> On 30 Aug 2021, at 14:23, Daniel-Constantin Mierla <mico...@gmail.com> wrote:
> 
> Actually the active tls connections are not closed (and thus not
> re-opened) on tls.reload. It should use the new tls.cfg and
> corresponding certs only for the new connections. Old connections should
> not be affected by reload.
Cool. Thank you for that clarification.

/O
> 
> Cheers,
> Daniel
> 
> On 30.08.21 13:57, Olle E. Johansson wrote:
>> For the archives:
>> 
>> If you have a configuration file for your tls connections (not kamailio.cfg 
>> modparams) I believe the TLS module will reopen connections at tls.reload. 
>> If you update the certificates the new ones will be active after reload. 
>> This does not happen if you use modparams. Meaning if you use letsencrypt, 
>> your hook to reload with new certs is tls.reload.
>> This probably means that open connections will be closed.
>> 
>> I don’t know if connections are affected if you use modparams. 
>> /O
>> 
>> 
>> 
>>> On 30 Aug 2021, at 13:39, Sebastian Damm <sd...@pascom.net> wrote:
>>> 
>>> Hi,
>>> 
>>> I suppose, it happens for real connections, too. But since it's so 
>>> sporadic, I guess, clients just retry and then it works.
>>> 
>>> The operating system is an Ubuntu 18.04 (getting replaced by Ubuntu 20.04 
>>> soon), thus it's running with libssl 1.1.1.
>>> 
>>> Regards,
>>> Sebastian
>>> 
>>> ----- Original Message -----
>>> From: "miconda" <mico...@gmail.com>
>>> To: "sr-users" <sr-users@lists.kamailio.org>, "Sebastian Damm" 
>>> <sd...@pascom.net>
>>> Sent: Monday, 30 August 2021 13:28:04
>>> Subject: Re: [SR-Users] What does "tls.reload" actually do?
>>> 
>>> Hello,
>>> 
>>> does it happen only for connections done by the monitoring system? Or
>>> also for the connections tried from the usual sip phones?
>>> 
>>> What is the operating system and libssl version?
>>> 
>>> Cheers,
>>> Daniel
>>> 
>>> On 30.08.21 11:57, Sebastian Damm wrote:
>>>> Hi Henning,
>>>> 
>>>> unfortunately, I don't have a host without traffic showing the same 
>>>> behavior. Our dev hosts usually don't run long enough. (And they usually 
>>>> don't get monitored.)
>>>> 
>>>> The "sporadically" meant, that it can take sometimes up to one week until 
>>>> it occurs on the same host again. And yes, some hosts have a bit more 
>>>> traffic than others, I suppose that's why it occurs earlier on some hosts, 
>>>> later on others.
>>>> 
>>>> I guess we have to deploy updates more often. ;)
>>>> 
>>>> Regards,
>>>> Sebastian
>>>> 
>>>> ----- Original Message -----
>>>> From: "Henning Westerholt" <h...@skalatan.de>
>>>> To: "sr-users" <sr-users@lists.kamailio.org>
>>>> CC: "Sebastian Damm" <sd...@pascom.net>
>>>> Sent: Tuesday, 24 August 2021 14:21:31
>>>> Subject: RE: What does "tls.reload" actually do?
>>>> 
>>>> Hello Sebastian,
>>>> 
>>>> on a first look to the code the tls.reload does similar operations as done 
>>>> during normal server startup, like
>>>> - load configuration
>>>> - fixing domains
>>>> - check sockets
>>>> 
>>>> If the error only happens sporadically and on some servers, it is probably 
>>>> either an error that only occurs in specific circumstances unrelated to 
>>>> kamailio, or some internal corruption topic in the module/server.
>>>> 
>>>> Do you see it also on e.g., test systems without any real load? Is there a 
>>>> difference between the systems in kind of load, and this maybe also causes 
>>>> some difference when the error occurs?
>>>> 
>>>> Cheers,
>>>> 
>>>> Henning
>>>> 
>>>> -- 
>>>> Henning Westerholt - https://skalatan.de/blog/
>>>> Kamailio services - https://gilawa.com 
>>>> 
>>>> -----Original Message-----
>>>> From: sr-users <sr-users-boun...@lists.kamailio.org> On Behalf Of 
>>>> Sebastian Damm
>>>> Sent: Tuesday, August 24, 2021 1:58 PM
>>>> To: sr-users <sr-users@lists.kamailio.org>
>>>> Subject: [SR-Users] What does "tls.reload" actually do?
>>>> 
>>>> Hi,
>>>> 
>>>> I noticed a strange behavior on some of our proxy servers, all running 
>>>> Kamailio 5.3.8. After running for some time (weeks), our monitoring system 
>>>> sporadically starts reporting errors. The check connects via tls and 
>>>> registers to an Asterisk behind the proxy server. When this happens, the 
>>>> Kamailio log shows the following line:
>>>> 
>>>> ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1409441B:SSL 
>>>> routines:ssl3_read_bytes:tlsv1 alert decrypt error
>>>> 
>>>> When restarting Kamailio, the problem goes away only to come back after 
>>>> some weeks uptime again.
>>>> 
>>>> On one host, I tried to find something using kamcmd, and I don't know why 
>>>> but I also issued "tls.reload". And from that point, the monitoring system 
>>>> has not reported the system as faulty anymore. I repeated the same thing 
>>>> on other hosts when the problem occurred there, all with the same result. 
>>>> "tls.reload" helps. But from the documentation, I don't know why.
>>>> 
>>>> Does anybody have an explanation for it?
>>>> 
>>>> Regards,
>>>> Sebastian
>>>> 
>>>> 
>>>> __________________________________________________________
>>>> Kamailio - Users Mailing List - Non Commercial Discussions
>>>> * sr-users@lists.kamailio.org
>>>> Important: keep the mailing list in the recipients, do not reply only to 
>>>> the sender!
>>>> Edit mailing list options or unsubscribe:
>>>> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>> 
>>> -- 
>>> Daniel-Constantin Mierla -- www.asipto.com
>>> www.twitter.com/miconda -- www.linkedin.com/in/miconda/
> 
> -- 
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> 
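Added example, not part of the original thread and not Kamailio code: a small log triage script that decodes the OpenSSL error code in the `tls_err_ret()` line quoted above and reports which TLS alert the peer sent. It assumes the OpenSSL 1.1.1 packed error layout (the thread mentions libssl 1.1.1; OpenSSL 3.x packs codes differently), and the syslog prefixes and sample lines are constructed.

```python
import re
from collections import Counter

# TLS alert numbers (RFC 5246 / RFC 8446) commonly seen during handshakes.
TLS_ALERTS = {20: "bad_record_mac", 40: "handshake_failure", 42: "bad_certificate",
              45: "certificate_expired", 48: "unknown_ca", 51: "decrypt_error"}
ERR_LIB_SSL = 20             # OpenSSL library number for libssl
ALERT_REASON_OFFSET = 1000   # OpenSSL SSL_AD_REASON_OFFSET

# Matches the tls_err_ret() line format quoted in the thread.
TLS_ERR = re.compile(r"tls_err_ret\(\): (?P<op>TLS \w+):error:(?P<code>[0-9A-Fa-f]{8}):")

def decode_openssl_111(code_hex):
    """Split an OpenSSL 1.1.1 packed error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def peer_alert(code_hex):
    """Name the TLS alert if the code records one received from the peer, else None."""
    lib, _func, reason = decode_openssl_111(code_hex)
    if lib != ERR_LIB_SSL or reason < ALERT_REASON_OFFSET:
        return None
    number = reason - ALERT_REASON_OFFSET
    return TLS_ALERTS.get(number, f"alert_{number}")

def summarize(lines):
    """Count peer-sent alerts per (TLS operation, alert name)."""
    counts = Counter()
    for line in lines:
        m = TLS_ERR.search(line)
        if m and (alert := peer_alert(m["code"])):
            counts[(m["op"], alert)] += 1
    return counts

# Constructed sample log; only the first message text is taken from the thread.
SAMPLE_LOG = [
    "Aug 24 13:50:01 proxy1 kamailio[811]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error",
    "Aug 24 13:50:07 proxy1 kamailio[811]: INFO: <script>: REGISTER from monitoring",
    "Aug 24 13:55:01 proxy1 kamailio[812]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error",
    "Aug 24 13:56:12 proxy1 kamailio[812]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate",
    "Aug 24 13:57:30 proxy1 kamailio[811]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1408F10B:SSL routines:ssl3_get_record:wrong version number",
]

if __name__ == "__main__":
    for (op, alert), n in summarize(SAMPLE_LOG).items():
        print(f"{op}: peer sent {alert} x{n}")
```

Code `1409441B` decodes to reason 1051, i.e. alert 51 (`decrypt_error`) read from the peer during the handshake, so the log line records the client rejecting the handshake rather than a local decryption failure.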

