[asterisk-bugs] [JIRA] (ASTERISK-27878) [patch] tcptls.h: Repair ./configure --with-ssl=PATH.

Alexander Traud (JIRA) noreply at issues.asterisk.org
Fri Jun 8 01:42:54 CDT 2018


     [ https://issues.asterisk.org/jira/browse/ASTERISK-27878?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Traud updated ASTERISK-27878:
---------------------------------------

    Description: 
With the upcoming [TLS 1.3|https://tools.ietf.org/html/draft-ietf-tls-tls13] and 3DES being [disabled|https://www.openssl.org/blog/blog/2016/08/24/sweet32/] in OpenSSL 1.1.x, using a custom-built OpenSSL library for SIP-over-TLS might be interesting.

This is sequel 2 of a larger fix, which started in ASTERISK-27865. The underlying issue started with Commit [6a147ed|https://github.com/asterisk/asterisk/commit/6a147ed134fb434fb70b670d5e32c72216ba82e8] and got bigger over the years. When a source file includes a header from an optional package (for example OpenSSL), one has to specify either

A) {{xyz.o: _ASTCFLAGS+=$(OPENSSL_INCLUDE)}} in its Makefile, or
B) {{<depend>openssl</depend>}} in its {{MODULEINFO}}, or
C) {{<use type="external">openssl</use>}} in its {{MODULEINFO}}.

The latter two alternatives work only for modules. Every source file which includes such a header explicitly, implicitly, or transitively needs one of those alternatives. Otherwise, the path of {{--with-ssl}} is not honored and those headers are searched within the system only.

*Steps to Reproduce* (Ubuntu 18.04 LTS)
{code}
sudo apt install build-essential pkg-config libedit-dev libjansson-dev libsqlite3-dev uuid-dev libxslt1-dev
sudo apt remove libssl-dev
cd ~/Downloads
wget www.openssl.org/source/openssl-1.1.1-pre6.tar.gz
tar -zxf ./openssl-*.tar.gz
cd ./openssl-*
./config shared enable-weak-ssl-ciphers
make
export SSL_HOME=$PWD
cd ~/Downloads
wget downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar -zxf ./asterisk-*.tar.gz
cd ./asterisk-*
LDFLAGS="-Wl,-rpath $SSL_HOME" ./configure --enable-dev-mode=noisy --with-crypto=$SSL_HOME --with-ssl=$SSL_HOME
make
{code}

*Expected Result*
Should build without any problem.

*Actual Result*
{{fatal error: 'openssl/ssl.h' file not found}}

*Workaround*
Install headers of OpenSSL in the system, for example in Ubuntu via
{{sudo apt install libssl-dev}}

*Notes*
Thanks to the 'noisy' developer mode (see the configure option), the cause was found quite fast.

Although one could go for one of the alternatives above, for each source file, those files do not actually use/need OpenSSL. They access OpenSSL only via pointers and do not need the definition of the underlying structs. Consequently, the solution is to remove the inclusion of any headers from external/optional packages. In this case here, remove any {{#include <openssl/....h>}} from the header file {{asterisk/tcptls.h}}. The attached patch does this.

That is not the complete solution because something similar happened for {{asterisk/crypto.h}}. As this is a sequel of fixes, this one here concentrates on {{asterisk/tcptls.h}}. However, at first glance, I found no other headers affected than those two (even for other optional packages), except {{asterisk/xmpp.h}}. With that, nothing needs to be changed because all its source files went for alternative C.

The attached patch was tested with and without OpenSSL.

  was:
With the upcoming [TLS 1.3|https://tools.ietf.org/html/draft-ietf-tls-tls13] and 3DES being [disabled|https://www.openssl.org/blog/blog/2016/08/24/sweet32/] in OpenSSL 1.1.x, using a custom-built OpenSSL library for SIP-over-TLS might be interesting.

This is sequel 2 of a larger fix, which started in ASTERISK-27865. The underlying issue started with Commit [6a147ed|https://github.com/asterisk/asterisk/commit/6a147ed134fb434fb70b670d5e32c72216ba82e8] and got bigger over the years. When a source file includes a header from an optional package (for example OpenSSL), one has to specify either

A) {{xyz.o: _ASTCFLAGS+=$(OPENSSL_INCLUDE)}} in its Makefile, or
B) {{<depend>openssl</depend>}} in its {{MODULEINFO}}, or
C) {{<use type="external">openssl</use>}} in its {{MODULEINFO}}.

The latter two alternatives work only for modules. Every source file which includes such a header explicitly, implicitly, or transitively needs one of those alternatives. Otherwise, the path of {{--with-ssl}} is not honored and those headers are searched within the system only.

*Steps to Reproduce* (Ubuntu 18.04 LTS)
{code}
sudo apt install build-essential pkg-config libedit-dev libjansson-dev libsqlite3-dev uuid-dev libxslt1-dev
sudo apt remove libssl-dev
cd ~/Downloads
wget www.openssl.org/source/openssl-1.1.1-pre6.tar.gz
tar -zxf ./openssl-*.tar.gz
cd ./openssl-*
./config shared enable-weak-ssl-ciphers
make
export SSL_HOME=$PWD
cd ~/Downloads
wget downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar -zxf ./asterisk-*.tar.gz
cd ./asterisk-*
LDFLAGS="Wl,-rpath $SSL_HOME" ./configure --enable-dev-mode=noisy --with-crypto=$SSL_HOME --with-ssl=$SSL_HOME
make
{code}

*Expected Result*
Should build without any problem.

*Actual Result*
{{fatal error: 'openssl/ssl.h' file not found}}

*Workaround*
Install headers of OpenSSL in the system, for example in Ubuntu via
{{sudo apt install libssl-dev}}

*Notes*
Thanks to the 'noisy' developer mode (see the configure option), the cause was found quite fast.

Although one could go for one of the alternatives above, for each source file, those files do not actually use/need OpenSSL. They access OpenSSL only via pointers and do not need the definition of the underlying structs. Consequently, the solution is to remove the inclusion of any headers from external/optional packages. In this case here, remove any {{#include <openssl/....h>}} from the header file {{asterisk/tcptls.h}}. The attached patch does this.

That is not the complete solution because something similar happened for {{asterisk/crypto.h}}. As this is a sequel of fixes, this one here concentrates on {{asterisk/tcptls.h}}. However, at first glance, I found no other headers affected than those two (even for other optional packages), except {{asterisk/xmpp.h}}. With that, nothing needs to be changed because all its source files went for alternative C.

The attached patch was tested with and without OpenSSL.


> [patch] tcptls.h: Repair ./configure --with-ssl=PATH.
> -----------------------------------------------------
>
>                 Key: ASTERISK-27878
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27878
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: . I did not set the category correctly.
>    Affects Versions: 13.21.0, 15.4.0
>            Reporter: Alexander Traud
>            Assignee: Alexander Traud
>              Labels: patch
>         Attachments: with-ssl_13.patch, with-ssl_15.patch
>
>



--
This message was sent by Atlassian JIRA
(v6.2#6252)
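
A quick audit for the condition the report describes, as an added example that is not part of the original message or the attached patch: it lists sources that include a project header which itself includes `<openssl/...>` and that declare none of alternatives A, B or C. The tree layout (`include/`, a `Makefile` beside each source) and every file name except `asterisk/tcptls.h` are assumptions, and only direct includes are followed, not transitive ones.

```shell
#!/bin/sh
# Added example (not Asterisk code): find sources that pull in an OpenSSL
# header through a project header without declaring alternative A, B or C.
# Only direct includes are followed; the tree layout is an assumption.

# Project headers under $1 that include an OpenSSL header directly.
leaky_headers() {
    grep -rlE --include='*.h' \
        '^[[:space:]]*#[[:space:]]*include[[:space:]]*<openssl/' "$1" | sort
}

# Sources under $1 that include a leaky header and declare no alternative.
unprotected_sources() {
    tree=$1
    leaky_headers "$tree/include" | while read -r hdr; do
        name=${hdr#"$tree/include/"}
        grep -rlF --include='*.c' "\"$name\"" "$tree" | while read -r src; do
            obj=$(basename "$src" .c).o
            # Alternative A: per-object flags in the Makefile beside the source.
            grep -qsE "^$obj:.*OPENSSL_INCLUDE" "$(dirname "$src")/Makefile" && continue
            # Alternatives B and C: MODULEINFO inside the source file.
            grep -qE '<(depend|use[^>]*)>openssl</' "$src" && continue
            rel=${src#"$tree/"}
            echo "$rel"
        done
    done | sort -u
}

# Constructed sample tree (hypothetical file names except asterisk/tcptls.h).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/include/asterisk" "$t/main" "$t/res"
    printf '#include <openssl/ssl.h>\n' > "$t/include/asterisk/tcptls.h"
    printf '#include "asterisk/tcptls.h"\n' > "$t/main/plain.c"
    printf '#include "asterisk/tcptls.h"\n' > "$t/main/flagged.c"
    printf 'flagged.o: _ASTCFLAGS+=$(OPENSSL_INCLUDE)\n' > "$t/main/Makefile"
    printf '/*** MODULEINFO\n<use type="external">openssl</use>\n ***/\n#include "asterisk/tcptls.h"\n' > "$t/res/res_mod.c"
    echo "$t"
}

tree=$(make_sample_tree)
unprotected_sources "$tree"    # prints main/plain.c
rm -rf "$tree"
```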


