[asterisk-bugs] [JIRA] (ASTERISK-27876) [patch] tcptls: Allow OpenSSL configured with no-dh.
Friendly Automation (JIRA)
noreply at issues.asterisk.org
Wed Jun 6 04:37:54 CDT 2018
[ https://issues.asterisk.org/jira/browse/ASTERISK-27876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=243713#comment-243713 ]
Friendly Automation commented on ASTERISK-27876:
------------------------------------------------
Change 9056 merged by Joshua Colp:
tcptls: Allow OpenSSL configured with no-dh.
[https://gerrit.asterisk.org/9056|https://gerrit.asterisk.org/9056]
> [patch] tcptls: Allow OpenSSL configured with no-dh.
> ----------------------------------------------------
>
> Key: ASTERISK-27876
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27876
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/General
> Affects Versions: 13.21.0, 15.4.0
> Reporter: Alexander Traud
> Assignee: Alexander Traud
> Labels: patch
> Attachments: no-dh.patch
>
>
> Fixing my own code, I introduced in commit [eaee921|https://github.com/asterisk/asterisk/commit/eaee92198d89f7feb4206b412104f439bc80754f] (ASTERISK-23905). OpenSSL can be configured (and then built) in various combinations. The _easiest_ (?) way to find the relevant configuration, is to look-up each used symbol and check the surrounding Defines in the header file of OpenSSL. If one of the guards is missing (or is a combination of several ones) and OpenSSL was built with that, Asterisk is not going to compile.
> Asterisk does not build, if a OpenSSL was built via {code}./config no-dh
> make{code}The attached patch fixes this. Additionally, the patch undos commit [758b138|https://github.com/asterisk/asterisk/commit/758b13858b79256104c0f81a9adf1924df7d2da9] (no issue report!), because that guard was too broad (included DH and EC related code) and was done via the script {{./configure}} instead directly via the OpenSSL configuration. Instead, the patch guards only that part which must be guarded, when OpenSSL was configured with no-ec or no-ecdh. Finally, that patch enables the named-curves X25519 (since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1), because {{SSL_CTRL_SET_ECDH_AUTO}} got enabled on default, that symbol got removed and {{SSL_CTX_ctrl}} returns an error now. Because of that, just the named-curve P-256 was set, which disabled X25519 (and X448).
> This is just about TLS (HTTPs, SIP-over-TLS, ...). In the file {{res/res_rtp_asterisk.c}}, the code for DTLS needs a similar treatment. However, this is out of scope of the attached patch.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list