TLS Certificate Verification Issue

List overview All Threads
Download

newer

older

Kamailio not responding

Kamal Palei

22 Oct 2012 22 Oct '12

11:53 a.m.

Dear All I have modified kamailio,cfg and compiled all the modules with TLS enabled, and able to bring up the kamailio proxy properly.

Kamailio proxy will receive the REGISTER message from endpoints in UDP , and want to send this REGISTER message to another intermediate proxy in TLS. For this purpose, I have added few lines in kamailio.cfg file as below.

I have created the certificates, private keys as explained by README file in kamailio-3.1.5/modules/tls/ path.

if(is_method("REGISTER")) { t_relay_to("tls:115.114.48.75:443"); exit(); }

Looks like this is taking effect. When Kamailio receives REGISTER message it is trying to do handshake with intermediate proxy. I used wireshark to see the handshake messages.

1. From Kamailio proxy, a TCP SYNC message is going to intermediate proxy. 2. intermediate proxy sends SYNC + ACK 3. Kamailio sends CLIENT HELLO 4. intermediate proxy sends SERVER HELLO, CERTIFICATE and SERVER HELLO DONE 5. The Kamailio sends ALERT (Level: Fatal, Description: Unknown CA) ---> IS something going wrong here.............. 6. Then Kamailio sends FIN + ACK

Can somebody please let me know why the certificate verification fails (I get this log in console). How can I put a work around to avoid certification verification failure.

Best Regards kamal

Attachments:

attachment.html (text/html — 1.5 KB)

Show replies by date

Klaus Darilion

25 Oct 25 Oct

2:13 p.m.

Hi Kamal!

Are you familiar with SSL/TLS and certificates? With TLS the trust between TLS server and TLS client is usually via a trusted certification authority (CA). For example, if the intermediate proxy uses a certificate which is issued by CA FOOBAR-XYZ, the you have to configure Kamailio to accept certificates singed by FOOBAR-XYZ. This is done by copying the public root certificate of FOOBAR-XYZ to the Kamailio server and configure Kamailio to use the FOOBAR-XYZ certificate as trusted CA. Of course then you automatically also trust all others certificates issued by FOOBAR-XYZ.

To configure the trusted CAs use: http://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list

You could also disable the certificate validation with: http://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate

But of course this reduces TLS benefits to encryption-only.

regards Klaus

On 22.10.2012 13:53, Kamal Palei wrote:

...

Dear All I have modified kamailio,cfg and compiled all the modules with TLS enabled, and able to bring up the kamailio proxy properly.

Kamailio proxy will receive the REGISTER message from endpoints in UDP , and want to send this REGISTER message to another intermediate proxy in TLS. For this purpose, I have added few lines in kamailio.cfg file as below.

I have created the certificates, private keys as explained by README file in kamailio-3.1.5/modules/tls/ path.
     if(is_method("REGISTER"))
     {
             t_relay_to("tls:115.114.48.75:443
http://115.114.48.75:443"); exit(); }

Looks like this is taking effect. When Kamailio receives REGISTER message it is trying to do handshake with intermediate proxy. I used wireshark to see the handshake messages.

From Kamailio proxy, a TCP SYNC message is going to intermediate proxy.

intermediate proxy sends SYNC + ACK

Kamailio sends CLIENT HELLO

intermediate proxy sends SERVER HELLO, CERTIFICATE and SERVER HELLO DONE

The Kamailio sends ALERT (Level: Fatal, Description: Unknown CA)

---> IS something going wrong here.............. 6. Then Kamailio sends FIN + ACK

Can somebody please let me know why the certificate verification fails (I get this log in console). How can I put a work around to avoid certification verification failure.

Best Regards kamal

SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

Kamal Palei

2:23 p.m.

Dear Klaus The certificate verification I have disabled.

Facing a new problem. When there is a connection reset, that time Kamailio is crashing. During crash, I get below logs. Any idea why it is crashing and how can I avoid it.

*oot@B2BUA:/usr/local/src/scripts# 9(9557) : <core> [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil) (out of memory block!) - aborting 0(9548) ALERT: <core> [main.c:742]: child process 9557 exited by a signal 6 0(9548) ALERT: <core> [main.c:745]: core was generated 0(9548) INFO: <core> [main.c:757]: INFO: terminating due to SIGCHLD 6(9554) INFO: <core> [main.c:808]: INFO: signal 15 received 8(9556) INFO: <core> [main.c:808]: INFO: signal 15 received 4(9552) INFO: <core> [main.c:808]: INFO: signal 15 received 5(9553) INFO: <core> [main.c:808]: INFO: signal 15 received 3(9551) INFO: <core> [main.c:808]: INFO: signal 15 received 7(9555) INFO: <core> [main.c:808]: INFO: signal 15 received 1(9549) INFO: <core> [main.c:808]: INFO: signal 15 received 2(9550) INFO: <core> [main.c:808]: INFO: signal 15 received 0(9548) : <core> [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil) (out of memory block!) - aborting

THANKS kamal * On Thu, Oct 25, 2012 at 7:43 PM, Klaus Darilion < klaus.mailinglists@pernau.at> wrote:

...

Hi Kamal!

Are you familiar with SSL/TLS and certificates? With TLS the trust between TLS server and TLS client is usually via a trusted certification authority (CA). For example, if the intermediate proxy uses a certificate which is issued by CA FOOBAR-XYZ, the you have to configure Kamailio to accept certificates singed by FOOBAR-XYZ. This is done by copying the public root certificate of FOOBAR-XYZ to the Kamailio server and configure Kamailio to use the FOOBAR-XYZ certificate as trusted CA. Of course then you automatically also trust all others certificates issued by FOOBAR-XYZ.

To configure the trusted CAs use: http://kamailio.org/docs/**modules/3.3.x/modules/tls.**html#ca_list http://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list

You could also disable the certificate validation with: http://kamailio.org/docs/**modules/3.3.x/modules/tls.** html#verify_certificatehttp://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate

But of course this reduces TLS benefits to encryption-only.

regards Klaus

On 22.10.2012 13:53, Kamal Palei wrote:

...
Dear All I have modified kamailio,cfg and compiled all the modules with TLS enabled, and able to bring up the kamailio proxy properly.

Kamailio proxy will receive the REGISTER message from endpoints in UDP , and want to send this REGISTER message to another intermediate proxy in TLS. For this purpose, I have added few lines in kamailio.cfg file as below.

I have created the certificates, private keys as explained by README file in kamailio-3.1.5/modules/tls/ path.
     if(is_method("REGISTER"))
     {
             t_relay_to("tls:115.114.48.75:**443<http://115.114.48.75:443>
http://115.114.48.75:443");
             exit();
     }
Looks like this is taking effect. When Kamailio receives REGISTER message it is trying to do handshake with intermediate proxy. I used wireshark to see the handshake messages.

From Kamailio proxy, a TCP SYNC message is going to intermediate proxy.

intermediate proxy sends SYNC + ACK

Kamailio sends CLIENT HELLO

intermediate proxy sends SERVER HELLO, CERTIFICATE and SERVER HELLO

DONE 5. The Kamailio sends ALERT (Level: Fatal, Description: Unknown CA) ---> IS something going wrong here.............. 6. Then Kamailio sends FIN + ACK

Can somebody please let me know why the certificate verification fails (I get this log in console). How can I put a work around to avoid certification verification failure.

Best Regards kamal

______________________________**_________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/**cgi-bin/mailman/listinfo/sr-**users http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

Klaus Darilion

2:31 p.m.

SIGABRT 6 Core Abort signal from abort(3)

This means that there was an error condition detected in the Kamailio code and the abort(3) function was called. As you see in the logs a core file was generated. Find the core file and load it into gdb and execute "backtrace". It will show you were the problem happened and post it here.

regards Klaus

On 25.10.2012 16:23, Kamal Palei wrote:

...

Dear Klaus The certificate verification I have disabled.

Facing a new problem. When there is a connection reset, that time Kamailio is crashing. During crash, I get below logs. Any idea why it is crashing and how can I avoid it.

/oot@B2BUA:/usr/local/src/scripts# 9(9557) : <core> [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil) (out of memory block!) - aborting 0(9548) ALERT: <core> [main.c:742]: child process 9557 exited by a signal 6 0(9548) ALERT: <core> [main.c:745]: core was generated 0(9548) INFO: <core> [main.c:757]: INFO: terminating due to SIGCHLD 6(9554) INFO: <core> [main.c:808]: INFO: signal 15 received 8(9556) INFO: <core> [main.c:808]: INFO: signal 15 received 4(9552) INFO: <core> [main.c:808]: INFO: signal 15 received 5(9553) INFO: <core> [main.c:808]: INFO: signal 15 received 3(9551) INFO: <core> [main.c:808]: INFO: signal 15 received 7(9555) INFO: <core> [main.c:808]: INFO: signal 15 received 1(9549) INFO: <core> [main.c:808]: INFO: signal 15 received 2(9550) INFO: <core> [main.c:808]: INFO: signal 15 received 0(9548) : <core> [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil) (out of memory block!) - aborting

THANKS kamal / On Thu, Oct 25, 2012 at 7:43 PM, Klaus Darilion <klaus.mailinglists@pernau.at mailto:klaus.mailinglists@pernau.at> wrote:
Hi Kamal!

Are you familiar with SSL/TLS and certificates? With TLS the trust
between TLS server and TLS client is usually via a trusted
certification authority (CA). For example, if the intermediate proxy
uses a certificate which is issued by CA FOOBAR-XYZ, the you have to
configure Kamailio to accept certificates singed by FOOBAR-XYZ. This
is done by copying the public root certificate of FOOBAR-XYZ to the
Kamailio server and configure Kamailio to use the FOOBAR-XYZ
certificate as trusted CA. Of course then you automatically also
trust all others certificates issued by FOOBAR-XYZ.

To configure the trusted CAs use:
http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list
<http://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list>

You could also disable the certificate validation with:
http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate
<http://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate>

But of course this reduces TLS benefits to encryption-only.

regards
Klaus


On 22.10.2012 13:53, Kamal Palei wrote:

    Dear All
    I have modified kamailio,cfg and compiled all the modules with TLS
    enabled, and able to bring up the kamailio proxy properly.

    Kamailio proxy will receive the REGISTER message from endpoints
    in UDP ,
    and want to send this REGISTER message to another intermediate
    proxy in
    TLS. For this purpose, I have added few lines in kamailio.cfg
    file as below.

    I have created the certificates, private keys as explained by README
    file in kamailio-3.1.5/modules/tls/ path.

              if(is_method("REGISTER"))
              {
                      t_relay_to("tls:115.114.48.75:__443
    <http://115.114.48.75:443>
    <http://115.114.48.75:443>");

                      exit();
              }

    Looks like this is taking effect. When Kamailio receives REGISTER
    message it is trying to do handshake with intermediate proxy.
    I used wireshark to see the handshake messages.

    1. From Kamailio proxy, a TCP SYNC message is going to
    intermediate proxy.
    2. intermediate proxy sends SYNC + ACK
    3. Kamailio sends CLIENT HELLO
    4. intermediate proxy sends SERVER HELLO, CERTIFICATE and SERVER
    HELLO DONE
    5. The Kamailio sends ALERT (Level: Fatal, Description: Unknown CA)
    --->  IS something going wrong here..............
    6. Then Kamailio sends FIN + ACK

    Can somebody please let me know why the certificate verification
    fails
    (I get this log in console).
    How can I put a work around to avoid certification verification
    failure.

    Best Regards
    kamal




    _________________________________________________
    SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
    mailing list
    sr-users@lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
    http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users <http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users>

Kamal Palei

26 Oct 26 Oct

9:39 a.m.

Dear Klaus I am little bit new to linux debugging. Please let me know below stuff.

1. Whats the extension of core file. 2. Will the core files be generated in /home/user path or some other default path 3. Do I need to recompile Kamailio source with -g option , or by default it is compiled with -g option 4. I hope we need to run "ulimit" before we start the program or it is not required.

My observation is if I run directly kamailio it is crashing, if I run with gdb it is not crashing, not sure why this happens.

Best Regards kamal

On Thu, Oct 25, 2012 at 8:01 PM, Klaus Darilion < klaus.mailinglists@pernau.at> wrote:

...

SIGABRT 6 Core Abort signal from abort(3)

This means that there was an error condition detected in the Kamailio code and the abort(3) function was called. As you see in the logs a core file was generated. Find the core file and load it into gdb and execute "backtrace". It will show you were the problem happened and post it here.

regards Klaus

On 25.10.2012 16:23, Kamal Palei wrote:

...
Dear Klaus The certificate verification I have disabled.

Facing a new problem. When there is a connection reset, that time Kamailio is crashing. During crash, I get below logs. Any idea why it is crashing and how can I avoid it.

/oot@B2BUA:/usr/local/src/**scripts# 9(9557) : <core>

[mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil) (out of memory block!) - aborting 0(9548) ALERT: <core> [main.c:742]: child process 9557 exited by a signal 6 0(9548) ALERT: <core> [main.c:745]: core was generated 0(9548) INFO: <core> [main.c:757]: INFO: terminating due to SIGCHLD 6(9554) INFO: <core> [main.c:808]: INFO: signal 15 received 8(9556) INFO: <core> [main.c:808]: INFO: signal 15 received 4(9552) INFO: <core> [main.c:808]: INFO: signal 15 received 5(9553) INFO: <core> [main.c:808]: INFO: signal 15 received 3(9551) INFO: <core> [main.c:808]: INFO: signal 15 received 7(9555) INFO: <core> [main.c:808]: INFO: signal 15 received 1(9549) INFO: <core> [main.c:808]: INFO: signal 15 received 2(9550) INFO: <core> [main.c:808]: INFO: signal 15 received 0(9548) : <core> [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil) (out of memory block!) - aborting

THANKS kamal / On Thu, Oct 25, 2012 at 7:43 PM, Klaus Darilion <klaus.mailinglists@pernau.at <mailto:klaus.mailinglists@**pernau.atklaus.mailinglists@pernau.at>> wrote:
Hi Kamal!

Are you familiar with SSL/TLS and certificates? With TLS the trust
between TLS server and TLS client is usually via a trusted
certification authority (CA). For example, if the intermediate proxy
uses a certificate which is issued by CA FOOBAR-XYZ, the you have to
configure Kamailio to accept certificates singed by FOOBAR-XYZ. This
is done by copying the public root certificate of FOOBAR-XYZ to the
Kamailio server and configure Kamailio to use the FOOBAR-XYZ
certificate as trusted CA. Of course then you automatically also
trust all others certificates issued by FOOBAR-XYZ.

To configure the trusted CAs use:
http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__**
html#ca_listhttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list
<http://kamailio.org/docs/**modules/3.3.x/modules/tls.**html#ca_list<http://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list>
...
You could also disable the certificate validation with:
http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__**
html#verify_certificatehttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate
<http://kamailio.org/docs/**modules/3.3.x/modules/tls.**
html#verify_certificatehttp://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate

...
But of course this reduces TLS benefits to encryption-only.

regards
Klaus


On 22.10.2012 13:53, Kamal Palei wrote:

    Dear All
    I have modified kamailio,cfg and compiled all the modules with TLS
    enabled, and able to bring up the kamailio proxy properly.

    Kamailio proxy will receive the REGISTER message from endpoints
    in UDP ,
    and want to send this REGISTER message to another intermediate
    proxy in
    TLS. For this purpose, I have added few lines in kamailio.cfg
    file as below.

    I have created the certificates, private keys as explained by
README file in kamailio-3.1.5/modules/tls/ path.
              if(is_method("REGISTER"))
              {
                      t_relay_to("tls:115.114.48.75:**__443
    <http://115.114.48.75:443>

    <http://115.114.48.75:443>");

                      exit();
              }

    Looks like this is taking effect. When Kamailio receives REGISTER
    message it is trying to do handshake with intermediate proxy.
    I used wireshark to see the handshake messages.

    1. From Kamailio proxy, a TCP SYNC message is going to
    intermediate proxy.
    2. intermediate proxy sends SYNC + ACK
    3. Kamailio sends CLIENT HELLO
    4. intermediate proxy sends SERVER HELLO, CERTIFICATE and SERVER
    HELLO DONE
    5. The Kamailio sends ALERT (Level: Fatal, Description: Unknown
CA) ---> IS something going wrong here.............. 6. Then Kamailio sends FIN + ACK
    Can somebody please let me know why the certificate verification
    fails
    (I get this log in console).
    How can I put a work around to avoid certification verification
    failure.

    Best Regards
    kamal




    ______________________________**___________________

    SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
    mailing list
    sr-users@lists.sip-router.org <mailto:sr-users@lists.sip-**
router.org sr-users@lists.sip-router.org> http://lists.sip-router.org/__**cgi-bin/mailman/listinfo/sr-__** users http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users< http://lists.sip-router.org/**cgi-bin/mailman/listinfo/sr-**users http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

...

Klaus Darilion

29 Oct 29 Oct

9:44 a.m.

On 26.10.2012 11:39, Kamal Palei wrote:

...

Dear Klaus I am little bit new to linux debugging. Please let me know below stuff.

Whats the extension of core file.

The core file does not have an extension, it is usally just called "core.XXXX" with XXX is the process id of the crashed Kamailio process. It will reside in the current working directory.

...

Will the core files be generated in /home/user path or some other

default path

In the /etc/init.d/kamailio startup file you can configure the core pattern to be set before Kamailio is started. Then the core files will use the defined naming.

On Debian also activate core dumps by editing /etc/default/kamailio

...

Do I need to recompile Kamailio source with -g option , or by default

it is compiled with -g option

From your log file: 0(9548) ALERT: <core> [main.c:745]: core was generated

You see, your binaries already generate core files. Thus, there is no need to rebuild Kamailio.

...

I hope we need to run "ulimit" before we start the program or it is

not required.

Usually you run "ulimit -c unlimited" before starting the Kamailio process to be sure that the core will not be truncated.

...

My observation is if I run directly kamailio it is crashing, if I run with gdb it is not crashing, not sure why this happens.

Strange. But once you have a core file, you can analyze it and generate the backtrace.

Also make sure to not mix openssl libraries - this is often a a problem.

regards Klaus

...

Best Regards kamal

On Thu, Oct 25, 2012 at 8:01 PM, Klaus Darilion <klaus.mailinglists@pernau.at mailto:klaus.mailinglists@pernau.at> wrote:

SIGABRT      6       Core    Abort signal from abort(3)

This means that there was an error condition detected in the
Kamailio code and the abort(3) function was called. As you see in
the logs a core file was generated. Find the core file and load it
into gdb and execute "backtrace". It will show you were the problem
happened and post it here.

regards
Klaus


On 25.10.2012 16:23, Kamal Palei wrote:

    Dear Klaus
    The certificate verification I have disabled.

    Facing a new problem.
    When there is a connection reset, that time Kamailio is crashing.
    During crash, I get below logs. Any idea why it is crashing and
    how can
    I avoid it.

    /oot@B2BUA:/usr/local/src/__scripts#  9(9557) : <core>

    [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil) (out of memory
    block!) - aborting
       0(9548) ALERT: <core> [main.c:742]: child process 9557 exited
    by a
    signal 6
       0(9548) ALERT: <core> [main.c:745]: core was generated
       0(9548) INFO: <core> [main.c:757]: INFO: terminating due to
    SIGCHLD
       6(9554) INFO: <core> [main.c:808]: INFO: signal 15 received
       8(9556) INFO: <core> [main.c:808]: INFO: signal 15 received
       4(9552) INFO: <core> [main.c:808]: INFO: signal 15 received
       5(9553) INFO: <core> [main.c:808]: INFO: signal 15 received
       3(9551) INFO: <core> [main.c:808]: INFO: signal 15 received
       7(9555) INFO: <core> [main.c:808]: INFO: signal 15 received
       1(9549) INFO: <core> [main.c:808]: INFO: signal 15 received
       2(9550) INFO: <core> [main.c:808]: INFO: signal 15 received
       0(9548) : <core> [mem/q_malloc.c:431]: BUG: qm_free: bad
    pointer (nil)
    (out of memory block!) - aborting


    THANKS
    kamal
    /
    On Thu, Oct 25, 2012 at 7:43 PM, Klaus Darilion
    <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@pernau.at>
    <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>> wrote:

         Hi Kamal!

         Are you familiar with SSL/TLS and certificates? With TLS
    the trust
         between TLS server and TLS client is usually via a trusted
         certification authority (CA). For example, if the
    intermediate proxy
         uses a certificate which is issued by CA FOOBAR-XYZ, the
    you have to
         configure Kamailio to accept certificates singed by
    FOOBAR-XYZ. This
         is done by copying the public root certificate of
    FOOBAR-XYZ to the
         Kamailio server and configure Kamailio to use the FOOBAR-XYZ
         certificate as trusted CA. Of course then you automatically
    also
         trust all others certificates issued by FOOBAR-XYZ.

         To configure the trusted CAs use:
    http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list>


    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list
    <http://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list>>

         You could also disable the certificate validation with:
    http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate>


    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate
    <http://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate>>

         But of course this reduces TLS benefits to encryption-only.

         regards
         Klaus


         On 22.10.2012 13:53, Kamal Palei wrote:

             Dear All
             I have modified kamailio,cfg and compiled all the
    modules with TLS
             enabled, and able to bring up the kamailio proxy properly.

             Kamailio proxy will receive the REGISTER message from
    endpoints
             in UDP ,
             and want to send this REGISTER message to another
    intermediate
             proxy in
             TLS. For this purpose, I have added few lines in
    kamailio.cfg
             file as below.

             I have created the certificates, private keys as
    explained by README
             file in kamailio-3.1.5/modules/tls/ path.

                       if(is_method("REGISTER"))
                       {
                               t_relay_to("tls:115.114.48.75
    <http://115.114.48.75>:____443
             <http://115.114.48.75:443>

             <http://115.114.48.75:443>");

                               exit();
                       }

             Looks like this is taking effect. When Kamailio
    receives REGISTER
             message it is trying to do handshake with intermediate
    proxy.
             I used wireshark to see the handshake messages.

             1. From Kamailio proxy, a TCP SYNC message is going to
             intermediate proxy.
             2. intermediate proxy sends SYNC + ACK
             3. Kamailio sends CLIENT HELLO
             4. intermediate proxy sends SERVER HELLO, CERTIFICATE
    and SERVER
             HELLO DONE
             5. The Kamailio sends ALERT (Level: Fatal, Description:
    Unknown CA)
             --->  IS something going wrong here..............
             6. Then Kamailio sends FIN + ACK

             Can somebody please let me know why the certificate
    verification
             fails
             (I get this log in console).
             How can I put a work around to avoid certification
    verification
             failure.

             Best Regards
             kamal




             ___________________________________________________

             SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
             mailing list
    sr-users@lists.sip-router.org
    <mailto:sr-users@lists.sip-router.org>
    <mailto:sr-users@lists.sip-__router.org
    <mailto:sr-users@lists.sip-router.org>>
    http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users
    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users>
    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users
    <http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users>>

Kamal Palei

9:53 a.m.

Dear Klaus Forgot to write you back otherday. I was able to trace the code that was crashing. It was trying to free a pointer that was null. I just added a null check. With this change, I am able to keep Kamailio up for longer duration, did not see the crash.

Thanks Klaus for your support. kamal

On Mon, Oct 29, 2012 at 3:14 PM, Klaus Darilion < klaus.mailinglists@pernau.at> wrote:

...

See also: http://www.kamailio.org/**dokuwiki/doku.php/** troubleshooting:corefileshttp://www.kamailio.org/dokuwiki/doku.php/troubleshooting:corefiles

On 26.10.2012 11:39, Kamal Palei wrote:

...
Dear Klaus

I am little bit new to linux debugging. Please let me know below stuff.

Whats the extension of core file.

The core file does not have an extension, it is usally just called "core.XXXX" with XXX is the process id of the crashed Kamailio process. It will reside in the current working directory.

Will the core files be generated in /home/user path or some other

...
default path

In the /etc/init.d/kamailio startup file you can configure the core pattern to be set before Kamailio is started. Then the core files will use the defined naming.

On Debian also activate core dumps by editing /etc/default/kamailio

Do I need to recompile Kamailio source with -g option , or by default

...
it is compiled with -g option

From your log file:
     0(9548) ALERT: <core> [main.c:745]: core was generated
You see, your binaries already generate core files. Thus, there is no need to rebuild Kamailio.

I hope we need to run "ulimit" before we start the program or it is

...
not required.

Usually you run "ulimit -c unlimited" before starting the Kamailio process to be sure that the core will not be truncated.

My observation is if I run directly kamailio it is crashing, if I run

...
with gdb it is not crashing, not sure why this happens.

Strange. But once you have a core file, you can analyze it and generate the backtrace.

Also make sure to not mix openssl libraries - this is often a a problem.

regards Klaus

...
Best Regards kamal

On Thu, Oct 25, 2012 at 8:01 PM, Klaus Darilion <klaus.mailinglists@pernau.at <mailto:klaus.mailinglists@**pernau.atklaus.mailinglists@pernau.at>> wrote:
SIGABRT      6       Core    Abort signal from abort(3)

This means that there was an error condition detected in the
Kamailio code and the abort(3) function was called. As you see in
the logs a core file was generated. Find the core file and load it
into gdb and execute "backtrace". It will show you were the problem
happened and post it here.

regards
Klaus


On 25.10.2012 16:23, Kamal Palei wrote:

    Dear Klaus
    The certificate verification I have disabled.

    Facing a new problem.
    When there is a connection reset, that time Kamailio is crashing.
    During crash, I get below logs. Any idea why it is crashing and
    how can
    I avoid it.

    /oot@B2BUA:/usr/local/src/__**scripts#  9(9557) : <core>


    [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil) (out of
memory block!) - aborting 0(9548) ALERT: <core> [main.c:742]: child process 9557 exited by a signal 6 0(9548) ALERT: <core> [main.c:745]: core was generated 0(9548) INFO: <core> [main.c:757]: INFO: terminating due to SIGCHLD 6(9554) INFO: <core> [main.c:808]: INFO: signal 15 received 8(9556) INFO: <core> [main.c:808]: INFO: signal 15 received 4(9552) INFO: <core> [main.c:808]: INFO: signal 15 received 5(9553) INFO: <core> [main.c:808]: INFO: signal 15 received 3(9551) INFO: <core> [main.c:808]: INFO: signal 15 received 7(9555) INFO: <core> [main.c:808]: INFO: signal 15 received 1(9549) INFO: <core> [main.c:808]: INFO: signal 15 received 2(9550) INFO: <core> [main.c:808]: INFO: signal 15 received 0(9548) : <core> [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil) (out of memory block!) - aborting
    THANKS
    kamal
    /
    On Thu, Oct 25, 2012 at 7:43 PM, Klaus Darilion
    <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@**pernau.at<klaus.mailinglists@pernau.at>
...
    <mailto:klaus.mailinglists@__p**ernau.at <http://pernau.at/>

    <mailto:klaus.mailinglists@**pernau.at<klaus.mailinglists@pernau.at>>>>
wrote:
         Hi Kamal!

         Are you familiar with SSL/TLS and certificates? With TLS
    the trust
         between TLS server and TLS client is usually via a trusted
         certification authority (CA). For example, if the
    intermediate proxy
         uses a certificate which is issued by CA FOOBAR-XYZ, the
    you have to
         configure Kamailio to accept certificates singed by
    FOOBAR-XYZ. This
         is done by copying the public root certificate of
    FOOBAR-XYZ to the
         Kamailio server and configure Kamailio to use the FOOBAR-XYZ
         certificate as trusted CA. Of course then you automatically
    also
         trust all others certificates issued by FOOBAR-XYZ.

         To configure the trusted CAs use:
    http://kamailio.org/docs/____**modules/3.3.x/modules/tls.____**
html#ca_listhttp://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list <http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__** html#ca_listhttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list>
    <http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__**
html#ca_listhttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list <http://kamailio.org/docs/**modules/3.3.x/modules/tls.** html#ca_listhttp://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list

...
...
         You could also disable the certificate validation with:
    http://kamailio.org/docs/____**modules/3.3.x/modules/tls.____**
html#verify_certificatehttp://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate <http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__** html#verify_certificatehttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate>
    <http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__**
html#verify_certificatehttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate <http://kamailio.org/docs/**modules/3.3.x/modules/tls.** html#verify_certificatehttp://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate

...
...
         But of course this reduces TLS benefits to encryption-only.

         regards
         Klaus


         On 22.10.2012 13:53, Kamal Palei wrote:

             Dear All
             I have modified kamailio,cfg and compiled all the
    modules with TLS
             enabled, and able to bring up the kamailio proxy
properly.
             Kamailio proxy will receive the REGISTER message from
    endpoints
             in UDP ,
             and want to send this REGISTER message to another
    intermediate
             proxy in
             TLS. For this purpose, I have added few lines in
    kamailio.cfg
             file as below.

             I have created the certificates, private keys as
    explained by README
             file in kamailio-3.1.5/modules/tls/ path.

                       if(is_method("REGISTER"))
                       {
                               t_relay_to("tls:115.114.48.75
    <http://115.114.48.75>:____443

             <http://115.114.48.75:443>

             <http://115.114.48.75:443>");

                               exit();
                       }

             Looks like this is taking effect. When Kamailio
    receives REGISTER
             message it is trying to do handshake with intermediate
    proxy.
             I used wireshark to see the handshake messages.

             1. From Kamailio proxy, a TCP SYNC message is going to
             intermediate proxy.
             2. intermediate proxy sends SYNC + ACK
             3. Kamailio sends CLIENT HELLO
             4. intermediate proxy sends SERVER HELLO, CERTIFICATE
    and SERVER
             HELLO DONE
             5. The Kamailio sends ALERT (Level: Fatal, Description:
    Unknown CA)
             --->  IS something going wrong here..............
             6. Then Kamailio sends FIN + ACK

             Can somebody please let me know why the certificate
    verification
             fails
             (I get this log in console).
             How can I put a work around to avoid certification
    verification
             failure.

             Best Regards
             kamal




             ______________________________**_____________________


             SIP Express Router (SER) and Kamailio (OpenSER) -
sr-users mailing list sr-users@lists.sip-router.org <mailto:sr-users@lists.sip-**router.orgsr-users@lists.sip-router.org

...
    <mailto:sr-users@lists.sip-__**router.org<sr-users@lists.sip-__router.org>
    <mailto:sr-users@lists.sip-**router.org<sr-users@lists.sip-router.org>
...
...
    http://lists.sip-router.org/__**__cgi-bin/mailman/listinfo/sr-**
____usershttp://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users <http://lists.sip-router.org/_**_cgi-bin/mailman/listinfo/sr-_** _usershttp://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users

...
    <http://lists.sip-router.org/_**_cgi-bin/mailman/listinfo/sr-_**
_usershttp://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users <http://lists.sip-router.org/**cgi-bin/mailman/listinfo/sr-** users http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users>>

Klaus Darilion

9:56 a.m.

Hi Kamal!

If the fix in standard Kamailio code or in code you have written yourself (a proprietary module)?

If the problem is in the standard code please send us a diff so we can fix Kamailio.

regards Klaus

On 29.10.2012 10:53, Kamal Palei wrote:

...

On Mon, Oct 29, 2012 at 3:14 PM, Klaus Darilion <klaus.mailinglists@pernau.at mailto:klaus.mailinglists@pernau.at> wrote:

See also:
http://www.kamailio.org/__dokuwiki/doku.php/__troubleshooting:corefiles
<http://www.kamailio.org/dokuwiki/doku.php/troubleshooting:corefiles>



On 26.10.2012 11:39, Kamal Palei wrote:

    Dear Klaus

    I am little bit new to linux debugging. Please let me know below
    stuff.

    1. Whats the extension of core file.

The core file does not have an extension, it is usally just called
"core.XXXX" with XXX is the process id of the crashed Kamailio
process. It will reside in the current working directory.


    2. Will the core files be generated in /home/user path or some other
    default path


In the /etc/init.d/kamailio startup file you can configure the core
pattern to be set before Kamailio is started. Then the core files
will use the defined naming.

On Debian also activate core dumps by editing /etc/default/kamailio


    3. Do I need to recompile Kamailio source with -g option , or by
    default
    it is compiled with -g option


 From your log file:

          0(9548) ALERT: <core> [main.c:745]: core was generated

You see, your binaries already generate core files. Thus, there is
no need to rebuild Kamailio.


    4. I hope we need to run "ulimit" before we start the program or
    it is
    not required.


Usually you run "ulimit -c unlimited" before starting the Kamailio
process to be sure that the core will not be truncated.


    My observation is if I run directly kamailio it is crashing, if
    I run
    with gdb it is not crashing, not sure why this happens.


Strange. But once you have a core file, you can analyze it and
generate the backtrace.

Also make sure to not mix openssl libraries - this is often a a problem.

regards
Klaus


    Best Regards
    kamal



    On Thu, Oct 25, 2012 at 8:01 PM, Klaus Darilion
    <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@pernau.at>
    <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>> wrote:

         SIGABRT      6       Core    Abort signal from abort(3)

         This means that there was an error condition detected in the
         Kamailio code and the abort(3) function was called. As you
    see in
         the logs a core file was generated. Find the core file and
    load it
         into gdb and execute "backtrace". It will show you were the
    problem
         happened and post it here.

         regards
         Klaus


         On 25.10.2012 16:23, Kamal Palei wrote:

             Dear Klaus
             The certificate verification I have disabled.

             Facing a new problem.
             When there is a connection reset, that time Kamailio is
    crashing.
             During crash, I get below logs. Any idea why it is
    crashing and
             how can
             I avoid it.

             /oot@B2BUA:/usr/local/src/____scripts#  9(9557) : <core>


             [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil)
    (out of memory
             block!) - aborting
                0(9548) ALERT: <core> [main.c:742]: child process
    9557 exited
             by a
             signal 6
                0(9548) ALERT: <core> [main.c:745]: core was generated
                0(9548) INFO: <core> [main.c:757]: INFO: terminating
    due to
             SIGCHLD
                6(9554) INFO: <core> [main.c:808]: INFO: signal 15
    received
                8(9556) INFO: <core> [main.c:808]: INFO: signal 15
    received
                4(9552) INFO: <core> [main.c:808]: INFO: signal 15
    received
                5(9553) INFO: <core> [main.c:808]: INFO: signal 15
    received
                3(9551) INFO: <core> [main.c:808]: INFO: signal 15
    received
                7(9555) INFO: <core> [main.c:808]: INFO: signal 15
    received
                1(9549) INFO: <core> [main.c:808]: INFO: signal 15
    received
                2(9550) INFO: <core> [main.c:808]: INFO: signal 15
    received
                0(9548) : <core> [mem/q_malloc.c:431]: BUG: qm_free: bad
             pointer (nil)
             (out of memory block!) - aborting


             THANKS
             kamal
             /
             On Thu, Oct 25, 2012 at 7:43 PM, Klaus Darilion
             <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@pernau.at>
             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>
             <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>__p__ernau.at <http://pernau.at/>

             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>>> wrote:

                  Hi Kamal!

                  Are you familiar with SSL/TLS and certificates?
    With TLS
             the trust
                  between TLS server and TLS client is usually via a
    trusted
                  certification authority (CA). For example, if the
             intermediate proxy
                  uses a certificate which is issued by CA
    FOOBAR-XYZ, the
             you have to
                  configure Kamailio to accept certificates singed by
             FOOBAR-XYZ. This
                  is done by copying the public root certificate of
             FOOBAR-XYZ to the
                  Kamailio server and configure Kamailio to use the
    FOOBAR-XYZ
                  certificate as trusted CA. Of course then you
    automatically
             also
                  trust all others certificates issued by FOOBAR-XYZ.

                  To configure the trusted CAs use:
    http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#ca_list
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list>

    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list>>





    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list>

    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list
    <http://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list>>>

                  You could also disable the certificate validation
    with:
    http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#verify_certificate
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate>

    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate>>





    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate>

    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate
    <http://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate>>>

                  But of course this reduces TLS benefits to
    encryption-only.

                  regards
                  Klaus


                  On 22.10.2012 13:53, Kamal Palei wrote:

                      Dear All
                      I have modified kamailio,cfg and compiled all the
             modules with TLS
                      enabled, and able to bring up the kamailio
    proxy properly.

                      Kamailio proxy will receive the REGISTER
    message from
             endpoints
                      in UDP ,
                      and want to send this REGISTER message to another
             intermediate
                      proxy in
                      TLS. For this purpose, I have added few lines in
             kamailio.cfg
                      file as below.

                      I have created the certificates, private keys as
             explained by README
                      file in kamailio-3.1.5/modules/tls/ path.

                                if(is_method("REGISTER"))
                                {
                                        t_relay_to("tls:115.114.48.75
             <http://115.114.48.75 <http://115.114.48.75/>>:____443

                      <http://115.114.48.75:443
    <http://115.114.48.75:443/>>

                      <http://115.114.48.75:443
    <http://115.114.48.75:443/>>");

                                        exit();
                                }

                      Looks like this is taking effect. When Kamailio
             receives REGISTER
                      message it is trying to do handshake with
    intermediate
             proxy.
                      I used wireshark to see the handshake messages.

                      1. From Kamailio proxy, a TCP SYNC message is
    going to
                      intermediate proxy.
                      2. intermediate proxy sends SYNC + ACK
                      3. Kamailio sends CLIENT HELLO
                      4. intermediate proxy sends SERVER HELLO,
    CERTIFICATE
             and SERVER
                      HELLO DONE
                      5. The Kamailio sends ALERT (Level: Fatal,
    Description:
             Unknown CA)
                      --->  IS something going wrong here..............
                      6. Then Kamailio sends FIN + ACK

                      Can somebody please let me know why the
    certificate
             verification
                      fails
                      (I get this log in console).
                      How can I put a work around to avoid certification
             verification
                      failure.

                      Best Regards
                      kamal





      _____________________________________________________


                      SIP Express Router (SER) and Kamailio
    (OpenSER) - sr-users
                      mailing list
    sr-users@lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
             <mailto:sr-users@lists.sip-__router.org
    <mailto:sr-users@lists.sip-router.org>>
             <mailto:sr-users@lists.sip-____router.org
    <mailto:sr-users@lists.sip-__router.org>
             <mailto:sr-users@lists.sip-__router.org
    <mailto:sr-users@lists.sip-router.org>>>
    http://lists.sip-router.org/______cgi-bin/mailman/listinfo/sr-______users
    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users>

    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users
    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users>>

    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users
    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users>

    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users
    <http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users>>>

Kamal Palei

10:18 a.m.

Dear Klaus In tls_init.c file there is a function

static void ser_free(void *ptr) { shm_free(ptr); }

I modified it to

static void ser_free(void *ptr) { if(ptr) shm_free(ptr); }

Just added a null check.

During tls connection close it was close it was crashing. Incase you need to complete stack trace, please let me know, will revert back code chage, reproduce the issue and can get the backtrace.

Best Regards kamal

On Mon, Oct 29, 2012 at 3:26 PM, Klaus Darilion < klaus.mailinglists@pernau.at> wrote:

...

Hi Kamal!

If the fix in standard Kamailio code or in code you have written yourself (a proprietary module)?

If the problem is in the standard code please send us a diff so we can fix Kamailio.

regards Klaus

On 29.10.2012 10:53, Kamal Palei wrote:

...
Dear Klaus Forgot to write you back otherday. I was able to trace the code that was crashing. It was trying to free a pointer that was null. I just added a null check. With this change, I am able to keep Kamailio up for longer duration, did not see the crash. Thanks Klaus for your support. kamal

On Mon, Oct 29, 2012 at 3:14 PM, Klaus Darilion <klaus.mailinglists@pernau.at <mailto:klaus.mailinglists@**pernau.atklaus.mailinglists@pernau.at>> wrote:
See also:
http://www.kamailio.org/__**dokuwiki/doku.php/__**
troubleshooting:corefileshttp://www.kamailio.org/__dokuwiki/doku.php/__troubleshooting:corefiles
<http://www.kamailio.org/**dokuwiki/doku.php/**
troubleshooting:corefileshttp://www.kamailio.org/dokuwiki/doku.php/troubleshooting:corefiles

...
On 26.10.2012 11:39, Kamal Palei wrote:

    Dear Klaus

    I am little bit new to linux debugging. Please let me know below
    stuff.

    1. Whats the extension of core file.

The core file does not have an extension, it is usally just called
"core.XXXX" with XXX is the process id of the crashed Kamailio
process. It will reside in the current working directory.


    2. Will the core files be generated in /home/user path or some
other default path
In the /etc/init.d/kamailio startup file you can configure the core
pattern to be set before Kamailio is started. Then the core files
will use the defined naming.

On Debian also activate core dumps by editing /etc/default/kamailio


    3. Do I need to recompile Kamailio source with -g option , or by
    default
    it is compiled with -g option


 From your log file:

          0(9548) ALERT: <core> [main.c:745]: core was generated

You see, your binaries already generate core files. Thus, there is
no need to rebuild Kamailio.


    4. I hope we need to run "ulimit" before we start the program or
    it is
    not required.


Usually you run "ulimit -c unlimited" before starting the Kamailio
process to be sure that the core will not be truncated.


    My observation is if I run directly kamailio it is crashing, if
    I run
    with gdb it is not crashing, not sure why this happens.


Strange. But once you have a core file, you can analyze it and
generate the backtrace.

Also make sure to not mix openssl libraries - this is often a a
problem.
regards
Klaus


    Best Regards
    kamal



    On Thu, Oct 25, 2012 at 8:01 PM, Klaus Darilion
    <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@**pernau.at<klaus.mailinglists@pernau.at>
...
    <mailto:klaus.mailinglists@__p**ernau.at <http://pernau.at/>
    <mailto:klaus.mailinglists@**pernau.at<klaus.mailinglists@pernau.at>>>>
wrote:
         SIGABRT      6       Core    Abort signal from abort(3)

         This means that there was an error condition detected in the
         Kamailio code and the abort(3) function was called. As you
    see in
         the logs a core file was generated. Find the core file and
    load it
         into gdb and execute "backtrace". It will show you were the
    problem
         happened and post it here.

         regards
         Klaus


         On 25.10.2012 16:23, Kamal Palei wrote:

             Dear Klaus
             The certificate verification I have disabled.

             Facing a new problem.
             When there is a connection reset, that time Kamailio is
    crashing.
             During crash, I get below logs. Any idea why it is
    crashing and
             how can
             I avoid it.

             /oot@B2BUA:/usr/local/src/____**scripts#  9(9557) :
<core>
             [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil)
    (out of memory
             block!) - aborting
                0(9548) ALERT: <core> [main.c:742]: child process
    9557 exited
             by a
             signal 6
                0(9548) ALERT: <core> [main.c:745]: core was generated
                0(9548) INFO: <core> [main.c:757]: INFO: terminating
    due to
             SIGCHLD
                6(9554) INFO: <core> [main.c:808]: INFO: signal 15
    received
                8(9556) INFO: <core> [main.c:808]: INFO: signal 15
    received
                4(9552) INFO: <core> [main.c:808]: INFO: signal 15
    received
                5(9553) INFO: <core> [main.c:808]: INFO: signal 15
    received
                3(9551) INFO: <core> [main.c:808]: INFO: signal 15
    received
                7(9555) INFO: <core> [main.c:808]: INFO: signal 15
    received
                1(9549) INFO: <core> [main.c:808]: INFO: signal 15
    received
                2(9550) INFO: <core> [main.c:808]: INFO: signal 15
    received
                0(9548) : <core> [mem/q_malloc.c:431]: BUG: qm_free:
bad pointer (nil) (out of memory block!) - aborting
             THANKS
             kamal
             /
             On Thu, Oct 25, 2012 at 7:43 PM, Klaus Darilion
             <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@**pernau.at<klaus.mailinglists@pernau.at>
...
             <mailto:klaus.mailinglists@__p**ernau.at<http://pernau.at/>
    <mailto:klaus.mailinglists@**pernau.at<klaus.mailinglists@pernau.at>
...
...
             <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>__**p__ernau.at <http://p__ernau.at/><
http://pernau.at/%3E
             <mailto:klaus.mailinglists@__p**ernau.at<http://pernau.at/>
    <mailto:klaus.mailinglists@**pernau.at<klaus.mailinglists@pernau.at>>>>>
wrote:
                  Hi Kamal!

                  Are you familiar with SSL/TLS and certificates?
    With TLS
             the trust
                  between TLS server and TLS client is usually via a
    trusted
                  certification authority (CA). For example, if the
             intermediate proxy
                  uses a certificate which is issued by CA
    FOOBAR-XYZ, the
             you have to
                  configure Kamailio to accept certificates singed by
             FOOBAR-XYZ. This
                  is done by copying the public root certificate of
             FOOBAR-XYZ to the
                  Kamailio server and configure Kamailio to use the
    FOOBAR-XYZ
                  certificate as trusted CA. Of course then you
    automatically
             also
                  trust all others certificates issued by FOOBAR-XYZ.

                  To configure the trusted CAs use:
    http://kamailio.org/docs/_____**_modules/3.3.x/modules/tls.___**
___html#ca_listhttp://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#ca_list <http://kamailio.org/docs/____**modules/3.3.x/modules/tls.____** html#ca_listhttp://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list>
    <http://kamailio.org/docs/____**modules/3.3.x/modules/tls.____**
html#ca_listhttp://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list <http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__** html#ca_listhttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list

...
...
    <http://kamailio.org/docs/____**modules/3.3.x/modules/tls.____**
html#ca_listhttp://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list <http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__** html#ca_listhttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list

...
    <http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__**
html#ca_listhttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list <http://kamailio.org/docs/**modules/3.3.x/modules/tls.** html#ca_listhttp://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list

...
...
...
                  You could also disable the certificate validation
    with:
    http://kamailio.org/docs/_____**_modules/3.3.x/modules/tls.___**
___html#verify_certificatehttp://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#verify_certificate <http://kamailio.org/docs/____**modules/3.3.x/modules/tls.____** html#verify_certificatehttp://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate>
    <http://kamailio.org/docs/____**modules/3.3.x/modules/tls.____**
html#verify_certificatehttp://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate <http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__** html#verify_certificatehttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate

...
...
    <http://kamailio.org/docs/____**modules/3.3.x/modules/tls.____**
html#verify_certificatehttp://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate <http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__** html#verify_certificatehttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate

...
    <http://kamailio.org/docs/__**modules/3.3.x/modules/tls.__**
html#verify_certificatehttp://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate <http://kamailio.org/docs/**modules/3.3.x/modules/tls.** html#verify_certificatehttp://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate

...
...
...
                  But of course this reduces TLS benefits to
    encryption-only.

                  regards
                  Klaus


                  On 22.10.2012 13:53, Kamal Palei wrote:

                      Dear All
                      I have modified kamailio,cfg and compiled all
the modules with TLS enabled, and able to bring up the kamailio proxy properly.
                      Kamailio proxy will receive the REGISTER
    message from
             endpoints
                      in UDP ,
                      and want to send this REGISTER message to
another intermediate proxy in TLS. For this purpose, I have added few lines in kamailio.cfg file as below.
                      I have created the certificates, private keys as
             explained by README
                      file in kamailio-3.1.5/modules/tls/ path.

                                if(is_method("REGISTER"))
                                {
                                        t_relay_to("tls:115.114.48.75
             <http://115.114.48.75 <http://115.114.48.75/>>:____**443

                      <http://115.114.48.75:443
    <http://115.114.48.75:443/>>

                      <http://115.114.48.75:443
    <http://115.114.48.75:443/>>")**;


                                        exit();
                                }

                      Looks like this is taking effect. When Kamailio
             receives REGISTER
                      message it is trying to do handshake with
    intermediate
             proxy.
                      I used wireshark to see the handshake messages.

                      1. From Kamailio proxy, a TCP SYNC message is
    going to
                      intermediate proxy.
                      2. intermediate proxy sends SYNC + ACK
                      3. Kamailio sends CLIENT HELLO
                      4. intermediate proxy sends SERVER HELLO,
    CERTIFICATE
             and SERVER
                      HELLO DONE
                      5. The Kamailio sends ALERT (Level: Fatal,
    Description:
             Unknown CA)
                      --->  IS something going wrong
here.............. 6. Then Kamailio sends FIN + ACK
                      Can somebody please let me know why the
    certificate
             verification
                      fails
                      (I get this log in console).
                      How can I put a work around to avoid
certification verification failure.
                      Best Regards
                      kamal





      ______________________________**_______________________



                      SIP Express Router (SER) and Kamailio
    (OpenSER) - sr-users
                      mailing list
    sr-users@lists.sip-router.org <mailto:sr-users@lists.sip-**
router.org sr-users@lists.sip-router.org> <mailto:sr-users@lists.sip-__**router.org<sr-users@lists.sip-__router.org> <mailto:sr-users@lists.sip-**router.orgsr-users@lists.sip-router.org

...
...
             <mailto:sr-users@lists.sip-___**_router.org<sr-users@lists.sip-____router.org>
    <mailto:sr-users@lists.sip-__**router.org<sr-users@lists.sip-__router.org>
...
             <mailto:sr-users@lists.sip-__**router.org<sr-users@lists.sip-__router.org>
    <mailto:sr-users@lists.sip-**router.org<sr-users@lists.sip-router.org>
...
...
...
    http://lists.sip-router.org/__**____cgi-bin/mailman/listinfo/**
sr-______usershttp://lists.sip-router.org/______cgi-bin/mailman/listinfo/sr-______users <http://lists.sip-router.org/_**___cgi-bin/mailman/listinfo/** sr-____usershttp://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users>
    <http://lists.sip-router.org/_**___cgi-bin/mailman/listinfo/**
sr-____usershttp://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users <http://lists.sip-router.org/_**_cgi-bin/mailman/listinfo/sr-_** _usershttp://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users

...
...
    <http://lists.sip-router.org/_**___cgi-bin/mailman/listinfo/**
sr-____usershttp://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users <http://lists.sip-router.org/_**_cgi-bin/mailman/listinfo/sr-_** _usershttp://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users

...
    <http://lists.sip-router.org/_**_cgi-bin/mailman/listinfo/sr-_**
_usershttp://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users <http://lists.sip-router.org/**cgi-bin/mailman/listinfo/sr-** users http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users>>>

Klaus Darilion

7 Nov 7 Nov

12:29 p.m.

Hi Kamal!

This looks like an openssl bug.

Which version of openssl do you use?

regards Klaus

On 29.10.2012 11:18, Kamal Palei wrote:

...

Dear Klaus In tls_init.c file there is a function static void ser_free(void *ptr) { shm_free(ptr); } I modified it to static void ser_free(void *ptr) { if(ptr) shm_free(ptr); } Just added a null check. During tls connection close it was close it was crashing. Incase you need to complete stack trace, please let me know, will revert back code chage, reproduce the issue and can get the backtrace. Best Regards kamal

On Mon, Oct 29, 2012 at 3:26 PM, Klaus Darilion <klaus.mailinglists@pernau.at mailto:klaus.mailinglists@pernau.at> wrote:

Hi Kamal!

If the fix in standard Kamailio code or in code you have written
yourself (a proprietary module)?

If the problem is in the standard code please send us a diff so we
can fix Kamailio.

regards
Klaus


On 29.10.2012 10:53, Kamal Palei wrote:

    Dear Klaus
    Forgot to write you back otherday. I was able to trace the code
    that was
    crashing. It was trying to free a pointer that was null. I just
    added a
    null check. With this change, I am able to keep Kamailio up for
    longer
    duration, did not see the crash.
    Thanks Klaus for your support.
    kamal


    On Mon, Oct 29, 2012 at 3:14 PM, Klaus Darilion
    <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@pernau.at>
    <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>> wrote:

         See also:
    http://www.kamailio.org/____dokuwiki/doku.php/____troubleshooting:corefiles
    <http://www.kamailio.org/__dokuwiki/doku.php/__troubleshooting:corefiles>



    <http://www.kamailio.org/__dokuwiki/doku.php/__troubleshooting:corefiles
    <http://www.kamailio.org/dokuwiki/doku.php/troubleshooting:corefiles>>



         On 26.10.2012 11:39, Kamal Palei wrote:

             Dear Klaus

             I am little bit new to linux debugging. Please let me
    know below
             stuff.

             1. Whats the extension of core file.

         The core file does not have an extension, it is usally just
    called
         "core.XXXX" with XXX is the process id of the crashed Kamailio
         process. It will reside in the current working directory.


             2. Will the core files be generated in /home/user path
    or some other
             default path


         In the /etc/init.d/kamailio startup file you can configure
    the core
         pattern to be set before Kamailio is started. Then the core
    files
         will use the defined naming.

         On Debian also activate core dumps by editing
    /etc/default/kamailio


             3. Do I need to recompile Kamailio source with -g
    option , or by
             default
             it is compiled with -g option


          From your log file:

                   0(9548) ALERT: <core> [main.c:745]: core was
    generated

         You see, your binaries already generate core files. Thus,
    there is
         no need to rebuild Kamailio.


             4. I hope we need to run "ulimit" before we start the
    program or
             it is
             not required.


         Usually you run "ulimit -c unlimited" before starting the
    Kamailio
         process to be sure that the core will not be truncated.


             My observation is if I run directly kamailio it is
    crashing, if
             I run
             with gdb it is not crashing, not sure why this happens.


         Strange. But once you have a core file, you can analyze it and
         generate the backtrace.

         Also make sure to not mix openssl libraries - this is often
    a a problem.

         regards
         Klaus


             Best Regards
             kamal



             On Thu, Oct 25, 2012 at 8:01 PM, Klaus Darilion
             <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@pernau.at>
             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>
             <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>__p__ernau.at <http://pernau.at/>
             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>>> wrote:

                  SIGABRT      6       Core    Abort signal from
    abort(3)

                  This means that there was an error condition
    detected in the
                  Kamailio code and the abort(3) function was
    called. As you
             see in
                  the logs a core file was generated. Find the core
    file and
             load it
                  into gdb and execute "backtrace". It will show you
    were the
             problem
                  happened and post it here.

                  regards
                  Klaus


                  On 25.10.2012 16:23, Kamal Palei wrote:

                      Dear Klaus
                      The certificate verification I have disabled.

                      Facing a new problem.
                      When there is a connection reset, that time
    Kamailio is
             crashing.
                      During crash, I get below logs. Any idea why it is
             crashing and
                      how can
                      I avoid it.

                      /oot@B2BUA:/usr/local/src/______scripts#
      9(9557) : <core>



                      [mem/q_malloc.c:431]: BUG: qm_free: bad
    pointer (nil)
             (out of memory
                      block!) - aborting
                         0(9548) ALERT: <core> [main.c:742]: child
    process
             9557 exited
                      by a
                      signal 6
                         0(9548) ALERT: <core> [main.c:745]: core
    was generated
                         0(9548) INFO: <core> [main.c:757]: INFO:
    terminating
             due to
                      SIGCHLD
                         6(9554) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         8(9556) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         4(9552) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         5(9553) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         3(9551) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         7(9555) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         1(9549) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         2(9550) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         0(9548) : <core> [mem/q_malloc.c:431]: BUG:
    qm_free: bad
                      pointer (nil)
                      (out of memory block!) - aborting


                      THANKS
                      kamal
                      /
                      On Thu, Oct 25, 2012 at 7:43 PM, Klaus Darilion
                      <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@pernau.at>
             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>
                      <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>__p__ernau.at <http://pernau.at/>
             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>>
                      <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>
             <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>>____p__ernau.at
    <http://p__ernau.at/> <http://pernau.at/>


                      <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>__p__ernau.at <http://pernau.at/>
             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>>>> wrote:

                           Hi Kamal!

                           Are you familiar with SSL/TLS and
    certificates?
             With TLS
                      the trust
                           between TLS server and TLS client is
    usually via a
             trusted
                           certification authority (CA). For
    example, if the
                      intermediate proxy
                           uses a certificate which is issued by CA
             FOOBAR-XYZ, the
                      you have to
                           configure Kamailio to accept certificates
    singed by
                      FOOBAR-XYZ. This
                           is done by copying the public root
    certificate of
                      FOOBAR-XYZ to the
                           Kamailio server and configure Kamailio to
    use the
             FOOBAR-XYZ
                           certificate as trusted CA. Of course then you
             automatically
                      also
                           trust all others certificates issued by
    FOOBAR-XYZ.

                           To configure the trusted CAs use:
    http://kamailio.org/docs/________modules/3.3.x/modules/tls.________html#ca_list
    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#ca_list>

    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#ca_list
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list>>




    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#ca_list
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list>

    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list>>>






    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#ca_list
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list>

    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list>>


    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list>

    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list
    <http://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list>>>>

                           You could also disable the certificate
    validation
             with:
    http://kamailio.org/docs/________modules/3.3.x/modules/tls.________html#verify_certificate
    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#verify_certificate>

    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#verify_certificate
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate>>




    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#verify_certificate
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate>

    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate>>>






    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#verify_certificate
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate>

    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate>>


    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate>

    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate
    <http://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate>>>>

                           But of course this reduces TLS benefits to
             encryption-only.

                           regards
                           Klaus


                           On 22.10.2012 13:53, Kamal Palei wrote:

                               Dear All
                               I have modified kamailio,cfg and
    compiled all the
                      modules with TLS
                               enabled, and able to bring up the
    kamailio
             proxy properly.

                               Kamailio proxy will receive the REGISTER
             message from
                      endpoints
                               in UDP ,
                               and want to send this REGISTER
    message to another
                      intermediate
                               proxy in
                               TLS. For this purpose, I have added
    few lines in
                      kamailio.cfg
                               file as below.

                               I have created the certificates,
    private keys as
                      explained by README
                               file in kamailio-3.1.5/modules/tls/ path.

                                         if(is_method("REGISTER"))
                                         {

    t_relay_to("tls:115.114.48.75
                      <http://115.114.48.75 <http://115.114.48.75/>
    <http://115.114.48.75/>>:______443

                               <http://115.114.48.75:443
    <http://115.114.48.75:443/>
             <http://115.114.48.75:443/>>

                               <http://115.114.48.75:443
    <http://115.114.48.75:443/>
             <http://115.114.48.75:443/>>")__;


                                                 exit();
                                         }

                               Looks like this is taking effect.
    When Kamailio
                      receives REGISTER
                               message it is trying to do handshake with
             intermediate
                      proxy.
                               I used wireshark to see the handshake
    messages.

                               1. From Kamailio proxy, a TCP SYNC
    message is
             going to
                               intermediate proxy.
                               2. intermediate proxy sends SYNC + ACK
                               3. Kamailio sends CLIENT HELLO
                               4. intermediate proxy sends SERVER HELLO,
             CERTIFICATE
                      and SERVER
                               HELLO DONE
                               5. The Kamailio sends ALERT (Level:
    Fatal,
             Description:
                      Unknown CA)
                               --->  IS something going wrong
    here..............
                               6. Then Kamailio sends FIN + ACK

                               Can somebody please let me know why the
             certificate
                      verification
                               fails
                               (I get this log in console).
                               How can I put a work around to avoid
    certification
                      verification
                               failure.

                               Best Regards
                               kamal





               _______________________________________________________



                               SIP Express Router (SER) and Kamailio
             (OpenSER) - sr-users
                               mailing list
    sr-users@lists.sip-router.org
    <mailto:sr-users@lists.sip-router.org>
    <mailto:sr-users@lists.sip-__router.org
    <mailto:sr-users@lists.sip-router.org>>
                      <mailto:sr-users@lists.sip-____router.org
    <mailto:sr-users@lists.sip-__router.org>
             <mailto:sr-users@lists.sip-__router.org
    <mailto:sr-users@lists.sip-router.org>>>
                      <mailto:sr-users@lists.sip-______router.org
    <mailto:sr-users@lists.sip-____router.org>
             <mailto:sr-users@lists.sip-____router.org
    <mailto:sr-users@lists.sip-__router.org>>
                      <mailto:sr-users@lists.sip-____router.org
    <mailto:sr-users@lists.sip-__router.org>
             <mailto:sr-users@lists.sip-__router.org
    <mailto:sr-users@lists.sip-router.org>>>>
    http://lists.sip-router.org/________cgi-bin/mailman/listinfo/__sr-______users
    <http://lists.sip-router.org/______cgi-bin/mailman/listinfo/sr-______users>

    <http://lists.sip-router.org/______cgi-bin/mailman/listinfo/__sr-____users
    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users>>




    <http://lists.sip-router.org/______cgi-bin/mailman/listinfo/__sr-____users
    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users>

    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users
    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users>>>


    <http://lists.sip-router.org/______cgi-bin/mailman/listinfo/__sr-____users
    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users>

    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users
    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users>>


    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users
    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users>

    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users
    <http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users>>>>

Klaus Darilion

3:07 p.m.

Fixed in head and 3.3 branch.

regards Klaus

On 29.10.2012 11:18, Kamal Palei wrote:

...

On Mon, Oct 29, 2012 at 3:26 PM, Klaus Darilion <klaus.mailinglists@pernau.at mailto:klaus.mailinglists@pernau.at> wrote:

Hi Kamal!

If the fix in standard Kamailio code or in code you have written
yourself (a proprietary module)?

If the problem is in the standard code please send us a diff so we
can fix Kamailio.

regards
Klaus


On 29.10.2012 10:53, Kamal Palei wrote:

    Dear Klaus
    Forgot to write you back otherday. I was able to trace the code
    that was
    crashing. It was trying to free a pointer that was null. I just
    added a
    null check. With this change, I am able to keep Kamailio up for
    longer
    duration, did not see the crash.
    Thanks Klaus for your support.
    kamal


    On Mon, Oct 29, 2012 at 3:14 PM, Klaus Darilion
    <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@pernau.at>
    <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>> wrote:

         See also:
    http://www.kamailio.org/____dokuwiki/doku.php/____troubleshooting:corefiles
    <http://www.kamailio.org/__dokuwiki/doku.php/__troubleshooting:corefiles>



    <http://www.kamailio.org/__dokuwiki/doku.php/__troubleshooting:corefiles
    <http://www.kamailio.org/dokuwiki/doku.php/troubleshooting:corefiles>>



         On 26.10.2012 11:39, Kamal Palei wrote:

             Dear Klaus

             I am little bit new to linux debugging. Please let me
    know below
             stuff.

             1. Whats the extension of core file.

         The core file does not have an extension, it is usally just
    called
         "core.XXXX" with XXX is the process id of the crashed Kamailio
         process. It will reside in the current working directory.


             2. Will the core files be generated in /home/user path
    or some other
             default path


         In the /etc/init.d/kamailio startup file you can configure
    the core
         pattern to be set before Kamailio is started. Then the core
    files
         will use the defined naming.

         On Debian also activate core dumps by editing
    /etc/default/kamailio


             3. Do I need to recompile Kamailio source with -g
    option , or by
             default
             it is compiled with -g option


          From your log file:

                   0(9548) ALERT: <core> [main.c:745]: core was
    generated

         You see, your binaries already generate core files. Thus,
    there is
         no need to rebuild Kamailio.


             4. I hope we need to run "ulimit" before we start the
    program or
             it is
             not required.


         Usually you run "ulimit -c unlimited" before starting the
    Kamailio
         process to be sure that the core will not be truncated.


             My observation is if I run directly kamailio it is
    crashing, if
             I run
             with gdb it is not crashing, not sure why this happens.


         Strange. But once you have a core file, you can analyze it and
         generate the backtrace.

         Also make sure to not mix openssl libraries - this is often
    a a problem.

         regards
         Klaus


             Best Regards
             kamal



             On Thu, Oct 25, 2012 at 8:01 PM, Klaus Darilion
             <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@pernau.at>
             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>
             <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>__p__ernau.at <http://pernau.at/>
             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>>> wrote:

                  SIGABRT      6       Core    Abort signal from
    abort(3)

                  This means that there was an error condition
    detected in the
                  Kamailio code and the abort(3) function was
    called. As you
             see in
                  the logs a core file was generated. Find the core
    file and
             load it
                  into gdb and execute "backtrace". It will show you
    were the
             problem
                  happened and post it here.

                  regards
                  Klaus


                  On 25.10.2012 16:23, Kamal Palei wrote:

                      Dear Klaus
                      The certificate verification I have disabled.

                      Facing a new problem.
                      When there is a connection reset, that time
    Kamailio is
             crashing.
                      During crash, I get below logs. Any idea why it is
             crashing and
                      how can
                      I avoid it.

                      /oot@B2BUA:/usr/local/src/______scripts#
      9(9557) : <core>



                      [mem/q_malloc.c:431]: BUG: qm_free: bad
    pointer (nil)
             (out of memory
                      block!) - aborting
                         0(9548) ALERT: <core> [main.c:742]: child
    process
             9557 exited
                      by a
                      signal 6
                         0(9548) ALERT: <core> [main.c:745]: core
    was generated
                         0(9548) INFO: <core> [main.c:757]: INFO:
    terminating
             due to
                      SIGCHLD
                         6(9554) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         8(9556) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         4(9552) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         5(9553) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         3(9551) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         7(9555) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         1(9549) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         2(9550) INFO: <core> [main.c:808]: INFO:
    signal 15
             received
                         0(9548) : <core> [mem/q_malloc.c:431]: BUG:
    qm_free: bad
                      pointer (nil)
                      (out of memory block!) - aborting


                      THANKS
                      kamal
                      /
                      On Thu, Oct 25, 2012 at 7:43 PM, Klaus Darilion
                      <klaus.mailinglists@pernau.at
    <mailto:klaus.mailinglists@pernau.at>
             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>
                      <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>__p__ernau.at <http://pernau.at/>
             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>>
                      <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>
             <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>>____p__ernau.at
    <http://p__ernau.at/> <http://pernau.at/>


                      <mailto:klaus.mailinglists@
    <mailto:klaus.mailinglists@>__p__ernau.at <http://pernau.at/>
             <mailto:klaus.mailinglists@__pernau.at
    <mailto:klaus.mailinglists@pernau.at>>>>> wrote:

                           Hi Kamal!

                           Are you familiar with SSL/TLS and
    certificates?
             With TLS
                      the trust
                           between TLS server and TLS client is
    usually via a
             trusted
                           certification authority (CA). For
    example, if the
                      intermediate proxy
                           uses a certificate which is issued by CA
             FOOBAR-XYZ, the
                      you have to
                           configure Kamailio to accept certificates
    singed by
                      FOOBAR-XYZ. This
                           is done by copying the public root
    certificate of
                      FOOBAR-XYZ to the
                           Kamailio server and configure Kamailio to
    use the
             FOOBAR-XYZ
                           certificate as trusted CA. Of course then you
             automatically
                      also
                           trust all others certificates issued by
    FOOBAR-XYZ.

                           To configure the trusted CAs use:
    http://kamailio.org/docs/________modules/3.3.x/modules/tls.________html#ca_list
    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#ca_list>

    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#ca_list
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list>>




    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#ca_list
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list>

    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list>>>






    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#ca_list
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list>

    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list>>


    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#ca_list
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list>

    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#ca_list
    <http://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list>>>>

                           You could also disable the certificate
    validation
             with:
    http://kamailio.org/docs/________modules/3.3.x/modules/tls.________html#verify_certificate
    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#verify_certificate>

    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#verify_certificate
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate>>




    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#verify_certificate
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate>

    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate>>>






    <http://kamailio.org/docs/______modules/3.3.x/modules/tls.______html#verify_certificate
    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate>

    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate>>


    <http://kamailio.org/docs/____modules/3.3.x/modules/tls.____html#verify_certificate
    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate>

    <http://kamailio.org/docs/__modules/3.3.x/modules/tls.__html#verify_certificate
    <http://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate>>>>

                           But of course this reduces TLS benefits to
             encryption-only.

                           regards
                           Klaus


                           On 22.10.2012 13:53, Kamal Palei wrote:

                               Dear All
                               I have modified kamailio,cfg and
    compiled all the
                      modules with TLS
                               enabled, and able to bring up the
    kamailio
             proxy properly.

                               Kamailio proxy will receive the REGISTER
             message from
                      endpoints
                               in UDP ,
                               and want to send this REGISTER
    message to another
                      intermediate
                               proxy in
                               TLS. For this purpose, I have added
    few lines in
                      kamailio.cfg
                               file as below.

                               I have created the certificates,
    private keys as
                      explained by README
                               file in kamailio-3.1.5/modules/tls/ path.

                                         if(is_method("REGISTER"))
                                         {

    t_relay_to("tls:115.114.48.75
                      <http://115.114.48.75 <http://115.114.48.75/>
    <http://115.114.48.75/>>:______443

                               <http://115.114.48.75:443
    <http://115.114.48.75:443/>
             <http://115.114.48.75:443/>>

                               <http://115.114.48.75:443
    <http://115.114.48.75:443/>
             <http://115.114.48.75:443/>>")__;


                                                 exit();
                                         }

                               Looks like this is taking effect.
    When Kamailio
                      receives REGISTER
                               message it is trying to do handshake with
             intermediate
                      proxy.
                               I used wireshark to see the handshake
    messages.

                               1. From Kamailio proxy, a TCP SYNC
    message is
             going to
                               intermediate proxy.
                               2. intermediate proxy sends SYNC + ACK
                               3. Kamailio sends CLIENT HELLO
                               4. intermediate proxy sends SERVER HELLO,
             CERTIFICATE
                      and SERVER
                               HELLO DONE
                               5. The Kamailio sends ALERT (Level:
    Fatal,
             Description:
                      Unknown CA)
                               --->  IS something going wrong
    here..............
                               6. Then Kamailio sends FIN + ACK

                               Can somebody please let me know why the
             certificate
                      verification
                               fails
                               (I get this log in console).
                               How can I put a work around to avoid
    certification
                      verification
                               failure.

                               Best Regards
                               kamal





               _______________________________________________________



                               SIP Express Router (SER) and Kamailio
             (OpenSER) - sr-users
                               mailing list
    sr-users@lists.sip-router.org
    <mailto:sr-users@lists.sip-router.org>
    <mailto:sr-users@lists.sip-__router.org
    <mailto:sr-users@lists.sip-router.org>>
                      <mailto:sr-users@lists.sip-____router.org
    <mailto:sr-users@lists.sip-__router.org>
             <mailto:sr-users@lists.sip-__router.org
    <mailto:sr-users@lists.sip-router.org>>>
                      <mailto:sr-users@lists.sip-______router.org
    <mailto:sr-users@lists.sip-____router.org>
             <mailto:sr-users@lists.sip-____router.org
    <mailto:sr-users@lists.sip-__router.org>>
                      <mailto:sr-users@lists.sip-____router.org
    <mailto:sr-users@lists.sip-__router.org>
             <mailto:sr-users@lists.sip-__router.org
    <mailto:sr-users@lists.sip-router.org>>>>
    http://lists.sip-router.org/________cgi-bin/mailman/listinfo/__sr-______users
    <http://lists.sip-router.org/______cgi-bin/mailman/listinfo/sr-______users>

    <http://lists.sip-router.org/______cgi-bin/mailman/listinfo/__sr-____users
    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users>>




    <http://lists.sip-router.org/______cgi-bin/mailman/listinfo/__sr-____users
    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users>

    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users
    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users>>>


    <http://lists.sip-router.org/______cgi-bin/mailman/listinfo/__sr-____users
    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users>

    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users
    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users>>


    <http://lists.sip-router.org/____cgi-bin/mailman/listinfo/sr-____users
    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users>

    <http://lists.sip-router.org/__cgi-bin/mailman/listinfo/sr-__users
    <http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users>>>>

4548

Age (days ago)

4564

Last active (days ago)

sr-users@lists.kamailio.org

10 comments

2 participants

tags (0)

participants (2)

Kamal Palei
Klaus Darilion