[SR-Users] Can't start Kamailio with both db_postgres and tls

Daniel-Constantin Mierla miconda at gmail.com
Mon Dec 15 16:07:34 CET 2014


Hello,

I see the error is:

Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: db_postgres
[km_pg_con.c:82]: db_postgres_new_connection(): SSL SYSCALL error:
Resource temporarily unavailable#012FATAL:  no pg_hba.conf entry for
host "129.240.1.1", user "foo_test_user",
database "foo_test", SSL off#012

TLS module is initializing the libssl instance, because it needs to set
the shared memory manager for handling tls connections. It was working
fine so far.

Can you get more from the above log message related to postgres? TLS
module initializes ok.

Cheers,
Daniel

On 15/12/14 14:03, Øyvind Kolbu wrote:
> Hi,
>
> I'm trying to add tls to our services, but seem hindered by
> "something". When enabling the tls
> module it seems to turn off the SSL setting in postgresql, and since
> we require SSL on our postgres servers
> Kamailio can't connect and it fails to start.
>
> If I disable WITH_TLS it will start. If I comment out the sqlops
> modparam it will also start.
>
> Kamailio on RHEL6, from ~4.1.6 git rev
> 2f690887b45dbc49a8038b1fa041d47cd9ae39ea.
>
> # kamailio -V
> version: kamailio 4.1.6 (x86_64/linux)
> flags: STATS: Off, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS,
> DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC,
> DBG_QM_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE,
> USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
> ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
> MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB
> poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
> id: unknown
> compiled on 16:48:10 Sep 26 2014 with gcc 4.4.7
>
> Very simple config file:
>
> debug=3
> log_stderror=no
> log_facility=LOG_LOCAL0
>
> fork=yes
> children=2
>
> #!define TLSFILE "/kamailio/tls-fooserver1.cfg"
>
> port=5060
>
> #!define WITH_TLS
> #!ifdef WITH_TLS
> enable_tls=yes
> #!endif
>
> include_file "/kamailio/databases.cfg"
>
> loadmodule "tm.so"              # Transaction (stateful) module
> loadmodule "tmx.so"             # Extensions from Kamailio TM module
> loadmodule "sl.so"              # Stateless replier module
> loadmodule "rr.so"              # Record-Route and Route module
> loadmodule "pv.so"              # Module holding Pseudo-Variables
> loadmodule "sqlops.so"          # SQL operations
>
> loadmodule "db_postgres.so"     # POSTGRES-backend for database API module
>
> #!ifdef WITH_TLS
> loadmodule "tls.so"
> #!endif
>
> modparam("sqlops","sqlcon",SQLOPS_DATA)
>
> #!ifdef WITH_TLS
> modparam("tls", "config", TLSFILE)
> #!endif
>
> route{
>     exit;
> }
>
> SQLOPS_DATA is just a normal "data=>postgres://user:pass@server/db".
>
> TLSFILE contains:
> [server:default]
> method = TLSv1
> verify_certificate = no
> require_certificate = no
> private_key = /ssl/key
> certificate = /ssl/cert
> ca_list = /ssl/terena_chain2.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> From messages on startup:
>
> Dec 15 13:50:19 fooserver1 kamailio[12115]: INFO: tls
> [tls_init.c:385]: init_tls_compression(): tls: init_tls: disabling
> compression...
> Dec 15 13:50:19 fooserver1 kamailio[12115]: INFO: <core>
> [tcp_main.c:4836]: init_tcp(): init_tcp: using epoll_lt as the io
> watch method (auto detected)
> Dec 15 13:50:19 fooserver1 kamailio[12118]: WARNING: <core>
> [daemonize.c:352]: daemonize(): pid file contains old pid, replacing pid
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: rr
> [../outbound/api.h:54]: ob_load_api(): Failed to import bind_ob
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: rr
> [rr_mod.c:159]: mod_init(): outbound module not available
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_mod.c:346]: mod_init(): With ECDH-Support!
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_mod.c:349]: mod_init(): With Diffie Hellman
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_init.c:549]: init_tls_h(): tls: _init_tls_h:  compiled  with
> openssl  version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f),
> kerberos support: on, compression: on
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_init.c:557]: init_tls_h(): tls: init_tls_h: installed openssl
> library version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f),
> kerberos support: on,  zlib compression: on#012 compiler: gcc -fPIC
> -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
> -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe
> -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack
> -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
> -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
> -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: WARNING: tls
> [tls_init.c:611]: init_tls_h(): tls: openssl bug #1491 (crash/mem
> leaks on low memory) workaround enabled (on low memory tls operations
> will fail preemptively) with free memory thresholds 5242880 and
>  2621440 bytes
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
> [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now():
> tls.low_mem_threshold1 has been changed to 5242880
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
> [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now():
> tls.low_mem_threshold2 has been changed to 2621440
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
> [udp_server.c:176]: probe_max_receive_buffer(): INFO: udp_init:
> SO_RCVBUF is initially 124928
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
> [udp_server.c:227]: probe_max_receive_buffer(): INFO: udp_init:
> SO_RCVBUF is finally 249856
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
> [udp_server.c:176]: probe_max_receive_buffer(): INFO: udp_init:
> SO_RCVBUF is initially 124928
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
> [udp_server.c:227]: probe_max_receive_buffer(): INFO: udp_init:
> SO_RCVBUF is finally 249856
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:275]: fill_missing(): TLSs<default>: tls_method=9
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:287]: fill_missing(): TLSs<default>:
> certificate='/path/ssl/fooserver1.uio.no.crt'
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:294]: fill_missing(): TLSs<default>:
> ca_list='/voip/packages/mgmt/ssl/terena_chain2.pem'
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:301]: fill_missing(): TLSs<default>: crl='(null)'
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:305]: fill_missing(): TLSs<default>: require_certificate=0
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:312]: fill_missing(): TLSs<default>: cipher_list='(null)'
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:319]: fill_missing(): TLSs<default>:
> private_key='/path/ssl/fooserver1.uio.no.key'
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:323]: fill_missing(): TLSs<default>: verify_certificate=0
> Dec 15 13:50:19 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:326]: fill_missing(): TLSs<default>: verify_depth=9
> Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:670]: set_verification(): TLSs<default>: No client
> certificate required and no checks performed
> Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:275]: fill_missing(): TLSc<default>: tls_method=9
> Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:287]: fill_missing(): TLSc<default>: certificate='(null)'
> Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:294]: fill_missing(): TLSc<default>: ca_list='(null)'
> Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:301]: fill_missing(): TLSc<default>: crl='(null)'
> Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:305]: fill_missing(): TLSc<default>: require_certificate=0
> Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:312]: fill_missing(): TLSc<default>: cipher_list='(null)'
> Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:319]: fill_missing(): TLSc<default>: private_key='(null)'
> Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:323]: fill_missing(): TLSc<default>: verify_certificate=0
> Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:326]: fill_missing(): TLSc<default>: verify_depth=9
> Dec 15 13:50:23 fooserver1 /usr/sbin/kamailio[12118]: INFO: tls
> [tls_domain.c:673]: set_verification(): TLSc<default>: Server MAY
> present invalid certificate
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR:
> db_postgres [km_pg_con.c:82]: db_postgres_new_connection(): SSL
> SYSCALL error: Resource temporarily unavailable#012FATAL:  no
> pg_hba.conf entry for host "129.240.1.1", user "foo_test_user",
> database "foo_test", SSL off#012
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR:
> db_postgres [km_pg_con.c:95]: db_postgres_new_connection(): cleaning
> up 0x7fce98be0c78=pkg_free()
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core>
> [db.c:322]: db_do_init2(): could not add connection to the pool
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: sqlops
> [sql_api.c:166]: sql_connect(): failed to connect to the database [data]
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core>
> [sr_module.c:927]: init_mod_child(): init_mod_child(): Error while
> initializing module sqlops (/usr/lib64/kamailio/modules/sqlops.so)
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core>
> [pt.c:490]: fork_tcp_process(): ERROR: fork_tcp_process(): init_child
> failed for process 7, pid 12125, "tcp receiver (generic) child=0"
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: <core>
> [tcp_main.c:4962]: tcp_init_children(): ERROR: tcp_main: fork failed:
> Success
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12118]: ALERT: <core>
> [main.c:774]: handle_sigs(): child process 12125 exited normally,
> status=255
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12118]: INFO: <core>
> [main.c:792]: handle_sigs(): INFO: terminating due to SIGCHLD
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12126]: INFO: <core>
> [main.c:843]: sig_usr(): INFO: signal 15 received
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12124]: INFO: <core>
> [main.c:843]: sig_usr(): INFO: signal 15 received
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12123]: INFO: <core>
> [main.c:843]: sig_usr(): INFO: signal 15 received
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12122]: INFO: <core>
> [main.c:843]: sig_usr(): INFO: signal 15 received
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12121]: INFO: <core>
> [main.c:843]: sig_usr(): INFO: signal 15 received
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12120]: INFO: <core>
> [main.c:843]: sig_usr(): INFO: signal 15 received
> Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12127]: INFO: <core>
> [main.c:843]: sig_usr(): INFO: signal 15 received
>
> Any ideas?
>
> Best regards,
> Øyvind

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
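
Added example, not part of the original thread: a small Python triage helper for the db_postgres error line quoted above. It undoes the syslog `#012` (newline) escapes, separates the individual libpq messages, and reports whether a failed SSL attempt was followed by a pg_hba.conf rejection of a connection with SSL off. The function names and the unwrapped sample line are constructed for illustration.

```python
import re

# Constructed sample: the db_postgres error from this thread, unwrapped onto one line.
SAMPLE = ('Dec 15 13:50:26 fooserver1 /usr/sbin/kamailio[12125]: ERROR: db_postgres '
          '[km_pg_con.c:82]: db_postgres_new_connection(): SSL SYSCALL error: '
          'Resource temporarily unavailable#012FATAL:  no pg_hba.conf entry for '
          'host "129.240.1.1", user "foo_test_user", database "foo_test", SSL off#012')

# syslog daemons write control characters as #NNN (octal); #012 is a newline.
SYSLOG_ESCAPE = re.compile(r'#([0-7]{3})')
PG_HBA = re.compile(r'no pg_hba\.conf entry for host "(?P<host>[^"]+)", '
                    r'user "(?P<user>[^"]+)", database "(?P<database>[^"]+)", '
                    r'SSL (?P<ssl>on|off)')


def unescape_syslog(text):
    """Turn #NNN octal escapes back into the characters they stand for."""
    return SYSLOG_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def diagnose(line):
    """Split one db_postgres log line into libpq messages and classify the failure."""
    # Everything after the function name is libpq's own error text.
    _, _, detail = line.partition('db_postgres_new_connection(): ')
    messages = [m.strip() for m in unescape_syslog(detail).split('\n') if m.strip()]
    result = {'messages': messages, 'ssl_attempt_failed': False, 'rejection': None}
    for msg in messages:
        if msg.startswith('SSL'):
            # The encrypted connection attempt itself failed on the client side.
            result['ssl_attempt_failed'] = True
        match = PG_HBA.search(msg)
        if match:
            # The server refused the connection; 'ssl' says how it arrived.
            result['rejection'] = match.groupdict()
    rej = result['rejection']
    # True when an SSL failure is followed by a rejected unencrypted connection.
    result['plaintext_fallback'] = bool(
        result['ssl_attempt_failed'] and rej and rej['ssl'] == 'off')
    return result


if __name__ == '__main__':
    for key, value in diagnose(SAMPLE).items():
        print(key, '=', value)
```

libpq reads `PGSSLMODE` from the environment when the connection string does not set `sslmode`; with `require` it does not retry without SSL, so only the SSL failure would be reported.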



