[asterisk-bugs] [JIRA] (ASTERISK-27665) [patch] BuildSystem: Allow fetch of PJProject without trust anchors.
Alexander Traud (JIRA)
noreply at issues.asterisk.org
Sat Feb 10 07:22:13 CST 2018
Alexander Traud created ASTERISK-27665:
------------------------------------------
Summary: [patch] BuildSystem: Allow fetch of PJProject without trust anchors.
Key: ASTERISK-27665
URL: https://issues.asterisk.org/jira/browse/ASTERISK-27665
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Core/BuildSystem
Affects Versions: 15.2.0, 13.19.0
Environment: FreeBSD 10
FreeBSD 11
Reporter: Alexander Traud
Severity: Minor
Attachments: FreeBSD_fetch.patch
Asterisk leverages the built-in tool {{fetch}} to download the bundled PJProject while {{./configure}} is running.
Commit [b2fd7e5|https://github.com/asterisk/asterisk/commit/b2fd7e50695b64826cbfcd65aa6e5c06532b3e5e] changed the download URL for the PJProject from Teluu to GitHub servers. By this, the protocol changed from HTTP to HTTPs. Furthermore, GitHub redirects all HTTP requests to HTTPs first. That server does not support SSL 3.0 or the cipher suite RC4, one needs at least TLS 1.0 and 3DES|AES. The TLS client must support TLS-SAN, wildcards, and a trust anchor which got introduced in the year 2007 ([DigiCert High Assurance EV Root CA|https://bugzilla.mozilla.org/show_bug.cgi?id=364568]). As of today, GitHub does not send the cross-signing certificate to the trust anchor "Baltimore CyberTrust" which was introduced in the year 2000.
Although I love that everything gets encrypted on the Internet nowadays, GitHub does not give the user a choice. At least, I am not aware how to get that resource without HTTPs. Beside the above requirements, some platforms do not ship with trust anchors out of the box at all. One such example is FreeBSD 10 and 11.
On the Internet, recommendations [exist|https://blather.michaelwlucas.com/archives/2247] which explain how to add the trust anchors of Mozilla NSS to FreeBSD. However, {{fetch}} is based on OpenSSL. OpenSSL uses a completely different logic to resolve trust anchors than Mozilla NSS. This allows a plethora of new issues, as described in [The FreeBSD Forums|https://forums.freebsd.org/threads/58057/] and explained in the [SSL-Labs Community|https://community.qualys.com/thread/13848] already.
*Workarounds*
A) (short-term) {{pkg install wget}}
B) (short-term) {{./configure --without-pjproject-bundled}} and use an externally built PJProject
C) (mid-term) disable SSL/TLS verification while downloading PJProject, see attached patch
D) (long-term) The Asterisk tarball includes checksums/hashes/signatures for all externally loaded resources like the PJProject and sound files. This can be done, because Asterisk does not go for the latest available version but for a specific version. Therefore, the hashes are known while releasing Asterisk and do not change in the lifetime of a release. That way, HTTPs is not needed anymore.
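Workaround D relies on pinning a known digest for every externally fetched resource so that transport security is no longer the only integrity check. The following POSIX shell script is an added example, not the attached patch and not code from the Asterisk build system: it downloads a tarball with {{fetch}} (falling back to curl where fetch is absent), compares its SHA-256 digest against a value that would ship in the release tarball, and discards the file on mismatch. The function names, the curl fallback and the placeholder URL/digest in the usage line are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from Asterisk): pin the expected SHA-256 of a downloaded
# third-party tarball and refuse to use it when the digest does not match.

# sha256_of FILE: print the hex digest using whichever tool the platform has
# (GNU coreutils sha256sum, BSD sha256, or OpenSSL as a last resort).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# verify_download FILE EXPECTED_HEX: return 0 if FILE's digest equals
# EXPECTED_HEX (case-insensitive), 1 otherwise or if FILE is unreadable.
verify_download() {
    [ -r "$1" ] || return 1
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_verified URL FILE EXPECTED_HEX: download URL to FILE with fetch (or
# curl), then verify it. On mismatch the partial/forged file is removed so a
# later build step cannot pick it up by accident.
fetch_verified() {
    url=$1; out=$2; expected=$3
    if command -v fetch >/dev/null 2>&1; then
        fetch -o "$out" "$url" || return 1
    else
        curl -fsSL -o "$out" "$url" || return 1
    fi
    if verify_download "$out" "$expected"; then
        return 0
    fi
    echo "checksum mismatch for $out (expected $expected), removing" >&2
    rm -f "$out"
    return 1
}

# Usage (placeholder URL and digest; a real release would ship the real pair):
# fetch_verified "https://example.invalid/pjproject-X.Y.tar.bz2" \
#     pjproject.tar.bz2 "<sha256 recorded at release time>"
```

Because the digest is fixed at release time, this check also protects against a tarball that was silently replaced upstream, which a TLS-only download would accept as long as the certificate chain validated.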
--
This message was sent by Atlassian JIRA
(v6.2#6252)