[SR-Users] TLS not enough memory issue with git master
Anthony Messina
amessina at messinet.com
Tue Nov 17 15:24:07 CET 2015
I wish that were the case...
# kamcmd core.tcp_info
{
readers: 2
max_connections: 2048
max_tls_connections: 2048
opened_connections: 0
opened_tls_connections: 0
write_queued_bytes: 0
}
# kamcmd tls.info
{
max_connections: 2048
opened_connections: 0
clear_text_write_queued_bytes: 0
}
On Tuesday, November 17, 2015 03:08:59 PM Daniel-Constantin Mierla wrote:
> Looks like a lot of connections being open, can you get the output for:
>
> kamcmd core.tcp_info
>
> kamcmd tls.info
>
> Cheers,
> Daniel
>
> On 17/11/15 14:59, Anthony Messina wrote:
> > Attached. -A
> >
> > On Tuesday, November 17, 2015 02:50:21 PM Daniel-Constantin Mierla wrote:
> >> Can you run the following commands:
> >>
> >> kamcmd cfg.set_now_int core memlog 1
> >> kamcmd corex.shm_summary
> >>
> >> Then grab the log messages from syslog related to shared memory summary
> >> and send them over here.
> >>
> >> Cheers,
> >> Daniel
> >>
> >> On 17/11/15 14:31, Anthony Messina wrote:
> >>> After I reported last night, I restarted Kamailio and even though the 5
> >>> UACs did nothing but ensure they had a registration overnight, this
> >>> morning the issue has recurred. The following is the output you
> >>> requested. Not sure how the memory is being used up by Kamailio.
> >>>
> >>> # kamctl stats shmem
> >>> shmem:fragments = 181
> >>> shmem:free_size = 8922584
> >>> shmem:max_used_size = 58243792
> >>> shmem:real_used_size = 58186280
> >>> shmem:total_size = 67108864
> >>> shmem:used_size = 54346088
> >>>
> >>> On Tuesday, November 17, 2015 09:03:24 AM Daniel-Constantin Mierla wrote:
> >>>> As you are using the master branch (development), do you run latest
> >>>> version?
> >>>>
> >>>> Can you look at available shared memory?
> >>>>
> >>>> kamctl stats shmem
> >>>>
> >>>> Check it over time and see if the free memory is decreasing.
> >>>>
> >>>> Cheers,
> >>>> Daniel
> >>>>
> >>>> On 17/11/15 00:44, Anthony Messina wrote:
> >>>>> I have noticed the following issue which began with builds somewhere
> >>>>> between git master commits bff0a08 and 6173ef7. I did not see this
> >>>>> issue with my previous builds and haven't been able to pin down the
> >>>>> problem, which is why I haven't formally filed a bug.
> >>>>>
> >>>>> Any help or guidance is appreciated, because this has crippled my use
> >>>>> of Kamailio. Only a restart enables it to work again until the issue
> >>>>> recurs.
> >>>>>
> >>>>> ERROR: tls [tls_server.c:189]: tls_complete_init(): tls: ssl bug #1491 workaround: not enough memory for safe operation: 8870536
> >>>>> ERROR: <core> [tcp_read.c:1303]: tcp_read_req(): ERROR: tcp_read_req: error reading
> >>>>>
> >>>>> I currently build against and run openssl-1.0.1k-12.fc22.x86_64.
> >>>>>
> >>>>> I have a very small operation and the only change on the operational
> >>>>> side is that all 5 of my mobile UACs (yes, that's all) have switched
> >>>>> from CSipSimple/Android to Zoiper/Android, which doesn't yet have
> >>>>> support for client-side certificates so verify_certificate and
> >>>>> require_certificate are off for both the server and client config.
> >>>>>
> >>>>> The server is started with:
> >>>>> /usr/sbin/kamailio -P /run/kamailio/kamailio.pid -m 64 -M 8
> >>>>>
> >>>>> I have tried modifying the shared mem to 128 but the issue still
> >>>>> occurs.
> >>>>>
> >>>>> Even right now, I am seeing the error when only one UAC has
> >>>>> established a TLS connection:
> >>>>>
> >>>>> # kamcmd tls.list
> >>>>> {
> >>>>>
> >>>>> id: 572
> >>>>> timeout: 3475
> >>>>> src_ip: 10.77.79.156
> >>>>> src_port: 58688
> >>>>> dst_ip: 10.77.79.3
> >>>>> dst_port: 5061
> >>>>> cipher: ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
> >>>>> ct_wq_size: 0
> >>>>> enc_rd_buf: 0
> >>>>> flags: 2
> >>>>> state: established
> >>>>>
> >>>>> }
> >>>>>
> >>>>> # kamailio.cfg
> >>>>> enable_tls=yes
> >>>>> loadmodule "tls.so"
> >>>>> modparam("tls", "connection_timeout", 60)
> >>>>> #modparam("tls", "tls_log", 1)
> >>>>> #modparam("tls", "tls_debug", 1)
> >>>>> #modparam("tls", "low_mem_threshold1", -1)
> >>>>> #modparam("tls", "low_mem_threshold2", 0)
> >>>>> modparam("tls", "session_cache", 1)
> >>>>>
> >>>>> # tls.cfg
> >>>>> [server:default]
> >>>>> method = TLSv1+
> >>>>> verify_certificate = no
> >>>>> require_certificate = no
> >>>>> private_key = /etc/kamailio/example.org.key.pem
> >>>>> certificate = /etc/kamailio/example.org.crt.pem
> >>>>> server_name = example.org
> >>>>> cipher_list = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
> >>>>>
> >>>>> [client:default]
> >>>>> method = TLSv1+
> >>>>> verify_certificate = no
> >>>>> require_certificate = no
> >>>>> private_key = /etc/kamailio/example.org.key.pem
> >>>>> certificate = /etc/kamailio/example.org.crt.pem
> >>>>> cipher_list = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
> >>>>>
> >>>>>
> >>>>> Thanks. -Anthony
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
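
Added example, not part of the original thread and not Kamailio code: a small checker for the "check it over time" step, which parses `kamctl stats shmem` snapshots and flags a falling free_size alongside the zero connection count shown by `kamcmd core.tcp_info`. The earlier snapshot, the 8-hour interval, the 10 MiB floor and the 50% heuristic are assumptions made for illustration.

```python
import re

STAT = re.compile(r"^\s*shmem:(\w+)\s*=\s*(\d+)\s*$")

# Snapshot copied from the thread.
LATER = """shmem:fragments = 181
shmem:free_size = 8922584
shmem:max_used_size = 58243792
shmem:real_used_size = 58186280
shmem:total_size = 67108864
shmem:used_size = 54346088"""

# Constructed snapshot standing in for "just after restart" (not from the thread).
EARLIER = """shmem:free_size = 60000000
shmem:real_used_size = 7108864
shmem:total_size = 67108864"""

def parse_shmem(text):
    """Turn `kamctl stats shmem` output into {counter_name: int}."""
    return {m.group(1): int(m.group(2))
            for m in map(STAT.match, text.splitlines()) if m}

def assess(samples, open_tls, min_free):
    """samples: [(unix_seconds, stats)], oldest first. Returns findings."""
    findings = []
    (t0, first), (t1, last) = samples[0], samples[-1]
    drop = first["free_size"] - last["free_size"]
    if drop > 0 and t1 > t0:
        findings.append("free_size falling by %d bytes/hour"
                        % (drop * 3600 // (t1 - t0)))
    if last["free_size"] < min_free:
        findings.append("free_size %d below threshold %d"
                        % (last["free_size"], min_free))
    used_pct = 100 * last["real_used_size"] // last["total_size"]
    # Heuristic (assumption): heavy shm use with nothing connected suggests
    # memory is not being handed back when connections close.
    if open_tls == 0 and used_pct >= 50:
        findings.append("%d%% of shm used with 0 TLS connections open" % used_pct)
    return findings

def demo():
    # 8 hours between snapshots and a 10 MiB floor are constructed values;
    # open_tls=0 matches the core.tcp_info output in the thread.
    samples = [(0, parse_shmem(EARLIER)), (8 * 3600, parse_shmem(LATER))]
    return assess(samples, open_tls=0, min_free=10 * 1024 * 1024)

if __name__ == "__main__":
    print("\n".join(demo()))
```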