[SR-Users] Recommended openSSL version

Ihor Olkhovskyi igorolhovskiy at gmail.com
Tue Oct 18 14:16:57 CEST 2022


Hello,

Sorry for bumping this old thread up, but here is some outcome from my research.

1. CentOS 7 provided OpenSSL (1.0.2k-fips  26 Jan 2017) really leads to 
Kamailio 5.x.x crashes on high load (tested with 5.4 - 5.6) with the sippts 
<https://github.com/Pepelux/sippts> tool.

2. Good results are obtained with Kamailio 5.6.2 with the tlsa flavour 
statically linked with openssl 1.1.1q (here I have a problem with a lack 
of TLS connections, but that's something different)

And with this result I have a question: when I'm invoking

exit;

in a Kamailio script it's not "freeing" the TCP connection, as far as I 
understand. I've managed to "free" (or not occupy) the connection with iptables

-j REJECT --reject-with tcp-reset

Is there anything similar for Kamailio, or do I need to add something like 
fail2ban on top?

Thanks in advance!

On 24/06/2022 at 14:15, Igor Olhovskiy wrote:

> Daniel,
>
> Thanks for clarifying this!
> And to ask, does the websocket module also use libssl indirectly, or should 
> it not be the cause in this one? (I'm not using http or so).
>
> On Fri., 24 June 2022 at 08:36, Daniel-Constantin Mierla 
> <miconda at gmail.com> wrote:
>
>     Hello,
>
>     to add to this topic: the tls module runs smoothly when no other module
>     uses an external library that is also linked with tls; I didn't
>     have issues with it in the past few years.
>
>     But if another module also indirectly links libssl, I
>     also got random crashes, usually during events when kamailio code
>     is not involved at all. For example, a while ago using the
>     http_client module (which uses libcurl, which also links libssl)
>     resulted in sporadic crashes during tls handshake -- that's all in
>     libssl, nothing to do with sip traffic at that stage. And actually
>     there were also crashes when opening the connection to the https
>     server. The behaviour was non-deterministic, months without any
>     issue, then 1-2 crashes in a week or so, then all good as well. I
>     somehow related it to minor updates of the operating system.
>
>     After all, I ended up writing the ruxc module to have an alternative
>     http_client() function and from that moment no libssl related
>     crash on the respective system. Strange that on another customer
>     having the same OS and using the http_client() function, all was and still
>     is fine. So it could also be related to tls settings on both sides
>     of the connection (e.g., ciphers, renegotiation, tls version, ...).
>
>     If you migrate to kamailio 5.6.x, then you can also try using the tlsa
>     module instead of tls, that should isolate the global libssl
>     contexts, one inside the tlsa and one in those modules dynamically
>     linking libssl.
>
>     Cheers,
>     Daniel
>
>     On 23.06.22 16:46, Karsten Horsmann wrote:
>>     Hi Igor,
>>
>>     I jumped from 5.3 to 5.5.x so I read the changelog and
>>     migration steps carefully.
>>
>>     https://www.kamailio.org/wiki/features/new-in-5.5.x
>>
>>     It shows a bit about tls.
>>
>>     Igor Olhovskiy <igorolhovskiy at gmail.com> wrote on Wed., 22 June
>>     2022, 21:08:
>>
>>         Karsten,
>>
>>         Thanks for your answer!
>>
>>         Off the top of your head, were there any significant changes in
>>         TCP/TLS in the 5.4 -> 5.5 change?
>>
>>         Regards,
>>         Igor
>>
>>         On 22.06.2022 at 18:11, Karsten Horsmann wrote:
>>>         Hi Igor,
>>>
>>>         I also use CentOS 7 with the same openssl version and
>>>         between 1000 up to 2000 tls/wss connections.
>>>
>>>         Works for me. The main difference is that I use Kamailio 5.5.x.
>>>
>>>         Kind regards
>>>         Karsten Horsmann
>>>
>>>         Igor Olhovskiy <igorolhovskiy at gmail.com> wrote on Wed., 22
>>>         June 2022, 10:36:
>>>
>>>             Hello!
>>>
>>>             Since I still experience irregular Kamailio 5.4 crashes
>>>             (about 1/month) related to SSL (using websockets and
>>>             SIPS), I'm wondering whether an openSSL upgrade could change
>>>             the situation.
>>>             As of now in CentOS 7 I have 1.0.2k version.
>>>
>>>             Does anyone have experience fixing TLS-related crash
>>>             problems with an openSSL upgrade?
>>>
>>>             Or maybe some tune-up of TCP parameters can help here? My
>>>             current setup is quite simple:
>>>
>>>             children=4
>>>             enable_tls=yes
>>>             tcp_accept_no_cl=yes
>>>             tcp_connection_lifetime=600
>>>             tcp_max_connections=998976 # 1000000 - 1024, so we're leaving 1k for system reserve
>>>             tls_max_connections=998976
>>>
>>>             Number of clients ~ 200 constantly connected to websocket.
>>>             -- 
>>>             Best regards,
>>>             Igor
>>>             __________________________________________________________
>>>             Kamailio - Users Mailing List - Non Commercial Discussions
>>>               * sr-users at lists.kamailio.org
>>>             Important: keep the mailing list in the recipients, do
>>>             not reply only to the sender!
>>>             Edit mailing list options or unsubscribe:
>>>               *
>>>             https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>>
>>
>
>     -- 
>     Daniel-Constantin Mierla -- www.asipto.com
>     www.twitter.com/miconda -- www.linkedin.com/in/miconda
>     Kamailio Advanced Training - Online: June 20-23, 2022
>        *https://www.asipto.com/sw/kamailio-advanced-training-online/
>
>
> -- 
> Best regards,
> Igor
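An added example, not from the thread, of how the question asked at the top (closing the transport connection from script rather than with an iptables tcp-reset rule) could be approached in a Kamailio 5.x configuration. It assumes the pike, sl, xlog and tcpops modules are installed and that tcpops provides tcp_close_connection() for the current connection; the flood thresholds are constructed values, not tuning advice from the list.

```cfg
# Added example (not from the thread): rate-limit abusive peers and
# close their TCP/TLS/WS connection from script instead of only
# calling exit;, which the original post reports leaves the
# connection occupied until tcp_connection_lifetime expires.
loadmodule "sl.so"
loadmodule "xlog.so"
loadmodule "pike.so"
loadmodule "tcpops.so"

# pike: flag a source IP once it sends more than 16 requests
# within a 2 second window (constructed thresholds)
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 16)
modparam("pike", "remove_latency", 4)

request_route {
    # ... the usual sanity checks from the default config go here ...

    if (!pike_check_req()) {
        xlog("L_ALERT", "flood from $si:$sp via $proto, conid $conid\n");
        sl_send_reply("503", "Service Unavailable");

        # For connection-oriented transports, tear the connection down
        # explicitly (assumed tcpops function); exit; alone only stops
        # routing of this request.
        if ($proto == "tcp" || $proto == "tls"
            || $proto == "ws"  || $proto == "wss") {
            tcp_close_connection();
        }
        exit;
    }

    # ... normal routing continues here ...
}
```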