Hi,

That's a really bad example of how to hide trash beneath the carpet :(....

The instructions on how to get a backtrace are simple and clear [1] - please consider doing this and helping back the project you are using.

[1] https://www.opensips.org/Documentation/TroubleShooting-Crash

Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
  https://www.opensips.org/events/Summit-2022Athens/

On 9/27/22 5:12 AM, jacky z wrote:
Hi Ovidiu,

I solved this problem by hardcoding the cert address in the my_con.c address. Guess the cert setup in the config file can't be loaded correctly when my_con.c calls it.

On Tue, Sep 27, 2022 at 7:34 AM Ovidiu Sas <o...@voipembedded.com> wrote:

    I encountered a crash related to TLS connections and I was wondering
    if it's a similar issue.
    It seems not, the crash that I encountered happens only on 3.3.

    If you installed opensips from a package, you need to install
    opensips-dbg package to get the debug symbols.
    After that, you can locate the core file on your server and
    inspect it with gdb.
    Everything should be detailed here:
    https://www.opensips.org/Documentation/TroubleShooting-Crash

    -ovidiu

    On Mon, Sep 26, 2022 at 2:54 AM jacky z <zjack0...@gmail.com> wrote:
    >
    > Hi Ovidiu,
    >
    > The version I am using is 3.2. I am not familiar with the debug symbols, but guess this can be reproduced easily. With ?tls_domain=dom1 attached after the mysql address, it happens. Can you simply check if it is the same behavior? If not, I will dig further by learning how to use the debug symbols. Thanks!
    >
    > On Mon, Sep 26, 2022 at 12:30 AM Ovidiu Sas <o...@voipembedded.com> wrote:
    >>
    >> Which version of opensips are you using?
    >> Can you install the debug symbols and get a backtrace from the core file?
    >> https://www.opensips.org/Documentation/TroubleShooting-Crash
    >>
    >> Regards,
    >> Ovidiu Sas
    >>
    >> On Sun, Sep 25, 2022 at 6:32 AM jacky z <zjack0...@gmail.com> wrote:
    >> >
    >> > Hi Vlad,
    >> >
    >> > It seems opensips crashed when I set ?tls_domain=dom1 to enable tls connection to mysql db.  I followed the method in the manual.
    >> >
    >> > modparam("usrloc", "db_url", "mysql://root:1234@localhost/opensips?tls_domain=dom1")
    >> >
    >> >
    >> > Here is the log.
    >> >
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:mod_init: initializing TLS management
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined, using default '/etc/pki/CA/'
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT activated. Weaker security.
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined, using default '/etc/pki/CA/'
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT activated. Weaker security.
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:proto_tls:mod_init: initializing TLS protocol
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:proto_bin:mod_init: initializing BIN protocol
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:clusterer:mod_init: Clusterer module - initializing
    >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: CRITICAL:core:sig_usr: segfault in attendant (starter) process!
    >> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243] opensips[4935]: segfault at 0 ip 0000000000000000 sp 00007ffececa3d08 error 14 in opensips[558b5bb75000+1c000]
    >> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code: Bad RIP value.
    >> > Sep 25 10:14:01 ip-10-100-20-35 opensips: INFO:core:daemonize: pre-daemon process exiting with -1
    >> >
    >> > and my client domain settings
    >> >
    >> > #client domain
    >> > modparam("tls_mgm", "client_domain", "dom1")
    >> > modparam("tls_mgm", "match_ip_address", "[dom1]*")
    >> > modparam("tls_mgm", "match_sip_domain", "[dom1]*")
    >> > modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
    >> > modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
    >> > modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
    >> > modparam("tls_mgm","tls_method", "[dom1]SSLv23")
    >> > modparam("tls_mgm","verify_cert", "[dom1]0")
    >> > modparam("tls_mgm","require_cert", "[dom1]0")
    >> >
    >> > It is expected to see some other errors such as invalid cert but not crash in pre-daemon process. Any clue on this for me to debug? If I remove "?tls_domain=dom1", there is no such crash though the opensips server still couldn't start because I forced the mysql db to use ssl connection. Thanks!
    >> >
    >> > On Mon, Sep 19, 2022 at 9:09 PM Vlad Patrascu <vl...@opensips.org> wrote:
    >> >>
    >> >> Hi Jacky,
    >> >>
    >> >> I can't think of any workaround unfortunately.
    >> >>
    >> >> Regards,
    >> >>
    >> >> --
    >> >> Vlad Patrascu
    >> >> OpenSIPS Core Developer
    >> >> http://www.opensips-solutions.com
    >> >>
    >> >> On 17.09.2022 18:46, jacky z wrote:
    >> >>
    >> >> Hi  Vlad,
    >> >>
    >> >> Is there any workaround to disable the client cert? Thanks!
    >> >>
    >> >> On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu <vl...@opensips.org> wrote:
    >> >>>
    >> >>> Hi Jacky,
    >> >>>
    >> >>> OpenSIPS will always require you to configure a client certificate for TLS client domains and will also present that certificate when connecting. But normally, a TLS server can simply choose not to verify the client certificate. I don't have any experience with AWS RDS though but it seems odd to not accept a connection only because the client did present a certificate.
    >> >>>
    >> >>> Regards,
    >> >>>
    >> >>> --
    >> >>> Vlad Patrascu
    >> >>> OpenSIPS Core Developer
    >> >>> http://www.opensips-solutions.com
    >> >>>
    >> >>> On 14.09.2022 05:42, jacky z wrote:
    >> >>>
    >> >>> Hi Bogdan-Andrei,
    >> >>>
    >> >>> I checked the mariadb documentation and found mariadb has two options to set ssl connection: two-way TLS and one-way TLS. It seems AWS RDS only supports one-way TLS, that is, TLS is used without a client cert. Does OPENSIPS support such one-way TLS to connect a database? Thanks!
    >> >>>
    >> >>> On Wed, Sep 14, 2022 at 12:06 AM jacky z <zjack0...@gmail.com> wrote:
    >> >>>>
    >> >>>> Hi Bogdan-Andrei,
    >> >>>>
    >> >>>> I have set the "certificate" and "private_key" in my script, as I explained in method 1. However, AWS RDS doesn't support a client cert. Please refer to
    >> >>>>
    >> >>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
    >> >>>>
    >> >>>> Is there any workaround to use the public cert list provided by AWS? Anyone has successfully used RDS with SSL connections? Thanks!
    >> >>>>
    >> >>>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu <bog...@opensips.org> wrote:
    >> >>>>>
    >> >>>>> Set the certificate and key you have in the tls_mgm module, for the "certificate" and "private_key" parameters.
    >> >>>>>
    >> >>>>> Regards,
    >> >>>>>
    >> >>>>> Bogdan-Andrei Iancu
    >> >>>>>
    >> >>>>> OpenSIPS Founder and Developer
    >> >>>>> https://www.opensips-solutions.com
    >> >>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
    >> >>>>> https://www.opensips.org/events/Summit-2022Athens/
    >> >>>>>
    >> >>>>> On 9/13/22 2:57 PM, jacky z wrote:
    >> >>>>>
    >> >>>>> Hi Bogdan-Andrei,
    >> >>>>>
    >> >>>>> I tried two methods.
    >> >>>>>
    >> >>>>> Method 1:
    >> >>>>>
    >> >>>>> #enabled TLS connection:
    >> >>>>> modparam("db_mysql", "use_tls", 1)
    >> >>>>>
    >> >>>>> #setup a client domain:
    >> >>>>> modparam("tls_mgm", "client_domain", "dom1")
    >> >>>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
    >> >>>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
    >> >>>>> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
    >> >>>>> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
    >> >>>>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
    >> >>>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
    >> >>>>> modparam("tls_mgm","verify_cert", "[dom1]0")
    >> >>>>> modparam("tls_mgm","require_cert", "[dom1]0")
    >> >>>>> # set db_url
    >> >>>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
    >> >>>>> ...
    >> >>>>>
    >> >>>>> I couldn't figure out how to use global-bundle.pem AWS provided with this method. No luck to get a connection with RDS. If I don't use ssl, opensips can connect to RDS without encryption.
    >> >>>>>
    >> >>>>> Method 2:
    >> >>>>>
    >> >>>>> I tried
    >> >>>>>
    >> >>>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
    >> >>>>>
    >> >>>>> to include the AWS cert. Still no luck.
    >> >>>>>
    >> >>>>> Thanks!
    >> >>>>>
    >> >>>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu <bog...@opensips.org> wrote:
    >> >>>>>>
    >> >>>>>> Hi,
    >> >>>>>>
    >> >>>>>> sorry for my silly question, but how do you connect from the OpenSIPS side ??
    >> >>>>>>
    >> >>>>>> Regards,
    >> >>>>>>
    >> >>>>>> Bogdan-Andrei Iancu
    >> >>>>>>
    >> >>>>>> OpenSIPS Founder and Developer
    >> >>>>>> https://www.opensips-solutions.com
    >> >>>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
    >> >>>>>> https://www.opensips.org/events/Summit-2022Athens/
    >> >>>>>>
    >> >>>>>> On 9/13/22 10:41 AM, jacky z wrote:
    >> >>>>>>
    >> >>>>>> Hi Team,
    >> >>>>>>
    >> >>>>>> We hope to connect to aws RDS database with ssl encryption. We have setup a client domain according to OPENSIPS documents. However, AWS RDS does not support client cert as someone has confirmed with AWS
    >> >>>>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
    >> >>>>>>
    >> >>>>>> Is there any way to use the cert provided by AWS to connect? AWS provides a global-bundle.pem (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) for such a connection, but we don't know how to include it in the config file.
    >> >>>>>>
    >> >>>>>> Thanks
    >> >>>>>>
    >> >>>>>> Jacky z
    >> >>>>>>
    >> >>>>>> _______________________________________________
    >> >>>>>> Users mailing list
    >> >>>>>> Users@lists.opensips.org
    >> >>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
    >> >>>>>>
    >> >>>>>>
    >> >>>>>
    >> >>>
    >> >>
    >> >>
    >> >
    >>
    >>
    >>
    >> --
    >> VoIP Embedded, Inc.
    >> http://www.voipembedded.com
    >>
    >



-- VoIP Embedded, Inc.
    http://www.voipembedded.com



_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
