[SR-Users] memory allocation failure while reading ca_list

[Jan Janak]

On Mon, Mar 19, 2012 at 05:32, Juha Heinanen <jh at tutpro.com> wrote:
> as i mentioned, with shared memory of 64MB, sip proxy started fine.
> however, it failed to send a request over tls:
>
> Mar 19 11:21:41 test /usr/sbin/sip-proxy[30293]: INFO: Routing INVITE <sip:044234567 at 192.98.102.10:8001;transport=tls>
> Mar 19 11:21:41 test /usr/sbin/sip-proxy[30293]: WARNING: <core> [forward.c:268]: WARNING: get_send_socket: protocol/port mismatch (forced udp:192.98.101.10:5060, to tls:192.98.102.10:8001)
> Mar 19 11:21:41 test /usr/sbin/sip-proxy[30293]: ERROR: tls [tls_server.c:150]: tls: ssl bug #1491 workaround: not enough memory for safe operation: 8473952
> Mar 19 11:21:41 test /usr/sbin/sip-proxy[30293]: ERROR: tm [../../forward.h:192]: msg_send: ERROR: tcp_send failed
> Mar 19 11:21:41 test /usr/sbin/sip-proxy[30293]: ERROR: tm [t_fwd.c:1385]: ERROR: t_send_branch: sending request on branch 0 failed
>
> this works ok when there is only a couple of certs in ca_list.
>
> there is 10M of free shared memory available.  is that not enough for
> "safe operation" or is this now pkg memory issue (i have the default 4M
> configured)?

I think you're seeing this because you don't have enough free shared
memory. When you load the whole Debian CA certificate list, it
probably does not leave enough memory left for openssl. The tls module
fails preemptively if there is not enough free memory left to prevent
openssl from crashing or causing memory leaks.

There are two configuration options that you can change:
low_mem_threshold1 (default 512 * 1024 * get_max_procs) and
low_mem_threshold2 (256 * 1024 * get_max_procs).

So you can either try to change one of the options or give the sip
proxy more shared memory.

Note that openssl is really memory hungry. By default it consumes over
65kB of memory per connection for various buffers.

-Jan