[SR-Users] Can't start Kamailio with both db_postgres and tls

Øyvind Kolbu oyvind.kolbu at usit.uio.no
Mon Dec 15 14:03:18 CET 2014


Hi,

I'm trying to add tls to our services, but seem hindered by "something".
When enabling the tls module it seems to turn off the SSL setting in
postgresql, and since we require SSL on our postgres servers Kamailio
can't connect and it fails to start.

If I disable WITH_TLS it will start. If I comment out the sqlops 
modparam it will also start.

Kamailio on RHEL6, from ~4.1.6 git rev 
2f690887b45dbc49a8038b1fa041d47cd9ae39ea.

# kamailio -V
version: kamailio 4.1.6 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS, 
DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, 
DBG_QM_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, 
USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, 
MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled on 16:48:10 Sep 26 2014 with gcc 4.4.7

Very simple config file:

debug=3
log_stderror=no
log_facility=LOG_LOCAL0

fork=yes
children=2

#!define TLSFILE "/kamailio/tls-fooserver1.cfg"

port=5060

#!define WITH_TLS
#!ifdef WITH_TLS
enable_tls=yes
#!endif

include_file "/kamailio/databases.cfg"

loadmodule "tm.so"              # Transaction (stateful) module
loadmodule "tmx.so"             # Extensions from Kamailio TM module
loadmodule "sl.so"              # Stateless replier module
loadmodule "rr.so"              # Record-Route and Route module
loadmodule "pv.so"              # Module holding Pseudo-Variables
loadmodule "sqlops.so"          # SQL operations

loadmodule "db_postgres.so"     # POSTGRES-backend for database API module

#!ifdef WITH_TLS
loadmodule "tls.so"
#!endif

modparam("sqlops","sqlcon",SQLOPS_DATA)

#!ifdef WITH_TLS
modparam("tls", "config", TLSFILE)
#!endif

route{
     exit;
}

SQLOPS_DATA is just a normal "data=>postgres://user:pass@server/db".

TLSFILE contains:
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /ssl/key
certificate = /ssl/cert
ca_list = /ssl/terena_chain2.pem

[client:default]
verify_certificate = no
require_certificate = no

From messages on startup:

Dec 15 13:50:19 fooserver1 kamailio[12115]: INFO: tls [tls_init.c:385]: 
init_tls_compression(): tls: init_tls: disabling compression...
Dec 15 13:50:19 fooserver1 kamailio[12115]: INFO: <core> 
[tcp_main.c:4836]: init_tcp(): init_tcp: using epoll_lt as the io watch 
method (auto detected)
Dec 15 13:50:19 fooserver1 kamailio[12118]: WARNING: <core> 
[daemonize.c:352]: daemonize(): pid file contains old pid, replacing pid
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: rr 
[../outbound/api.h:54]: ob_load_api(): Failed to import bind_ob
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: rr 
[rr_mod.c:159]: mod_init(): outbound module not available
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_mod.c:346]: mod_init(): With ECDH-Support!
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_mod.c:349]: mod_init(): With Diffie Hellman
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_init.c:549]: init_tls_h(): tls: _init_tls_h:  compiled  with 
openssl  version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), 
kerberos support: on, compression: on
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_init.c:557]: init_tls_h(): tls: init_tls_h: installed openssl 
library version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos 
support: on,  zlib compression: on#012 compiler: gcc -fPIC -DO
PENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe 
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY 
-DOPEN
SSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM 
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: WARNING: tls 
[tls_init.c:611]: init_tls_h(): tls: openssl bug #1491 (crash/mem leaks 
on low memory) workaround enabled (on low memory tls operations will 
fail preemptively) with free memory thresholds 5242880 and
  2621440 bytes
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> 
[cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): 
tls.low_mem_threshold1 has been changed to 5242880
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> 
[cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): 
tls.low_mem_threshold2 has been changed to 2621440
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> 
[udp_server.c:176]: probe_max_receive_buffer(): INFO: udp_init: 
SO_RCVBUF is initially 124928
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> 
[udp_server.c:227]: probe_max_receive_buffer(): INFO: udp_init: 
SO_RCVBUF is finally 249856
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> 
[udp_server.c:176]: probe_max_receive_buffer(): INFO: udp_init: 
SO_RCVBUF is initially 124928
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> 
[udp_server.c:227]: probe_max_receive_buffer(): INFO: udp_init: 
SO_RCVBUF is finally 249856
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:275]: fill_missing(): TLSs<default>: tls_method=9
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:287]: fill_missing(): TLSs<default>: 
certificate='/path/ssl/fooserver1.uio.no.crt'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:294]: fill_missing(): TLSs<default>: 
ca_list='/voip/packages/mgmt/ssl/terena_chain2.pem'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:301]: fill_missing(): TLSs<default>: crl='(null)'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:305]: fill_missing(): TLSs<default>: require_certificate=0
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:312]: fill_missing(): TLSs<default>: cipher_list='(null)'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:319]: fill_missing(): TLSs<default>: 
private_key='/path/ssl/fooserver1.uio.no.key'
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:323]: fill_missing(): TLSs<default>: verify_certificate=0
Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:326]: fill_missing(): TLSs<default>: verify_depth=9
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:670]: set_verification(): TLSs<default>: No client 
certificate required and no checks performed
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:275]: fill_missing(): TLSc<default>: tls_method=9
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:287]: fill_missing(): TLSc<default>: certificate='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:294]: fill_missing(): TLSc<default>: ca_list='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:301]: fill_missing(): TLSc<default>: crl='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:305]: fill_missing(): TLSc<default>: require_certificate=0
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:312]: fill_missing(): TLSc<default>: cipher_list='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:319]: fill_missing(): TLSc<default>: private_key='(null)'
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:323]: fill_missing(): TLSc<default>: verify_certificate=0
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:326]: fill_missing(): TLSc<default>: verify_depth=9
Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls 
[tls_domain.c:673]: set_verification(): TLSc<default>: Server MAY 
present invalid certificate
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: db_postgres 
[km_pg_con.c:82]: db_postgres_new_connection(): SSL SYSCALL error: 
Resource temporarily unavailable#012FATAL:  no pg_hba.conf entry for 
host "129.240.1.1", user "foo_test_user", database "
foo_test", SSL off#012
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: db_postgres 
[km_pg_con.c:95]: db_postgres_new_connection(): cleaning up 
0x7fce98be0c78=pkg_free()
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core> 
[db.c:322]: db_do_init2(): could not add connection to the pool
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: sqlops 
[sql_api.c:166]: sql_connect(): failed to connect to the database [data]
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core> 
[sr_module.c:927]: init_mod_child(): init_mod_child(): Error while 
initializing module sqlops (/usr/lib64/kamailio/modules/sqlops.so)
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core> 
[pt.c:490]: fork_tcp_process(): ERROR: fork_tcp_process(): init_child 
failed for process 7, pid 12125, "tcp receiver (generic) child=0"
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core> 
[tcp_main.c:4962]: tcp_init_children(): ERROR: tcp_main: fork failed: 
Success
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12118]: ALERT: <core> 
[main.c:774]: handle_sigs(): child process 12125 exited normally, status=255
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core> 
[main.c:792]: handle_sigs(): INFO: terminating due to SIGCHLD
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12126]: INFO: <core> 
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12124]: INFO: <core> 
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12123]: INFO: <core> 
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12122]: INFO: <core> 
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12121]: INFO: <core> 
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12120]: INFO: <core> 
[main.c:843]: sig_usr(): INFO: signal 15 received
Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12127]: INFO: <core> 
[main.c:843]: sig_usr(): INFO: signal 15 received

Any ideas?

Best regards,
Øyvind
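
Added example, not part of the original post: a Python triage helper that decodes the syslog `#012` escapes in the failing `db_postgres` line above and separates the connection attempts it records. It assumes libpq's default `sslmode=prefer` behaviour (try SSL, then retry without SSL); the function names are hypothetical and the sample is the post's log line with the mail wrapping removed.

```python
import re

# Failing line from the post's log, unwrapped (mail line breaks removed).
SAMPLE = (
    'Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: db_postgres '
    '[km_pg_con.c:82]: db_postgres_new_connection(): SSL SYSCALL error: '
    'Resource temporarily unavailable#012FATAL:  no pg_hba.conf entry for '
    'host "129.240.1.1", user "foo_test_user", database "foo_test", SSL off#012'
)

HBA_RE = re.compile(
    r'no pg_hba\.conf entry for host "(?P<host>[^"]+)", user "(?P<user>[^"]+)", '
    r'database "(?P<database>[^"]+)", SSL (?P<ssl>on|off)'
)


def decode_syslog(text):
    """Turn rsyslog #NNN octal escapes (e.g. #012 = newline) back into characters."""
    return re.sub(r'#([0-7]{3})', lambda m: chr(int(m.group(1), 8)), text)


def triage(line):
    """Split one db_postgres connection error into the attempts libpq reported."""
    marker = 'db_postgres_new_connection(): '
    if marker not in line:
        return None
    msg = decode_syslog(line.split(marker, 1)[1])
    attempts = [part.strip() for part in msg.split('\n') if part.strip()]
    result = {'attempts': attempts, 'ssl_failed_locally': False, 'rejected': None}
    for part in attempts:
        # Client-side TLS failure reported by libpq before any server verdict.
        if part.startswith(('SSL SYSCALL error', 'SSL error')):
            result['ssl_failed_locally'] = True
        m = HBA_RE.search(part)
        if m:
            result['rejected'] = m.groupdict()
    # Pattern in the post: the SSL attempt died, then the server refused
    # the non-SSL retry because pg_hba.conf only admits SSL connections.
    result['fallback_refused'] = bool(
        result['ssl_failed_locally']
        and result['rejected'] and result['rejected']['ssl'] == 'off')
    return result


if __name__ == '__main__':
    print(triage(SAMPLE))
```

When `fallback_refused` is true, the `SSL off` text describes the retry, so the place to look is the earlier client-side SSL failure rather than the PostgreSQL server's access rules.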


