<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 22, 2015 at 2:47 AM, Olle E. Johansson <span dir="ltr"><<a href="mailto:oej@edvina.net" target="_blank">oej@edvina.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class=""><br>
On 21 Jan 2015, at 21:52, Juha Heinanen <<a href="mailto:jh@tutpro.com">jh@tutpro.com</a>> wrote:<br>
<br>
> Juha Heinanen writes:<br>
><br>
>> when [group] thing didn't work, i added<br>
>><br>
>> ssl-ca=/etc/mysql/cacert.pem<br>
>><br>
>> to [client] section of my.cfg that kamailio according to db_mysql/README<br>
>> is reading.<br>
>><br>
>> after that, kamailio started ok, but didn't use ssl for mysql queries.<br>
>><br>
>> what is it that i'm missing? has anyone succeeded in making kamailio to<br>
>> query mysql server over ssl?<br>
><br>
> based on zero responses, i guess the answer is "no". if so, that pretty<br>
> much prevents using kamailio in an environment where mysql service is<br>
> provided by a cloud service, such as amazon ec2.<br>
><br>
> should i put a note in db_mysql module README telling that we don't<br>
> currently know, which [client] params of my.cfg the module supports?<br>
<br>
</span>We've seen reports of issues with Postgresql with TLS too, I don't know<br>
what happened, but I think we need to focus on both and fix this.<br>
<br>
There is a known geneal problem with libraries using OpenSSL - I don't know if<br>
this has been looked at in Kamailio, but we did a fix in Asterisk a while ago.<br>
If you have modules using libraries that use OpenSSL - like we have in<br>
Curl, Mysql, Postgres and possibly other modules - as well as our own use in<br>
the TLS module - there's a risk that OpenSSL gets initialized too many<br>
times and bad things happen. ("Bad things" need to be defined here).<br>
<br>
I think Kevin did a library trick with the linker so that Asterisk<br>
catch these initialization calls first and use just one. Asterisk is<br>
multithreaded and Kamailio is multiprocess, so I don't know how this<br>
affects Kamailio or if we can get some inspiration by this fix.<br>
<br>
Rambling a bit, but trying to point in some sort of general direction. :-)<br>
<br>
I will put on my list to set up a lab with Mysql TLS connections and try.<br>
<span class=""><font color="#888888"></font></span><br></blockquote></div><br></div><div class="gmail_extra">Just chiming in to point out the magic module Olle is referring to:<br><br><a href="http://svn.asterisk.org/svn/asterisk/trunk/main/libasteriskssl.c">http://svn.asterisk.org/svn/asterisk/trunk/main/libasteriskssl.c</a><br><br></div><div class="gmail_extra">For context, the peer review for the patch that fixed this issue is here:<br><br><a href="https://reviewboard.asterisk.org/r/1006/">https://reviewboard.asterisk.org/r/1006/</a><br><br></div><div class="gmail_extra">Although due to some issues in review board, part of the patch doesn't show up (hence the link to the actual source).<br><br></div><div class="gmail_extra">Matt<br></div><div class="gmail_extra"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div>Matthew Jordan<br></div><div>Digium, Inc. | Engineering Manager</div><div>445 Jan Davis Drive NW - Huntsville, AL 35806 - USA</div><div>Check us out at: <a href="http://digium.com" target="_blank">http://digium.com</a> & <a href="http://asterisk.org" target="_blank">http://asterisk.org</a></div></div></div>
</div></div>