sr-dev

sr-dev@lists.kamailio.org

18 participants
45077 discussions

[kamailio/kamailio] rtpengine: make myseqn more random (Issue #4281)
by Christian Berger 18 Jun '25

18 Jun '25

ChristianBergerSipgate created an issue (kamailio/kamailio#4281) ### Description The rtpengine module uses a `cookie` field in the Protocol controlling rtpengines. This field needs to be unique, and is derived from the `server_id` field set in the Kamailio, the `pid` as well as the value of a variable `myseqn`. In many conditions, this is random enough. However particularly when using docker, the `pid` will be identical across servers, reducing the randomness and causing collisions. ### Expected behavior The 34 bytes of the cookie should be as unique as possible. #### Actual observed behavior We get collisions many times per day, as different kamailio instances randomly choose the same value. ### Possible Solutions 1. Set `myseqn` to a random value during module load. 2. Add an additional random value to the `gencookie` function. 3. Use `%x` instead of `%d` to squeeze more entropy into the 33 characters available, and perhaps use fixed length fields. The problem probably also exists in the following other modules: 1. rtpproxy 2. lrkproxy We are not using those modules so we have not yet experienced collisions here. -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/4281 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/issues/4281(a)github.com>

2 5

[kamailio/kamailio] http_client leaks TLS shared memory (Issue #4231)
by Alexander Bakker 18 Jun '25

18 Jun '25

alexbakker created an issue (kamailio/kamailio#4231) ### Description Performing an HTTPS request using the ``http_client`` module results in a shared memory leak, seemingly related to TLS. ### Troubleshooting #### Reproduction Our use case for ``http_client`` is to update an htable with the latest banned IP's from APIBAN as described here: https://github.com/apiban/apiban?tab=readme-ov-file#integration-into-kamail…. Normally, we refresh the list of banned IP's once every 15 minutes, so the shared memory usage grows fairly slowly. The issue can be reproduced using the Kamailio configuration file below. To demonstrate the issue and make the shared memory usage grow faster, we set up a timer that calls ``http_client_query`` in a tight loop. To prevent unnecessary load on the APIBAN infrastructure, we request an example file from my personal server instead. ``` #!KAMAILIO debug=2 log_stderror=yes fork=yes enable_tls=1 loadmodule "tls.so" loadmodule "cfg_rpc.so" loadmodule "pv.so" loadmodule "xlog.so" loadmodule "ctl.so" loadmodule "rtimer.so" loadmodule "http_client.so" modparam("tls", "certificate", "") modparam("tls", "private_key", "") modparam("rtimer", "timer", "name=apiban;interval=100u;mode=1;") modparam("rtimer", "exec", "timer=apiban;route=APIBAN;") route[APIBAN] { xinfo("running apiban refresh\n"); http_client_query("https://alexbakker.me/u/7bvjn9jfas.txt", "$var(banned)"); } ``` Start Kamailio: ``` kamailio -f kamailio.cfg -DD ``` And then watch the shared memory usage grow rapidly: ``` watch -n1 -- kamcmd core.shmmem ``` #### Log Messages Eventually, Kamailio will run out of shared memory and print the following messages to the log: ``` 21(184184) INFO: <script>: running apiban refresh 21(184184) ERROR: http_client [functions.c:471]: curL_request_url(): failed to perform curl (56) (url: https://alexbakker.me/u/7bvjn9jfas.txt) 21(184184) INFO: <script>: running apiban refresh 21(184184) ERROR: http_client [functions.c:471]: curL_request_url(): failed to perform curl (56) (url: https://alexbakker.me/u/7bvjn9jfas.txt) 21(184184) INFO: <script>: running apiban refresh 21(184184) WARNING: http_client [functions.c:453]: curL_request_url(): TLS error in curl connection (url: https://alexbakker.me/u/7bvjn9jfas.txt) 21(184184) INFO: <script>: running apiban refresh 21(184184) WARNING: http_client [functions.c:453]: curL_request_url(): TLS error in curl connection (url: https://alexbakker.me/u/7bvjn9jfas.txt) 21(184184) INFO: <script>: running apiban refresh 21(184184) WARNING: http_client [functions.c:453]: curL_request_url(): TLS error in curl connection (url: https://alexbakker.me/u/7bvjn9jfas.txt) 21(184184) INFO: <script>: running apiban refresh 21(184184) WARNING: http_client [functions.c:453]: curL_request_url(): TLS error in curl connection (url: https://alexbakker.me/u/7bvjn9jfas.txt) 21(184184) INFO: <script>: running apiban refresh 21(184184) ERROR: <core> [core/mem/q_malloc.c:758]: qm_realloc(): qm_realloc(0x7585c73c4000, 1024) called from tls: tls_init.c: ser_realloc(372), module: tls; qm_malloc() failed! 21(184184) INFO: <script>: running apiban refresh 21(184184) INFO: <script>: running apiban refresh 21(184184) ERROR: <core> [core/mem/q_malloc.c:758]: qm_realloc(): qm_realloc(0x7585c73c4000, 1024) called from tls: tls_init.c: ser_realloc(372), module: tls; qm_malloc() failed! 21(184184) WARNING: http_client [functions.c:453]: curL_request_url(): TLS error in curl connection (url: https://alexbakker.me/u/7bvjn9jfas.txt) 21(184184) INFO: <script>: running apiban refresh 21(184184) INFO: <script>: running apiban refresh 21(184184) WARNING: http_client [functions.c:463]: curL_request_url(): TLS CA certificate read error (url: https://alexbakker.me/u/7bvjn9jfas.txt) ``` ``mem_dump_shm`` reports a large list of TLS-related allocations. Just sharing the last few lines here, as they're seemingly all from the same location. ``` 20(204914) ALERT: qm_status: qm_status(): 28500. N address=0x705ab3178710 frag=0x705ab31786d0 size=112 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28501. N address=0x705ab31787f0 frag=0x705ab31787b0 size=48 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28502. N address=0x705ab3178890 frag=0x705ab3178850 size=32 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28503. N address=0x705ab3178920 frag=0x705ab31788e0 size=32 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28504. N address=0x705ab31789b0 frag=0x705ab3178970 size=32 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28505. N address=0x705ab3178a40 frag=0x705ab3178a00 size=48 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28506. N address=0x705ab3178ae0 frag=0x705ab3178aa0 size=48 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28507. N address=0x705ab3178b80 frag=0x705ab3178b40 size=144 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28509. N address=0x705ab3178d00 frag=0x705ab3178cc0 size=32 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28510. N address=0x705ab3178d90 frag=0x705ab3178d50 size=32 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_realloc(372) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28512. N address=0x705ab3178ea0 frag=0x705ab3178e60 size=16 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28513. N address=0x705ab3178f20 frag=0x705ab3178ee0 size=32 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28515. N address=0x705ab317a3c0 frag=0x705ab317a380 size=112 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28516. N address=0x705ab317a4a0 frag=0x705ab317a460 size=512 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28517. N address=0x705ab317a710 frag=0x705ab317a6d0 size=1504 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed 20(204914) ALERT: qm_status: qm_status(): 28518. N address=0x705ab317ad60 frag=0x705ab317ad20 size=1040 used=1 20(204914) ALERT: qm_status: qm_status(): alloc'd from tls: tls_init.c: ser_malloc(364) 20(204914) ALERT: qm_status: qm_status(): start check=f0f0f0f0, end check= c0c0c0c0, abcdefed ``` ### Possible Solutions I'm not aware of a workaround for this issue. For our specific use case, I'll move the APIBAN polling out of Kamailio to a separate process for now. ### Additional Information I've verified that this issue is reproducible on ``5.5.7``, ``5.6.6``, ``5.7.6``, ``5.8.6`` and ``6.0.1``. * **Kamailio Version** - output of `kamailio -v` ``` version: kamailio 6.0.1 (x86_64/linux) fce50d flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_SEND_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB poll method support: poll, epoll_lt, epoll_et, sigio_rt, select. id: fce50d compiled on 06:42:29 May 6 2025 with gcc 12.2.0 ``` * **Operating System**: ``` $ lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 12 (bookworm) Release: 12 Codename: bookworm $ uname -a Linux ip-10-146-128-121 6.1.0-32-cloud-arm64 #1 SMP Debian 6.1.129-1 (2025-03-06) aarch64 GNU/Linux ``` -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/4231 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/issues/4231(a)github.com>

4 5

git:master:4935196e: lrkproxy: improve randomness of cookie by using PNRG and random sequence numbers
by Henning Westerholt 18 Jun '25

18 Jun '25

Module: kamailio Branch: master Commit: 4935196ee8ce1d99e77c614aaa0131a1972580ed URL: https://github.com/kamailio/kamailio/commit/4935196ee8ce1d99e77c614aaa0131a… Author: Henning Westerholt <hw(a)gilawa.com> Committer: Henning Westerholt <hw(a)gilawa.com> Date: 2025-06-18T11:10:02Z lrkproxy: improve randomness of cookie by using PNRG and random sequence numbers --- Modified: src/modules/lrkproxy/lrkproxy.c --- Diff: https://github.com/kamailio/kamailio/commit/4935196ee8ce1d99e77c614aaa0131a… Patch: https://github.com/kamailio/kamailio/commit/4935196ee8ce1d99e77c614aaa0131a… --- diff --git a/src/modules/lrkproxy/lrkproxy.c b/src/modules/lrkproxy/lrkproxy.c index bc0a83f4e23..ef6a347105b 100644 --- a/src/modules/lrkproxy/lrkproxy.c +++ b/src/modules/lrkproxy/lrkproxy.c @@ -77,6 +77,7 @@ #include "../../core/dset.h" #include "../../core/route.h" #include "../../core/kemi.h" +#include "../../core/rand/fastrand.h" #include "../../modules/tm/tm_load.h" #include "lrkproxy.h" #include "lrkproxy_hash.h" @@ -158,7 +159,6 @@ static void mod_destroy(void); static int lrkproxy_disable_tout = 60; static int lrkproxy_retr = 5; static int lrkproxy_tout = 1; -static pid_t mypid; static unsigned int myseqn = 0; //static str nolrkproxy_str = str_init("a=nolrkproxy:yes"); //static str extra_id_pv_param = {NULL, 0}; @@ -668,9 +668,10 @@ static int child_init(int rank) return 0; } - /* Iterate known LRK proxies - create sockets */ - mypid = getpid(); + /* random start value for for cookie sequence number */ + myseqn = fastrand(); + /* Iterate known RTP proxies - create sockets */ lrkp_socks = (int *)pkg_malloc(sizeof(int) * lrkp_no); if(lrkp_socks == NULL) { LM_ERR("no more pkg memory\n"); @@ -791,7 +792,7 @@ static char *gencookie(void) { static char cook[34]; - sprintf(cook, "%d_%u ", (int)mypid, myseqn); + sprintf(cook, "%d_%u ", fastrand(), myseqn); myseqn++; return cook; }

1 0

git:master:04686c40: rtpproxy: improve randomness of cookie by using PNRG and random sequence numbers
by Henning Westerholt 18 Jun '25

18 Jun '25

Module: kamailio Branch: master Commit: 04686c40d380e16e55c359cbc6bfc28f644a4c0b URL: https://github.com/kamailio/kamailio/commit/04686c40d380e16e55c359cbc6bfc28… Author: Henning Westerholt <hw(a)gilawa.com> Committer: Henning Westerholt <hw(a)gilawa.com> Date: 2025-06-18T11:09:38Z rtpproxy: improve randomness of cookie by using PNRG and random sequence numbers --- Modified: src/modules/rtpproxy/rtpproxy.c --- Diff: https://github.com/kamailio/kamailio/commit/04686c40d380e16e55c359cbc6bfc28… Patch: https://github.com/kamailio/kamailio/commit/04686c40d380e16e55c359cbc6bfc28… --- diff --git a/src/modules/rtpproxy/rtpproxy.c b/src/modules/rtpproxy/rtpproxy.c index 2057cdfba5d..02641ce2ce3 100644 --- a/src/modules/rtpproxy/rtpproxy.c +++ b/src/modules/rtpproxy/rtpproxy.c @@ -76,6 +76,7 @@ #include "../../core/dset.h" #include "../../core/route.h" #include "../../core/kemi.h" +#include "../../core/rand/fastrand.h" #include "../../modules/tm/tm_load.h" #include "rtpproxy.h" #include "rtpproxy_funcs.h" @@ -153,7 +154,6 @@ static int pv_get_rtppstat_f(struct sip_msg *, pv_param_t *, pv_value_t *); static int rtpproxy_disable_tout = 60; static int rtpproxy_retr = 5; static int rtpproxy_tout = 1; -static pid_t mypid; static unsigned int myseqn = 0; static str nortpproxy_str = str_init("a=nortpproxy:yes"); static str extra_id_pv_param = {NULL, 0}; @@ -788,9 +788,10 @@ static int child_init(int rank) return 0; } - /* Iterate known RTP proxies - create sockets */ - mypid = getpid(); + /* random start value for for cookie sequence number */ + myseqn = fastrand(); + /* Iterate known RTP proxies - create sockets */ rtpp_socks = (int *)pkg_malloc(sizeof(int) * rtpp_no); if(rtpp_socks == NULL) { LM_ERR("no more pkg memory\n"); @@ -1206,7 +1207,7 @@ static char *gencookie(void) { static char cook[34]; - sprintf(cook, "%d_%u ", (int)mypid, myseqn); + sprintf(cook, "%u_%u ", fastrand(), myseqn); myseqn++; return cook; }

1 0

git:master:33b80fcc: rtpengine: improve randomness of cookie by using PNRG and random sequence numbers
by Henning Westerholt 18 Jun '25

18 Jun '25

Module: kamailio Branch: master Commit: 33b80fcc4d84f955b29bd65bccee9ef2a62e7000 URL: https://github.com/kamailio/kamailio/commit/33b80fcc4d84f955b29bd65bccee9ef… Author: Henning Westerholt <hw(a)gilawa.com> Committer: Henning Westerholt <hw(a)gilawa.com> Date: 2025-06-18T11:08:12Z rtpengine: improve randomness of cookie by using PNRG and random sequence numbers --- Modified: src/modules/rtpengine/rtpengine.c --- Diff: https://github.com/kamailio/kamailio/commit/33b80fcc4d84f955b29bd65bccee9ef… Patch: https://github.com/kamailio/kamailio/commit/33b80fcc4d84f955b29bd65bccee9ef… --- diff --git a/src/modules/rtpengine/rtpengine.c b/src/modules/rtpengine/rtpengine.c index 292843302fe..e7d6cf9d5b9 100644 --- a/src/modules/rtpengine/rtpengine.c +++ b/src/modules/rtpengine/rtpengine.c @@ -83,6 +83,7 @@ #include "../../core/char_msg_val.h" #include "../../core/utils/srjson.h" #include "../../core/cfg/cfg_struct.h" +#include "../../core/rand/fastrand.h" #include "../../modules/tm/tm_load.h" #include "../../modules/crypto/api.h" #include "../../modules/lwsc/api.h" @@ -327,7 +328,7 @@ static void parse_call_stats(bencode_item_t *, struct sip_msg *); static int control_cmd_tos = -1; static int rtpengine_allow_op = 0; static struct rtpp_node **queried_nodes_ptr = NULL; -static pid_t mypid; + static unsigned int myseqn = 0; static str extra_id_pv_param = {NULL, 0}; static char *setid_avp_param = NULL; @@ -3028,6 +3029,8 @@ static int mos_label_stats_parse(struct minmax_mos_label_stats *mmls) static int child_init(int rank) { + pid_t mypid = 0; + if(!rtpp_set_list) return 0; @@ -3038,7 +3041,7 @@ static int child_init(int rank) if(rank == PROC_MAIN) { if(rtpengine_dtmf_event_sock.len > 0) { - LM_DBG("Register RTPENGINE DTMF WORKER %d\n", mypid); + LM_DBG("Register RTPENGINE DTMF WORKER %d\n", getpid()); /* fork worker process */ mypid = fork_process(PROC_RPC, "RTPENGINE DTMF WORKER", 1); if(mypid < 0) { @@ -3060,7 +3063,9 @@ static int child_init(int rank) return 0; } - mypid = getpid(); + /* random start value for for cookie sequence number */ + myseqn = fastrand(); + LM_ERR("myseqn %u\n", myseqn); // vector of pointers to queried nodes queried_nodes_ptr = (struct rtpp_node **)pkg_malloc( @@ -3171,7 +3176,7 @@ static char *gencookie(void) { static char cook[34]; - snprintf(cook, 34, "%d_%d_%u ", server_id, (int)mypid, myseqn); + snprintf(cook, 34, "%d_%u_%u ", server_id, fastrand(), myseqn); myseqn++; return cook; }

1 0

git:master:300da5c5: core: improve random number generator initialization
by Henning Westerholt 18 Jun '25

18 Jun '25

Module: kamailio Branch: master Commit: 300da5c5a166be6724ebe14be29ac97d029c535f URL: https://github.com/kamailio/kamailio/commit/300da5c5a166be6724ebe14be29ac97… Author: Henning Westerholt <hw(a)gilawa.com> Committer: Henning Westerholt <hw(a)gilawa.com> Date: 2025-06-18T10:34:52Z core: improve random number generator initialization - move seeding of cryptographic randomness generator for system randomness to the specific generator - improve seeding of children random number generators by using individual initialized secure generators - don't add predictable values like system time or process pid to the seed values of children generators --- Modified: src/core/pt.c Modified: src/core/rand/cryptorand.c Modified: src/core/rand/cryptorand.h Modified: src/core/rand/fortuna/fortuna.c Modified: src/core/rand/fortuna/fortuna.h Modified: src/core/rand/fortuna/random.c Modified: src/core/rand/fortuna/random.h Modified: src/main.c --- Diff: https://github.com/kamailio/kamailio/commit/300da5c5a166be6724ebe14be29ac97… Patch: https://github.com/kamailio/kamailio/commit/300da5c5a166be6724ebe14be29ac97…

1 0

[kamailio/kamailio] Memory usage increases everytime tls.reload is executed (Issue #3823)
by Sebastian Denz 18 Jun '25

18 Jun '25

### Description We are using Kamailio 5.7.4 on Debian 12 (from http://deb.kamailio.org/kamailio57) with rtpengine as an Edgeproxy for our clients. The instance terminates SIP/TLS (with Cliencertificates) and forwards the SIP Traffic to internal systems. After some days we are getting errors like this `tls_complete_init(): tls: ssl bug #1491 workaround: not enough memory for safe operation: shm=7318616 threshold1=8912896` First we thought Kamailio just doesnt have enough memory, so we doubled it.. But after some days the Logmessage (and Userissues) occured again. So we monitored the shmmem statistics and found that used and max_used are constantly growing til it reaches the limit. As i mentioned we are using client-certificates and so we are also using the CRL feature. We do have a systemd-timer which fetches the CRL every hour and runs 'kamcmd tls.reload' when finished. Our tls.cfg looks like this: ``` [server:default] method = TLSv1.2+ private_key = /etc/letsencrypt/live/hostname.de/privkey.pem certificate = /etc/letsencrypt/live/hostname.de/fullchain.pem ca_list = /etc/kamailio/ca_list.pem ca_path = /etc/kamailio/ca_list.pem crl = /etc/kamailio/combined.crl.pem verify_certificate = yes require_certificate = yes [client:default] verify_certificate = yes require_certificate = yes ``` After testing a bit we found that every time tls.reload is executed Kamailio consumes a bit more memory which eventually leads to all the memory being consumed which leads to issues for our users. See following example: ``` [0][root@edgar-dev:~]# while true ; do /usr/sbin/kamcmd tls.reload ; /usr/sbin/kamcmd core.shmmem ; sleep 1 ; done Ok. TLS configuration reloaded. { total: 268435456 free: 223001520 used: 41352552 real_used: 45433936 max_used: 45445968 fragments: 73 } Ok. TLS configuration reloaded. { total: 268435456 free: 222377960 used: 41975592 real_used: 46057496 max_used: 46069232 fragments: 78 } Ok. TLS configuration reloaded. { total: 268435456 free: 221748664 used: 42604992 real_used: 46686792 max_used: 46698080 fragments: 77 } Ok. TLS configuration reloaded. { total: 268435456 free: 221110832 used: 43242408 real_used: 47324624 max_used: 47335608 fragments: 81 } ^C [130][root@edgar-dev:~]# ``` ### Troubleshooting #### Reproduction Everytime tls.reload is called the memory consumptions grows.. #### Debugging Data  ``` If you let me know what would be interesting for tracking this down, i am happy to provide logs/debugging data! ``` #### Log Messages  ``` If you let me know what would be interesting for tracking this down, i am happy to provide logs/debugging data! ``` #### SIP Traffic SIP doesnt seem to be relevant here ### Possible Solutions Calling tls.reload less often or restart kamailio before memory is consumed ;) ### Additional Information ``` version: kamailio 5.7.4 (x86_64/linux) flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB poll method support: poll, epoll_lt, epoll_et, sigio_rt, select. id: unknown compiled with gcc 12.2.0 ``` * **Operating System**: ``` * Debian GNU/Linux 12 (bookworm) * Linux edgar-dev 6.1.0-20-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64 GNU/Linux ``` -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/3823 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/issues/3823(a)github.com>

9 33

[kamailio/kamailio] tm: Emit event only when CANCEL request is locally generated (PR #4286)
by Xenofon Karamanos 18 Jun '25

18 Jun '25

#### Pre-Submission Checklist    - [x] Commit message has the format required by CONTRIBUTING guide - [x] Commits are split per component (core, individual modules, libs, utils, ...) - [x] Each component has a single commit (if not, squash them into one commit) - [x] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated) #### Type Of Change - [ ] Small bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds new functionality) - [ ] Breaking change (fix or feature that would change existing functionality) #### Checklist:  - [ ] PR should be backported to stable branches - [x] Tested changes locally - [x] Related to issue #3831 and #4249 #### Description  This PR intoduces a flag for the tm cancel logic. The flag denotes that the cancel request is locally generated and an event of `local_request` should be emmited. Updated also the modules and functions that used tm bindings to adopt for this change. You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/4286 -- Commit Summary -- * tm: Generate local_request for CANCEL only if locally initiated * dialog: Update to use new tm FLAG for CANCEL * rtp_media_server: Update to use new tm FLAG for CANCEL * tmx: Update to use new tm FLAG for CANCEL -- File Changes -- M src/modules/dialog/dlg_req_within.c (2) M src/modules/rtp_media_server/rtp_media_server.c (2) M src/modules/tm/t_cancel.c (69) M src/modules/tm/t_cancel.h (2) M src/modules/tmx/tmx_mod.c (4) -- Patch Links -- https://github.com/kamailio/kamailio/pull/4286.patch https://github.com/kamailio/kamailio/pull/4286.diff -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/4286 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/pull/4286(a)github.com>

3 3

[kamailio/kamailio] dlgs: Fix spelling mistake (PR #4288)
by Xenofon Karamanos 18 Jun '25

18 Jun '25

#### Pre-Submission Checklist    - [x] Commit message has the format required by CONTRIBUTING guide - [x] Commits are split per component (core, individual modules, libs, utils, ...) - [x] Each component has a single commit (if not, squash them into one commit) - [x] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated) #### Type Of Change - [x] Small bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds new functionality) - [ ] Breaking change (fix or feature that would change existing functionality) #### Checklist:  - [x] PR should be backported to stable branches - [x] Tested changes locally - [ ] Related to issue #XXXX (replace XXXX with an open issue number) #### Description  Fix a spelling mistake You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/4288 -- Commit Summary -- * dlgs: Fix spelling mistake -- File Changes -- M src/modules/dlgs/dlgs_records.c (2) -- Patch Links -- https://github.com/kamailio/kamailio/pull/4288.patch https://github.com/kamailio/kamailio/pull/4288.diff -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/4288 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/pull/4288(a)github.com>

3 5

[kamailio/kamailio] Setting OpenSSL TLS1.3 cipher lists (PR #4256)
by Nicolas Chapleau 18 Jun '25

18 Jun '25

#### Pre-Submission Checklist    - [x] Commit message has the format required by CONTRIBUTING guide - [x] Commits are split per component (core, individual modules, libs, utils, ...) - [x] Each component has a single commit (if not, squash them into one commit) - [x] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated) #### Type Of Change - [ ] Small bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds new functionality) - [ ] Breaking change (fix or feature that would change existing functionality) #### Checklist:  - [ ] PR should be backported to stable branches - [ ] Tested changes locally - [ ] Related to issue #XXXX (replace XXXX with an open issue number) #### Description  You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/4256 -- Commit Summary -- * Using SSL_CTX_set_ciphersuites for TLS 1.3 and above when setting cipher list * tls: Update TLS1.3 ciphers to use SSL_CTX_ciphhersuites on openSSL lib >= 1.1.1 in set_cipher_list() -- File Changes -- M src/modules/tls/tls_domain.c (26) -- Patch Links -- https://github.com/kamailio/kamailio/pull/4256.patch https://github.com/kamailio/kamailio/pull/4256.diff -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/4256 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/pull/4256(a)github.com>

2 7

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev