[sr-dev] running out of mysql connections when [group] is given

Matthew Jordan mjordan at digium.com
Thu Jan 22 16:51:33 CET 2015


On Thu, Jan 22, 2015 at 2:47 AM, Olle E. Johansson <oej at edvina.net> wrote:

>
> On 21 Jan 2015, at 21:52, Juha Heinanen <jh at tutpro.com> wrote:
>
> > Juha Heinanen writes:
> >
> >> when [group] thing didn't work, i added
> >>
> >> ssl-ca=/etc/mysql/cacert.pem
> >>
> >> to [client] section of my.cfg that kamailio according to db_mysql/README
> >> is reading.
> >>
> >> after that, kamailio started ok, but didn't use ssl for mysql queries.
> >>
> >> what is it that i'm missing?  has anyone succeeded in making kamailio
> >> query mysql server over ssl?
> >
> > based on zero responses, i guess the answer is "no".  if so, that pretty
> > much prevents using kamailio in an environment where mysql service is
> > provided by a cloud service, such as amazon ec2.
> >
> > should i put a note in db_mysql module README telling that we don't
> > currently know, which [client] params of my.cfg the module supports?
>
> We've seen reports of issues with Postgresql with TLS too, I don't know
> what happened, but I think we need to focus on both and fix this.
>
> There is a known general problem with libraries using OpenSSL - I don't
> know if this has been looked at in Kamailio, but we did a fix in Asterisk
> a while ago.
> If you have modules using libraries that use OpenSSL - like we have in
> Curl, Mysql, Postgres and possibly other modules - as well as our own use
> in the TLS module - there's a risk that OpenSSL gets initialized too many
> times and bad things happen.  ("Bad things" need to be defined here).
>
> I think Kevin did a library trick with the linker so that Asterisk
> catches these initialization calls first and uses just one. Asterisk is
> multithreaded and Kamailio is multiprocess, so I don't know how this
> affects Kamailio or if we can get some inspiration by this fix.
>
> Rambling a bit, but trying to point in some sort of general direction. :-)
>
> I will put it on my list to set up a lab with Mysql TLS connections and try.
>
>
Just chiming in to point out the magic module Olle is referring to:

http://svn.asterisk.org/svn/asterisk/trunk/main/libasteriskssl.c

For context, the peer review for the patch that fixed this issue is here:

https://reviewboard.asterisk.org/r/1006/

Although due to some issues in review board, part of the patch doesn't show
up (hence the link to the actual source).

Matt

-- 
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org