_cache (boolean)
10.28. session_id (str)
10.29. renegotiation (boolean)
- 10.30. lock_mode (int)
+ 10.30. init_mode (int)
10.31. config (string)
10.32. xavp_cfg (string)
10.33. event_callback (str)
@@ -136,7 +136,7 @@ Olle E. Johansson
1.38. Set session_cache parameter
1.39. Set session_id parameter
1.40. Set renegotiation parameter
- 1.41. Set lock_mode parameter
+ 1.41. Set init_mode parameter
1.42. Sample TLS Config File
1.43. Set config parameter
1.44. Change and reload the TLS configuration at runtime
@@ -193,7 +193,7 @@ Chapter 1. Admin Guide
10.27. session_cache (boolean)
10.28. session_id (str)
10.29. renegotiation (boolean)
- 10.30. lock_mode (int)
+ 10.30. init_mode (int)
10.31. config (string)
10.32. xavp_cfg (string)
10.33. event_callback (str)
@@ -624,7 +624,7 @@ Place holder
10.27. session_cache (boolean)
10.28. session_id (str)
10.29. renegotiation (boolean)
- 10.30. lock_mode (int)
+ 10.30. init_mode (int)
10.31. config (string)
10.32. xavp_cfg (string)
10.33. event_callback (str)
@@ -1267,18 +1267,22 @@ modparam("tls", "session_id", "my-session-id-context")
modparam("tls", "renegotiation", 1)
...
-10.30. lock_mode (int)
+10.30. init_mode (int)
- If set to 1, the memory management operations registered for TLS are
- wapped within a pthread mutex lock. It can be useful with newer
- versions of libssl and libcrypto, which have a more pthread
- multi-threading oriented design.
+ Allow setting flags that control how the module is initialized and
+ works at runtime. Many flags (bits) can be set at the same time (set
+ the parameter to the sum of corresponding values).
+
+ If flag (bit) 1 is set (value 1), the memory management operations
+ registered for TLS are wapped within a pthread mutex lock. It can be
+ useful with newer versions of libssl and libcrypto, which have a more
+ pthread multi-threading oriented design.
Default value is 0.
- Example 1.41. Set lock_mode parameter
+ Example 1.41. Set init_mode parameter
...
-modparam("tls", "lock_mode", 1)
+modparam("tls", "init_mode", 1)
...
10.31. config (string)
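Review bot: "wapped" (should be "wrapped") is carried into the regenerated paragraph at the line "registered for TLS are wapped within a pthread mutex lock"; since this README is generated from src/modules/tls/doc/params.xml, the typo needs to be fixed in that source and the README regenerated, not edited by hand here. The sentence "If flag (bit) 1 is set (value 1)" also mixes a 1-based bit name with its numeric value; stating the indexing convention (0-based bit with value 1) in the source would remove the ambiguity in the generated text.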
Module: kamailio
Branch: master
Commit: 220cc9633092f166611432c704796353da46668c
URL: https://github.com/kamailio/kamailio/commit/220cc9633092f166611432c70479635…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2023-01-24T09:29:32+01:00
tls: docs updated to rename lock_mode to init_mode
---
Modified: src/modules/tls/doc/params.xml
---
Diff: https://github.com/kamailio/kamailio/commit/220cc9633092f166611432c70479635…
Patch: https://github.com/kamailio/kamailio/commit/220cc9633092f166611432c70479635…
---
diff --git a/src/modules/tls/doc/params.xml b/src/modules/tls/doc/params.xml
index d491a67cca..49f1d1f85f 100644
--- a/src/modules/tls/doc/params.xml
+++ b/src/modules/tls/doc/params.xml
@@ -1032,10 +1032,15 @@ modparam("tls", "renegotiation", 1)
</example>
</section>
- <section id="tls.p.lock_mode">
- <title><varname>lock_mode</varname> (int)</title>
+ <section id="tls.p.init_mode">
+ <title><varname>init_mode</varname> (int)</title>
<para>
- If set to 1, the memory management operations registered for TLS are
+ Allow setting flags that control how the module is initialized and works
+ at runtime. Many flags (bits) can be set at the same time (set the
+ parameter to the sum of corresponding values).
+ </para>
+ <para>
+ If flag (bit) 1 is set (value 1), the memory management operations registered for TLS are
wapped within a pthread mutex lock. It can be useful with newer versions
of libssl and libcrypto, which have a more pthread multi-threading oriented
design.
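Review bot: changing the section id from tls.p.lock_mode to tls.p.init_mode drops the old anchor, so any external links or other documents that point at #tls.p.lock_mode will break; consider mentioning the rename where the old name was documented. While this paragraph is being rewritten, the unchanged context line "wapped within a pthread mutex lock" should read "wrapped". The new sentence "If flag (bit) 1 is set (value 1)" is ambiguous about whether bits are counted from 0 or 1; "the flag at bit index 0 (value 1)" or an explicit statement that flags are 0-indexed would make the sum-of-values rule in the paragraph above unambiguous.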
@@ -1044,10 +1049,10 @@ modparam("tls", "renegotiation", 1)
Default value is 0.
</para>
<example>
- <title>Set <varname>lock_mode</varname> parameter</title>
+ <title>Set <varname>init_mode</varname> parameter</title>
<programlisting>
...
-modparam("tls", "lock_mode", 1)
+modparam("tls", "init_mode", 1)
...
</programlisting>
</example>
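Review bot: the example now sets "init_mode" to 1, but the hunk does not say whether configurations that still use the old "lock_mode" name continue to load; a sentence stating whether the old parameter name is still accepted, or that the module will reject it at startup, would save operators a failed restart after upgrading. Since the parameter is documented as a bit mask, an example with more than one flag set (a sum of values) would also illustrate the "sum of corresponding values" rule better than the single value 1.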