Alex Villacís Lasso
2014-Mar-27 16:59 UTC
[asterisk-users] Asterisk SSL support broken with update from openssl-1.0.0 to 1.0.1e, recompiling does *not* help
I am having an issue that prevents WebSockets over SSL/TLS (or any kind of encrypted HTTP traffic to Asterisk) from working after an openssl library update.

My setup is CentOS 6 x86_64, and initially, with openssl[-devel]-1.0.0-20.el6_2.5.x86_64 . With this openssl version, https over TCP port 8089 initializes correctly with asterisk-11.7.0. After an upgrade to openssl[-devel]-1.0.1e-16.el6_5.4.x86_64 , I compiled asterisk-11.8.1 . When testing the exact same configuration, I noticed that TCP port 8089 was no longer listening, even though TCP port 8088 (standard unencrypted HTTP) was. After a patch coaxing some error message to be shown in the logs, I got the following:

[Mar 27 10:25:47] DEBUG[10516] config.c: Parsing /etc/asterisk/acl.conf
[Mar 27 10:25:47] VERBOSE[10516] config.c: == Parsing '/etc/asterisk/acl.conf': Found
[Mar 27 10:25:47] DEBUG[10516] config.c: Parsing /etc/asterisk/http.conf
[Mar 27 10:25:47] VERBOSE[10516] config.c: == Parsing '/etc/asterisk/http.conf': Found
[Mar 27 10:25:47] DEBUG[10516] netsock2.c: Splitting '0.0.0.0' into...
[Mar 27 10:25:47] DEBUG[10516] netsock2.c: ...host '0.0.0.0' and port ''.
[Mar 27 10:25:47] DEBUG[10516] config.c: extract uint from [8088] in [0, 65535] gives [8088](0)
[Mar 27 10:25:47] DEBUG[10516] netsock2.c: Splitting '0.0.0.0:8089' into...
[Mar 27 10:25:47] DEBUG[10516] netsock2.c: ...host '0.0.0.0' and port '8089'.
[Mar 27 10:25:47] DEBUG[10516] config.c: extract addr from 0.0.0.0:8089 gives 0.0.0.0:8089(0)
[Mar 27 10:25:47] VERBOSE[10516] http.c: Bound HTTP server to address 0.0.0.0:0
[Mar 27 10:25:47] DEBUG[10516] tcptls.c: Sorry, SSL_CTX_new call returned null... (sslerror=336236705 sslstring="error:140A90A1:lib(20):func(169):reason(161)")
[Mar 27 10:25:47] VERBOSE[10516] manager.c: == Manager registered action Ping

From googling around, I see that reason(161) means that somehow, there are no loaded cyphers for SSL (source: http://marc.info/?l=openssl-users&m=99129794725716&w=2).
This source also claims that the most common cause is that SSL_library_init() was not called. However, I do not see anything in the Asterisk changelog that could possibly cause the call to be skipped. I see nothing out of the ordinary when configuring Asterisk using the updated openssl:

checking sqlite3.h usability... yes
checking sqlite3.h presence... yes
checking for sqlite3.h... yes
checking for AES_encrypt in -lcrypto... yes
checking openssl/aes.h usability... yes
checking openssl/aes.h presence... yes
checking for openssl/aes.h... yes
checking for SSL_connect in -lssl... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking osp/osp.h usability... no
checking osp/osp.h presence... no
checking for osp/osp.h... no
checking for SSL_CTX_set_tlsext_use_srtp in -lssl... yes
checking for openssl/ssl.h... (cached) yes
checking for srtp_init in -lsrtp... yes
checking srtp/srtp.h usability... yes
checking srtp/srtp.h presence... yes
checking for srtp/srtp.h... yes
checking for the ability of -lsrtp to be linked in a shared object... yes
checking for srtp_shutdown in -lsrtp... yes
checking for srtp/srtp.h... (cached) yes
checking for malloc in -lhoard... no
checking for dbinit in -lsybdb... yes
checking sybdb.h usability... yes
checking sybdb.h presence... yes

What else could I check? I have checked issues.asterisk.org and there is no mention of a situation similar to mine, so I believe this is somehow related to the build environment.
Alex Villacís Lasso
2014-Mar-27 23:01 UTC
[asterisk-users] SOLVED: Re: Asterisk SSL support broken with update from openssl-1.0.0 to 1.0.1e, recompiling does *not* help
On 27/03/14 11:59, Alex Villacís Lasso wrote:
> I am having an issue that prevents WebSockets over SSL/TLS (or any kind of encrypted HTTP traffic to Asterisk) from working after an openssl library update.
>
> My setup is CentOS 6 x86_64, and initially, with openssl[-devel]-1.0.0-20.el6_2.5.x86_64 . With this openssl versions, https over TCP port 8089 initializes correctly with asterisk-11.7.0. After an upgrade to openssl[-devel]-1.0.1e-16.el6_5.4.x86_64 , I
> compiled asterisk-11.8.1 . When testing the exact same configuration, I noticed that TCP port 8089 was no longer listening, even though TCP port 8088 (standard unencrypted HTTP) was. After a patch coaxing some error message to be shown in the logs, I got
> the following:

Sorry about the noise. Turns out, a coworker was testing an experimental patch to asterisk and compiled on a machine without openssl-devel installed, then left a stray dummy /usr/lib/libasteriskssl.so.1 that was overriding the one at /usr/lib64 until just a minute ago.
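The root cause above (a stray copy of libasteriskssl.so.1 in /usr/lib shadowing the real one in /usr/lib64) is a check worth automating before blaming the build. Added example, not from the thread or the Asterisk project: a POSIX shell helper that reads `ldd` output on stdin and reports any loaded library that has a second file with the same soname in one of the given library directories. The directory list and the `/usr/sbin/asterisk` path are assumptions.

```shell
#!/bin/sh
# find_shadowed_libs DIR... : reads "soname => path (addr)" lines (ldd output)
# on stdin; for every resolved library, looks in DIR... for another file with
# the same soname that is not the file actually loaded. Prints one line per
# shadow: "SONAME LOADED_PATH OTHER_COPY". Returns 1 if any shadow was found,
# 0 otherwise, so it can be used as a guard in scripts.
find_shadowed_libs() {
    found=0
    while read -r soname arrow path rest; do
        # Skip the vdso line ("linux-vdso.so.1 => (0x...)"), the loader line
        # ("/lib64/ld-linux-x86-64.so.2 (0x...)") and "=> not found" entries.
        [ "$arrow" = "=>" ] || continue
        case "$path" in /*) ;; *) continue ;; esac
        for dir in "$@"; do
            other="$dir/$soname"
            [ -e "$other" ] || continue
            # Same inode (or a symlink to it) is the loaded copy, not a shadow.
            [ "$other" -ef "$path" ] && continue
            printf '%s %s %s\n' "$soname" "$path" "$other"
            found=1
        done
    done
    return "$found"
}

# Usage on a real host (path is an assumption):
#   ldd /usr/sbin/asterisk | find_shadowed_libs /usr/lib /usr/lib64
if [ "$#" -ge 1 ]; then
    ldd "$1" | find_shadowed_libs /usr/lib /usr/lib64 \
        && echo "no shadowed libraries found for $1"
fi
```

A non-empty report is the signal to compare the two files (`file`, `nm -D`) and remove the stray one, exactly as happened in this thread.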