[SR-Users] Recommended openSSL version
Ihor Olkhovskyi
igorolhovskiy at gmail.com
Tue Oct 18 14:16:57 CEST 2022
Hello,
Sorry for bumping this old thread up, but here is some outcome from my research.
1. CentOS 7 provided OpenSSL (1.0.2k-fips 26 Jan 2017) really leads to
Kamailio 5.x.x crashes on high load (tested with 5.4 - 5.6) with the sippts
<https://github.com/Pepelux/sippts> tool.
2. Good results are obtained with Kamailio 5.6.2 with the tlsa flavour
statically linked with OpenSSL 1.1.1q (here I have a problem with a lack
of TLS connections, but that is something different)
And with this result I have a question: when I invoke
exit;
in the Kamailio script it is not "freeing" the TCP connection, as far as I can tell. I have
managed to "free" (or not occupy) the connection with iptables
-j REJECT --reject-with tcp-reset
Is there anything similar for Kamailio, or do I need to add something like fail2ban
on top?
Thanks in advance!
On 24/06/2022 at 14:15, Igor Olhovskiy wrote:
> Daniel,
>
> Thanks for clarifying this!
> And to ask, does the websocket module also use libssl indirectly, or should
> it not be the cause in this one? (I'm not using http or so).
>
> On Fri., 24 June 2022 at 08:36, Daniel-Constantin Mierla
> <miconda at gmail.com> wrote:
>
> Hello,
>
> to add to this topic: the tls module runs smoothly when no other module
> uses an external library that is also linked with tls; I didn't
> have issues with it in the past few years.
>
> But if another module also indirectly links libssl, I
> also got random crashes, usually during events when kamailio code
> is not involved at all. For example, a while ago using the
> http_client module (which uses libcurl that linked also libssl)
> resulted in sporadic crashes during tls handshake -- that's all in
> libssl, nothing to do with sip traffic at that stage. And actually
> there were also crashes when opening the connection to the https
> server. The behaviour was non-deterministic, months without any
> issue, then 1-2 crashes in a week or so, then all good as well. I
> somehow related it to minor updates of the operating system.
>
> After all, I ended up writing ruxc module to have an alternative
> http_client() function and from that moment no libssl related
> crash on the respective system. Strange that for another customer
> having the same OS and using http_client() function, all was and still
> is fine. So it could be also related to tls settings in both sides
> of the connection (e.g., ciphers, renegotiation, tls version, ...).
>
> If you migrate to kamailio 5.6.x, then you can also try using tlsa
> module instead of tls, that should isolate the global libssl
> contexts, one inside the tlsa and one in those modules linking
> dynamically libssl.
>
> Cheers,
> Daniel
>
> On 23.06.22 16:46, Karsten Horsmann wrote:
>> Hi Igor,
>>
>> I jumped from 5.3 to 5.5.x so I read carefully the changelog and
>> migration steps.
>>
>> https://www.kamailio.org/wiki/features/new-in-5.5.x
>>
>> It shows a bit about tls.
>>
>> Igor Olhovskiy <igorolhovskiy at gmail.com> wrote on Wed., 22 June
>> 2022, 21:08:
>>
>> Karsten,
>>
>> Thanks for your answer!
>>
>> Off the top of your head, were there any significant changes in
>> TCP/TLS in the 5.4 -> 5.5 change?
>>
>> Regards,
>> Igor
>>
>> On 22.06.2022 at 18:11, Karsten Horsmann wrote:
>>> Hi Igor,
>>>
>>> I also use CentOS 7 with the same openssl version and
>>> between 1000 up to 2000 tls/wss connections.
>>>
>>> Works for me. Main difference I use Kamailio 5.5.x
>>>
>>> Kind regards
>>> Karsten Horsmann
>>>
>>> Igor Olhovskiy <igorolhovskiy at gmail.com> wrote on Wed., 22
>>> June 2022, 10:36:
>>>
>>> Hello!
>>>
>>> Since I still experience irregular Kamailio 5.4 crashes
>>> (like 1/month) related to SSL (using websockets and
>>> SIPS), I'm wondering, could an OpenSSL upgrade change the
>>> situation?
>>> As of now in CentOS 7 I have version 1.0.2k.
>>>
>>> Does anyone have experience of fixing TLS-related crash
>>> problems with an OpenSSL upgrade?
>>>
>>> Or maybe some tune-up of TCP parameters can help here? My
>>> current setup is quite simple:
>>>
>>> children=4
>>> enable_tls=yes
>>> tcp_accept_no_cl=yes
>>> tcp_connection_lifetime=600
>>> tcp_max_connections=998976 # 1000000 - 1024, so we're leaving 1k for system reserve
>>> tls_max_connections=998976
>>>
>>> Number of clients ~ 200 constantly connected to websocket.
>>> --
>>> Best regards,
>>> Igor
>>> __________________________________________________________
>>> Kamailio - Users Mailing List - Non Commercial Discussions
>>> * sr-users at lists.kamailio.org
>>> Important: keep the mailing list in the recipients, do
>>> not reply only to the sender!
>>> Edit mailing list options or unsubscribe:
>>> *
>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Kamailio Advanced Training - Online: June 20-23, 2022
> *https://www.asipto.com/sw/kamailio-advanced-training-online/
>
> --
> Best regards,
> Igor
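The question at the top of the thread (whether Kamailio itself can drop the TCP/TLS connection the way the iptables tcp-reset rule does, since exit only stops script execution for the current message) is where an explicit close call from the routing script fits. The following is an added example, not code from the thread or from the Kamailio project. It assumes the tcpops and pike modules are loaded, that tcp_close_connection() from tcpops is available in the release in use (check the tcpops README for your version), and uses constructed pike thresholds (30 requests per 2-second window) that would have to be tuned to the real traffic.

```cfg
#!KAMAILIO
# Added example, not from the thread: close the transport connection
# explicitly when a source is flooding. "exit" alone only ends script
# execution for this message; the TCP/TLS connection would otherwise stay
# open until tcp_connection_lifetime expires.

children=4
enable_tls=yes
tcp_accept_no_cl=yes
tcp_connection_lifetime=600

loadmodule "sl.so"
loadmodule "xlog.so"
loadmodule "pike.so"
loadmodule "tcpops.so"
loadmodule "tlsa.so"          # tls.so on releases before 5.6

# pike thresholds: assumed values, tune for the real traffic pattern
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 30)
modparam("pike", "remove_latency", 120)

request_route {
    if (!pike_check_req()) {
        xlog("L_ALERT", "flood from $si:$sp over $proto, closing conid $conid\n");
        sl_send_reply("503", "Service Unavailable");
        if ($proto == "tcp" || $proto == "tls" || $proto == "ws" || $proto == "wss") {
            # tcpops: ask the TCP layer to close the connection this request
            # arrived on, the script-side equivalent of the iptables tcp-reset
            tcp_close_connection();
        }
        exit;
    }
    # ... normal routing continues here
}
```

With the close issued from the script, the connection slot is released as soon as the flood is detected rather than at lifetime expiry, so the tcp_max_connections/tls_max_connections budget is not consumed by a client that is being rejected anyway. An external tcp-reset rule or fail2ban still makes sense as a second layer, since a closed connection can simply be reopened by the same source.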