[OpenSIPS-Users] opensips 1.7+tls problems

[yufei.tao]

Need to clarify my previous message on opensips TLS problems:

* The problems I described were with 1.6.4
* for 1.7 I didn't manage to get one registration through before the TCP connection was dropped

So may be worth keeping an eye on your syslog for 'bad record mac' error, esp if you have many users on TLS. As once this error has occurred, opensips will be dragging on with reduced TCP handling capacity until it is completely unusable on TCP but seemed still OK for UDP.

Yufei


----------------------------------------------------------------------

Message: 1
Date: Thu, 13 Oct 2011 17:20:03 +0200
From: "Jarle Lervik" <jarle.lervik at sipcom.no>
Subject: [OpenSIPS-Users] opensips 1.7+tls problems
To: <users at lists.opensips.org>
Message-ID: <01b301cc89bb$95778730$c0669590$@sipcom.no>
Content-Type: text/plain;	charset="us-ascii"

Haven't tested Kamailio, but my solution was to downgrade to 1.6.4. It
worked well there.
Thanks for the info.

BR,
Jarle



> > Message: 2
> > Date: Thu, 13 Oct 2011 10:38:24 +0100
> > From: "yufei.tao" <yufei.tao at redembedded.com>
> > Subject: Re: [OpenSIPS-Users] opensips 1.7+tls problems
> > To: users at lists.opensips.org
> > Message-ID: <4E96B190.8040605 at redembedded.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> > 
> > Hi
> > 
> > As I've got no help on this since I posted this problem, I've been
assuming
> > that opensips users are mostly on UDP and TLS problems are known but not
> > shared by many.
> > 
> > For your information, I've been looking at Kamailio (3.1.5), which is
supposed
> > to have better TLS support (non-blocking TCP). Initial stress tests did
suggest
> > that it is far better in handling TLS connections, especially when you
have
> > many of them coming in at the same time, which could get opensips into the
> > unrecoverable 'bad record mac' errors easily, while Kamailio had no
problem
> > at all. So we are moving to Kamailio. By the way, this 'bad record mac'
> > problem has made me to write a script that looks out for this error and
> > restart opensips automatically when that happens. But after a restart,
> > opensips may get into the errors again. So we've seen that it's been
> > restarted non-stop when we had many sip clients. So we had to turn off
> > some of them so the restarting cycle could eventually stop.
> > 
> > As far as my very limited experience on Kamailio is concerned, it has a
better
> > organized config file supporting 'defines' which I like very much. You
don't
> > need to compile the TLS support as the debian packages already have it in,
> > which is very convenient as TLS is a 'must' for us. I do realize its
dialog module
> > is not as advanced as opensips's in terms of calculating call durations
etc, so
> > you'll have to use the mysql procedure to handle this as what you used to
do
> > with opensips.
> > 
> > That's what I've been doing to 'solve' this problem. But I'd very much
> > appreciate it if you could share your experience, or any good/bad things
you
> > know about Kamailio, or any other open source sip servers.
> > 
> > Yufei
> >