[SR-Users] memory allocation failure while reading ca_list
Daniel-Constantin Mierla
miconda at gmail.com
Mon Mar 19 11:07:51 CET 2012
On 3/19/12 10:47 AM, Juha Heinanen wrote:
> Daniel-Constantin Mierla writes:
>
>> Is this by one ca_list only, or do you have many tls domains, each with
>> own profile?
> just a single ca_list and tls domain. my tls.cfg looks like this:
>
> [client:default]
> verify_certificate = yes
> require_certificate = yes
> tls_method = TLSv1
> private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
> certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
> #ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
> ca_list = /etc/ssl/certs/ca-certificates.crt
>
> [server:default]
> verify_certificate = no
> require_certificate = no
> tls_method = SSLv23
> private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
> certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
> #ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
> ca_list = /etc/ssl/certs/ca-certificates.crt
>
> sending over tls works fine if i use line
>
> ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
>
> where cert.pem contains just three ca certs one of them being cacert.org
> ca cert that i use in this test.

I guess it is loaded two times, for the server and client profiles. Try
to set it via the dedicated module parameter and see if you get better
memory usage:

http://kamailio.org/docs/modules/stable/modules/tls.html#ca_list

Overall, libssl and tls in general are known to be very greedy with
memory. Maybe Andrei or Jan are available to write more details about
it, as they implemented specific parts (also workarounds for libssl
bugs) of the tls module.

For a heavily loaded tls sip server, a lot of memory is important.

Cheers,
Daniel
--
Daniel-Constantin Mierla
Kamailio Advanced Training, April 23-26, 2012, Berlin, Germany
http://www.asipto.com/index.php/kamailio-advanced-training/
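
An added example (not part of the original message and not Kamailio code): a small Python check that parses a tls.cfg like the one quoted above, groups profiles by their ca_list path and counts the PEM certificates in each file, showing how many certificate loads result if, as guessed in the reply, every profile loads its own copy. The `read_file` callback and the sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the tls.cfg quoted in the message above.
SAMPLE_CFG = """\
[client:default]
verify_certificate = yes
#ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
ca_list = /etc/ssl/certs/ca-certificates.crt

[server:default]
verify_certificate = no
#ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
ca_list = /etc/ssl/certs/ca-certificates.crt
"""

SECTION = re.compile(r"^\[([^\]]+)\]$")
SETTING = re.compile(r"^(\w+)\s*=\s*(.*)$")


def parse_profiles(text):
    """Return {profile_name: {key: value}}, skipping '#' comment lines."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {})
            continue
        m = SETTING.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return profiles


def ca_list_report(cfg_text, read_file):
    """Map each ca_list path to (profiles using it, certs in file, total loads)."""
    # Assumption taken from the reply above: each profile loads its own copy.
    users = defaultdict(list)
    for name, settings in parse_profiles(cfg_text).items():
        if "ca_list" in settings:
            users[settings["ca_list"]].append(name)
    report = {}
    for path, names in users.items():
        n = read_file(path).count("-----BEGIN CERTIFICATE-----")
        report[path] = (names, n, n * len(names))
    return report
```

To run it against real files, pass `lambda p: open(p).read()` as `read_file` together with the contents of your own tls.cfg.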