On Thu, Jan 22, 2015 at 2:47 AM, Olle E. Johansson oej@edvina.net wrote:
On 21 Jan 2015, at 21:52, Juha Heinanen jh@tutpro.com wrote:
Juha Heinanen writes:
when [group] thing didn't work, i added
ssl-ca=/etc/mysql/cacert.pem
to [client] section of my.cfg that kamailio according to db_mysql/README is reading.
after that, kamailio started ok, but didn't use ssl for mysql queries.
what is it that i'm missing? has anyone succeeded in making kamailio to query mysql server over ssl?
based on zero responses, i guess the answer is "no". if so, that pretty much prevents using kamailio in an environment where mysql service is provided by a cloud service, such as amazon ec2.
should i put a note in db_mysql module README telling that we don't currently know, which [client] params of my.cfg the module supports?
We've seen reports of issues with Postgresql with TLS too, I don't know what happened, but I think we need to focus on both and fix this.
There is a known geneal problem with libraries using OpenSSL - I don't know if this has been looked at in Kamailio, but we did a fix in Asterisk a while ago. If you have modules using libraries that use OpenSSL - like we have in Curl, Mysql, Postgres and possibly other modules - as well as our own use in the TLS module - there's a risk that OpenSSL gets initialized too many times and bad things happen. ("Bad things" need to be defined here).
I think Kevin did a library trick with the linker so that Asterisk catch these initialization calls first and use just one. Asterisk is multithreaded and Kamailio is multiprocess, so I don't know how this affects Kamailio or if we can get some inspiration by this fix.
Rambling a bit, but trying to point in some sort of general direction. :-)
I will put on my list to set up a lab with Mysql TLS connections and try.
Just chiming in to point out the magic module Olle is referring to:
http://svn.asterisk.org/svn/asterisk/trunk/main/libasteriskssl.c
For context, the peer review for the patch that fixed this issue is here:
https://reviewboard.asterisk.org/r/1006/
Although due to some issues in review board, part of the patch doesn't show up (hence the link to the actual source).
Matt