Hi Ovidiu,

The version I am using is 3.2. I am not familiar with the debug symbols, but guess this can be reproduced easily. With ?tls_domain=dom1 attached after the mysql address, it happens. Can you simply check if it is the same behavior? If not, I will dig further by learning how to use the debug symbols.

Thanks!

On Mon, Sep 26, 2022 at 12:30 AM Ovidiu Sas <[email protected]> wrote:

> Which version of opensips are you using?
> Can you install the debug symbols and get a backtrace from the core file?
> https://www.opensips.org/Documentation/TroubleShooting-Crash
>
> Regards,
> Ovidiu Sas
>
> On Sun, Sep 25, 2022 at 6:32 AM jacky z <[email protected]> wrote:
> >
> > Hi Vlad,
> >
> > It seems opensips crashed when I set ?tls_domain=dom1 to enable tls connection to mysql db. I followed the method in the manual.
> >
> > modparam("usrloc", "db_url", "mysql://root:1234@localhost/opensips?tls_domain=dom1")
> >
> > Here is the log.
> >
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:mod_init: initializing TLS management
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined, using default '/etc/pki/CA/'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT activated. Weaker security.
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined, using default '/etc/pki/CA/'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT activated. Weaker security.
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:proto_tls:mod_init: initializing TLS protocol
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:proto_bin:mod_init: initializing BIN protocol
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:clusterer:mod_init: Clusterer module - initializing
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: CRITICAL:core:sig_usr: segfault in attendant (starter) process!
> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243] opensips[4935]: segfault at 0 ip 0000000000000000 sp 00007ffececa3d08 error 14 in opensips[558b5bb75000+1c000]
> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code: Bad RIP value.
> > Sep 25 10:14:01 ip-10-100-20-35 opensips: INFO:core:daemonize: pre-daemon process exiting with -1
> >
> > and my client domain settings
> >
> > #client domain
> > modparam("tls_mgm", "client_domain", "dom1")
> > modparam("tls_mgm", "match_ip_address", "[dom1]*")
> > modparam("tls_mgm", "match_sip_domain", "[dom1]*")
> > modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
> > modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
> > modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
> > modparam("tls_mgm","tls_method", "[dom1]SSLv23")
> > modparam("tls_mgm","verify_cert", "[dom1]0")
> > modparam("tls_mgm","require_cert", "[dom1]0")
> >
> > It is expected to see some other errors such as invalid cert but not crash in pre-daemon process. Any clue on this for me to debug? If I remove "?tls_domain=dom1", there is no such crash though the opensips server still couldn't start because I forced the mysql db to use ssl connection. Thanks!
> >
> > On Mon, Sep 19, 2022 at 9:09 PM Vlad Patrascu <[email protected]> wrote:
> >>
> >> Hi Jacky,
> >>
> >> I can't think of any workaround unfortunately.
> >>
> >> Regards,
> >>
> >> --
> >> Vlad Patrascu
> >> OpenSIPS Core Developer
> >> http://www.opensips-solutions.com
> >>
> >> On 17.09.2022 18:46, jacky z wrote:
> >>
> >> Hi Vlad,
> >>
> >> Is there any workaround to disable the client cert? Thanks!
> >>
> >> On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu <[email protected]> wrote:
> >>>
> >>> Hi Jacky,
> >>>
> >>> OpenSIPS will always require you to configure a client certificate for TLS client domains and will also present that certificate when connecting. But normally, a TLS server can simply choose not to verify the client certificate. I don't have any experience with AWS RDS though but it seems odd to not accept a connection only because the client did present a certificate.
> >>>
> >>> Regards,
> >>>
> >>> --
> >>> Vlad Patrascu
> >>> OpenSIPS Core Developer
> >>> http://www.opensips-solutions.com
> >>>
> >>> On 14.09.2022 05:42, jacky z wrote:
> >>>
> >>> Hi Bogdan-Andrei,
> >>>
> >>> I checked the mariadb documentation and found mariadb has two options to set ssl connection: two-way TLS and one-way TLS. It seems AWS RDS only supports one-way TLS, that is, TLS is used without a client cert. Does OPENSIPS support such one-way TLS to connect a database? Thanks!
> >>>
> >>> On Wed, Sep 14, 2022 at 12:06 AM jacky z <[email protected]> wrote:
> >>>>
> >>>> Hi Bogdan-Andrei,
> >>>>
> >>>> I have set the "certificate" and "private_key" in my script, as I explained in method 1. However, AWS RDS doesn't support a client cert. Please refer to
> >>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
> >>>>
> >>>> Is there any workaround to use the public cert list provided by AWS? Anyone has successfully used RDS with SSL connections? Thanks!
> >>>>
> >>>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu <[email protected]> wrote:
> >>>>>
> >>>>> Set the certificate and key you have in the tls_mgm module, for the "certificate" and "private_key" parameters.
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Bogdan-Andrei Iancu
> >>>>>
> >>>>> OpenSIPS Founder and Developer
> >>>>> https://www.opensips-solutions.com
> >>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
> >>>>> https://www.opensips.org/events/Summit-2022Athens/
> >>>>>
> >>>>> On 9/13/22 2:57 PM, jacky z wrote:
> >>>>>
> >>>>> Hi Bogdan-Andrei,
> >>>>>
> >>>>> I tried two methods.
> >>>>>
> >>>>> Method 1:
> >>>>>
> >>>>> #enabled TLS connection:
> >>>>> modparam("db_mysql", "use_tls", 1)
> >>>>>
> >>>>> #setup a client domain:
> >>>>> modparam("tls_mgm", "client_domain", "dom1")
> >>>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
> >>>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
> >>>>> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
> >>>>> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
> >>>>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
> >>>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
> >>>>> modparam("tls_mgm","verify_cert", "[dom1]0")
> >>>>> modparam("tls_mgm","require_cert", "[dom1]0")
> >>>>> # set db_url
> >>>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
> >>>>> ...
> >>>>>
> >>>>> I couldn't figure out how to use global-bundle.pem AWS provided with this method. No luck to get a connection with RDS. If I don't use ssl, opensips can connect to RDS without encryption.
> >>>>>
> >>>>> Method 2:
> >>>>>
> >>>>> I tried
> >>>>>
> >>>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
> >>>>>
> >>>>> to include the AWS cert. Still no luck.
> >>>>>
> >>>>> Thanks!
> >>>>>
> >>>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu <[email protected]> wrote:
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> sorry for my silly question, but how do you connect from the OpenSIPS side ??
> >>>>>>
> >>>>>> Regards,
> >>>>>>
> >>>>>> Bogdan-Andrei Iancu
> >>>>>>
> >>>>>> OpenSIPS Founder and Developer
> >>>>>> https://www.opensips-solutions.com
> >>>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
> >>>>>> https://www.opensips.org/events/Summit-2022Athens/
> >>>>>>
> >>>>>> On 9/13/22 10:41 AM, jacky z wrote:
> >>>>>>
> >>>>>> Hi Team,
> >>>>>>
> >>>>>> We hope to connect to aws RDS database with ssl encryption.
> >>>>>> We have set up a client domain according to OPENSIPS documents. However, AWS RDS does not support client cert as someone has confirmed with AWS
> >>>>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
> >>>>>>
> >>>>>> Is there any way to use the cert provided by AWS to connect? AWS provides a global-bundle.pem (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) for such a connection, but we don't know how to include it in the config file.
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>> Jacky z
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Users mailing list
> >>>>>> [email protected]
> >>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> --
> VoIP Embedded, Inc.
> http://www.voipembedded.com
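
A small linter for the client-domain settings and `tls_domain` URL parameter quoted in this thread, added here as an example; it is not code from the thread or from the OpenSIPS project, and it does not diagnose the reported segfault. The function name `lint_tls_domains` and the single-line `modparam` regex are assumptions of the example, and the sample config is constructed from the settings quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the settings quoted in the thread (db_url from the crash report).
SAMPLE_CFG = '''
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("usrloc", "db_url", "mysql://root:1234@localhost/opensips?tls_domain=dom1")
'''

# Assumption: each modparam(module, param, value) call sits on one line.
MODPARAM = re.compile(r'modparam\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*"?([^")]*)"?\s*\)')
# tls_mgm values are scoped to a domain with a "[name]" prefix.
SCOPED = re.compile(r'\[([^\]]+)\](.*)')

def lint_tls_domains(cfg):
    """Return (domain, finding) pairs for every tls_domain referenced by a db_url."""
    declared, params, used = set(), {}, set()
    for module, param, value in MODPARAM.findall(cfg):
        scoped = SCOPED.fullmatch(value)
        if module == "tls_mgm" and param == "client_domain":
            declared.add(value)
        elif module == "tls_mgm" and scoped:
            params.setdefault(scoped.group(1), {})[param] = scoped.group(2)
        elif param == "db_url":
            used.update(parse_qs(urlsplit(value).query).get("tls_domain", []))
    findings = []
    for dom in sorted(used):
        settings = params.get(dom, {})
        if dom not in declared:
            findings.append((dom, "not declared with client_domain"))
        # Per the thread, a client domain always needs a certificate and key.
        for required in ("certificate", "private_key"):
            if required not in settings:
                findings.append((dom, f"missing {required}"))
        # Matches the "server verification NOT activated" log line above.
        if settings.get("verify_cert") == "0":
            findings.append((dom, "verify_cert is 0: server certificate is not verified"))
    return findings

if __name__ == "__main__":
    for dom, finding in lint_tls_domains(SAMPLE_CFG):
        print(f"[{dom}] {finding}")
```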
