[sr-dev] massive TLS crashes

Andrei Pelinescu-Onciul andrei at iptel.org
Mon Feb 22 22:21:43 CET 2010


On Feb 22, 2010 at 20:00, Andrei Pelinescu-Onciul <andrei at iptel.org> wrote:
> On Feb 22, 2010 at 19:16, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
> > Hi!
> > 
> > With kamailio 3.0 I encounter lots of crashes. I am using SNOM 320 and 
> > eyebeam clients. I think crashes are mostly correlated with SNOM 320.
> > 
> > Server is CentOS5.4. OpenSSL is openssl-0.9.8e-12.el5_4.1.
> > 
> > First crashed Kamailio always with the same backtrace:
> > 
> > Program terminated with signal 11, Segmentation fault.
> > [New process 1580]
> > #0  0x0017451d in kssl_keytab_is_available () from /lib/libssl.so.6
> > (gdb) bt
> > #0  0x0017451d in kssl_keytab_is_available () from /lib/libssl.so.6
> > 
> 
> This one looks like some openssl bug. What's strange is that it's in
> some kerberos code, which is supposed to be disabled.

It seems there is a code path inside openssl, for which the old disable
kerberos trick does not work and causes crashes instead. Probably we
haven't seen it before because we didn't try a client that advertised
KRB5 key exchange and an openssl compiled with kerberos support.
The proper fix is to upgrade to a newer openssl (real 0.9.8e or above).
For people stuck with older openssl versions, I will try to find a way to
disable kerberos in a better way.

Could you try in the same configuration (no RSA workaround on the
phone), but with the following tls module options:

modparam("tls", "cipher_list", "DEFAULT:!KRB5")

If this works, please try also the RSA stuff on the phone and see if it
still crashes in that case (although that case might be unrelated).
If everything is ok I'll add it to the code, so that it will be done
automatically for openssl < 0.9.8e release.

Note that another very strange thing is the version number.

