#### Pre-Submission Checklist
- [X] Commit message has the format required by CONTRIBUTING guide
- [X] Commits are split per component (core, individual modules, libs, utils, 
...)
- [X] Each component has a single commit (if not, squash them into one commit)
- [ ] No commits to README files for modules (changes must be done to docbook 
files
in `doc/` subfolder, the README file is autogenerated)

#### Type Of Change
- [ ] Small bug fix (non-breaking change which fixes an issue)
- [X] New feature (non-breaking change which adds new functionality)
- [ ] Breaking change (fix or feature that would change existing functionality)

#### Checklist:
- [ ] PR should be backported to stable branches
- [X] Tested changes locally
- [ ] Related to issue #XXXX (replace XXXX with an open issue number)

#### Description
This PR is based on the multi-threaded RPC OpenSSL work done by @miconda and 
released in 6.1. In that work - there are still many accessors (pv, sel) that 
peek into shared memory SSL* - that is why shared memory was retained.

This PR provides the next step for multi-threaded RPC OpenSSL
- disable CRYPTO_set_mem_functions - no more shared memory for OpenSSL(!)
- disable pthreads PROCESS_SHARED fixups(!)

To provide SSL metadata to all workers - the metadata is eagerly cached in the 
tcp connection; workers access the metadata (e.g. SSL_get_servername) as 
strings or bytes and do not peek at SSL* themselves. Based on looking through 
pv/sel - the following is cached

```
    tls_c->ssl_servername 
    tls_c->ssl_cipher_name
    tls_c->ssl_my_cert
    tls_c->ssl_peer_cert
    tls_c->ssl_cert_chain
    tls_c->ssl_verify_result
    tls_c->ssl_cipher_bits
    tls_c->ssl_version
    tls_c->ssl_cipher_desc
```
- this is sufficient to cover all known pv/sel and module functions.

This PR also provides the single SSL_CTX implementation - instead of being 
duplicated across all workers.

**Limitations**

- eager caching - if the routing script does not access pv/sel it may be a 
waste of memory: TODO: replace eager caching with lazy caching - in this case 
we would need an RPC to PROC_TCP_MAIN for metadata
- RPC tls.reload: this currently cannot execute as it is in the JSONRPC 
process; TODO: use an RPC to PROC_TCP_MAIN for reload

Co-authored-by: Claude Sonnet 4.6 <[email protected]>
You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/4640

-- Commit Summary --

  * tls: tls_rpc remove direct SSL access
  * tls: tls_mod remove direct SSL access
  * tls: cache SSL metadata in tcp connection
  * Add pkcs7 marshalling functions
  * tls: tls_select retrieve data from cache instead of shared memory
  * main: disable pthreads monkey patching when tcp_main_threads > 0
  * tls: disable OpenSSL shared memory for tcp_main_threads > 0
  * tls: RPC tls.reload is not supported ATM in multi-threaded mode
  * tls: ensure OpenSSL runs only in PROC_TCP_MAIN
  * tls: ensure OpenSSL is configured PROC_TCP_MAIN
  * tls: ensure correct SSL_CTX is chosen in multi-threaded mode
  * tls: refactor SSL metadata cache; apply in tls_connect as well

-- File Changes --

    M src/main.c (12)
    M src/modules/tls/tls_domain.c (28)
    M src/modules/tls/tls_init.c (33)
    M src/modules/tls/tls_mod.c (31)
    M src/modules/tls/tls_rpc.c (22)
    M src/modules/tls/tls_select.c (97)
    M src/modules/tls/tls_server.c (267)
    M src/modules/tls/tls_server.h (15)
    M src/modules/tls/tls_util.c (288)
    M src/modules/tls/tls_util.h (5)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/4640.patch
https://github.com/kamailio/kamailio/pull/4640.diff

Message ID: <kamailio/kamailio/pull/[email protected]>
Kamailio - Development Mailing List -- [email protected]
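The pattern the PR describes, as an added illustration that is not code from the PR or from Kamailio: the process that owns the SSL* (PROC_TCP_MAIN) takes one snapshot of handshake metadata into plain buffers stored on the connection, and workers read only those buffers, never the SSL object. The field names follow the PR's `tls_c->ssl_*` list, but the struct layout, buffer sizes, the `tls_meta_*` function names and the sample handshake values are assumptions made here; the OpenSSL getters are named in comments only, so the example builds without libssl.

```c
#include <stdio.h>
#include <string.h>

#define TLS_META_STR_MAX 256
#define TLS_META_CERT_MAX 4096 /* assumed upper bound for a DER cert copy */

/* Assumed cache layout: plain C buffers owned by the tcp connection. */
struct tls_meta_cache {
    int cached;                             /* 0 until the snapshot is taken */
    char ssl_servername[TLS_META_STR_MAX];  /* "" when the client sent no SNI */
    char ssl_cipher_name[TLS_META_STR_MAX];
    char ssl_version[TLS_META_STR_MAX];
    int ssl_cipher_bits;
    long ssl_verify_result;                 /* X509_V_OK is 0 in OpenSSL */
    unsigned char ssl_peer_cert[TLS_META_CERT_MAX];
    size_t ssl_peer_cert_len;               /* 0 when the peer sent no cert */
};

/* Bounded copy that always NUL-terminates; returns -1 when the source was
 * truncated so the caller can report it instead of silently serving a
 * cut-off value to the routing script. */
static int meta_copy_str(char *dst, size_t dst_len, const char *src)
{
    size_t n;
    if(src == NULL) {
        dst[0] = '\0';
        return 0;
    }
    n = strlen(src);
    if(n >= dst_len) {
        memcpy(dst, src, dst_len - 1);
        dst[dst_len - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Run once, in the process that holds the SSL*, after the handshake.
 * The arguments stand in for SSL_get_servername(), SSL_get_cipher_name(),
 * SSL_get_version(), SSL_get_cipher_bits(), SSL_get_verify_result() and a
 * DER encoding of the peer certificate; none of those calls are made here.
 * Returns the number of fields that did not fit (0 means a clean snapshot). */
int tls_meta_cache_fill(struct tls_meta_cache *m, const char *servername,
        const char *cipher_name, const char *version, int cipher_bits,
        long verify_result, const unsigned char *peer_cert_der, size_t der_len)
{
    int truncated = 0;
    memset(m, 0, sizeof(*m));
    truncated += (meta_copy_str(m->ssl_servername, sizeof(m->ssl_servername), servername) < 0);
    truncated += (meta_copy_str(m->ssl_cipher_name, sizeof(m->ssl_cipher_name), cipher_name) < 0);
    truncated += (meta_copy_str(m->ssl_version, sizeof(m->ssl_version), version) < 0);
    m->ssl_cipher_bits = cipher_bits;
    m->ssl_verify_result = verify_result;
    if(peer_cert_der != NULL && der_len > 0) {
        if(der_len > sizeof(m->ssl_peer_cert)) {
            m->ssl_peer_cert_len = 0; /* an oversized cert is dropped, not partially cached */
            truncated++;
        } else {
            memcpy(m->ssl_peer_cert, peer_cert_der, der_len);
            m->ssl_peer_cert_len = der_len;
        }
    }
    m->cached = 1;
    return truncated;
}

/* Worker-side accessors: they touch only the cache, never an SSL*. A
 * pv/sel-style lookup gets NULL (or -1) when nothing was cached, so the
 * script sees "no value" rather than a stale or foreign object. */
const char *tls_meta_servername(const struct tls_meta_cache *m)
{
    if(!m->cached || m->ssl_servername[0] == '\0')
        return NULL;
    return m->ssl_servername;
}

int tls_meta_peer_verified(const struct tls_meta_cache *m)
{
    if(!m->cached || m->ssl_peer_cert_len == 0)
        return -1; /* no peer cert: nothing was verified */
    return m->ssl_verify_result == 0;
}

int main(void)
{
    /* constructed sample handshake values, not taken from a real connection */
    static const unsigned char fake_der[] = {0x30, 0x82, 0x01, 0x0a};
    struct tls_meta_cache c;
    int t = tls_meta_cache_fill(&c, "sip.example.test", "TLS_AES_128_GCM_SHA256",
            "TLSv1.3", 128, 0, fake_der, sizeof(fake_der));
    printf("truncated=%d servername=%s verified=%d\n", t,
            tls_meta_servername(&c), tls_meta_peer_verified(&c));
    return 0;
}
```

The snapshot is taken exactly once per connection, which is the eager-caching cost the Limitations section mentions; the accessors carry the absent-value cases (no SNI, no peer certificate) explicitly so a worker cannot mistake an unfilled cache for a verified peer.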