[OpenSIPS-Users] tls error

Pasan Meemaduma pasan_5 at yahoo.com
Wed Apr 8 09:35:41 EST 2020


Hi Guys.
Hope everyone is safe and stays safe. I'm running into an issue using TLS in OpenSIPS. I'm trying to have two connections from Asterisk servers, but only one server connection is accepted at a time. Both Asterisk servers are using the same wildcard cert for their TLS connections. I'm getting the error below:
Apr  8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr  8 09:22:46 [2863] ERROR:proto_tls:_tls_read: SYSCALL error -> (11) <Resource temporarily unavailable>
Apr  8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr  8 09:22:46 [2863] ERROR:proto_tls:_tls_read: TLS connection to x.x.x.x:60550 read failed
Apr  8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr  8 09:22:46 [2863] ERROR:proto_tls:_tls_read: TLS read error: 5
Apr  8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr  8 09:22:46 [2863] ERROR:proto_tls:tls_print_errstack: TLS errstack: error:0200100D:system library:fopen:Permission denied
Apr  8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr  8 09:22:46 [2863] ERROR:proto_tls:tls_print_errstack: TLS errstack: error:20074002:BIO routines:file_ctrl:system lib
Apr  8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr  8 09:22:46 [2863] ERROR:proto_tls:tls_print_errstack: TLS errstack: error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib
Apr  8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr  8 09:22:46 [2863] ERROR:proto_tls:tls_read_req: failed to read


asterisk 1 (tls) ---> opensips
asterisk 2 (tls) ---> opensips

I'm using the OpenSIPS build below:
opensips -V
version: opensips 2.4.6 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
main.c compiled on  with gcc 6.3.0


I tried updating to the latest 2.4.7, but then the OpenSIPS processes get stuck in a loop consuming all CPUs when the TLS module is loaded with the exact config that runs on 2.4.6. Any hint or clue would be helpful.
The opensips config is as below:
####### Global Parameters #########

# NOTE(review): log_level 5 is debug-level and very chatty; it also sends the
# xlog() lines in the routes below (RURIs, source addresses) to the log.
# Presumably raised to chase the TLS failure — lower it once that is solved.
log_level=5
log_stderror=yes
log_facility=LOG_LOCAL0

#udp_workers=1
#tcp_workers=1
# NOTE(review): in 2.4 this value is in milliseconds (default 100) — confirm
# 900 is intentional.
tcp_connect_timeout=900

auto_aliases=no
alias=tls:x.cloud:5061
alias=udp:172.31.36.39:5060

listen=tls:172.31.36.39:5061
listen=udp:172.31.36.39:5060   # CUSTOMIZE ME
# Private listen address, separate public advertised address — presumably a
# NATed (cloud) host.
advertised_address=x.x.x.x




####### Modules Section ########

#set module path
mpath="/usr/lib/x86_64-linux-gnu/opensips/modules/"

# TLS: tls_mgm holds the certificates / verification policy, proto_tls is
# the transport that uses them.
loadmodule "tls_mgm.so"
loadmodule "proto_tls.so"
#loadmodule "proto_hep.so"
loadmodule "uri.so"
loadmodule "drouting.so"
loadmodule "db_mysql.so"
#### SIGNALING module
loadmodule "signaling.so"
loadmodule "textops.so"
#### StateLess module
loadmodule "sl.so"
# avpops: used for the avp_db_query() lookups in the main route
loadmodule "avpops.so"

#### Transaction Module
loadmodule "tm.so"
modparam("tm", "fr_timeout", 30)
modparam("tm", "fr_inv_timeout", 60)
modparam("tm", "restart_fr_on_each_reply", 0)
modparam("tm", "onreply_avp_mode", 1)
modparam("tm", "via1_matching", 0)
modparam("tm", "ruri_matching", 0)
modparam("tm", "T1_timer", 1000)

#### Record Route Module
loadmodule "rr.so"
#modparam("rr", "append_fromtag", 1)
#### MAX ForWarD module
loadmodule "maxfwd.so"

loadmodule "nathelper.so"

#### SIP MSG OPerationS module
loadmodule "sipmsgops.so"

#### FIFO Management Interface
loadmodule "mi_fifo.so"
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
# NOTE(review): 0666 makes the management FIFO writable by every local
# account, and /tmp is a shared world-writable directory; whoever can write
# to the FIFO can issue MI commands to this instance.  Prefer 0660 together
# with fifo_user/fifo_group and a directory owned by the opensips user.
modparam("mi_fifo", "fifo_mode", 0666)

# permissions: backs check_source_address("0") in the main route (trusted
# peers are the group-0 entries in the address table).
loadmodule "permissions.so"
# db_url carries the DB password in clear text — keep this file readable
# only by root / the opensips user.
modparam("permissions", "db_url","mysql://opensips:xx@localhost/opensips")


loadmodule "proto_udp.so"

# RULE of THUMB make sure certs can be read by opensips user 
# otherwise Its a nightmare to debug :(
# NOTE(review): the errstack in the report ("system library:fopen:Permission
# denied" under X509_load_cert_file, raised while _tls_read was running) is
# consistent with a file under ca_dir or ca_list that the user the worker
# processes run as cannot open — check as that user, following any symlinks
# in /etc/ssl/certs/.
# Unprefixed values below appear to be the defaults and the [dom1] lines
# override them for dom1 — confirm against the tls_mgm docs for 2.4 which
# set a given domain actually ends up with.
modparam("tls_mgm", "certificate", "/etc/opensips/tls/default.crt")
modparam("tls_mgm", "private_key","/etc/opensips/tls/default.key")
modparam("tls_mgm", "ca_list", "/etc/opensips/tls/ca-default.crt")
modparam("tls_mgm", "ca_dir", "/etc/ssl/certs/")
modparam("tls_mgm","verify_cert", "1")
modparam("tls_mgm","require_cert", "1")


# Server domain for the TLS listener.  verify_cert + require_cert mean every
# connecting client (both Asterisk boxes) must present a certificate that
# chains to ca_list / ca_dir, or the handshake is rejected.
modparam("tls_mgm", "server_domain", "dom1=172.31.36.39:5061")
modparam("tls_mgm","verify_cert", "[dom1]1")
modparam("tls_mgm","require_cert", "[dom1]1")
# Pinned to TLS 1.2 only.
modparam("tls_mgm","tls_method", "[dom1]TLSv1_2")
modparam("tls_mgm","certificate", "[dom1]/etc/tls/x.cloud/x.cloud.crt")
modparam("tls_mgm","private_key", "[dom1]/etc/tls/x.cloud/x.cloud.key")
modparam("tls_mgm", "ca_list", "[dom1]/etc/tls/x.cloud/x.cloud-ca.crt")
modparam("tls_mgm", "ca_dir", "[dom1]/etc/ssl/certs/")
# NOTE(review): milliseconds in 2.4 (default 100) — confirm 900 is intended.
modparam("tls_mgm", "tls_handshake_timeout", 900)
# NOTE(review): this caps how fragmented a single SIP message may arrive
# before the connection is dropped (default 4); a value this high largely
# disables that guard — confirm it is needed.
modparam("proto_tls", "tls_max_msg_chunks", 1024)


# Clear-text DB passwords again — same file-permission caveat as above.
modparam("drouting", "db_url","mysql://opensips:x@localhost/opensips")
# The " at " in the URI is the mailing-list archive's munging of "@".
modparam("drouting", "probing_from", "sip:pinger at x.x.x.x")

modparam("avpops","db_url","mysql://opensips:x@localhost/opensips")

####### Routing Logic ########

# main request routing logic

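route{
    force_rport();

    # Max-Forwards guard: loop protection, handled statelessly.
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    }

    # OPTIONS pings are answered locally and never relayed.
    if(is_method("OPTIONS")) {
        xlog("L_INFO", "[MS TEAMS] OPTIONS In\n");
        sl_send_reply("200", "OK");
        exit;
    }

    # absorb retransmissions, but do not create transaction
    t_check_trans();

    if (has_totag()) {
        # In-dialog INVITE/BYE from a source in permissions group 0 is
        # relayed as-is on its RURI.  The exit is required: without it the
        # request fell through to the loose_route() block below, where a
        # successful loose_route() relayed it a second time via
        # route(relay), and a failed one sent a stateless 404 on top of the
        # transaction that t_relay() had just created.
        if(is_method("INVITE|BYE") && check_source_address("0")) {
            xlog("In dialog Method=$rm, RURI=$ruri, SI=$si ,DU=$du\n");
            t_relay();
            exit;
        }

        # sequential request within a dialog should
        # take the path determined by record-routing
        if ( !loose_route() ) {
            # we do record-routing for all our traffic, so we should not
            # receive any sequential requests without Route hdr.
            sl_send_reply("404", "Not here");
            exit;
        }
        # route it out to whatever destination was set by loose_route()
        # in $du (destination URI).
        route(relay);
        exit;
    }

    # CANCEL processing: relay only if the matching INVITE transaction exists
    if (is_method("CANCEL")) {
        if (t_check_trans())
            t_relay();
        exit;
    }

    # Initial INVITE from a source NOT in permissions group 0: look up the
    # MS Teams domain for the dialled number and route it out via drouting.
    # $rU goes through s.escape.common before it is placed inside the
    # quoted SQL literal — that escaping is what keeps a crafted RURI user
    # part from breaking out of the query; keep it.
    if (is_method("INVITE") && ! has_totag() && ! check_source_address("0")) {
        xlog("Incoming call to MS: RURI=$ruri, SI=$si, M=$rm\n");
        if(!avp_db_query("SELECT msteams_domain FROM vpabx_routing WHERE phone_number='$(rU{s.escape.common})'", "$avp(teamsdomain)")){
            sl_send_reply("404", "User Not Found");
            exit;
        }
        # Record-Route towards the Teams side: their domain on TLS 5061,
        # with the private UDP address on the inbound leg (two RR headers,
        # r2=on).
        $var(rrhdr) = $avp(teamsdomain) + ":5061;transport=tls";
        strip(1);
        # NOTE(review): do_routing()'s return value is not checked; if no
        # rule matches, the INVITE is still relayed to the rewritten RURI —
        # confirm that is intended.
        do_routing("1");
        prefix("+");
        record_route_preset("$var(rrhdr)", "172.31.36.39:5060");
        add_rr_param(";r2=on");
        route(relay);
    } else if (is_method("INVITE") && ! has_totag()) {
        # Initial INVITE from a group-0 source (presumably the Teams side):
        # look up the customer PBX domain for the calling number ($fU,
        # escaped the same way) and send the call there.
        record_route();
        xlog("Incoming call from MS: RURI=$ruri, SI=$si, M=$rm\n");
        if(!avp_db_query("SELECT vpabx_domain FROM vpabx_routing WHERE phone_number='$(fU{s.escape.common})'","$avp(ddomain)")){
            sl_send_reply("404", "User Not Found");
            exit;
        }
        $rd = $avp(ddomain);
        route(relay);
    }

    # Anything not addressed to this host is relayed as-is.
    if (!is_myself("$rd")) {
        append_hf("P-hint: outbound\r\n");
        route(relay);
    }

    # requests for my domain

    if (is_method("PUBLISH|SUBSCRIBE")) {
        sl_send_reply("503", "Service Unavailable");
        exit;
    }

    if ($rU==NULL) {
        # request with no Username in RURI
        sl_send_reply("484", "Address Incomplete");
        exit;
    }

    # NOTE(review): any other request for this host (e.g. REGISTER) falls
    # off the end of the route here and is neither replied to nor relayed;
    # the commented-out relay below suggests this part is still unfinished.
    # when routing via usrloc, log the missed calls also
    #route(relay);
}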


# Stateful relay helper.  Every path out of this route ends in exit, so
# callers can rely on it never returning to them.
route[relay] {
    # Initial INVITEs get their transaction up front plus the reply route
    # (handle_nat, which in this config only logs the replies).
    if (!has_totag() && is_method("INVITE")) {
        t_newtran();
        t_on_reply("handle_nat");
    }
    xlog("Method=$rm, RURI=$ruri, SI=$si ,DU=$du\n");
    if (t_relay()) {
        exit;
    }
    # t_relay() failed: answer statelessly with a 500.
    sl_send_reply("500", "Internal Error");
    exit;
}




# Logs the RURI of each outgoing branch.  Not armed anywhere in the config
# as pasted (no t_on_branch("per_branch_ops") call), so it never runs as-is.
branch_route[per_branch_ops] {
    xlog("new branch at $ru\n");
}


# Armed by route[relay] for initial INVITEs via t_on_reply("handle_nat").
# Despite the name it does no NAT handling; it only logs each reply.
onreply_route[handle_nat] {
    xlog("incoming reply: RR=$rr, RS=$rs, SI=$si\n");
}


# Not armed anywhere in the config as pasted (no t_on_failure("missed_call")
# call), so it currently never runs.  If it is armed later: a cancelled
# transaction just stops here; for any other failure nothing is done, so
# tm's default handling of the negative reply applies.
failure_route[missed_call] {
    if (t_was_cancelled()) {
        exit;
    }
}


# Runs for requests generated locally by tm (presumably the drouting OPTIONS
# probes, see probing_from above).
local_route {
  # host substring that identifies the MS Teams SBC
  $var(dst) = "pstnhub.microsoft.com";
  # For OPTIONS whose RURI contains that host, add a Contact header with
  # the public TLS address.  append_hf() adds the header regardless of
  # whether a Contact is already present — NOTE(review): confirm the probe
  # does not already carry one, or the request will have two.
  if (is_method("OPTIONS") && ($(ru{s.index, $var(dst)}) != NULL))
    append_hf("Contact: <sip:x.x:5061;transport=tls>\r\n");
}

  Thank you 
Pasan
Distinguishing What && How !