<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
my plan is to look at it as I get back to office (being few days
off).<br>
<br>
But, isn't tcp_max_connections applied to tls connections? If not,
adding such limit will be good anyhow.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<br>
On 12/7/11 8:57 PM, Jijo wrote:
<blockquote
cite="mid:CAOYmDE-UQGqzoH3QP2ojDK-dEr8z4uCMxJOO6AaKLDk=4eKkig@mail.gmail.com"
type="cite">
<div>Hi All..</div>
<div> </div>
<div>Any comments/suggestions on this issue?</div>
<div><br>
Thanks</div>
<div>Jijo<br>
<br>
</div>
<div class="gmail_quote">On Mon, Dec 5, 2011 at 6:56 PM, Jijo <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:realjijo@gmail.com">realjijo@gmail.com</a>></span>
wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px
0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Hello<br>
<br>
I tested using 3.2 and i got the same error. I couldn't get
the memlog, when i enable , the system doesn't come up. <br>
<br>
The latest update from <a moz-do-not-send="true"
href="http://www.thc.org/thc-ssl-dos/" target="_blank">http://www.thc.org/thc-ssl-dos/</a>
says that<br>
<br>
"2011-OCT-24 UPDATE:<br>
SSL-DOS released. Some organizations already found out about
this release a while ago and mistakenly identified it as an
SSL-RENEGOTIATION BUG. This is not true. The tool can be
modified to work without SSL-RENEGOTIATION by just
establishing a new TCP connection for every new handshake. "<br>
<br>
So this issue could happen if we do TCP connection for every
new TLS connection with renegotiation. I believe this could be
fixed if we could block based on max active TLS connections,
probably a similar flag for max TLS connections like
"tcp_max_connections"<br>
<br>
<br>
<div dir="ltr" align="left"><span><font color="#0000ff"
face="Arial" size="2">Core was generated by
`/usr/sbin/kamailio -u swrun -g sw -m 160 -f
/etc/kamailio/kamailio.cfg'.
<div class="im"><br>
Program terminated with signal 11, Segmentation fault.<br>
</div>
#0 0xb61cc2e3 in ?? () from
/usr/lib/kamailio/modules/tls.so </font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff"
face="Arial" size="2">(gdb) bt<br>
#0 0xb61cc2e3 in ?? () from
/usr/lib/kamailio/modules/tls.so<br>
#1 0xb65199fd in CRYPTO_lock () from
/lib/libcrypto.so.1.0.0<br>
#2 0xb658c133 in ?? () from /lib/libcrypto.so.1.0.0<br>
#3 0xb658d240 in RAND_add () from
/lib/libcrypto.so.1.0.0<br>
#4 0xb6690d50 in ssl3_accept () from
/lib/libssl.so.1.0.0<br>
#5 0xb669bd2f in ssl3_read_bytes () from
/lib/libssl.so.1.0.0<br>
#6 0xb66989b9 in ?? () from /lib/libssl.so.1.0.0<br>
#7 0xb66ae499 in SSL_read () from /lib/libssl.so.1.0.0<br>
#8 0xb61e1e33 in tls_read_f () from
/usr/lib/kamailio/modules/tls.so<br>
#9 0x08177036 in tcp_read_headers ()<br>
#10 0x081771f6 in tcp_read_req ()<br>
#11 0x08178480 in ?? ()<br>
#12 0x0817af77 in tcp_receive_loop ()<br>
#13 0x08173597 in tcp_init_children ()<br>
#14 0x080b20bf in main_loop ()<br>
#15 0x080b38c3 in main ()<br>
(gdb)<br>
</font></span></div>
<div>
<div class="h5"><br>
<br>
<br>
<div class="gmail_quote">On Wed, Nov 23, 2011 at 10:35 AM,
Daniel-Constantin Mierla <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>></span>
wrote:<br>
<blockquote style="BORDER-LEFT: rgb(204,204,204) 1px
solid; MARGIN: 0pt 0pt 0pt 0.8ex; PADDING-LEFT: 1ex"
class="gmail_quote">
<div text="#000000" bgcolor="#FFFFFF">Hello,<br>
<br>
3.1.0 is not the right choice in 3.1 series, there
were many fixes that were added to that release
series branch. The latest stable version there is
3.1.5. Try with it (even better, try with latest
version from git branch 3.1 -- see <a
moz-do-not-send="true"
href="http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.1.x-from-git"
target="_blank">http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.1.x-from-git</a>)<br>
<br>
In this way we are sure it is not a bug that was
fixed after the time of releasing 3.1.0 -- config
file and database is the same as for 3.1.0.<br>
<br>
Cheers,<br>
<font color="#888888">Daniel</font>
<div>
<div><br>
<br>
On 11/23/11 4:01 PM, Jijo wrote:
<blockquote type="cite">Thanks I will attach the
logs soon..meanwhile here is the kamailio and
openssl version<br>
<br>
OB151:~ # /usr/sbin/kamailio -V<br>
version: kamailio 3.1.0 (i386/linux) 21a375<br>
flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS,
TLS_HOOKS, USE_RAW_SOCKS, USE_MCAST,
DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC,
DBG_QM_MALLOC, USE_FUTEX,
FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE,
USE_DNS_FAILOVER, USE_NAPTR,
USE_DST_BLACKLIST, HAVE_RESOLV_RES<br>
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE
262144, MAX_LISTEN 16, MAX_URI_SIZE 1024,
BUF_SIZE 65535, PKG_SIZE 15MB<br>
poll method support: poll, epoll_lt, epoll_et,
sigio_rt, select.<br>
id: 21a375<br>
compiled on 09:22:51 Nov 4 2011 with gcc
4.5.0<br>
<br>
<br>
OB151:~ # openssl version -a<br>
OpenSSL 1.0.0 29 Mar 2010<br>
built on: 2011-05-31 07:52:17.000000000 +0000<br>
platform: linux-elf<br>
options: bn(64,32) rc4(4x,int)
des(ptr,risc1,16,long) blowfish(idx)<br>
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H <br>
-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer
-Wall -fomit-frame-pointer -fmessage-length=0
-O2 -Wall <br>
-D_FORTIFY_SOURCE=2 -fstack-protector
-funwind-tables -fasynchronous-unwind-tables
-g -Wa,--noexecstack -fomit-frame-pointer
-fno-strict-aliasing <br>
-DTERMIO -Wall -fstack-protector
-DOPENSSL_BN_ASM_PART_WORDS
-DOPENSSL_IA32_SSE2 <br>
-DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
-DWHIRLPOOL_ASM<br>
OPENSSLDIR: "/etc/ssl"<br>
<br>
<br>
<div class="gmail_quote">On Wed, Nov 23, 2011
at 4:44 AM, Daniel-Constantin Mierla <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:miconda@gmail.com"
target="_blank">miconda@gmail.com</a>></span>
wrote:<br>
<blockquote style="BORDER-LEFT:
rgb(204,204,204) 1px solid; MARGIN: 0pt
0pt 0pt 0.8ex; PADDING-LEFT: 1ex"
class="gmail_quote">
<div text="#000000" bgcolor="#FFFFFF">Hello,<br>
<br>
(discussion kept only on sr-dev as it is
very likely going to require mostly
devel interaction).<br>
<br>
What is the version of kamailio (-V
command line option). Also, send the
verision of openssl library -- there
were many bugs in various lib versions
that had to be workarounded in the
module, maybe this is a new one that has
to be fixed.<br>
<br>
Do you get any error message in the
syslog at the moment of the crash?<br>
<br>
What would be useful is to get the
memory operations log, you can get it by
setting:<br>
<br>
memdbg=1<br>
memlog=1<br>
<br>
in config file.<br>
<br>
Then repeat the test and make the log
available for download somehow (if it is
too big), from start to the moment of
the crash.<br>
<br>
Cheers,<br>
Daniel
<div>
<div><br>
<br>
On 11/22/11 11:30 PM, Jijo wrote: </div>
</div>
<blockquote type="cite">
<div>
<div>Hi All,<br>
<br>
Kamailio is resetting when we do
TLS renegotiation dos attack using
the tool available at <a
moz-do-not-send="true"
href="http://www.thc.org/thc-ssl-dos/"
target="_blank">http://www.thc.org/thc-ssl-dos/</a>.
<br>
<br>
Anybody looked at this issue? How
we could resolve it. Any idea?<br>
<br>
The core generated for 3 pid's as
below<br>
<br>
Pid 1:<br>
<br>
Core was generated by
`/usr/sbin/kamailio -u swrun -g sw
-m 120 -f
/etc/kamailio/kamailio.cfg'.<br>
Program terminated with signal 11,
Segmentation fault.<br>
#0 atomic_inc_int () at
atomic/atomic_x86.h:225<br>
(gdb) bt<br>
#0 atomic_inc_int () at
atomic/atomic_x86.h:225<br>
#1 cfg_update_local () at
cfg/cfg_struct.h:228<br>
#2 timer_main () at timer.c:994<br>
#3 0x080b0579 in main_loop () at
main.c:1632<br>
#4 0x080b1be4 in main (argc=9,
argv=0xbfd61e54) at main.c:2446<br>
<br>
<br>
Pid 2:<br>
<br>
Core was generated by
`/usr/sbin/kamailio -u swrun -g sw
-m 120 -f
/etc/kamailio/kamailio.cfg'.<br>
Program terminated with signal 11,
Segmentation fault.<br>
#0 0x0819bfe8 in qm_insert_free
(qm=0xaf6c5000, p=0xb05eec30,
file=0xb6fb4140 "tls: tls_init.c",
func=0xb6fb4ce0 "ser_free",
line=296)<br>
at mem/q_malloc.c:184<br>
184 if
(frag->size <= f->size)
break;<br>
(gdb) bt<br>
#0 0x0819bfe8 in qm_insert_free
(qm=0xaf6c5000, p=0xb05eec30,
file=0xb6fb4140 "tls: tls_init.c",
func=0xb6fb4ce0 "ser_free",
line=296)<br>
at mem/q_malloc.c:184<br>
#1 qm_free (qm=0xaf6c5000,
p=0xb05eec30, file=0xb6fb4140
"tls: tls_init.c", func=0xb6fb4ce0
"ser_free", line=296) at
mem/q_malloc.c:518<br>
#2 0xb6f95404 in ser_free
(ptr=0xb05eec30) at tls_init.c:296<br>
#3 0xb732e9ba in CRYPTO_free
(str=0xb05eec30) at mem.c:391<br>
#4 0xb7330bee in int_new_ex_data
(class_index=5, obj=0xbfd414f4,
ad=0xbfd41574) at ex_data.c:440<br>
#5 0xb7330443 in
CRYPTO_new_ex_data (class_index=5,
obj=0xbfd414f4, ad=0xbfd41574) at
ex_data.c:575<br>
#6 0xb73dfde3 in
X509_STORE_CTX_init
(ctx=0xbfd414f4, store=0xafd8b3d0,
x509=0xafe08ff0, chain=0x0) at
x509_vfy.c:2114<br>
#7 0xb74b0f31 in
ssl3_output_cert_chain
(s=0xb0553a10, x=0xafe08ff0) at
s3_both.c:349<br>
#8 0xb74a4728 in
ssl3_send_server_certificate
(s=0xb0553a10) at s3_srvr.c:3034<br>
#9 0xb74a5879 in ssl3_accept
(s=0xb0553a10) at s3_srvr.c:353<br>
#10 0xb74afa8f in ssl3_read_bytes
(s=0xb0553a10, type=23,
buf=0xb0ad44ec "", len=4095,
peek=0) at s3_pkt.c:1266<br>
#11 0xb74ac9c9 in
ssl3_read_internal (s=0xb0553a10,
buf=0xb0ad44ec, len=4095, peek=0)
at s3_lib.c:3265<br>
#12 0xb74c24a9 in SSL_read
(s=0xb0553a10, buf=0xb0ad44ec,
num=4095) at ssl_lib.c:954<br>
#13 0xb6fad1c3 in tls_read_f
(c=0xb0ad431c, flags=0xbfd619c4)
at tls_server.c:1058<br>
#14 0x08171c0e in tcp_read_headers
(c=0xb0ad431c,
read_flags=0xbfd619c4) at
tcp_read.c:406<br>
#15 0x08171db8 in tcp_read_req
(con=0xb0ad431c,
bytes_read=0xbfd619cc,
read_flags=0xbfd619c4) at
tcp_read.c:885<br>
#16 0x08172f67 in handle_io
(fm=<value optimized out>,
events=1, idx=<value optimized
out>) at tcp_read.c:1234<br>
#17 0x0817583b in
io_wait_loop_epoll (unix_sock=89)
at io_wait.h:1092<br>
#18 tcp_receive_loop
(unix_sock=89) at tcp_read.c:1345<br>
#19 0x0816e2e9 in
tcp_init_children () at
tcp_main.c:4867<br>
#20 0x080affb1 in main_loop () at
main.c:1646<br>
#21 0x080b1be4 in main (argc=9,
argv=0xbfd61e54) at main.c:2446<br>
<br>
Pid 3:<br>
<br>
Core was generated by
`/usr/sbin/kamailio -u swrun -g sw
-m 120 -f
/etc/kamailio/kamailio.cfg'.<br>
Program terminated with signal 11,
Segmentation fault.<br>
#0 0xb76c9e7c in memmove () from
/lib/libc.so.6<br>
(gdb) bt<br>
#0 0xb76c9e7c in memmove () from
/lib/libc.so.6<br>
#1 0x081724e7 in tcp_read_req
(con=0xb022c8f0,
bytes_read=0xbfd619cc,
read_flags=0xbfd619c4) at
tcp_read.c:1026<br>
#2 0x08172f67 in handle_io
(fm=<value optimized out>,
events=1, idx=<value optimized
out>) at tcp_read.c:1234<br>
#3 0x0817583b in
io_wait_loop_epoll (unix_sock=93)
at io_wait.h:1092<br>
#4 tcp_receive_loop
(unix_sock=93) at tcp_read.c:1345<br>
#5 0x0816e2e9 in
tcp_init_children () at
tcp_main.c:4867<br>
#6 0x080affb1 in main_loop () at
main.c:1646<br>
#7 0x080b1be4 in main (argc=9,
argv=0xbfd61e54) at main.c:2446<br>
<br>
<br>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
sr-dev mailing list
<a moz-do-not-send="true" href="mailto:sr-dev@lists.sip-router.org" target="_blank">sr-dev@lists.sip-router.org</a>
<a moz-do-not-send="true" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev</a>
</pre>
</blockquote>
<font color="#888888"><br>
<pre cols="72">--
Daniel-Constantin Mierla -- <a moz-do-not-send="true" href="http://www.asipto.com/" target="_blank">http://www.asipto.com</a>
Kamailio Advanced Training, Dec 5-8, Berlin: <a moz-do-not-send="true" href="http://asipto.com/u/kat" target="_blank">http://asipto.com/u/kat</a>
<a moz-do-not-send="true" href="http://linkedin.com/in/miconda" target="_blank">http://linkedin.com/in/miconda</a> -- <a moz-do-not-send="true" href="http://twitter.com/miconda" target="_blank">http://twitter.com/miconda</a></pre>
</font></div>
</blockquote>
</div>
<br>
</blockquote>
<br>
<pre cols="72">--
Daniel-Constantin Mierla -- <a moz-do-not-send="true" href="http://www.asipto.com/" target="_blank">http://www.asipto.com</a>
Kamailio Advanced Training, Dec 5-8, Berlin: <a moz-do-not-send="true" href="http://asipto.com/u/kat" target="_blank">http://asipto.com/u/kat</a>
<a moz-do-not-send="true" href="http://linkedin.com/in/miconda" target="_blank">http://linkedin.com/in/miconda</a> -- <a moz-do-not-send="true" href="http://twitter.com/miconda" target="_blank">http://twitter.com/miconda</a></pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
<a class="moz-txt-link-freetext" href="http://linkedin.com/in/miconda">http://linkedin.com/in/miconda</a> -- <a class="moz-txt-link-freetext" href="http://twitter.com/miconda">http://twitter.com/miconda</a></pre>
</body>
</html>