[asterisk-bugs] [JIRA] (ASTERISK-27876) [patch] tcptls: Allow OpenSSL configured with no-dh.

Asterisk Team (JIRA) noreply at issues.asterisk.org
Tue Jul 3 11:15:00 CDT 2018 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-27876?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-27876:
-------------------------------------

    Target Release Version/s: 15.5.0

> [patch] tcptls: Allow OpenSSL configured with no-dh.
> ----------------------------------------------------
>
>                 Key: ASTERISK-27876
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27876
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/General
>    Affects Versions: 13.21.0, 15.4.0
>            Reporter: Alexander Traud
>            Assignee: Alexander Traud
>              Labels: patch
>      Target Release: 13.22.0, 15.5.0
>
>         Attachments: no-dh.patch
>
>
> Fixing my own code, I introduced in commit [eaee921|https://github.com/asterisk/asterisk/commit/eaee92198d89f7feb4206b412104f439bc80754f] (ASTERISK-23905). OpenSSL can be configured (and then built) in various combinations. The _easiest_ (?) way to find the relevant configuration, is to look-up each used symbol and check the surrounding Defines in the header file of OpenSSL. If one of the guards is missing (or is a combination of several ones) and OpenSSL was built with that, Asterisk is not going to compile.
> Asterisk does not build, if a OpenSSL was built via {code}./config no-dh
> make{code}The attached patch fixes this. Additionally, the patch undos commit [758b138|https://github.com/asterisk/asterisk/commit/758b13858b79256104c0f81a9adf1924df7d2da9] (no issue report!), because that guard was too broad (included DH and EC related code) and was done via the script {{./configure}} instead directly via the OpenSSL configuration. Instead, the patch guards only that part which must be guarded, when OpenSSL was configured with no-ec or no-ecdh. Finally, that patch enables the named-curves X25519 (since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1), because {{SSL_CTRL_SET_ECDH_AUTO}} got enabled on default, that symbol got removed and {{SSL_CTX_ctrl}} returns an error now. Because of that, just the named-curve P-256 was set, which disabled X25519 (and X448).
> This is just about TLS (HTTPs, SIP-over-TLS, ...). In the file {{res/res_rtp_asterisk.c}}, the code for DTLS needs a similar treatment. However, this is out of scope of the attached patch.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list