Alex Villacís Lasso
2014-Dec-23 17:19 UTC
[asterisk-users] Problems linking asterisk against self-compiled openssl on CentOS 5
I am trying to enable full WebRTC support on asterisk-11.15 for installation on a CentOS 5 machine. Currently the distro cannot be upgraded to any later CentOS series. This CentOS series ships with openssl-0.9.8e, which lacks DTLS-SRTP support required for WebRTC. So I decided to build a parallel install of openssl. I chose the Fedora 21 package, openssl-1.0.1j, and built it on CentOS 5. The libraries now reside at /opt/openssl101/usr/lib with header files at /opt/openssl101/usr/include/openssl/ . There are symbolic links at /usr/lib64/libssl.so.10 and /usr/lib64/libcrypto.so.10 pointing into my upgraded openssl. Now I am trying to compile asterisk and link it with my openssl. My configure invocation is as follows: ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --with-misdn --with-sounds-cache=no --with-srtp --with-ssl=/opt/openssl101/usr --with-crypto=/opt/openssl101/usr Note the --with-ssl and --with-crypto options at the end, pointing to my openssl directory. After this I compile, but I am getting these messages when compilation reaches res/res_rtp_asterisk.c: a - output/pjlib-x86_64-redhat-linux-gnu/sock_qos_bsd.o a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_common.o a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_ossl.o a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_dump.o a - output/pjlib-x86_64-redhat-linux-gnu/string.o a - output/pjlib-x86_64-redhat-linux-gnu/timer.o a - output/pjlib-x86_64-redhat-linux-gnu/types.o [CC] res_rtp_asterisk.c -> res_rtp_asterisk.o res_rtp_asterisk.c: In function 'ast_rtp_dtls_set_configuration': res_rtp_asterisk.c:1278: warning: implicit declaration of function 'SSL_CTX_set_tlsext_use_srtp' res_rtp_asterisk.c: In function 'dtls_srtp_handle_timeout': res_rtp_asterisk.c:1765: warning: implicit declaration of function 'DTLSv1_handle_timeout' res_rtp_asterisk.c: In function 'dtls_srtp_check_pending': res_rtp_asterisk.c:1817: warning: implicit declaration of function 'DTLSv1_get_timeout' res_rtp_asterisk.c: In function 'dtls_srtp_setup': res_rtp_asterisk.c:1904: warning: implicit declaration of function 'SSL_export_keying_material' [LD] res_rtp_asterisk.o -> res_rtp_asterisk.so [CC] res_rtp_multicast.c -> res_rtp_multicast.o [LD] res_rtp_multicast.o -> res_rtp_multicast.so After this, res_rtp_asterisk.so cannot be loaded because it is linked to the system openssl but requests the symbols from the upgraded openssl: [2014-12-22 20:19:41] WARNING[25901] loader.c: Error loading module 'res_rtp_asterisk.so': /usr/lib64/asterisk/modules/res_rtp_asterisk.so: undefined symbol: DTLSv1_handle_timeout [root at rpmbuild64-2 ~]# ldd /usr/lib64/asterisk/modules/res_rtp_asterisk.so linux-vdso.so.1 => (0x00007fff431fd000) libuuid.so.1 => /lib64/libuuid.so.1 (0x00002b3f92461000) libm.so.6 => /lib64/libm.so.6 (0x00002b3f92665000) libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b3f928e9000) librt.so.1 => /lib64/librt.so.1 (0x00002b3f92b01000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00002b3f92d0a000) libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b3f92f27000) libssl.so.6 => /lib64/libssl.so.6 (0x00002b3f93278000) libc.so.6 => /lib64/libc.so.6 (0x00002b3f934c6000) /lib64/ld-linux-x86-64.so.2 (0x00000037c2400000) libdl.so.2 => /lib64/libdl.so.2 (0x00002b3f93820000) libz.so.1 => /lib64/libz.so.1 (0x00002b3f93a24000) libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002b3f93c38000) libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b3f93e67000) libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b3f940fc000) libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b3f942fe000) libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b3f94524000) libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b3f9472c000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b3f9492e000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b3f94b44000) libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b3f94d5c000) (using libcrypto.so.6 and libssl.so.6 from system openssl) However, libasteriskssl.so is correctly linked against my upgraded openssl: [root at rpmbuild64-2 ~]# ldd /usr/lib64/libasteriskssl.so.1 linux-vdso.so.1 => (0x00007fffac390000) libssl.so.10 => /usr/lib64/libssl.so.10 (0x00002aef0cfb4000) libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00002aef0d21d000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00002aef0d5f2000) libc.so.6 => /lib64/libc.so.6 (0x00002aef0d80e000) libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aef0db67000) libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aef0dd96000) libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aef0e02b000) libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aef0e22d000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aef0e453000) libdl.so.2 => /lib64/libdl.so.2 (0x00002aef0e668000) libz.so.1 => /lib64/libz.so.1 (0x00002aef0e86c000) /lib64/ld-linux-x86-64.so.2 (0x00000037c2400000) libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aef0ea81000) libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aef0ec89000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aef0ee8c000) libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aef0f0a4000) [root at rpmbuild64-2 ~]# ls -l /usr/lib64/libcrypto.so.10 /usr/lib64/libssl.so.10 lrwxrwxrwx 1 root root 45 dic 22 19:15 /usr/lib64/libcrypto.so.10 -> ../..//opt/openssl101/usr/lib/libcrypto.so.10 lrwxrwxrwx 1 root root 42 dic 22 19:15 /usr/lib64/libssl.so.10 -> ../..//opt/openssl101/usr/lib/libssl.so.10 (using libcrypto.so.10 and libssl.so.10 from upgraded openssl) I have searched in Google, but I cannot find any mention of this issue before, nor any attempt to compile asterisk against a non-system openssl. How can I proceed to solve the linking issue? My guess is that include and link flags are not being correctly set when compiling res_rtp_asterisk.c , but I could be wrong. What else should I check? If this message should be sent to asterisk-devel instead, please tell me.
Alex Villacís Lasso
2014-Dec-23 21:37 UTC
[asterisk-users] Problems linking asterisk against self-compiled openssl on CentOS 5
El 23/12/14 a las 12:19, Alex Villac??s Lasso escribi?:> I am trying to enable full WebRTC support on asterisk-11.15 for installation on a CentOS 5 machine. Currently the distro cannot be upgraded to any later CentOS series. This CentOS series ships with openssl-0.9.8e, which lacks DTLS-SRTP support required > for WebRTC. So I decided to build a parallel install of openssl. I chose the Fedora 21 package, openssl-1.0.1j, and built it on CentOS 5. The libraries now reside at /opt/openssl101/usr/lib with header files at /opt/openssl101/usr/include/openssl/ . > There are symbolic links at /usr/lib64/libssl.so.10 and /usr/lib64/libcrypto.so.10 pointing into my upgraded openssl. > > Now I am trying to compile asterisk and link it with my openssl. My configure invocation is as follows: > > ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share > --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --with-misdn --with-sounds-cache=no --with-srtp --with-ssl=/opt/openssl101/usr > --with-crypto=/opt/openssl101/usr > > Note the --with-ssl and --with-crypto options at the end, pointing to my openssl directory. > > After this I compile, but I am getting these messages when compilation reaches res/res_rtp_asterisk.c: > > a - output/pjlib-x86_64-redhat-linux-gnu/sock_qos_bsd.o > a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_common.o > a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_ossl.o > a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_dump.o > a - output/pjlib-x86_64-redhat-linux-gnu/string.o > a - output/pjlib-x86_64-redhat-linux-gnu/timer.o > a - output/pjlib-x86_64-redhat-linux-gnu/types.o > [CC] res_rtp_asterisk.c -> res_rtp_asterisk.o > res_rtp_asterisk.c: In function 'ast_rtp_dtls_set_configuration': > res_rtp_asterisk.c:1278: warning: implicit declaration of function 'SSL_CTX_set_tlsext_use_srtp' > res_rtp_asterisk.c: In function 'dtls_srtp_handle_timeout': > res_rtp_asterisk.c:1765: warning: implicit declaration of function 'DTLSv1_handle_timeout' > res_rtp_asterisk.c: In function 'dtls_srtp_check_pending': > res_rtp_asterisk.c:1817: warning: implicit declaration of function 'DTLSv1_get_timeout' > res_rtp_asterisk.c: In function 'dtls_srtp_setup': > res_rtp_asterisk.c:1904: warning: implicit declaration of function 'SSL_export_keying_material' > [LD] res_rtp_asterisk.o -> res_rtp_asterisk.so > [CC] res_rtp_multicast.c -> res_rtp_multicast.o > [LD] res_rtp_multicast.o -> res_rtp_multicast.so > > After this, res_rtp_asterisk.so cannot be loaded because it is linked to the system openssl but requests the symbols from the upgraded openssl: > > [2014-12-22 20:19:41] WARNING[25901] loader.c: Error loading module 'res_rtp_asterisk.so': /usr/lib64/asterisk/modules/res_rtp_asterisk.so: undefined symbol: DTLSv1_handle_timeout > > [root at rpmbuild64-2 ~]# ldd /usr/lib64/asterisk/modules/res_rtp_asterisk.so > linux-vdso.so.1 => (0x00007fff431fd000) > libuuid.so.1 => /lib64/libuuid.so.1 (0x00002b3f92461000) > libm.so.6 => /lib64/libm.so.6 (0x00002b3f92665000) > libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b3f928e9000) > librt.so.1 => /lib64/librt.so.1 (0x00002b3f92b01000) > libpthread.so.0 => /lib64/libpthread.so.0 (0x00002b3f92d0a000) > libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b3f92f27000) > libssl.so.6 => /lib64/libssl.so.6 (0x00002b3f93278000) > libc.so.6 => /lib64/libc.so.6 (0x00002b3f934c6000) > /lib64/ld-linux-x86-64.so.2 (0x00000037c2400000) > libdl.so.2 => /lib64/libdl.so.2 (0x00002b3f93820000) > libz.so.1 => /lib64/libz.so.1 (0x00002b3f93a24000) > libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002b3f93c38000) > libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b3f93e67000) > libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b3f940fc000) > libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b3f942fe000) > libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b3f94524000) > libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b3f9472c000) > libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b3f9492e000) > libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b3f94b44000) > libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b3f94d5c000) > (using libcrypto.so.6 and libssl.so.6 from system openssl) > > However, libasteriskssl.so is correctly linked against my upgraded openssl: > > [root at rpmbuild64-2 ~]# ldd /usr/lib64/libasteriskssl.so.1 > linux-vdso.so.1 => (0x00007fffac390000) > libssl.so.10 => /usr/lib64/libssl.so.10 (0x00002aef0cfb4000) > libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00002aef0d21d000) > libpthread.so.0 => /lib64/libpthread.so.0 (0x00002aef0d5f2000) > libc.so.6 => /lib64/libc.so.6 (0x00002aef0d80e000) > libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aef0db67000) > libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aef0dd96000) > libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aef0e02b000) > libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aef0e22d000) > libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aef0e453000) > libdl.so.2 => /lib64/libdl.so.2 (0x00002aef0e668000) > libz.so.1 => /lib64/libz.so.1 (0x00002aef0e86c000) > /lib64/ld-linux-x86-64.so.2 (0x00000037c2400000) > libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aef0ea81000) > libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aef0ec89000) > libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aef0ee8c000) > libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aef0f0a4000) > [root at rpmbuild64-2 ~]# ls -l /usr/lib64/libcrypto.so.10 /usr/lib64/libssl.so.10 > lrwxrwxrwx 1 root root 45 dic 22 19:15 /usr/lib64/libcrypto.so.10 -> ../..//opt/openssl101/usr/lib/libcrypto.so.10 > lrwxrwxrwx 1 root root 42 dic 22 19:15 /usr/lib64/libssl.so.10 -> ../..//opt/openssl101/usr/lib/libssl.so.10 > > (using libcrypto.so.10 and libssl.so.10 from upgraded openssl) > > I have searched in Google, but I cannot find any mention of this issue before, nor any attempt to compile asterisk against a non-system openssl. > > How can I proceed to solve the linking issue? My guess is that include and link flags are not being correctly set when compiling res_rtp_asterisk.c , but I could be wrong. What else should I check? > > If this message should be sent to asterisk-devel instead, please tell me. >I managed to work around this by patching res/Makefile as follows: diff -ur asterisk-11.15.0-bak/res/Makefile asterisk-11.15.0/res/Makefile --- asterisk-11.15.0-bak/res/Makefile 2014-12-23 14:57:49.000000000 -0500 +++ asterisk-11.15.0/res/Makefile 2014-12-23 14:59:19.000000000 -0500 @@ -75,7 +75,7 @@ rm -f pjproject/build.mak pjproject/build.mak: pjproject/aconfigure - (cd pjproject && CFLAGS="-fPIC" ./configure --build=$(BUILD_PLATFORM) --host=$(HOST_PLATFORM) --disable-floating-point --disable-sound --disable-oss --disable-speex-aec --disable-l16-codec --disable-gsm-codec --disable-g722-codec --disable-g7221-codec --disable-speex-codec --disable-ilbc-codec --disable-g711-codec) + (cd pjproject && CFLAGS="-fPIC $(OPENSSL_INCLUDE)" LDFLAGS="$(OPENSSL_LIB)" ./configure --build=$(BUILD_PLATFORM) --host=$(HOST_PLATFORM) --disable-floating-point --disable-sound --disable-oss --disable-speex-aec --disable-l16-codec --disable-gsm-codec --disable-g722-codec --disable-g7221-codec --disable-speex-codec --disable-ilbc-codec --disable-g711-codec) ifneq ($(findstring $(MAKECMDGOALS),all),) -include pjproject/build.mak With this, I can load res_rtp_asterisk.so normally. However, a potential issue remains. There are some modules that still load the system-supplied openssl, since they are linked to system libraries that in turn link to system openssl: res/res_curl.so res/res_config_curl.so res/res_snmp.so addons/app_mysql.so addons/res_config_mysql.so addons/cdr_mysql.so funcs/func_curl.so apps/app_cbmysql.so So far my test asterisk runs without crashes or other issues. Is there a potential problem that could arise from loading both the system openssl and the upgraded openssl on the same process? What should I look out for?