On Feb 22, 2010 at 20:00, Andrei Pelinescu-Onciul andrei@iptel.org wrote:
On Feb 22, 2010 at 19:16, Klaus Darilion klaus.mailinglists@pernau.at wrote:
Hi!
With kamailio 3.0 I encounter lots of crashes. I am using SNOM 320 and eyebeam clients. I think crashes are mostly correlated with SNOM 320.
Server is CentOS5.4. OpenSSL is openssl-0.9.8e-12.el5_4.1.
First crashed Kamailio always with the same backtrace:
Program terminated with signal 11, Segmentation fault. [New process 1580] #0 0x0017451d in kssl_keytab_is_available () from /lib/libssl.so.6 (gdb) bt #0 0x0017451d in kssl_keytab_is_available () from /lib/libssl.so.6
This one looks like some openssl bug. What's strange is that it's in some kerberos code, which is supposed to be disabled.
It seems there is a code path inside openssl, for which the old disable kerberos trick does not work and causes crashes instead. Probably we haven't seen it before because we didn't tried a client that advertised KRB5 key exchange and an openssl compiled with kerberos support. The proper fix is to upgrade to a newer openssl (real 0.9.8e or above). For people stuck with older openssl versions, I will try to find a way to disable kerberos in a better way.
Could you try in the same configuration (no RSA workaround on the phone), but with the following tls module options:
modparam("tls", "cipher_list", "DEFAULT:!KRB5")
If this works, please try also the RSA stuff on the phone and see if it still crashes in that case (although that case might be unrelated). If everything is ok I'll add it to the code, so that it will be done automatically for openssl < 0.9.8e release.
Note that another very strange thing is the version number.
From your log:
INFO: tls [tls_init.c:486]: tls: _init_tls_h: compiled with openssl version "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" (0x0090802f), kerberos ^^^^^^^ ^^^^^^^^^^
0x0090802f means openssl 0.9.8b (release) and not 0.9.8e. It looks like OPENSSL_VERSION_NUMBER is different from OPENSSL_VERSION_TEXT in you include/openssl/opensslv.h. Out o curiosity could you verify that that's the case?
Andrei