[OpenSER-Users] TLS Registrations start dropping?

Chris Heiser cheiser at config.name
Fri Nov 9 09:09:12 CET 2007 


On Fri, 9 Nov 2007, Klaus Darilion wrote:

>
>
> Chris Heiser schrieb:
>> 
>> 
>> On Fri, 9 Nov 2007, Klaus Darilion wrote:
>> 
>>> 
>>> 
>>> Chris Heiser schrieb:
>>>> Information on TLS and OpenSER with this specific issues seems to be 
>>>> scarce.
>>>> 
>>>> I have 2 different setups.  One with about 130 registrations, one with 
>>>> about 250.  Both with SSLv23 turned on, and TLS is enabled in the phones. 
>>>> What's odd is after some unknown amount of time, phones start dropping 
>>>> like files and fail to re-register.  (Our registration timer is set at 60 
>>>> seconds to aid in failover).
>>> 
>>> Do all the phones register via TLS or only some phones register via DNS? 
>>> Do only the phones fail to REGISTER which use TLS or all of them?
>> 
>> Phones are configured to use TLS.  These are the only ones that drop. 
>> Anything registering over UDP keeps working fine.
>> 
>>> 
>>> Why do you use SSLv23? Using TLS would be the standard.
>> 
>> The same happens with just TLS.  I believe SSLv23 was enabled for some 
>> device that didn't do TLS properly.
>> 
>>> 
>>>> What's interesting is it appears that the SSL handshake completely fails 
>>>> when this starts to happen.  The requests from the phones are smaller in 
>>>> size (733 bytes about 970 for a good one).  Suspicion would normally lie 
>>>> with the phones.  They're obviously not doing something right!
>>> 
>>> What's about debugging the handshake? Use ssldump to debug the handshake. 
>>> There should also be some logs in openser's logfile.
>> 
>> That's just it.  ssldump shows an initial packet of 733 and it never 
>> handshakes.  It just stays angry.
>
> Can ssldump decode the initial packet (is the bug in this special initial 
> packet or is the bug in openser decoding this special initial packet)?
>
> When switching to the backup openser, does it accept the intial packets with 
> 773 bytes or does the phone change back to "good" initial packets?

I'll have to look into that.  What's your suspicion?


>
> klaus
>
>> 
>>> 
>>> regards
>>> klaus
>>> 
>>> 
>>>> 
>>>> Here's the kicker.  If I fail over to another OpenSER proxy (we move the 
>>>> IP over, use the same certs, etc...) everyone comes back up, and 
>>>> everything is happy for hours, maybe a day, maybe a week, and then it all 
>>>> starts going downhill again.
>>>> 
>>>> I've increased the number of OpenSER children, I've played with the 
>>>> tcp_persistent_flag.  None of these things have stopped the madness.
>>>> 
>>>> Anyone have any ideas or thoughts?
>>>> 
>>>> --Chris
>>>> 
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.openser.org
>>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>> 
>

More information about the sr-users mailing list