[SR-Users] TLS not enough memory issue with git master

Daniel-Constantin Mierla miconda at gmail.com
Tue Nov 17 09:03:24 CET 2015


As you are using the master branch (development), do you run latest version?

Can you look at available shared memory?

kamctl stats shmem

Check it over time and see if the free memory is decreasing.

Cheers,
Daniel

On 17/11/15 00:44, Anthony Messina wrote:
> I have noticed the following issue which began with builds somewhere between 
> git master commits bff0a08 and 6173ef7. I did not see this issue with my 
> previous builds and haven't been able to pin down the problem, which is why I 
> haven't formally filed a bug.
>
> Any help or guidance is appreciated, because this has crippled my use of 
> Kamailio.  Only a restart enables it to work again until the issue recurs.
>
> ERROR: tls [tls_server.c:189]: tls_complete_init(): tls: ssl bug #1491 
> workaround: not enough memory for safe operation: 8870536
> ERROR: <core> [tcp_read.c:1303]: tcp_read_req(): ERROR: tcp_read_req: error 
> reading
>
> I currently build against and run openssl-1.0.1k-12.fc22.x86_64.
>
> I have a very small operation and the only change on the operational side is 
> that all 5 of my mobile UACs (yes, that's all) have switched from 
> CSipSimple/Android to Zoiper/Android, which doesn't yet have support for 
> client-side certificates so verify_certificate and require_certificate are off 
> for both the server and client config.
>
> The server is started with:
> /usr/sbin/kamailio -P /run/kamailio/kamailio.pid -m 64 -M 8
>
> I have tried modifying the shared mem to 128 but the issue still occurs.
>
> Even right now, I am seeing the error when only one UAC has established a TLS 
> connection:
>
> # kamcmd tls.list
> {
>         id: 572
>         timeout: 3475
>         src_ip: 10.77.79.156
>         src_port: 58688
>         dst_ip: 10.77.79.3
>         dst_port: 5061
>         cipher: ECDHE-RSA-RC4-SHA  SSLv3 Kx=ECDH Au=RSA  Enc=RC4(128) Mac=SHA1
>         ct_wq_size: 0
>         enc_rd_buf: 0
>         flags: 2
>         state: established
> }
>
> # kamailio.cfg
> enable_tls=yes
> loadmodule "tls.so"
> modparam("tls", "connection_timeout", 60)
> #modparam("tls", "tls_log", 1)
> #modparam("tls", "tls_debug", 1)
> #modparam("tls", "low_mem_threshold1", -1)
> #modparam("tls", "low_mem_threshold2", 0)
> modparam("tls", "session_cache", 1)
>
> # tls.cfg
> [server:default]
> method = TLSv1+
> verify_certificate = no
> require_certificate = no
> private_key = /etc/kamailio/example.org.key.pem
> certificate = /etc/kamailio/example.org.crt.pem
> server_name = example.org
> cipher_list = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-
> AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-
> SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-
> SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-
> SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-
> SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-
> SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
>
> [client:default]
> method = TLSv1+
> verify_certificate = no
> require_certificate = no
> private_key = /etc/kamailio/example.org.key.pem
> certificate = /etc/kamailio/example.org.crt.pem
> cipher_list = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-
> AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-
> SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-
> SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-
> SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-
> SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-
> SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
>
>
> Thanks.  -Anthony
>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com
Kamailio Advanced Training, Nov 30-Dec 2, Berlin - http://asipto.com/kat

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20151117/a73650b0/attachment.html>


More information about the sr-users mailing list