<html><head></head><body><div class="ydp35db272byahoo-style-wrap" style="font-family: Helvetica Neue, Helvetica, Arial, sans-serif; font-size: 10px;"><div><div dir="ltr" data-setdir="false">Hi Guys.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Hope everyone is safe and be safe. I'm running into an issue with using tls in opensips. I'm trying to have two connections from asterisk servers and only</div><div dir="ltr" data-setdir="false">one server connection is accepted at a time, Both asterisk servers are using the same wild card cert for their tls connections. I'm getting the below error</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><div>Apr 8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr 8 09:22:46 [2863] ERROR:proto_tls:_tls_read: SYSCALL error -> (11) <Resource temporarily unavailable><br>Apr 8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr 8 09:22:46 [2863] ERROR:proto_tls:_tls_read: TLS connection to x.x.x.x:60550 read failed<br>Apr 8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr 8 09:22:46 [2863] ERROR:proto_tls:_tls_read: TLS read error: 5<br>Apr 8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr 8 09:22:46 [2863] ERROR:proto_tls:tls_print_errstack: TLS errstack: error:0200100D:system library:fopen:Permission denied<br>Apr 8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr 8 09:22:46 [2863] ERROR:proto_tls:tls_print_errstack: TLS errstack: error:20074002:BIO routines:file_ctrl:system lib<br>Apr 8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr 8 09:22:46 [2863] ERROR:proto_tls:tls_print_errstack: TLS errstack: error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib<br>Apr 8 09:22:46 ip-172-31-36-39 opensips[2846]: Apr 8 09:22:46 [2863] ERROR:proto_tls:tls_read_req: failed to read<br><br></div><div><br></div><div dir="ltr" data-setdir="false">asterisk 1 (tls) ---> opensips</div><div dir="ltr" data-setdir="false">asterisk 2 (tls) ---><br></div><div><br></div><div dir="ltr" data-setdir="false">I'm using below opensips</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><div>opensips -V<br>version: opensips 2.4.6 (x86_64/linux)<br>flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT<br>ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535<br>poll method support: poll, epoll, sigio_rt, select.<br>main.c compiled on with gcc 6.3.0<br><br></div><div><br></div><div dir="ltr" data-setdir="false">I tried to update to latest 2.4.7 and then opensips processes get stuck in a loop consuming all CPUs when tls module loaded with exact config which running on 2.4.6. Any hint clue would be helpful<br></div><div dir="ltr" data-setdir="false">opensips config is as below,</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><div>####### Global Parameters #########<br><br>log_level=5<br>log_stderror=yes<br>log_facility=LOG_LOCAL0<br><br>#udp_workers=1<br>#tcp_workers=1<br>tcp_connect_timeout=900<br><br>auto_aliases=no<br>alias=tls:x.cloud:5061<br>alias=udp:172.31.36.39:5060<br><br>listen=tls:172.31.36.39:5061<br>listen=udp:172.31.36.39:5060 # CUSTOMIZE ME<br>advertised_address=x.x.x.x<br><br><br><br><br>####### Modules Section ########<br><br>#set module path<br>mpath="/usr/lib/x86_64-linux-gnu/opensips/modules/"<br><br>loadmodule "tls_mgm.so"<br>loadmodule "proto_tls.so"<br>#loadmodule "proto_hep.so"<br>loadmodule "uri.so"<br>loadmodule "drouting.so"<br>loadmodule "db_mysql.so"<br>#### SIGNALING module<br>loadmodule "signaling.so"<br>loadmodule "textops.so"<br>#### StateLess module<br>loadmodule "sl.so"<br>loadmodule "avpops.so"<br><br>#### Transaction Module<br>loadmodule "tm.so"<br>modparam("tm", "fr_timeout", 30)<br>modparam("tm", "fr_inv_timeout", 60)<br>modparam("tm", "restart_fr_on_each_reply", 0)<br>modparam("tm", "onreply_avp_mode", 1)<br>modparam("tm", "via1_matching", 0)<br>modparam("tm", "ruri_matching", 0)<br>modparam("tm", "T1_timer", 1000)<br><br>#### Record Route Module<br>loadmodule "rr.so"<br>#modparam("rr", "append_fromtag", 1)<br>#### MAX ForWarD module<br>loadmodule "maxfwd.so"<br><br>loadmodule "nathelper.so"<br><br>#### SIP MSG OPerationS module<br>loadmodule "sipmsgops.so"<br><br>#### FIFO Management Interface<br>loadmodule "mi_fifo.so"<br>modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")<br>modparam("mi_fifo", "fifo_mode", 0666)<br><br>loadmodule "permissions.so"<br>modparam("permissions", "db_url","mysql://opensips:xx@localhost/opensips")<br><br><br>loadmodule "proto_udp.so"<br><br># RULE of THUMB make sure certs can be read by opensips user <br># otherwise Its a nightmare to debug :(<br>modparam("tls_mgm", "certificate", "/etc/opensips/tls/default.crt")<br>modparam("tls_mgm", "private_key","/etc/opensips/tls/default.key")<br>modparam("tls_mgm", "ca_list", "/etc/opensips/tls/ca-default.crt")<br>modparam("tls_mgm", "ca_dir", "/etc/ssl/certs/")<br>modparam("tls_mgm","verify_cert", "1")<br>modparam("tls_mgm","require_cert", "1")<br><br><br>modparam("tls_mgm", "server_domain", "dom1=172.31.36.39:5061")<br>modparam("tls_mgm","verify_cert", "[dom1]1")<br>modparam("tls_mgm","require_cert", "[dom1]1")<br>modparam("tls_mgm","tls_method", "[dom1]TLSv1_2")<br>modparam("tls_mgm","certificate", "[dom1]/etc/tls/x.cloud/x.cloud.crt")<br>modparam("tls_mgm","private_key", "[dom1]/etc/tls/x.cloud/x.cloud.key")<br>modparam("tls_mgm", "ca_list", "[dom1]/etc/tls/x.cloud/x.cloud-ca.crt")<br>modparam("tls_mgm", "ca_dir", "[dom1]/etc/ssl/certs/")<br>modparam("tls_mgm", "tls_handshake_timeout", 900)<br>modparam("proto_tls", "tls_max_msg_chunks", 1024)<br><br><br>modparam("drouting", "db_url","mysql://opensips:x@localhost/opensips")<br>modparam("drouting", "probing_from", "sip:pinger@x.x.x.x")<br><br>modparam("avpops","db_url","mysql://opensips:x@localhost/opensips")<br><br>####### Routing Logic ########<br><br># main request routing logic<br><br>route{<br> force_rport();<br> if (!mf_process_maxfwd_header("10")) {<br> sl_send_reply("483","Too Many Hops");<br> exit;<br> }<br><br> if(is_method("OPTIONS")) {<br> xlog("L_INFO", "[MS TEAMS] OPTIONS In\n");<br> sl_send_reply("200", "OK");<br> exit;<br> }<br><br> # absorb retransmissions, but do not create transaction<br> t_check_trans();<br> if (has_totag()) {<br><br> # sequential request within a dialog should<br> # take the path determined by record-routing<br> if(is_method("INVITE|BYE") && check_source_address("0")) {<br> xlog("In dialog Method=$rm, RURI=$ruri, SI=$si ,DU=$du\n");<br> t_relay();<br> }<br> if ( !loose_route() ) {<br> # we do record-routing for all our traffic, so we should not<br> # receive any sequential requests without Route hdr.<br> sl_send_reply("404", "Not here");<br> exit;<br> }<br> # route it out to whatever destination was set by loose_route()<br> # in $du (destination URI).<br> route(relay);<br> exit;<br> }<br><br> # CANCEL processing<br> if (is_method("CANCEL")) {<br> if (t_check_trans())<br> t_relay();<br> exit;<br> }<br><br> # record routing<br><br> if (is_method("INVITE") && ! has_totag() && ! check_source_address("0")) {<br> xlog("Incoming call to MS: RURI=$ruri, SI=$si, M=$rm\n");<br> if(!avp_db_query("SELECT msteams_domain FROM vpabx_routing WHERE phone_number='$(rU{s.escape.common})'", "$avp(teamsdomain)")){<br> sl_send_reply("404", "User Not Found");<br> exit;<br> }<br> $var(rrhdr) = $avp(teamsdomain) + ":5061;transport=tls";<br> strip(1);<br> do_routing("1");<br> prefix("+");<br> record_route_preset("$var(rrhdr)", "172.31.36.39:5060");<br> add_rr_param(";r2=on");<br> route(relay); <br> } else if (is_method("INVITE") && ! has_totag()) {<br> record_route();<br> xlog("Incoming call from MS: RURI=$ruri, SI=$si, M=$rm\n");<br> if(!avp_db_query("SELECT vpabx_domain FROM vpabx_routing WHERE phone_number='$(fU{s.escape.common})'","$avp(ddomain)")){<br> sl_send_reply("404", "User Not Found");<br> exit;<br> } <br> else {<br> $rd = $avp(ddomain);<br> route(relay);<br> }<br> }<br><br> if (!is_myself("$rd")) {<br> append_hf("P-hint: outbound\r\n"); <br> <br> route(relay);<br> }<br><br> # requests for my domain<br> <br> if (is_method("PUBLISH|SUBSCRIBE")) {<br> sl_send_reply("503", "Service Unavailable");<br> exit;<br> }<br><br> if ($rU==NULL) {<br> # request with no Username in RURI<br> sl_send_reply("484", "Address Incomplete");<br> exit;<br> }<br><br> # when routing via usrloc, log the missed calls also<br> #route(relay);<br>}<br><br><br>route[relay] {<br> # for INVITEs enable some additional helper routes<br> if (is_method("INVITE") && !has_totag() ) {<br> t_newtran();<br> t_on_reply("handle_nat");<br> }<br> xlog("Method=$rm, RURI=$ruri, SI=$si ,DU=$du\n");<br> if (!t_relay()) {<br> sl_send_reply("500", "Internal Error");<br> }<br> exit;<br>}<br><br><br><br><br>branch_route[per_branch_ops] {<br> xlog("new branch at $ru\n");<br>}<br><br><br>onreply_route[handle_nat] {<br> xlog("incoming reply: RR=$rr, RS=$rs, SI=$si\n");<br>}<br><br><br>failure_route[missed_call] {<br> if (t_was_cancelled()) {<br> exit;<br> }<br>}<br><br><br>local_route {<br> $var(dst) = "pstnhub.microsoft.com";<br> if (is_method("OPTIONS") && ($(ru{s.index, $var(dst)}) != NULL))<br> append_hf("Contact: <sip:x.x:5061;transport=tls>\r\n");<br>}<br><br></div></div></div></div><div class="ydp35db272bsignature"><div><div><font style="BACKGROUND-COLOR:#e6e6e6;"></font> </div><div dir="ltr" data-setdir="false"> Thank you <br></div><div dir="ltr" data-setdir="false">Pasan<br></div><div><font style="BACKGROUND-COLOR:#e6e6e6;">Distinguishing <font color="#0000ff"><strong>What</strong></font> && <font color="#ff007f"><strong>How</strong></font> !</font></div></div></div></div></div></body></html>