[asterisk-users] Asterisk SSL support broken with update from openssl-1.0.0 to 1.0.1e, recompiling does *not* help
Alex Villacís Lasso
a_villacis at palosanto.com
Thu Mar 27 11:59:44 CDT 2014
I am having an issue that prevents WebSockets over SSL/TLS (or any kind of encrypted HTTP traffic to Asterisk) from working after an openssl library update.
My setup is CentOS 6 x86_64, and initially, with openssl[-devel]-1.0.0-20.el6_2.5.x86_64 . With this openssl versions, https over TCP port 8089 initializes correctly with asterisk-11.7.0. After an upgrade to openssl[-devel]-1.0.1e-16.el6_5.4.x86_64 , I
compiled asterisk-11.8.1 . When testing the exact same configuration, I noticed that TCP port 8089 was no longer listening, even though TCP port 8088 (standard unencrypted HTTP) was. After a patch coaxing some error message to be shown in the logs, I got
[Mar 27 10:25:47] DEBUG config.c: Parsing /etc/asterisk/acl.conf
[Mar 27 10:25:47] VERBOSE config.c: == Parsing '/etc/asterisk/acl.conf': Found
[Mar 27 10:25:47] DEBUG config.c: Parsing /etc/asterisk/http.conf
[Mar 27 10:25:47] VERBOSE config.c: == Parsing '/etc/asterisk/http.conf': Found
[Mar 27 10:25:47] DEBUG netsock2.c: Splitting '0.0.0.0' into...
[Mar 27 10:25:47] DEBUG netsock2.c: ...host '0.0.0.0' and port ''.
[Mar 27 10:25:47] DEBUG config.c: extract uint from  in [0, 65535] gives (0)
[Mar 27 10:25:47] DEBUG netsock2.c: Splitting '0.0.0.0:8089' into...
[Mar 27 10:25:47] DEBUG netsock2.c: ...host '0.0.0.0' and port '8089'.
[Mar 27 10:25:47] DEBUG config.c: extract addr from 0.0.0.0:8089 gives 0.0.0.0:8089(0)
[Mar 27 10:25:47] VERBOSE http.c: Bound HTTP server to address 0.0.0.0:0
[Mar 27 10:25:47] DEBUG tcptls.c: Sorry, SSL_CTX_new call returned null... (sslerror=336236705 sslstring="error:140A90A1:lib(20):func(169):reason(161)")
[Mar 27 10:25:47] VERBOSE manager.c: == Manager registered action Ping
From googling around, I see that reason(161) means that somehow, there are no loaded cyphers for SSL (source: http://marc.info/?l=openssl-users&m=99129794725716&w=2). This source also claims that the most common cause is that SSL_library_init() was not
called. However, I do not see anything in the Asterisk changelog that could possibly cause the call to be skipped.
I see nothing out of the ordinary when configuring Asterisk using the updated openssl:
checking sqlite3.h usability... yes
checking sqlite3.h presence... yes
checking for sqlite3.h... yes
checking for AES_encrypt in -lcrypto... yes
checking openssl/aes.h usability... yes
checking openssl/aes.h presence... yes
checking for openssl/aes.h... yes
checking for SSL_connect in -lssl... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking osp/osp.h usability... no
checking osp/osp.h presence... no
checking for osp/osp.h... no
checking for SSL_CTX_set_tlsext_use_srtp in -lssl... yes
checking for openssl/ssl.h... (cached) yes
checking for srtp_init in -lsrtp... yes
checking srtp/srtp.h usability... yes
checking srtp/srtp.h presence... yes
checking for srtp/srtp.h... yes
checking for the ability of -lsrtp to be linked in a shared object... yes
checking for srtp_shutdown in -lsrtp... yes
checking for srtp/srtp.h... (cached) yes
checking for malloc in -lhoard... no
checking for dbinit in -lsybdb... yes
checking sybdb.h usability... yes
checking sybdb.h presence... yes
What else could I check? I have checked issues.asterisk.org and there is no mention of a situation similar to mine, so I believe this is somehow related to the build environment.
More information about the asterisk-users