Re: [sr-dev] massive TLS crashes

On Feb 22, 2010 at 20:00, Andrei Pelinescu-Onciul &lt;andrei(a)iptel.org&gt; wrote: It seems there is a code path inside openssl, for which the old disable kerberos trick does not work and causes crashes instead. Probably we haven't seen it before because we didn't tried a client that advertised KRB5 key exchange and an openssl compiled with kerberos support. The proper fix is to upgrade to a newer openssl (real 0.9.8e or above). For people stuck with older openssl versions, I will try to find a way to disable kerberos in a better way. Could you try in the same configuration (no RSA workaround on the phone), but with the following tls module options: modparam("tls", "cipher_list", "DEFAULT:!KRB5") If this works, please try also the RSA stuff on the phone and see if it still crashes in that case (although that case might be unrelated). If everything is ok I'll add it to the code, so that it will be done automatically for openssl < 0.9.8e release. Note that another very strange thing is the version number. INFO: tls [tls_init.c:486]: tls: _init_tls_h: compiled with openssl version "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" (0x0090802f), kerberos ^^^^^^^ ^^^^^^^^^^ 0x0090802f means openssl 0.9.8b (release) and not 0.9.8e. It looks like OPENSSL_VERSION_NUMBER is different from OPENSSL_VERSION_TEXT in you include/openssl/opensslv.h. Out o curiosity could you verify that that's the case? Andrei