[SR-Users] TLS Certificate Verification Issue
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Nov 7 13:29:14 CET 2012
Hi Kamal!
This looks like an openssl bug.
Which version of openssl do you use?
regards
Klaus
On 29.10.2012 11:18, Kamal Palei wrote:
> Dear Klaus
> In tls_init.c file there is a function
> static void ser_free(void *ptr)
> {
>     shm_free(ptr);
> }
> I modified it to
> static void ser_free(void *ptr)
> {
>     if(ptr)
>         shm_free(ptr);
> }
> Just added a null check.
> During TLS connection close it was crashing.
> In case you need the complete stack trace, please let me know; I will revert
> the code change, reproduce the issue and can get the backtrace.
> Best Regards
> kamal
>
>
> On Mon, Oct 29, 2012 at 3:26 PM, Klaus Darilion
> <klaus.mailinglists at pernau.at> wrote:
>
> Hi Kamal!
>
> Is the fix in standard Kamailio code or in code you have written
> yourself (a proprietary module)?
>
> If the problem is in the standard code please send us a diff so we
> can fix Kamailio.
>
> regards
> Klaus
>
>
> On 29.10.2012 10:53, Kamal Palei wrote:
>
> Dear Klaus
> Forgot to write you back the other day. I was able to trace the code that was
> crashing. It was trying to free a pointer that was null. I just added a
> null check. With this change, I am able to keep Kamailio up for a longer
> duration, did not see the crash.
> Thanks Klaus for your support.
> kamal
>
>
> On Mon, Oct 29, 2012 at 3:14 PM, Klaus Darilion
> <klaus.mailinglists at pernau.at> wrote:
>
> See also:
> http://www.kamailio.org/dokuwiki/doku.php/troubleshooting:corefiles
>
>
> On 26.10.2012 11:39, Kamal Palei wrote:
>
> Dear Klaus
>
> I am a little bit new to Linux debugging. Please let me know the below
> stuff.
>
> 1. What's the extension of the core file?
>
> The core file does not have an extension, it is usually just called
> "core.XXXX" where XXXX is the process id of the crashed Kamailio
> process. It will reside in the current working directory.
>
> 2. Will the core files be generated in /home/user path or some other
> default path?
>
> In the /etc/init.d/kamailio startup file you can configure the core
> pattern to be set before Kamailio is started. Then the core files
> will use the defined naming.
>
> On Debian also activate core dumps by editing /etc/default/kamailio
>
> 3. Do I need to recompile Kamailio source with -g option, or by default
> it is compiled with -g option?
>
> From your log file:
>
> 0(9548) ALERT: <core> [main.c:745]: core was generated
>
> You see, your binaries already generate core files. Thus, there is
> no need to rebuild Kamailio.
>
> 4. I hope we need to run "ulimit" before we start the program or it is
> not required.
>
> Usually you run "ulimit -c unlimited" before starting the Kamailio
> process to be sure that the core will not be truncated.
>
> My observation is if I run directly kamailio it is crashing, if I run
> with gdb it is not crashing, not sure why this happens.
>
> Strange. But once you have a core file, you can analyze it and
> generate the backtrace.
>
> Also make sure to not mix openssl libraries - this is often a problem.
>
> regards
> Klaus
>
>
> Best Regards
> kamal
>
>
>
> On Thu, Oct 25, 2012 at 8:01 PM, Klaus Darilion
> <klaus.mailinglists at pernau.at> wrote:
>
> SIGABRT 6 Core Abort signal from abort(3)
>
> This means that there was an error condition detected in the
> Kamailio code and the abort(3) function was called. As you see in
> the logs a core file was generated. Find the core file and load it
> into gdb and execute "backtrace". It will show you where the problem
> happened and post it here.
>
> regards
> Klaus
>
>
> On 25.10.2012 16:23, Kamal Palei wrote:
>
> Dear Klaus
> The certificate verification I have disabled.
>
> Facing a new problem.
> When there is a connection reset, that time Kamailio is crashing.
> During crash, I get below logs. Any idea why it is crashing and how can
> I avoid it.
>
> root at B2BUA:/usr/local/src/scripts#
>  9(9557) : <core> [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil) (out of memory block!) - aborting
>  0(9548) ALERT: <core> [main.c:742]: child process 9557 exited by a signal 6
>  0(9548) ALERT: <core> [main.c:745]: core was generated
>  0(9548) INFO: <core> [main.c:757]: INFO: terminating due to SIGCHLD
>  6(9554) INFO: <core> [main.c:808]: INFO: signal 15 received
>  8(9556) INFO: <core> [main.c:808]: INFO: signal 15 received
>  4(9552) INFO: <core> [main.c:808]: INFO: signal 15 received
>  5(9553) INFO: <core> [main.c:808]: INFO: signal 15 received
>  3(9551) INFO: <core> [main.c:808]: INFO: signal 15 received
>  7(9555) INFO: <core> [main.c:808]: INFO: signal 15 received
>  1(9549) INFO: <core> [main.c:808]: INFO: signal 15 received
>  2(9550) INFO: <core> [main.c:808]: INFO: signal 15 received
>  0(9548) : <core> [mem/q_malloc.c:431]: BUG: qm_free: bad pointer (nil) (out of memory block!) - aborting
>
> THANKS
> kamal
>
> On Thu, Oct 25, 2012 at 7:43 PM, Klaus Darilion
> <klaus.mailinglists at pernau.at> wrote:
>
> Hi Kamal!
>
> Are you familiar with SSL/TLS and certificates? With TLS the trust
> between TLS server and TLS client is usually via a trusted
> certification authority (CA). For example, if the intermediate proxy
> uses a certificate which is issued by CA FOOBAR-XYZ, then you have to
> configure Kamailio to accept certificates signed by FOOBAR-XYZ. This
> is done by copying the public root certificate of FOOBAR-XYZ to the
> Kamailio server and configure Kamailio to use the FOOBAR-XYZ
> certificate as trusted CA. Of course then you automatically also
> trust all other certificates issued by FOOBAR-XYZ.
>
> To configure the trusted CAs use:
> http://kamailio.org/docs/modules/3.3.x/modules/tls.html#ca_list
>
> You could also disable the certificate validation with:
> http://kamailio.org/docs/modules/3.3.x/modules/tls.html#verify_certificate
>
> But of course this reduces TLS benefits to encryption-only.
>
> regards
> Klaus
>
>
> On 22.10.2012 13:53, Kamal Palei wrote:
>
> Dear All
> I have modified kamailio.cfg and compiled all the modules with TLS
> enabled, and able to bring up the kamailio proxy properly.
>
> Kamailio proxy will receive the REGISTER message from endpoints in UDP,
> and want to send this REGISTER message to another intermediate proxy in
> TLS. For this purpose, I have added few lines in kamailio.cfg
> file as below.
>
> I have created the certificates, private keys as explained by README
> file in kamailio-3.1.5/modules/tls/ path.
>
> if(is_method("REGISTER"))
> {
>     t_relay_to("tls:115.114.48.75:443");
>     exit();
> }
>
> Looks like this is taking effect. When Kamailio receives REGISTER
> message it is trying to do handshake with intermediate proxy.
> I used wireshark to see the handshake messages.
>
> 1. From Kamailio proxy, a TCP SYNC message is going to intermediate proxy.
> 2. intermediate proxy sends SYNC + ACK
> 3. Kamailio sends CLIENT HELLO
> 4. intermediate proxy sends SERVER HELLO, CERTIFICATE and SERVER HELLO DONE
> 5. The Kamailio sends ALERT (Level: Fatal, Description: Unknown CA)
>    ---> IS something going wrong here..............
> 6. Then Kamailio sends FIN + ACK
>
> Can somebody please let me know why the certificate verification fails
> (I get this log in console).
> How can I put a work around to avoid certification verification failure.
>
> Best Regards
> kamal
>
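The NULL guard Kamal describes adding to ser_free, as an added, self-contained example (not Kamailio code and not posted in the thread): a toy pool allocator whose strict free rejects NULL, the condition reported by the `qm_free: bad pointer (nil)` log line, with a NULL-tolerant callback in front of it. The names pool_malloc, pool_free_strict and lib_free_cb are hypothetical, and the example assumes the callback is invoked by a library that expects free(NULL) to be a no-op.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy fixed pool standing in for a shared-memory allocator.
 * Every name here is hypothetical; none of it is Kamailio code. */
#define POOL_SIZE 1024u
#define MAGIC 0xA110CA7Eu
struct hdr { uint32_t magic, size; uint64_t pad; };   /* 16-byte block header */
static _Alignas(16) unsigned char pool[POOL_SIZE];
static size_t pool_used, live_blocks;

void *pool_malloc(size_t n) {
    size_t need = sizeof(struct hdr) + ((n + 15u) & ~(size_t)15u);
    if (n == 0 || n > POOL_SIZE || need > POOL_SIZE - pool_used) return NULL;
    struct hdr *h = (struct hdr *)(pool + pool_used);
    h->magic = MAGIC; h->size = (uint32_t)n;
    pool_used += need; live_blocks++;
    return h + 1;
}

/* Strict free: validates before touching the header. Returns 0 on success,
 * -1 for a pointer outside the pool (NULL included), -2 for a bad header
 * or a double free. An allocator in this style may log and abort() instead. */
int pool_free_strict(void *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)pool;
    if (a < base + sizeof(struct hdr) || a >= base + pool_used || (a - base) % 16)
        return -1;
    struct hdr *h = (struct hdr *)p - 1;
    if (h->magic != MAGIC) return -2;
    h->magic = 0;                 /* mark freed so a second free is caught */
    live_blocks--;
    return 0;
}

/* Free callback handed to a library: callers may rely on free(NULL) being
 * a no-op, so NULL is filtered here and everything else stays strict. */
int lib_free_cb(void *p) {
    return p ? pool_free_strict(p) : 0;
}

int main(void) {
    void *p = pool_malloc(32);
    int a = pool_free_strict(NULL), b = lib_free_cb(NULL);
    int c = lib_free_cb(p), d = lib_free_cb(p);
    printf("strict(NULL)=%d cb(NULL)=%d cb(p)=%d cb(p) again=%d\n", a, b, c, d);
    return 0;
}
```

The guard filters only NULL: a double free or a pointer from outside the pool still reaches the strict check and is reported.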