Hi Since TLS run on TCP, the max TLS connections accepted is based on tcp_max_connections. I thought its better to limit the max tls connections, since tls require more memory for each tls connection.
I did look futher into the issue and the kamailio crashes only when the tool(*thc-ssl-dos)* is ran with periodic renegotiation. Kamailo doesn't crash if the renegotiation is disabled in the tool. The htppd has fixed this issue by providing a flag to disable TLS renegotation in the server from any client. Please find the httpd patch at http://mail-archives.apache.org/mod_mbox/httpd-dev/200911.mbox/raw/%[email protected]%3e/ So I was thinking to apply the same patch in kamailio also. We could have a new flag in tls_domain structure to enable or disable renegotation. Please have a look and let me know your findings. Thanks Jijo On Fri, Dec 9, 2011 at 1:53 AM, Daniel-Constantin Mierla <[email protected]>wrote: > Hello, > > my plan is to look at it as I get back to office (being few days off). > > But, isn't tcp_max_connections applied to tls connections? If not, adding > such limit will be good anyhow. > > Cheers, > Daniel > > > > On 12/7/11 8:57 PM, Jijo wrote: > > Hi All.. > > Any comments/suggestions on this issue? > > Thanks > Jijo > > On Mon, Dec 5, 2011 at 6:56 PM, Jijo <[email protected]> wrote: > >> Hello >> >> I tested using 3.2 and i got the same error. I couldn't get the memlog, >> when i enable , the system doesn't come up. >> >> The latest update from http://www.thc.org/thc-ssl-dos/ says that >> >> "2011-OCT-24 UPDATE: >> SSL-DOS released. Some organizations already found out about this release >> a while ago and mistakenly identified it as an SSL-RENEGOTIATION BUG. This >> is not true. The tool can be modified to work without SSL-RENEGOTIATION by >> just establishing a new TCP connection for every new handshake. " >> >> So this issue could happen if we do TCP connection for every new TLS >> connection with renegotiation. I believe this could be fixed if we could >> block based on max active TLS connections, probably a similar flag for max >> TLS connections like "tcp_max_connections" >> >> >> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 160 -f >> /etc/kamailio/kamailio.cfg'. >> >> Program terminated with signal 11, Segmentation fault. >> #0 0xb61cc2e3 in ?? () from /usr/lib/kamailio/modules/tls.so >> (gdb) bt >> #0 0xb61cc2e3 in ?? () from /usr/lib/kamailio/modules/tls.so >> #1 0xb65199fd in CRYPTO_lock () from /lib/libcrypto.so.1.0.0 >> #2 0xb658c133 in ?? () from /lib/libcrypto.so.1.0.0 >> #3 0xb658d240 in RAND_add () from /lib/libcrypto.so.1.0.0 >> #4 0xb6690d50 in ssl3_accept () from /lib/libssl.so.1.0.0 >> #5 0xb669bd2f in ssl3_read_bytes () from /lib/libssl.so.1.0.0 >> #6 0xb66989b9 in ?? () from /lib/libssl.so.1.0.0 >> #7 0xb66ae499 in SSL_read () from /lib/libssl.so.1.0.0 >> #8 0xb61e1e33 in tls_read_f () from /usr/lib/kamailio/modules/tls.so >> #9 0x08177036 in tcp_read_headers () >> #10 0x081771f6 in tcp_read_req () >> #11 0x08178480 in ?? () >> #12 0x0817af77 in tcp_receive_loop () >> #13 0x08173597 in tcp_init_children () >> #14 0x080b20bf in main_loop () >> #15 0x080b38c3 in main () >> (gdb) >> >> >> >> On Wed, Nov 23, 2011 at 10:35 AM, Daniel-Constantin Mierla < >> [email protected]> wrote: >> >>> Hello, >>> >>> 3.1.0 is not the right choice in 3.1 series, there were many fixes that >>> were added to that release series branch. The latest stable version there >>> is 3.1.5. Try with it (even better, try with latest version from git branch >>> 3.1 -- see >>> http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.1.x-from-git >>> ) >>> >>> In this way we are sure it is not a bug that was fixed after the time of >>> releasing 3.1.0 -- config file and database is the same as for 3.1.0. >>> >>> Cheers, >>> Daniel >>> >>> >>> On 11/23/11 4:01 PM, Jijo wrote: >>> >>> Thanks I will attach the logs soon..meanwhile here is the kamailio and >>> openssl version >>> >>> OB151:~ # /usr/sbin/kamailio -V >>> version: kamailio 3.1.0 (i386/linux) 21a375 >>> flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS, >>> USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, DBG_QM_MALLOC, >>> USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, >>> USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES >>> ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, >>> MAX_URI_SIZE 1024, BUF_SIZE 65535, PKG_SIZE 15MB >>> poll method support: poll, epoll_lt, epoll_et, sigio_rt, select. >>> id: 21a375 >>> compiled on 09:22:51 Nov 4 2011 with gcc 4.5.0 >>> >>> >>> OB151:~ # openssl version -a >>> OpenSSL 1.0.0 29 Mar 2010 >>> built on: 2011-05-31 07:52:17.000000000 +0000 >>> platform: linux-elf >>> options: bn(64,32) rc4(4x,int) des(ptr,risc1,16,long) blowfish(idx) >>> compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT >>> -DDSO_DLFCN -DHAVE_DLFCN_H >>> -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -fomit-frame-pointer >>> -fmessage-length=0 -O2 -Wall >>> -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables >>> -fasynchronous-unwind-tables -g -Wa,--noexecstack -fomit-frame-pointer >>> -fno-strict-aliasing >>> -DTERMIO -Wall -fstack-protector -DOPENSSL_BN_ASM_PART_WORDS >>> -DOPENSSL_IA32_SSE2 >>> -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM >>> -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM >>> OPENSSLDIR: "/etc/ssl" >>> >>> >>> On Wed, Nov 23, 2011 at 4:44 AM, Daniel-Constantin Mierla < >>> [email protected]> wrote: >>> >>>> Hello, >>>> >>>> (discussion kept only on sr-dev as it is very likely going to require >>>> mostly devel interaction). >>>> >>>> What is the version of kamailio (-V command line option). Also, send >>>> the verision of openssl library -- there were many bugs in various lib >>>> versions that had to be workarounded in the module, maybe this is a new one >>>> that has to be fixed. >>>> >>>> Do you get any error message in the syslog at the moment of the crash? >>>> >>>> What would be useful is to get the memory operations log, you can get >>>> it by setting: >>>> >>>> memdbg=1 >>>> memlog=1 >>>> >>>> in config file. >>>> >>>> Then repeat the test and make the log available for download somehow >>>> (if it is too big), from start to the moment of the crash. >>>> >>>> Cheers, >>>> Daniel >>>> >>>> >>>> On 11/22/11 11:30 PM, Jijo wrote: >>>> >>>> Hi All, >>>> >>>> Kamailio is resetting when we do TLS renegotiation dos attack using the >>>> tool available at http://www.thc.org/thc-ssl-dos/. >>>> >>>> Anybody looked at this issue? How we could resolve it. Any idea? >>>> >>>> The core generated for 3 pid's as below >>>> >>>> Pid 1: >>>> >>>> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f >>>> /etc/kamailio/kamailio.cfg'. >>>> Program terminated with signal 11, Segmentation fault. >>>> #0 atomic_inc_int () at atomic/atomic_x86.h:225 >>>> (gdb) bt >>>> #0 atomic_inc_int () at atomic/atomic_x86.h:225 >>>> #1 cfg_update_local () at cfg/cfg_struct.h:228 >>>> #2 timer_main () at timer.c:994 >>>> #3 0x080b0579 in main_loop () at main.c:1632 >>>> #4 0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446 >>>> >>>> >>>> Pid 2: >>>> >>>> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f >>>> /etc/kamailio/kamailio.cfg'. >>>> Program terminated with signal 11, Segmentation fault. >>>> #0 0x0819bfe8 in qm_insert_free (qm=0xaf6c5000, p=0xb05eec30, >>>> file=0xb6fb4140 "tls: tls_init.c", func=0xb6fb4ce0 "ser_free", line=296) >>>> at mem/q_malloc.c:184 >>>> 184 if (frag->size <= f->size) break; >>>> (gdb) bt >>>> #0 0x0819bfe8 in qm_insert_free (qm=0xaf6c5000, p=0xb05eec30, >>>> file=0xb6fb4140 "tls: tls_init.c", func=0xb6fb4ce0 "ser_free", line=296) >>>> at mem/q_malloc.c:184 >>>> #1 qm_free (qm=0xaf6c5000, p=0xb05eec30, file=0xb6fb4140 "tls: >>>> tls_init.c", func=0xb6fb4ce0 "ser_free", line=296) at mem/q_malloc.c:518 >>>> #2 0xb6f95404 in ser_free (ptr=0xb05eec30) at tls_init.c:296 >>>> #3 0xb732e9ba in CRYPTO_free (str=0xb05eec30) at mem.c:391 >>>> #4 0xb7330bee in int_new_ex_data (class_index=5, obj=0xbfd414f4, >>>> ad=0xbfd41574) at ex_data.c:440 >>>> #5 0xb7330443 in CRYPTO_new_ex_data (class_index=5, obj=0xbfd414f4, >>>> ad=0xbfd41574) at ex_data.c:575 >>>> #6 0xb73dfde3 in X509_STORE_CTX_init (ctx=0xbfd414f4, >>>> store=0xafd8b3d0, x509=0xafe08ff0, chain=0x0) at x509_vfy.c:2114 >>>> #7 0xb74b0f31 in ssl3_output_cert_chain (s=0xb0553a10, x=0xafe08ff0) >>>> at s3_both.c:349 >>>> #8 0xb74a4728 in ssl3_send_server_certificate (s=0xb0553a10) at >>>> s3_srvr.c:3034 >>>> #9 0xb74a5879 in ssl3_accept (s=0xb0553a10) at s3_srvr.c:353 >>>> #10 0xb74afa8f in ssl3_read_bytes (s=0xb0553a10, type=23, >>>> buf=0xb0ad44ec "", len=4095, peek=0) at s3_pkt.c:1266 >>>> #11 0xb74ac9c9 in ssl3_read_internal (s=0xb0553a10, buf=0xb0ad44ec, >>>> len=4095, peek=0) at s3_lib.c:3265 >>>> #12 0xb74c24a9 in SSL_read (s=0xb0553a10, buf=0xb0ad44ec, num=4095) at >>>> ssl_lib.c:954 >>>> #13 0xb6fad1c3 in tls_read_f (c=0xb0ad431c, flags=0xbfd619c4) at >>>> tls_server.c:1058 >>>> #14 0x08171c0e in tcp_read_headers (c=0xb0ad431c, >>>> read_flags=0xbfd619c4) at tcp_read.c:406 >>>> #15 0x08171db8 in tcp_read_req (con=0xb0ad431c, bytes_read=0xbfd619cc, >>>> read_flags=0xbfd619c4) at tcp_read.c:885 >>>> #16 0x08172f67 in handle_io (fm=<value optimized out>, events=1, >>>> idx=<value optimized out>) at tcp_read.c:1234 >>>> #17 0x0817583b in io_wait_loop_epoll (unix_sock=89) at io_wait.h:1092 >>>> #18 tcp_receive_loop (unix_sock=89) at tcp_read.c:1345 >>>> #19 0x0816e2e9 in tcp_init_children () at tcp_main.c:4867 >>>> #20 0x080affb1 in main_loop () at main.c:1646 >>>> #21 0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446 >>>> >>>> Pid 3: >>>> >>>> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f >>>> /etc/kamailio/kamailio.cfg'. >>>> Program terminated with signal 11, Segmentation fault. >>>> #0 0xb76c9e7c in memmove () from /lib/libc.so.6 >>>> (gdb) bt >>>> #0 0xb76c9e7c in memmove () from /lib/libc.so.6 >>>> #1 0x081724e7 in tcp_read_req (con=0xb022c8f0, bytes_read=0xbfd619cc, >>>> read_flags=0xbfd619c4) at tcp_read.c:1026 >>>> #2 0x08172f67 in handle_io (fm=<value optimized out>, events=1, >>>> idx=<value optimized out>) at tcp_read.c:1234 >>>> #3 0x0817583b in io_wait_loop_epoll (unix_sock=93) at io_wait.h:1092 >>>> #4 tcp_receive_loop (unix_sock=93) at tcp_read.c:1345 >>>> #5 0x0816e2e9 in tcp_init_children () at tcp_main.c:4867 >>>> #6 0x080affb1 in main_loop () at main.c:1646 >>>> #7 0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446 >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> sr-dev mailing >>>> [email protected]http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev >>>> >>>> >>>> -- >>>> Daniel-Constantin Mierla -- http://www.asipto.com >>>> Kamailio Advanced Training, Dec 5-8, Berlin: >>>> http://asipto.com/u/kathttp://linkedin.com/in/miconda -- >>>> http://twitter.com/miconda >>>> >>>> >>> >>> -- >>> Daniel-Constantin Mierla -- http://www.asipto.com >>> Kamailio Advanced Training, Dec 5-8, Berlin: >>> http://asipto.com/u/kathttp://linkedin.com/in/miconda -- >>> http://twitter.com/miconda >>> >>> >> > > -- > Daniel-Constantin Mierla -- > http://www.asipto.comhttp://linkedin.com/in/miconda -- > http://twitter.com/miconda > >
_______________________________________________ sr-dev mailing list [email protected] http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
