[asterisk-bugs] [JIRA] (ASTERISK-27880) [patch] pjproject_bundled: Repair ./configure --with-ssl=PATH.

Alexander Traud (JIRA) noreply at issues.asterisk.org
Fri Jun 8 01:42:54 CDT 2018


     [ https://issues.asterisk.org/jira/browse/ASTERISK-27880?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Traud updated ASTERISK-27880:
---------------------------------------

    Description: 
With the upcoming [TLS 1.3|https://tools.ietf.org/html/draft-ietf-tls-tls13] and 3DES being [disabled|https://www.openssl.org/blog/blog/2016/08/24/sweet32/] in OpenSSL 1.1.x, using a custom-built OpenSSL library for SIP-over-TLS might be interesting.

This is sequel 3 of a larger fix, which started in ASTERISK-27865. Asterisk uses PJProject for many things like ICE in chan_sip and even for its own new SIP channel driver chan_pjsip. Although PJProject (can) use a lot of external libraries, Asterisk does not use _any_ of them except for OpenSSL, to enable SIP-over-TLS. Consequently, Asterisk comes with a bundled PJProject and disables _all_ its external features except OpenSSL.

However, when Asterisk is told to use a different OpenSSL than the one provided by the underlying platform, this is not told to the bundled PJProject. The attached patch fixes this.

*Steps to Reproduce* (Ubuntu 18.04 LTS)
{code}
sudo apt install build-essential pkg-config libedit-dev libjansson-dev libsqlite3-dev uuid-dev libxslt1-dev
sudo apt remove libssl-dev
cd ~/Downloads
wget www.openssl.org/source/openssl-1.1.1-pre6.tar.gz
tar -zxf ./openssl-*.tar.gz
cd ./openssl-*
./config shared enable-weak-ssl-ciphers
make
mkdir ./lib
cp --verbose ./lib*.so ./lib
export SSL_HOME=$PWD
cd ~/Downloads
wget downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar -zxf ./asterisk-*.tar.gz
cd ./asterisk-*
LDFLAGS="-Wl,-rpath $SSL_HOME" ./configure --with-pjproject-bundled --enable-dev-mode=noisy --with-crypto=$SSL_HOME --with-ssl=$SSL_HOME
{code}
*Expected Result*
SIP-over-TLS can be used in chan_pjsip.

*Actual Result*
{{** OpenSSL libraries not found, disabling SSL support **}}
is printed by the configure script of PJProject already. SIP-over-TLS cannot be used in chan_pjsip, only in chan_sip.

*Workaround*
Install OpenSSL in the system, for example in Ubuntu via
{{sudo apt install libssl-dev}}
but do not expect any additional feature of your custom build of OpenSSL.

*Notes*
Asterisk allows the shared libraries ({{.so}}) in the root of the specified path and in a subfolder called {{lib}}. Currently (2.7.2), PJProject is expecting libraries only in that subfolder {{lib}}. Consequently, as an additional workaround, I had to move the libraries in the example above. To fix this, I submitted a patch to Teluu already. Currently (2.7.2), PJProject is going to print {{checking openssl/ssl.h presence... no}}. This is because Teluu puts the inclusion headers ({{-I}}) not in CPPFLAGS but CFLAGS. To avoid this warning—which is just cosmetic—I submitted a patch to Teluu already as well.

The attached patch was tested without and with OpenSSL, inside the system and outside of the system.

  was:
With the upcoming [TLS 1.3|https://tools.ietf.org/html/draft-ietf-tls-tls13] and 3DES being [disabled|https://www.openssl.org/blog/blog/2016/08/24/sweet32/] in OpenSSL 1.1.x, using a custom-built OpenSSL library for SIP-over-TLS might be interesting.

This is sequel 3 of a larger fix, which started in ASTERISK-27865. Asterisk uses PJProject for many things like ICE in chan_sip and even for its own new SIP channel driver chan_pjsip. Although PJProject (can) use a lot of external libraries, Asterisk does not use _any_ of them except for OpenSSL, to enable SIP-over-TLS. Consequently, Asterisk comes with a bundled PJProject and disables _all_ its external features except OpenSSL.

However, when Asterisk is told to use a different OpenSSL than the one provided by the underlying platform, this is not told to the bundled PJProject. The attached patch fixes this.

*Steps to Reproduce* (Ubuntu 18.04 LTS)
{code}
sudo apt install build-essential pkg-config libedit-dev libjansson-dev libsqlite3-dev uuid-dev libxslt1-dev
sudo apt remove libssl-dev
cd ~/Downloads
wget www.openssl.org/source/openssl-1.1.1-pre6.tar.gz
tar -zxf ./openssl-*.tar.gz
cd ./openssl-*
./config shared enable-weak-ssl-ciphers
make
mkdir ./lib
cp --verbose ./lib*.so ./lib
export SSL_HOME=$PWD
cd ~/Downloads
wget downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar -zxf ./asterisk-*.tar.gz
cd ./asterisk-*
LDFLAGS="Wl,-rpath $SSL_HOME" ./configure --with-pjproject-bundled --enable-dev-mode=noisy --with-crypto=$SSL_HOME --with-ssl=$SSL_HOME
{code}
*Expected Result*
SIP-over-TLS can be used in chan_pjsip.

*Actual Result*
{{** OpenSSL libraries not found, disabling SSL support **}}
is printed by the configure script of PJProject already. SIP-over-TLS cannot be used in chan_pjsip, only in chan_sip.

*Workaround*
Install OpenSSL in the system, for example in Ubuntu via
{{sudo apt install libssl-dev}}
but do not expect any additional feature of your custom build of OpenSSL.

*Notes*
Asterisk allows the shared libraries ({{.so}}) in the root of the specified path and in a subfolder called {{lib}}. Currently (2.7.2), PJProject is expecting libraries only in that subfolder {{lib}}. Consequently, as an additional workaround, I had to move the libraries in the example above. To fix this, I submitted a patch to Teluu already. Currently (2.7.2), PJProject is going to print {{checking openssl/ssl.h presence... no}}. This is because Teluu puts the inclusion headers ({{-I}}) not in CPPFLAGS but CFLAGS. To avoid this warning—which is just cosmetic—I submitted a patch to Teluu already as well.

The attached patch was tested without and with OpenSSL, inside the system and outside of the system.


> [patch] pjproject_bundled: Repair ./configure --with-ssl=PATH.
> --------------------------------------------------------------
>
>                 Key: ASTERISK-27880
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27880
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Third-Party/pjproject
>    Affects Versions: 13.21.0, 15.4.0
>            Reporter: Alexander Traud
>            Assignee: Alexander Traud
>              Labels: patch, pjsip
>         Attachments: with-ssl_pjproject.patch
>
>



--
This message was sent by Atlassian JIRA
(v6.2#6252)
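
The layout difference described in the Notes can be checked before running ./configure. The following is an added example, not part of the report or the attached patch: the function names are hypothetical, the sample tree is constructed, and the rules (Asterisk accepts libraries in the prefix root or in lib, PJProject 2.7.2 only in lib) are taken from the Notes.

```shell
#!/bin/sh
# Added example: classify a custom OpenSSL prefix by where its shared
# libraries sit, before passing it to ./configure --with-ssl=PATH.

# has_lib DIR NAME: true if DIR holds NAME.so or NAME.so.<version>
has_lib() {
    for f in "$1/$2".so*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Prints one of: lib-subdir | root-only | no-libs | no-headers
classify_ssl_prefix() {
    prefix=$1
    [ -f "$prefix/include/openssl/ssl.h" ] || { echo no-headers; return 0; }
    if has_lib "$prefix/lib" libssl && has_lib "$prefix/lib" libcrypto; then
        echo lib-subdir   # found by Asterisk and by PJProject 2.7.2
    elif has_lib "$prefix" libssl && has_lib "$prefix" libcrypto; then
        echo root-only    # found by Asterisk only, per the Notes
    else
        echo no-libs
    fi
}

# Constructed sample: mimics an OpenSSL source directory right after `make`,
# with empty placeholder files instead of real headers and libraries.
make_sample_prefix() {
    d=$(mktemp -d) && mkdir -p "$d/include/openssl" &&
    : > "$d/include/openssl/ssl.h" &&
    : > "$d/libssl.so" && : > "$d/libcrypto.so" && echo "$d"
}

# Usage: sh check_ssl_prefix.sh "$SSL_HOME"
if [ $# -gt 0 ]; then
    classify_ssl_prefix "$1"
fi
```

A result of root-only corresponds to the state in the Steps to Reproduce before the {{mkdir ./lib}} and {{cp}} lines.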


