[SR-Users] SIPS Errors on Kamailio
Christopher Vincent
CDV at redwoodtech.com
Wed Mar 23 19:13:54 CET 2022
Recompiled Kamailio from source
kamailio -v
version: kamailio 5.5.4 (x86_64/linux) 4c8938
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 4c8938
compiled on 14:21:51 Mar 23 2022 with gcc 4.8.5
Compiled a newer version of OpenSSL
openssl version
OpenSSL 1.1.1m 14 Dec 2021
Then followed through this http://www.kamailio.org/wiki/tutorials/tls/howto-openssl-1-0
Errors changed slightly, but issue still persists
kamailio -c
loading modules under config path: /usr/local/lib64/kamailio/modules/
0(3878) ERROR: <core> [core/sr_module.c:570]: load_module(): could not open module </usr/local/lib64/kamailio/modules/tls.so>: /usr/local/lib64/kamailio/modules/tls.so: undefined symbol: OPENSSL_sk_num
0(3878) CRITICAL: <core> [core/cfg.y:3684]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 106, column 12-19: failed to load module
0(3878) INFO: pv [pv_shv.c:60]: shvar_init_locks(): locks array size 16
0(3878) ERROR: <core> [core/modparam.c:181]: set_mod_param_regex(): No module matching <tls> found
0(3878) CRITICAL: <core> [core/cfg.y:3687]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 253, column 72: Can't set module parameter
0(3878) ERROR: <core> [core/modparam.c:181]: set_mod_param_regex(): No module matching <tls> found
0(3878) CRITICAL: <core> [core/cfg.y:3687]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 254, column 72: Can't set module parameter
0(3878) ERROR: <core> [core/modparam.c:181]: set_mod_param_regex(): No module matching <tls> found
0(3878) CRITICAL: <core> [core/cfg.y:3687]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 255, column 68: Can't set module parameter
0(3878) ERROR: <core> [core/modparam.c:181]: set_mod_param_regex(): No module matching <tls> found
0(3878) CRITICAL: <core> [core/cfg.y:3687]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 260, column 39: Can't set module parameter
ERROR: bad config file (5 errors) (parsing code: 0)
0(3878) INFO: <core> [core/sctp_core.c:53]: sctp_core_destroy(): SCTP API not initialized
sed /usr/local/etc/kamailio/kamailio.cfg -n -e 106p -e 253p -e 254p -e 255p -e 260p
loadmodule "tls.so"
modparam("tls", "private_key", "/etc/kamailio/star.redwoodtest.com.pem")
modparam("tls", "certificate", "/etc/kamailio/star.redwoodtest.com.pem")
modparam("tls", "ca_list", "/etc/kamailio/star.redwoodtest.com.pem")
modparam("tls", "tls_method", "TLSv1+")
Thanks,
Chris
From: Christopher Vincent
Sent: 21 March 2022 09:41
To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
Cc: Christopher Vincent <CDV at redwoodtech.com>
Subject: RE: [SR-Users] SIPS Errors on Kamailio
Hi Karsten, Sergey,
Thank you for your responses.
Kamailio module appears to be installed
rpm -ql kamailio-tls
/usr/lib64/kamailio/modules/auth_identity.so
/usr/lib64/kamailio/modules/tls.so
/usr/lib64/kamailio/openssl_mutex_shared
/usr/lib64/kamailio/openssl_mutex_shared/openssl_mutex_shared.so
/usr/share/doc/kamailio/modules/README.auth_identity
/usr/share/doc/kamailio/modules/README.tl
Kamailio was installed from the repository using yum / dnf https://rpm.kamailio.org/centos/kamailio.repo
Load module order has been corrected as below
loadmodule "sl.so"
loadmodule "tls.so"
loadmodule "jsonrpcs.so"
loadmodule "db_mysql.so"
loadmodule "kex.so"
...
kamailio -c still showed the same errors
Thanks,
Chris
From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of Safarov
Sent: 19 March 2022 07:38
To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
Subject: Re: [SR-Users] SIPS Errors on Kamailio
In your config "tls" module after "sl" module.
loadmodule "sl.so"
loadmodule "tls.so"
You need to load the tls module before the "jsonrpcs" module.
On Fri, Mar 18, 2022 at 9:59 PM Karsten Horsmann <khorsmann at gmail.com> wrote:
Hi,
are you sure the Kamailio tls module is on your system? Check the module path for tls.so like this or if you have built it from source?
rpm -ql kamailio-tls
/usr/lib64/kamailio/modules/auth_identity.so
/usr/lib64/kamailio/modules/tls.so
/usr/lib64/kamailio/openssl_mutex_shared
/usr/lib64/kamailio/openssl_mutex_shared/openssl_mutex_shared.so
/usr/share/doc/kamailio/modules/README.auth_identity
/usr/share/doc/kamailio/modules/README.tls
Christopher Vincent <CDV at redwoodtech.com> wrote on Fri, 18 Mar 2022, 12:37:
Hi,
Kamailio / RTPEngine was set up on CentOS 8 running SIP to SIPS and RTP to SDES SRTP conversion. This worked as expected
Attempted to duplicate the setup on RHEL but errors were seen. These errors were present on both RHEL 7 / RHEL 8.
The errors seen were as below
kamailio -c
loading modules under config path: /usr/lib64/kamailio/modules/
0(9165) ERROR: tls [tls_init.c:611]: tls_pre_init(): Unable to set the memory allocation functions
0(9165) ERROR: tls [tls_init.c:613]: tls_pre_init(): libssl current mem functions - m: 0x7f7a77c367a0 r: 0x7f7a77c367f0 f: 0x7f7a77c36770
0(9165) ERROR: tls [tls_init.c:615]: tls_pre_init(): module mem functions - m: 0x7f7a72db7653 r: 0x7f7a72db769f f: 0x7f7a72db76fc
0(9165) ERROR: tls [tls_init.c:617]: tls_pre_init(): Be sure tls module is loaded before any other module using libssl (can be loaded first to be safe)
0(9165) ERROR: <core> [core/sr_module.c:590]: load_module(): /usr/lib64/kamailio/modules/tls.so: mod_register failed
0(9165) CRITICAL: <core> [core/cfg.y:3683]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 137, column 12-19: failed to load module
0(9165) INFO: pv [pv_shv.c:60]: shvar_init_locks(): locks array size 16
0(9165) ERROR: <core> [core/modparam.c:181]: set_mod_param_regex(): No module matching <tls> found
0(9165) CRITICAL: <core> [core/cfg.y:3686]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 249, column 72: Can't set module parameter
0(9165) ERROR: <core> [core/modparam.c:181]: set_mod_param_regex(): No module matching <tls> found
0(9165) CRITICAL: <core> [core/cfg.y:3686]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 250, column 72: Can't set module parameter
0(9165) ERROR: <core> [core/modparam.c:181]: set_mod_param_regex(): No module matching <tls> found
0(9165) CRITICAL: <core> [core/cfg.y:3686]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 251, column 68: Can't set module parameter
0(9165) ERROR: <core> [core/modparam.c:181]: set_mod_param_regex(): No module matching <tls> found
0(9165) CRITICAL: <core> [core/cfg.y:3686]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 256, column 39: Can't set module parameter
ERROR: bad config file (5 errors) (parsing code: 0)
0(9165) INFO: <core> [core/sctp_core.c:53]: sctp_core_destroy(): SCTP API not initialized
The kamailio config was exactly the same as on the CentOS systems and started as below
/* Server ports: */
#!substdef "!SIP_PORT!5060!g"
#!substdef "!SIPS_PORT!5061!g"
/* Listen addresses */
#!substdef "!UDP_LOCAL_ADDR!udp:SERVER_IP_ADDR:SIP_PORT!g"
#!substdef "!TCP_LOCAL_ADDR!tcp:SERVER_IP_ADDR:SIPS_PORT!g"
/* Server connections: */
#!ifndef MAX_CONNECTIONS
#!define MAX_CONNECTIONS 8192
#!endif
##!define WITH_DEBUG
/* Transaction and branch flags:
FLT_ - per transaction (message) flags
FLB_ - per branch flags
*/
#!define FLT_ACC 1
#!define FLT_ACCMISSED 2
#!define FLT_ACCFAILED 3
#!define FLT_NATS 5
#!define FLT_OUT 8
#!define FLB_NATB 6
#!define FLB_NATSIPPING 7
#!define KAMAILIODBURL1 "mysql://kamailio:kamailiorw@localhost/kamailio"
#!define WITH_TLS
enable_tls=1
listen=tls:<ipaddr>:5062
####### Global Parameters #########
### LOG Levels: ALERT=-5, BUG=-4, CRIT=-3, ERR=-1, WARN=0, NOTICE=1, INFO=2, DBG=3
#!ifdef WITH_DEBUG
debug=4
log_stderror=no
#!else
debug=2
log_stderror=no
#!endif
memdbg=5
memlog=5
log_facility=LOG_LOCAL0
/* display memory usage on exit */
mem_summary=15
/* join free memory fragments */
mem_join=1
/* proxy will fork and run in daemon mode */
/* one process will be created for each network interface the proxy listens to and for each protocol (TCP/UDP), multiplied with the value of 'children' parameter */
fork=yes
children=8
listen=TCP_LOCAL_ADDR
listen=UDP_LOCAL_ADDR
/* life time of TCP connection when there is no traffic
- a bit higher than registration expires to cope with UA behind NAT */
tcp_connection_lifetime=3605
/* sip over websockets may not specify a content length header */
tcp_accept_no_cl=yes
/* buffer size used for tcp reads, limits the maximum message size (SIP, HTTP) that can be received over tcp */
tcp_rd_buf_size=65536
/* max number of tcp connections */
tcp_max_connections=MAX_CONNECTIONS
####### Modules Section ########
# set paths to location of modules
mpath="/usr/lib64/kamailio/modules/"
loadmodule "jsonrpcs.so"
loadmodule "db_mysql.so"
loadmodule "kex.so"
loadmodule "corex.so"
loadmodule "tm.so"
loadmodule "tmx.so"
loadmodule "rr.so"
loadmodule "pv.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "xlog.so"
loadmodule "sanity.so"
loadmodule "ctl.so"
loadmodule "cfg_rpc.so"
loadmodule "acc.so"
loadmodule "dispatcher.so"
loadmodule "cfgutils.so"
loadmodule "textopsx.so"
loadmodule "nathelper.so"
loadmodule "uac.so"
loadmodule "ipops.so"
loadmodule "debugger.so"
loadmodule "exec.so"
loadmodule "avpops.so"
loadmodule "sqlops.so"
loadmodule "rtpengine.so"
loadmodule "sl.so"
loadmodule "tls.so"
# ----------------- setting module-specific parameters ---------------
# ----- usrloc params -----
# store contacts in memory only
modparam("usrloc", "db_mode", 0)
# hash size of 16,384
modparam("usrloc", "hash_size", 14)
# removes contact if ws disconnects
modparam("usrloc", "handle_lost_tcp", 1)
modparam("tm|usrloc", "xavp_contact", "ulattrs")
# ----- jsonrpcs params -----
modparam("jsonrpcs", "fifo_name", "/tmp/kamailio_jsonrpc.fifo")
modparam("jsonrpcs", "dgram_socket", "/tmp/kamailio_rpc.sock")
# ----- tm params -----
# auto-discard branches from previous serial forking leg
modparam("tm", "failure_reply_mode", 3)
# default retransmission timeout: 30sec
modparam("tm", "fr_timer", 30000)
#default invite retransmission timeout after 1xx: 120sec
modparam("tm", "fr_inv_timer", 120000)
# ----- rr params -----
# set next param to 1 to add value to ;lr param (helps with some UAs)
modparam("rr", "enable_full_lr", 0)
# do not append from tag to the RR (no need for this script)
modparam("rr", "append_fromtag", 0)
# ----- uac params -----
modparam("uac", "restore_mode", "none")
# ----- registrar params -----
modparam("registrar", "method_filtering", 1)
modparam("registrar", "max_contacts", 1)
# max value for expires of registrations
modparam("registrar", "max_expires", 3600)
# disable GRUU
modparam("registrar", "gruu_enabled", 0)
# ----- acc params -----
/* what special events should be accounted? */
modparam("acc", "early_media", 0)
modparam("acc", "report_ack", 0)
modparam("acc", "report_cancels", 0)
/* by default we do not adjust the direction of the sequential requests.
if you enable this parameter, be sure to enable "append_fromtag"
in "rr" module */
modparam("acc", "detect_direction", 0)
/* account triggers (flags) */
modparam("acc", "log_flag", FLT_ACC)
modparam("acc", "log_missed_flag", FLT_ACCMISSED)
modparam("acc", "log_extra", "src_user=$fU;src_domain=$fd;src_ip=$si;dst_ouser=$tU;dst_user=$rU;dst_domain=$rd")
modparam("acc", "failed_transaction_flag", FLT_ACCFAILED)
# ----- dispatcher params -----
modparam("dispatcher", "db_url", KAMAILIODBURL1)
modparam("dispatcher", "flags", 2)
modparam("dispatcher", "ds_ping_method", "OPTIONS")
modparam("dispatcher", "ds_ping_from", "sip:<address>.com")
modparam("dispatcher", "ds_ping_interval", 5)
modparam("dispatcher", "ds_probing_threshold", 1)
modparam("dispatcher", "ds_inactive_threshold", 1)
modparam("dispatcher", "ds_probing_mode", 3)
# ----- pv params -----
modparam("pv", "shvset", "maintenance=i:0")
modparam("pv", "shvset", "virtualIP1=i:0")
modparam("pv", "shvset", "virtualIP2=i:0")
# ----- nathelper params -----
modparam("nathelper|registrar", "received_avp", "$avp(RECEIVED)")
# Note: leaving NAT pings turned off here as nathelper is only being used for
# WebSocket connections. NAT pings are not needed as WebSockets have
# their own keep-alives.
# ----- rtpengine params -----
modparam("rtpengine", "rtpengine_sock", "udp:localhost:2223")
modparam("rtpengine", "rtpengine_sock", "udp:localhost:2223")
#modparam("rtpengine", "write_sdp_pv", "$avp(sdp)")
#modparam("rtpengine", "force_send_interface", SERVER_IP_ADDR)
#modparam("rtpengine", "setid_default", -1)
#modparam("rtpengine", "rtp_inst_pvar", "$avp(RTPENGINE)")
#modparam("rtpengine", "rtpengine_retr", 5)
#modparam("rtpengine", "queried_nodes_limit", 5)
#modparam("rtpengine", "rtpengine_allow_op", 1)
#modparam("rtpengine", "hash_table_size", MAX_CONNECTIONS)
#modparam("rtpengine", "hash_table_tout", 7200)
modparam("tls", "private_key", "<cert path>")
modparam("tls", "certificate", "<cert path>")
modparam("tls", "ca_list", "<cert path>")
# modparam("tls", "ca_list", "<cert path>")
modparam("tls", "tls_method", "TLSv1+")
####### Routing Logic ########
If load module lines for TLS are moved to near the top of the config file, config will parse and non-SIPS calls will work
loadmodule "sl.so"
loadmodule "tls.so"
But logs will show
WARNING: <core> [main.c:2985]: main(): tls support enabled, but no tls engine available (forgot to load the tls module?)
WARNING: <core> [main.c:2987]: main(): disabling tls...
Presumably loading the module before configuring it just gives it default values so the latter config is ignored
Any advice on the matter would be appreciated
Thanks in advance,
Chris
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users at lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
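Added example, not part of the original thread or of Kamailio itself: a lint for the load-order condition named in the tls_pre_init() log line above ("can be loaded first to be safe"). It assumes the conservative reading that any module loaded before tls.so is a finding; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint loadmodule order for the tls module in a kamailio.cfg.
# Reads the config from a file argument or stdin. Does not evaluate #!ifdef
# blocks, so every uncommented loadmodule line counts.
# Exit status: 0 = tls loaded first, 1 = order finding, 2 = tls never loaded.
check_tls_load_order() {
    awk '
        /^[ \t]*#/ { next }                      # comments and #! directives
        /^[ \t]*loadmodule[ \t]/ {
            n++
            name = $0
            sub(/^[^"]*"/, "", name); sub(/".*$/, "", name)   # text inside quotes
            sub(/^.*\//, "", name);   sub(/\.so$/, "", name)  # drop path and .so
            if (name == "tls") { if (!pos) { pos = n; line = NR } }
            else if (!pos) before = before " " name
            next
        }
        /^[ \t]*modparam\("tls"/ && !pos {
            printf "line %d: modparam(\"tls\", ...) before loadmodule \"tls.so\"\n", NR
            bad = 1
        }
        END {
            if (!pos) { print "tls.so is never loaded"; exit 2 }
            if (pos > 1) {
                printf "line %d: tls.so is loadmodule #%d, after:%s\n", line, pos, before
                bad = 1
            }
            exit bad + 0
        }
    ' "$@"
}

# Constructed sample: the load order from the first message, abridged.
sample_cfg_as_posted() {
    cat <<'EOF'
mpath="/usr/lib64/kamailio/modules/"
loadmodule "jsonrpcs.so"
loadmodule "db_mysql.so"
loadmodule "sl.so"
loadmodule "tls.so"
modparam("tls", "tls_method", "TLSv1+")
EOF
}

sample_cfg_as_posted | check_tls_load_order || echo "load order needs fixing"
```

A clean result here only covers load order; the "undefined symbol: OPENSSL_sk_num" failure in the latest message is a separate library-linking problem that this lint does not detect.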