[sr-dev] running out of mysql connections when [group] is given

Daniel-Constantin Mierla miconda at gmail.com
Wed Jan 28 14:13:58 CET 2015


On 22/01/15 16:51, Matthew Jordan wrote:
>
>
> On Thu, Jan 22, 2015 at 2:47 AM, Olle E. Johansson <oej at edvina.net> wrote:
>
>
>     On 21 Jan 2015, at 21:52, Juha Heinanen <jh at tutpro.com> wrote:
>
>     > Juha Heinanen writes:
>     >
>     >> when [group] thing didn't work, i added
>     >>
>     >> ssl-ca=/etc/mysql/cacert.pem
>     >>
>     >> to [client] section of my.cfg that kamailio according to db_mysql/README
>     >> is reading.
>     >>
>     >> after that, kamailio started ok, but didn't use ssl for mysql queries.
>     >>
>     >> what is it that i'm missing?  has anyone succeeded in making kamailio
>     >> query mysql server over ssl?
>     >
>     > based on zero responses, i guess the answer is "no".  if so, that pretty
>     > much prevents using kamailio in an environment where mysql service is
>     > provided by a cloud service, such as amazon ec2.
>     >
>     > should i put a note in db_mysql module README telling that we don't
>     > currently know, which [client] params of my.cfg the module supports?
>
>     We've seen reports of issues with Postgresql with TLS too, I don't know
>     what happened, but I think we need to focus on both and fix this.
>
>     There is a known general problem with libraries using OpenSSL - I don't
>     know if this has been looked at in Kamailio, but we did a fix in
>     Asterisk a while ago.
>     If you have modules using libraries that use OpenSSL - like we have in
>     Curl, Mysql, Postgres and possibly other modules - as well as our own
>     use in the TLS module - there's a risk that OpenSSL gets initialized too
>     many times and bad things happen.  ("Bad things" need to be defined here).
>
>     I think Kevin did a library trick with the linker so that Asterisk
>     catches these initialization calls first and uses just one. Asterisk is
>     multithreaded and Kamailio is multiprocess, so I don't know how this
>     affects Kamailio or if we can get some inspiration by this fix.
>
>     Rambling a bit, but trying to point in some sort of general direction. :-)
>
>     I will put on my list to set up a lab with Mysql TLS connections and try.
>
>
> Just chiming in to point out the magic module Olle is referring to:
>
> http://svn.asterisk.org/svn/asterisk/trunk/main/libasteriskssl.c
>
> For context, the peer review for the patch that fixed this issue is here:
>
> https://reviewboard.asterisk.org/r/1006/
>
> Although due to some issues in review board, part of the patch doesn't
> show up (hence the link to the actual source).
>
Interesting approach, temporarily replacing the libssl functions and
calling the original ones later.

In this case it wouldn't have worked because the postgres module is
used to connect to the database (e.g., some modules load records from
the database during module initialization), so libssl must be properly
initialized by the phase of opening a tls connection.

I broke the initialization process into a few phases, which allows
libssl to be initialized before any other module, and it seems to work,
based on the feedback of whoever reported the issue.

The MySQL issue was something different, related more to mysql client config.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
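
Added example, not part of the original message or of the Kamailio project: the report quoted above describes Kamailio starting normally but not using SSL for its MySQL queries, and the server side is where that can be confirmed. The account name 'kamailio'@'%' is hypothetical, and the performance_schema query assumes MySQL 5.7 or later, which is newer than this thread.

```sql
-- Added example; the account 'kamailio'@'%' is a hypothetical name.

-- 1. From inside the session being tested: an empty Value means the
--    connection is not encrypted, whatever the client option file says.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- 2. From an admin session (MySQL 5.7+ performance_schema): list every live
--    connection of the account together with the cipher it negotiated.
SELECT t.PROCESSLIST_ID   AS conn_id,
       t.PROCESSLIST_HOST AS client_host,
       IF(s.VARIABLE_VALUE = '', 'PLAINTEXT', s.VARIABLE_VALUE) AS tls_cipher
FROM performance_schema.threads t
JOIN performance_schema.status_by_thread s
  ON s.THREAD_ID = t.THREAD_ID
WHERE s.VARIABLE_NAME = 'Ssl_cipher'
  AND t.PROCESSLIST_USER = 'kamailio';

-- 3. Turn the silent fallback into a hard failure: the server rejects any
--    login for this account that does not arrive over TLS.
ALTER USER 'kamailio'@'%' REQUIRE SSL;                 -- MySQL 5.7 and later
-- GRANT USAGE ON *.* TO 'kamailio'@'%' REQUIRE SSL;   -- older servers
```

With step 3 in place, a client that ignores its ssl-ca setting fails to connect instead of running its queries unencrypted.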
