[SR-Users] TLS not enough memory issue with git master

Daniel-Constantin Mierla miconda at gmail.com
Tue Nov 17 14:50:21 CET 2015 

Can you run the following commands:

kamcmd cfg.set_now_int core memlog 1
kamcmd corex.shm_summary

Then grab the log messages from syslog related to shared memory summary
and send them over here.

Cheers,
Daniel

On 17/11/15 14:31, Anthony Messina wrote:
> After I reported last night, I restarted Kamailio and even though the 5 UACs 
> did nothing but ensure they had a registration overnight, this morning the 
> issue has recurred.  The following is the output you requested.  Not sure how 
> the memory is being used up by Kamailio.
>
> # kamctl stats shmem
> shmem:fragments = 181
> shmem:free_size = 8922584
> shmem:max_used_size = 58243792
> shmem:real_used_size = 58186280
> shmem:total_size = 67108864
> shmem:used_size = 54346088
>
>
> On Tuesday, November 17, 2015 09:03:24 AM Daniel-Constantin Mierla wrote:
>> As you are using the master branch (development), do you run latest version?
>>
>> Can you look at available shared memory?
>>
>> kamctl stats shmem
>>
>> Check it over time and see if the free memory is decreasing.
>>
>> Cheers,
>> Daniel
>>
>> On 17/11/15 00:44, Anthony Messina wrote:
>>> I have noticed the following issue which began with builds somewhere
>>> between git master commits bff0a08 and 6173ef7. I did not see this issue
>>> with my previous builds and haven't been able to pin down the problem,
>>> which is why I haven't formally filed a bug.
>>>
>>> Any help or guidance is appreciated, because this has crippled my use of
>>> Kamailio.  Only a restart enables it to work again until the issue recurs.
>>>
>>> ERROR: tls [tls_server.c:189]: tls_complete_init(): tls: ssl bug #1491
>>> workaround: not enough memory for safe operation: 8870536
>>> ERROR: <core> [tcp_read.c:1303]: tcp_read_req(): ERROR: tcp_read_req:
>>> error
>>> reading
>>>
>>> I currently build against and run openssl-1.0.1k-12.fc22.x86_64.
>>>
>>> I have a very small operation and the only change on the operational side
>>> is that all 5 of my mobile UACs (yes, that's all) have switched from
>>> CSipSimple/Android to Zoiper/Android, which doesn't yet have support for
>>> client-side certificates so verify_certificate and require_certificate are
>>> off for both the server and client config.
>>>
>>> The server is started with:
>>> /usr/sbin/kamailio -P /run/kamailio/kamailio.pid -m 64 -M 8
>>>
>>> I have tried modifying the shared mem to 128 but the issue still occurs.
>>>
>>> Even right now, I am seeing the error when only one UAC has established a
>>> TLS connection:
>>>
>>> # kamcmd tls.list
>>> {
>>>
>>>         id: 572
>>>         timeout: 3475
>>>         src_ip: 10.77.79.156
>>>         src_port: 58688
>>>         dst_ip: 10.77.79.3
>>>         dst_port: 5061
>>>         cipher: ECDHE-RSA-RC4-SHA  SSLv3 Kx=ECDH Au=RSA  Enc=RC4(128)
>>>         Mac=SHA1
>>>         ct_wq_size: 0
>>>         enc_rd_buf: 0
>>>         flags: 2
>>>         state: established
>>>
>>> }
>>>
>>> # kamailio.cfg
>>> enable_tls=yes
>>> loadmodule "tls.so"
>>> modparam("tls", "connection_timeout", 60)
>>> #modparam("tls", "tls_log", 1)
>>> #modparam("tls", "tls_debug", 1)
>>> #modparam("tls", "low_mem_threshold1", -1)
>>> #modparam("tls", "low_mem_threshold2", 0)
>>> modparam("tls", "session_cache", 1)
>>>
>>> # tls.cfg
>>> [server:default]
>>> method = TLSv1+
>>> verify_certificate = no
>>> require_certificate = no
>>> private_key = /etc/kamailio/example.org.key.pem
>>> certificate = /etc/kamailio/example.org.crt.pem
>>> server_name = example.org
>>> cipher_list =
>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-
>>> AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES
>>> 256-
>>> SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-
>>> SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-
>>> SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-
>>> SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-
>>> SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
>>>
>>> [client:default]
>>> method = TLSv1+
>>> verify_certificate = no
>>> require_certificate = no
>>> private_key = /etc/kamailio/example.org.key.pem
>>> certificate = /etc/kamailio/example.org.crt.pem
>>> cipher_list =
>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-
>>> AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES
>>> 256-
>>> SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-
>>> SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-
>>> SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-
>>> SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-
>>> SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
>>>
>>>
>>> Thanks.  -Anthony

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com
Kamailio Advanced Training, Nov 30-Dec 2, Berlin - http://asipto.com/kat

More information about the sr-users mailing list