I encountered a crash related to TLS connections and I was wondering if it's a similar issue. It seems not; the crash that I encountered happens only on 3.3.
If you installed opensips from a package, you need to install opensips-dbg package to get the debug symbols. After that, you can locate the core file on your server and inspect it with gdb. Everything should be detailed here: https://www.opensips.org/Documentation/TroubleShooting-Crash

-ovidiu

On Mon, Sep 26, 2022 at 2:54 AM jacky z <[email protected]> wrote:
>
> Hi Ovidiu,
>
> The version I am using is 3.2. I am not familiar with the debug symbols, but
> guess this can be reproduced easily. With ?tls_domain=dom1 attached after the
> mysql address, it happens. Can you simply check if it is the same behavior?
> If not, I will dig further by learning how to use the debug symbols. Thanks!
>
> On Mon, Sep 26, 2022 at 12:30 AM Ovidiu Sas <[email protected]> wrote:
>>
>> Which version of opensips are you using?
>> Can you install the debug symbols and get a backtrace from the core file?
>> https://www.opensips.org/Documentation/TroubleShooting-Crash
>>
>> Regards,
>> Ovidiu Sas
>>
>> On Sun, Sep 25, 2022 at 6:32 AM jacky z <[email protected]> wrote:
>> >
>> > Hi Vlad,
>> >
>> > It seems opensips crashed when I set ?tls_domain=dom1 to enable tls
>> > connection to mysql db. I followed the method in the manual.
>> >
>> > modparam("usrloc", "db_url",
>> > "mysql://root:1234@localhost/opensips?tls_domain=dom1")
>> >
>> >
>> > Here is the log.
>> >
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > INFO:tls_mgm:mod_init: initializing TLS management
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined, using
>> > default '/etc/pki/CA/'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT
>> > activated. Weaker security.
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined, using
>> > default '/etc/pki/CA/'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT
>> > activated. Weaker security.
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > INFO:proto_tls:mod_init: initializing TLS protocol
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > INFO:proto_bin:mod_init: initializing BIN protocol
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > INFO:clusterer:mod_init: Clusterer module - initializing
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>> > CRITICAL:core:sig_usr: segfault in attendant (starter) process!
>> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243] opensips[4935]:
>> > segfault at 0 ip 0000000000000000 sp 00007ffececa3d08 error 14 in
>> > opensips[558b5bb75000+1c000]
>> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code: Bad RIP value.
>> > Sep 25 10:14:01 ip-10-100-20-35 opensips: INFO:core:daemonize: pre-daemon
>> > process exiting with -1
>> >
>> > and my client domain settings
>> >
>> > #client domain
>> > modparam("tls_mgm", "client_domain", "dom1")
>> > modparam("tls_mgm", "match_ip_address", "[dom1]*")
>> > modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>> > modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
>> > modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
>> > modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
>> > modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>> > modparam("tls_mgm","verify_cert", "[dom1]0")
>> > modparam("tls_mgm","require_cert", "[dom1]0")
>> >
>> > It is expected to see some other errors such as invalid cert but not crash
>> > in pre-daemon process. Any clue on this for me to debug? If I remove
>> > "?tls_domain=dom1", there is no such crash though the opensips server
>> > still couldn't start because I forced the mysql db to use ssl connection.
>> > Thanks!
>> >
>> > On Mon, Sep 19, 2022 at 9:09 PM Vlad Patrascu <[email protected]> wrote:
>> >>
>> >> Hi Jacky,
>> >>
>> >> I can't think of any workaround unfortunately.
>> >>
>> >> Regards,
>> >>
>> >> --
>> >> Vlad Patrascu
>> >> OpenSIPS Core Developer
>> >> http://www.opensips-solutions.com
>> >>
>> >> On 17.09.2022 18:46, jacky z wrote:
>> >>
>> >> Hi Vlad,
>> >>
>> >> Is there any workaround to disable the client cert? Thanks!
>> >>
>> >> On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu <[email protected]> wrote:
>> >>>
>> >>> Hi Jacky,
>> >>>
>> >>> OpenSIPS will always require you to configure a client certificate for
>> >>> TLS client domains and will also present that certificate when
>> >>> connecting. But normally, a TLS server can simply choose not to verify
>> >>> the client certificate. I don't have any experience with AWS RDS though
>> >>> but it seems odd to not accept a connection only because the client did
>> >>> present a certificate.
>> >>>
>> >>> Regards,
>> >>>
>> >>> --
>> >>> Vlad Patrascu
>> >>> OpenSIPS Core Developer
>> >>> http://www.opensips-solutions.com
>> >>>
>> >>> On 14.09.2022 05:42, jacky z wrote:
>> >>>
>> >>> Hi Bogdan-Andrei,
>> >>>
>> >>> I checked the mariadb documentation and found mariadb has two options to
>> >>> set ssl connection: two-way TLS and one-way TLS. It seems AWS RDS only
>> >>> supports one-way TLS, that is, TLS is used without a client cert. Does
>> >>> OPENSIPS support such one-way TLS to connect a database? Thanks!
>> >>>
>> >>> On Wed, Sep 14, 2022 at 12:06 AM jacky z <[email protected]> wrote:
>> >>>>
>> >>>> Hi Bogdan-Andrei,
>> >>>>
>> >>>> I have set the "certificate" and "private_key" in my script, as I
>> >>>> explained in method 1. However, AWS RDS doesn't support a client cert.
>> >>>> Please refer to
>> >>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>> >>>>
>> >>>> Is there any workaround to use the public cert list provided by AWS?
>> >>>> Anyone has successfully used RDS with SSL connections? Thanks!
>> >>>>
>> >>>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu
>> >>>> <[email protected]> wrote:
>> >>>>>
>> >>>>> Set the certificate and key you have in the tls_mgm module, for the
>> >>>>> "certificate" and "private_key" parameters.
>> >>>>>
>> >>>>> Regards,
>> >>>>>
>> >>>>> Bogdan-Andrei Iancu
>> >>>>>
>> >>>>> OpenSIPS Founder and Developer
>> >>>>> https://www.opensips-solutions.com
>> >>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>> >>>>> https://www.opensips.org/events/Summit-2022Athens/
>> >>>>>
>> >>>>> On 9/13/22 2:57 PM, jacky z wrote:
>> >>>>>
>> >>>>> Hi Bogdan-Andrei,
>> >>>>>
>> >>>>> I tried two methods.
>> >>>>>
>> >>>>> Method 1:
>> >>>>>
>> >>>>> #enabled TLS connection:
>> >>>>> modparam("db_mysql", "use_tls", 1)
>> >>>>>
>> >>>>> #setup a client domain:
>> >>>>> modparam("tls_mgm", "client_domain", "dom1")
>> >>>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
>> >>>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>> >>>>> modparam("tls_mgm","certificate",
>> >>>>> "[dom1]/etc/ssl/certs/rootCACert.pem")
>> >>>>> modparam("tls_mgm","private_key",
>> >>>>> "[dom1]/etc/ssl/private/rootCAKey.pem")
>> >>>>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
>> >>>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>> >>>>> modparam("tls_mgm","verify_cert", "[dom1]0")
>> >>>>> modparam("tls_mgm","require_cert", "[dom1]0")
>> >>>>> # set db_url
>> >>>>> modparam("usrloc", "db_url",
>> >>>>> "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
>> >>>>> ...
>> >>>>>
>> >>>>> I couldn't figure out how to use global-bundle.pem AWS provided with
>> >>>>> this method. No luck to get a connection with RDS. If I don't use ssl,
>> >>>>> opensips can connect to RDS without encryption.
>> >>>>>
>> >>>>> Method 2:
>> >>>>>
>> >>>>> I tried
>> >>>>>
>> >>>>> modparam("usrloc", "db_url",
>> >>>>> "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>> >>>>>
>> >>>>> to include the AWS cert. Still no luck.
>> >>>>>
>> >>>>> Thanks!
>> >>>>>
>> >>>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu
>> >>>>> <[email protected]> wrote:
>> >>>>>>
>> >>>>>> Hi,
>> >>>>>>
>> >>>>>> sorry for my silly question, but how do you connect from the OpenSIPS
>> >>>>>> side ??
>> >>>>>>
>> >>>>>> Regards,
>> >>>>>>
>> >>>>>> Bogdan-Andrei Iancu
>> >>>>>>
>> >>>>>> OpenSIPS Founder and Developer
>> >>>>>> https://www.opensips-solutions.com
>> >>>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>> >>>>>> https://www.opensips.org/events/Summit-2022Athens/
>> >>>>>>
>> >>>>>> On 9/13/22 10:41 AM, jacky z wrote:
>> >>>>>>
>> >>>>>> Hi Team,
>> >>>>>>
>> >>>>>> We hope to connect to aws RDS database with ssl encryption. We have
>> >>>>>> set up a client domain according to OPENSIPS documents. However, AWS
>> >>>>>> RDS does not support client cert as someone has confirmed with AWS
>> >>>>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>> >>>>>>
>> >>>>>> Is there any way to use the cert provided by AWS to connect? AWS
>> >>>>>> provides a global-bundle.pem
>> >>>>>> (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>> >>>>>> for such a connection, but we don't know how to include it in the
>> >>>>>> config file.
>> >>>>>>
>> >>>>>> Thanks
>> >>>>>>
>> >>>>>> Jacky z
>> >>>>>>
>> >>>>>> _______________________________________________
>> >>>>>> Users mailing list
>> >>>>>> [email protected]
>> >>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

--
VoIP Embedded, Inc.
http://www.voipembedded.com
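
Added example (not part of the original thread and not OpenSIPS code): a small Python check that reads an OpenSIPS script and, for every mysql:// db_url, reports whether the tls_domain it names is a defined tls_mgm client domain and whether verify_cert is set to 0 for it, the setting behind the "server verification NOT activated. Weaker security." log line quoted above. The function names, the finding labels, the dialog and acc lines and the dom2 domain are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

MODPARAM = re.compile(r'modparam\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*'
                      r'(?:"([^"]*)"|(-?\d+))\s*\)')
DOM_VALUE = re.compile(r'^\[([^\]]+)\](.*)$')   # tls_mgm "[domain]value" form

# Constructed sample, modelled on the settings quoted in the thread.
SAMPLE = '''
# client domain
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("tls_mgm","require_cert", "[dom1]0")
modparam("usrloc", "db_url",
         "mysql://root:1234@localhost/opensips?tls_domain=dom1")
modparam("dialog", "db_url", "mysql://root:1234@localhost/opensips")
modparam("acc", "db_url", "mysql://root:1234@localhost/opensips?tls_domain=dom2")
'''

def parse_modparams(script):
    """Return (module, param, value) tuples; '#' comment lines are skipped."""
    live = "\n".join(line for line in script.splitlines()
                     if not line.lstrip().startswith("#"))
    return [(m, p, s or n) for m, p, s, n in MODPARAM.findall(live)]

def audit_db_tls(script):
    """Return (module, finding) pairs for each mysql:// db_url in the script."""
    params = parse_modparams(script)
    client_domains = {v for m, p, v in params
                      if m == "tls_mgm" and p == "client_domain"}
    settings = {}                                # domain -> {param: value}
    for m, p, v in params:
        hit = DOM_VALUE.match(v) if m == "tls_mgm" else None
        if hit:
            settings.setdefault(hit.group(1), {})[p] = hit.group(2)
    findings = []
    for m, p, v in params:
        if p != "db_url" or not v.startswith("mysql://"):
            continue
        dom = parse_qs(v.partition("?")[2]).get("tls_domain", [None])[0]
        if dom is None:
            findings.append((m, "no-tls-domain"))        # URL names no TLS domain
        elif dom not in client_domains:
            findings.append((m, "undefined-domain:" + dom))
        elif settings.get(dom, {}).get("verify_cert") == "0":
            findings.append((m, "server-cert-not-verified:" + dom))
    return findings

if __name__ == "__main__":
    for module, finding in audit_db_tls(SAMPLE):
        print(module, finding)
```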
