[asterisk-bugs] [JIRA] (ASTERISK-27880) [patch] pjproject_bundled: Repair ./configure --with-ssl=PATH.

Alexander Traud (JIRA) noreply at issues.asterisk.org
Tue May 29 09:25:54 CDT 2018


Alexander Traud created ASTERISK-27880:
------------------------------------------

             Summary: [patch] pjproject_bundled: Repair ./configure --with-ssl=PATH.
                 Key: ASTERISK-27880
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27880
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Third-Party/pjproject
    Affects Versions: 15.4.0, 13.21.0
            Reporter: Alexander Traud


With the upcoming [TLS 1.3|https://tools.ietf.org/html/draft-ietf-tls-tls13] and 3DES being [disabled|https://www.openssl.org/blog/blog/2016/08/24/sweet32/] in OpenSSL 1.1.x, using a custom-built OpenSSL library for SIP-over-TLS might be interesting.

This is sequel 3 of a larger fix, which started in ASTERISK-27865. Asterisk uses PJProject for many things like ICE in chan_sip and even for its own new SIP channel driver chan_pjsip. Although PJProject (can) use a lot of external libraries, Asterisk does not use _any_ of them except for OpenSSL, to enable SIP-over-TLS. Consequently, Asterisk comes with a bundled PJProject and disables _all_ its external features except OpenSSL.

However, when Asterisk is told to use a different OpenSSL than the one provided by the underlying platform, this is not told to the bundled PJProject. The attached patch fixes this.

*Steps to Reproduce* (Ubuntu 18.04 LTS)
{code}sudo apt install build-essential pkg-config libedit-dev libjansson-dev libsqlite3-dev uuid-dev libxslt1-dev
sudo apt remove libssl-dev
cd ~/Downloads
wget www.openssl.org/source/openssl-1.1.1-pre6.tar.gz
tar -zxf ./openssl-*.tar.gz
cd ./openssl-*
./config shared enable-weak-ssl-ciphers
make
mkdir ./lib
cp --verbose ./lib*.so ./lib
export SSL_HOME=$PWD
cd ~/Downloads
wget downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar -zxf ./asterisk-*.tar.gz
cd ./asterisk-*
LDFLAGS="-Wl,-rpath,$SSL_HOME" ./configure --with-pjproject-bundled --enable-dev-mode=noisy --with-crypto=$SSL_HOME --with-ssl=$SSL_HOME
{code}
*Expected Result*
SIP-over-TLS can be used in chan_pjsip.

*Actual Result*
{{** OpenSSL libraries not found, disabling SSL support **}}
is printed by the configure script of PJProject already. SIP-over-TLS cannot be used in chan_pjsip, only in chan_sip.

*Workaround*
Install OpenSSL in the system, for example in Ubuntu via
{{sudo apt install libssl-dev}}
but do not expect any additional feature of your custom build of OpenSSL.

*Notes*
Asterisk allows the shared libraries ({{.so}}) in the root of the specified path and in a subfolder called {{lib}}. Currently (2.7.2), PJProject is expecting libraries only in that subfolder {{lib}}. Consequently, as an additional workaround, I had to move the libraries in the example above. To fix this, I submitted a patch to Teluu already.

Currently (2.7.2), PJProject is going to print {{checking openssl/ssl.h presence... no}}. This is because Teluu puts the inclusion headers ({{-I}}) not in CPPFLAGS but CFLAGS. To avoid this warning—which is just cosmetic—I submitted a patch to Teluu already as well.

The attached patch was tested without and with OpenSSL, inside the system and outside of the system.



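A pre-flight check for the layout difference described in the Notes, as an added example that is not part of the report or the attached patch: it tells you before running {{./configure}} whether a custom OpenSSL prefix has its shared libraries where the bundled PJProject (2.7.2, per the report) looks for them. The function names and the {{include/openssl/ssl.h}} location under the prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example: inspect a custom OpenSSL prefix before ./configure --with-ssl=PATH.
# Layout rules come from the Notes in the report; all names here are hypothetical.

# Print where lib<name>.so* lives under the prefix: root, lib, both or none.
find_lib() {
    fl_prefix=$1 fl_name=$2 fl_where=none
    for f in "$fl_prefix"/lib"$fl_name".so*; do
        if [ -e "$f" ]; then fl_where=root; break; fi
    done
    for f in "$fl_prefix"/lib/lib"$fl_name".so*; do
        if [ -e "$f" ]; then
            if [ "$fl_where" = root ]; then fl_where=both; else fl_where=lib; fi
            break
        fi
    done
    echo "$fl_where"
}

# Return 0 only if headers exist and both libraries are in PREFIX/lib,
# the one place PJProject 2.7.2 searches according to the report.
check_ssl_prefix() {
    cs_prefix=$1 cs_rc=0
    if [ ! -f "$cs_prefix/include/openssl/ssl.h" ]; then
        echo "missing: include/openssl/ssl.h"
        cs_rc=1
    fi
    for cs_name in ssl crypto; do
        case $(find_lib "$cs_prefix" "$cs_name") in
            lib|both) echo "lib$cs_name: found in lib/" ;;
            root) echo "lib$cs_name: only in prefix root (Asterisk accepts it, PJProject 2.7.2 does not)"
                  cs_rc=1 ;;
            none) echo "lib$cs_name: not found"
                  cs_rc=1 ;;
        esac
    done
    return $cs_rc
}

# Run against a prefix when one is given, e.g.: sh check.sh "$SSL_HOME"
if [ $# -gt 0 ]; then
    check_ssl_prefix "$1"
fi
```

A non-zero exit for a freshly built OpenSSL source tree corresponds to the {{mkdir ./lib}} and {{cp}} steps in the reproduction above.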