[SR-Users] Recommended openSSL version

Daniel-Constantin Mierla miconda at gmail.com
Fri Jun 24 10:32:38 CEST 2022


Hello,

to add to this topic: the tls module runs smoothly when no other module uses
an external library that is also linked with tls; I didn't have issues
with it in the past few years.

But if another module also indirectly links libssl, I also got
random crashes, usually during events when kamailio code is not involved
at all. For example, a while ago using the http_client module (which
uses libcurl, which also linked libssl) resulted in sporadic crashes
during the tls handshake -- that's all in libssl, nothing to do with sip
traffic at that stage. And actually there were also crashes when opening
the connection to the https server. The behaviour was non-deterministic:
months without any issue, then 1-2 crashes in a week or so, then all
good as well. I somehow related it to minor updates of the operating system.

After all, I ended up writing the ruxc module to have an alternative
http_client() function, and from that moment there was no libssl-related
crash on the respective system. Strange that on another customer having
the same OS and using the http_client() function, all was and still is
fine. So it could also be related to tls settings on both sides of the
connection (e.g., ciphers, renegotiation, tls version, ...).

If you migrate to kamailio 5.6.x, then you can also try using the tlsa
module instead of tls; that should isolate the global libssl contexts,
one inside tlsa and one in those modules dynamically linking libssl.

Cheers,
Daniel

On 23.06.22 16:46, Karsten Horsmann wrote:
> Hi Igor, 
>
> I jumped from 5.3 to 5.5.x, so I carefully read the changelog and
> migrate steps. 
>
> https://www.kamailio.org/wiki/features/new-in-5.5.x
>
> Shows a bit about tls. 
>
> Igor Olhovskiy <igorolhovskiy at gmail.com> wrote on Wed, 22 June
> 2022, 21:08:
>
>     Karsten,
>
>     Thanks for your answer!
>
>     Out of your head, were there any significant changes in TCP/TLS on
>     5.4 -> 5.5 change?
>
>     Regards,
>     Igor
>
>     On 22.06.2022 at 18:11, Karsten Horsmann wrote:
>>     Hi Igor, 
>>
>>     I also use CentOS 7 with the same openssl version and between
>>     1000 up to 2000 tls/wss connections. 
>>
>>     Works for me. Main difference I use Kamailio 5.5.x
>>
>>     Kind regards 
>>     Karsten Horsmann 
>>
>>     Igor Olhovskiy <igorolhovskiy at gmail.com> wrote on Wed, 22 June
>>     2022, 10:36:
>>
>>         Hello!
>>
>>         Since I still experience irregular Kamailio 5.4 crashes
>>         (like 1/month) related to SSL (using websockets and SIPS), I'm
>>         wondering, could an openSSL upgrade change the situation?
>>         As of now in CentOS 7 I have the 1.0.2k version.
>>
>>         Does anyone have experience fixing TLS-related crash
>>         problems with an openSSL upgrade?
>>
>>         Or maybe some tuneup of TCP parameters can help here? My
>>         current setup is quite simple:
>>
>>         children=4
>>         enable_tls=yes
>>         tcp_accept_no_cl=yes
>>         tcp_connection_lifetime=600
>>         tcp_max_connections=998976 # 1000000 - 1024, so we're leaving 1k for system reserve
>>         tls_max_connections=998976
>>
>>         Number of clients ~ 200 constantly connected to websocket.
>>         -- 
>>         Best regards,
>>         Igor
>>         __________________________________________________________
>>         Kamailio - Users Mailing List - Non Commercial Discussions
>>           * sr-users at lists.kamailio.org
>>         Important: keep the mailing list in the recipients, do not
>>         reply only to the sender!
>>         Edit mailing list options or unsubscribe:
>>           * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online: June 20-23, 2022
  * https://www.asipto.com/sw/kamailio-advanced-training-online/
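
A check for the situation described in this message, as an added example that is not part of the thread or of Kamailio itself: it reports which module shared objects bring libssl into the process, either directly (a `NEEDED` entry shown by `readelf -d`) or indirectly through another library (visible only in `ldd`). The default module directory and the sample tool output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find Kamailio modules that pull libssl into the process.

# classify NEEDED_TEXT LDD_TEXT -> prints direct | indirect | none
#   NEEDED_TEXT: output of `readelf -d module.so` (the module's own DT_NEEDED)
#   LDD_TEXT:    output of `ldd module.so` (full transitive dependency list)
classify() {
    if printf '%s\n' "$1" | grep -Eq '\(NEEDED\).*\[libssl\.so'; then
        echo direct
    elif printf '%s\n' "$2" | grep -Eq '(^|[[:space:]])libssl\.so'; then
        echo indirect
    else
        echo none
    fi
}

# scan_modules DIR -> one "module<TAB>class" line per module linking libssl
scan_modules() {
    for so in "$1"/*.so; do
        [ -f "$so" ] || continue
        c=$(classify "$(readelf -d "$so" 2>/dev/null)" "$(ldd "$so" 2>/dev/null)")
        [ "$c" = none ] || printf '%s\t%s\n' "$(basename "$so")" "$c"
    done
}

# Constructed sample tool output (not captured from a real system).
SAMPLE_NEEDED_TLS=' 0x0000000000000001 (NEEDED)  Shared library: [libssl.so.1.1]'
SAMPLE_NEEDED_HTTP=' 0x0000000000000001 (NEEDED)  Shared library: [libcurl.so.4]'
SAMPLE_LDD_HTTP='  libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f0000000000)
  libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f0000100000)'
SAMPLE_LDD_PLAIN='  libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

# Usage: script --scan [MODULE_DIR]
# The default directory below is an assumption; adjust it to your install.
if [ "${1:-}" = "--scan" ]; then
    scan_modules "${2:-/usr/lib64/kamailio/modules}"
fi
```

More than one line in the scan output means several loaded modules share one libssl inside the same process; modules reported as `indirect` are the ones that are easy to miss when reviewing the configuration.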