asterisk users - Dec 2014 - Problems linking asterisk against self-compiled openssl on CentOS 5

I am trying to enable full WebRTC support on asterisk-11.15 for installation on
a CentOS 5 machine. Currently the distro cannot be upgraded to any later CentOS
series. This CentOS series ships with openssl-0.9.8e, which lacks DTLS-SRTP
support required for
WebRTC. So I decided to build a parallel install of openssl. I chose the Fedora
21 package, openssl-1.0.1j, and built it on CentOS 5. The libraries now reside
at /opt/openssl101/usr/lib with header files at
/opt/openssl101/usr/include/openssl/ . There are
symbolic links at /usr/lib64/libssl.so.10 and /usr/lib64/libcrypto.so.10
pointing into my upgraded openssl.

Now I am trying to compile asterisk and link it with my openssl. My configure
invocation is as follows:

./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu
--target=x86_64-redhat-linux-gnu --program-prefix= --prefix=/usr
--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share
--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec
--localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man
--infodir=/usr/share/info --with-misdn --with-sounds-cache=no --with-srtp
--with-ssl=/opt/openssl101/usr
--with-crypto=/opt/openssl101/usr

Note the --with-ssl and --with-crypto options at the end, pointing to my openssl
directory.

After this I compile, but I am getting these messages when compilation reaches
res/res_rtp_asterisk.c:

a - output/pjlib-x86_64-redhat-linux-gnu/sock_qos_bsd.o
a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_common.o
a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_ossl.o
a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_dump.o
a - output/pjlib-x86_64-redhat-linux-gnu/string.o
a - output/pjlib-x86_64-redhat-linux-gnu/timer.o
a - output/pjlib-x86_64-redhat-linux-gnu/types.o
    [CC] res_rtp_asterisk.c -> res_rtp_asterisk.o
res_rtp_asterisk.c: In function 'ast_rtp_dtls_set_configuration':
res_rtp_asterisk.c:1278: warning: implicit declaration of function
'SSL_CTX_set_tlsext_use_srtp'
res_rtp_asterisk.c: In function 'dtls_srtp_handle_timeout':
res_rtp_asterisk.c:1765: warning: implicit declaration of function
'DTLSv1_handle_timeout'
res_rtp_asterisk.c: In function 'dtls_srtp_check_pending':
res_rtp_asterisk.c:1817: warning: implicit declaration of function
'DTLSv1_get_timeout'
res_rtp_asterisk.c: In function 'dtls_srtp_setup':
res_rtp_asterisk.c:1904: warning: implicit declaration of function
'SSL_export_keying_material'
    [LD] res_rtp_asterisk.o -> res_rtp_asterisk.so
    [CC] res_rtp_multicast.c -> res_rtp_multicast.o
    [LD] res_rtp_multicast.o -> res_rtp_multicast.so

After this, res_rtp_asterisk.so cannot be loaded because it is linked to the
system openssl but requests the symbols from the upgraded openssl:

[2014-12-22 20:19:41] WARNING[25901] loader.c: Error loading module
'res_rtp_asterisk.so': /usr/lib64/asterisk/modules/res_rtp_asterisk.so:
undefined symbol: DTLSv1_handle_timeout

[root at rpmbuild64-2 ~]# ldd /usr/lib64/asterisk/modules/res_rtp_asterisk.so
     linux-vdso.so.1 =>  (0x00007fff431fd000)
     libuuid.so.1 => /lib64/libuuid.so.1 (0x00002b3f92461000)
     libm.so.6 => /lib64/libm.so.6 (0x00002b3f92665000)
     libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b3f928e9000)
     librt.so.1 => /lib64/librt.so.1 (0x00002b3f92b01000)
     libpthread.so.0 => /lib64/libpthread.so.0 (0x00002b3f92d0a000)
     libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b3f92f27000)
     libssl.so.6 => /lib64/libssl.so.6 (0x00002b3f93278000)
     libc.so.6 => /lib64/libc.so.6 (0x00002b3f934c6000)
     /lib64/ld-linux-x86-64.so.2 (0x00000037c2400000)
     libdl.so.2 => /lib64/libdl.so.2 (0x00002b3f93820000)
     libz.so.1 => /lib64/libz.so.1 (0x00002b3f93a24000)
     libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2
(0x00002b3f93c38000)
     libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b3f93e67000)
     libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b3f940fc000)
     libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b3f942fe000)
     libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0
(0x00002b3f94524000)
     libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b3f9472c000)
     libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b3f9492e000)
     libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b3f94b44000)
     libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b3f94d5c000)
(using libcrypto.so.6 and libssl.so.6 from system openssl)

However, libasteriskssl.so is correctly linked against my upgraded openssl:

[root at rpmbuild64-2 ~]# ldd /usr/lib64/libasteriskssl.so.1
     linux-vdso.so.1 =>  (0x00007fffac390000)
     libssl.so.10 => /usr/lib64/libssl.so.10 (0x00002aef0cfb4000)
     libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00002aef0d21d000)
     libpthread.so.0 => /lib64/libpthread.so.0 (0x00002aef0d5f2000)
     libc.so.6 => /lib64/libc.so.6 (0x00002aef0d80e000)
     libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2
(0x00002aef0db67000)
     libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aef0dd96000)
     libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aef0e02b000)
     libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aef0e22d000)
     libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aef0e453000)
     libdl.so.2 => /lib64/libdl.so.2 (0x00002aef0e668000)
     libz.so.1 => /lib64/libz.so.1 (0x00002aef0e86c000)
     /lib64/ld-linux-x86-64.so.2 (0x00000037c2400000)
     libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0
(0x00002aef0ea81000)
     libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aef0ec89000)
     libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aef0ee8c000)
     libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aef0f0a4000)
[root at rpmbuild64-2 ~]# ls -l /usr/lib64/libcrypto.so.10
/usr/lib64/libssl.so.10
lrwxrwxrwx 1 root root 45 dic 22 19:15 /usr/lib64/libcrypto.so.10 ->
../..//opt/openssl101/usr/lib/libcrypto.so.10
lrwxrwxrwx 1 root root 42 dic 22 19:15 /usr/lib64/libssl.so.10 ->
../..//opt/openssl101/usr/lib/libssl.so.10

(using libcrypto.so.10 and libssl.so.10 from upgraded openssl)

I have searched in Google, but I cannot find any mention of this issue before,
nor any attempt to compile asterisk against a non-system openssl.

How can I proceed to solve the linking issue? My guess is that include and link
flags are not being correctly set when compiling res_rtp_asterisk.c , but I
could be wrong. What else should I check?

If this message should be sent to asterisk-devel instead, please tell me.

El 23/12/14 a las 12:19, Alex Villac??s Lasso escribi?:
> I am trying to enable full WebRTC support on asterisk-11.15 for
installation on a CentOS 5 machine. Currently the distro cannot be upgraded to
any later CentOS series. This CentOS series ships with openssl-0.9.8e, which
lacks DTLS-SRTP support required
> for WebRTC. So I decided to build a parallel install of openssl. I chose
the Fedora 21 package, openssl-1.0.1j, and built it on CentOS 5. The libraries
now reside at /opt/openssl101/usr/lib with header files at
/opt/openssl101/usr/include/openssl/ .
> There are symbolic links at /usr/lib64/libssl.so.10 and
/usr/lib64/libcrypto.so.10 pointing into my upgraded openssl.
>
> Now I am trying to compile asterisk and link it with my openssl. My
configure invocation is as follows:
>
> ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu
--target=x86_64-redhat-linux-gnu --program-prefix= --prefix=/usr
--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share
> --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec
--localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man
--infodir=/usr/share/info --with-misdn --with-sounds-cache=no --with-srtp
--with-ssl=/opt/openssl101/usr
> --with-crypto=/opt/openssl101/usr
>
> Note the --with-ssl and --with-crypto options at the end, pointing to my
openssl directory.
>
> After this I compile, but I am getting these messages when compilation
reaches res/res_rtp_asterisk.c:
>
> a - output/pjlib-x86_64-redhat-linux-gnu/sock_qos_bsd.o
> a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_common.o
> a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_ossl.o
> a - output/pjlib-x86_64-redhat-linux-gnu/ssl_sock_dump.o
> a - output/pjlib-x86_64-redhat-linux-gnu/string.o
> a - output/pjlib-x86_64-redhat-linux-gnu/timer.o
> a - output/pjlib-x86_64-redhat-linux-gnu/types.o
>    [CC] res_rtp_asterisk.c -> res_rtp_asterisk.o
> res_rtp_asterisk.c: In function 'ast_rtp_dtls_set_configuration':
> res_rtp_asterisk.c:1278: warning: implicit declaration of function
'SSL_CTX_set_tlsext_use_srtp'
> res_rtp_asterisk.c: In function 'dtls_srtp_handle_timeout':
> res_rtp_asterisk.c:1765: warning: implicit declaration of function
'DTLSv1_handle_timeout'
> res_rtp_asterisk.c: In function 'dtls_srtp_check_pending':
> res_rtp_asterisk.c:1817: warning: implicit declaration of function
'DTLSv1_get_timeout'
> res_rtp_asterisk.c: In function 'dtls_srtp_setup':
> res_rtp_asterisk.c:1904: warning: implicit declaration of function
'SSL_export_keying_material'
>    [LD] res_rtp_asterisk.o -> res_rtp_asterisk.so
>    [CC] res_rtp_multicast.c -> res_rtp_multicast.o
>    [LD] res_rtp_multicast.o -> res_rtp_multicast.so
>
> After this, res_rtp_asterisk.so cannot be loaded because it is linked to
the system openssl but requests the symbols from the upgraded openssl:
>
> [2014-12-22 20:19:41] WARNING[25901] loader.c: Error loading module
'res_rtp_asterisk.so': /usr/lib64/asterisk/modules/res_rtp_asterisk.so:
undefined symbol: DTLSv1_handle_timeout
>
> [root at rpmbuild64-2 ~]# ldd
/usr/lib64/asterisk/modules/res_rtp_asterisk.so
>     linux-vdso.so.1 =>  (0x00007fff431fd000)
>     libuuid.so.1 => /lib64/libuuid.so.1 (0x00002b3f92461000)
>     libm.so.6 => /lib64/libm.so.6 (0x00002b3f92665000)
>     libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b3f928e9000)
>     librt.so.1 => /lib64/librt.so.1 (0x00002b3f92b01000)
>     libpthread.so.0 => /lib64/libpthread.so.0 (0x00002b3f92d0a000)
>     libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b3f92f27000)
>     libssl.so.6 => /lib64/libssl.so.6 (0x00002b3f93278000)
>     libc.so.6 => /lib64/libc.so.6 (0x00002b3f934c6000)
>     /lib64/ld-linux-x86-64.so.2 (0x00000037c2400000)
>     libdl.so.2 => /lib64/libdl.so.2 (0x00002b3f93820000)
>     libz.so.1 => /lib64/libz.so.1 (0x00002b3f93a24000)
>     libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2
(0x00002b3f93c38000)
>     libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b3f93e67000)
>     libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b3f940fc000)
>     libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b3f942fe000)
>     libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0
(0x00002b3f94524000)
>     libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b3f9472c000)
>     libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b3f9492e000)
>     libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b3f94b44000)
>     libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b3f94d5c000)
> (using libcrypto.so.6 and libssl.so.6 from system openssl)
>
> However, libasteriskssl.so is correctly linked against my upgraded openssl:
>
> [root at rpmbuild64-2 ~]# ldd /usr/lib64/libasteriskssl.so.1
>     linux-vdso.so.1 =>  (0x00007fffac390000)
>     libssl.so.10 => /usr/lib64/libssl.so.10 (0x00002aef0cfb4000)
>     libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00002aef0d21d000)
>     libpthread.so.0 => /lib64/libpthread.so.0 (0x00002aef0d5f2000)
>     libc.so.6 => /lib64/libc.so.6 (0x00002aef0d80e000)
>     libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2
(0x00002aef0db67000)
>     libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aef0dd96000)
>     libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aef0e02b000)
>     libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aef0e22d000)
>     libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aef0e453000)
>     libdl.so.2 => /lib64/libdl.so.2 (0x00002aef0e668000)
>     libz.so.1 => /lib64/libz.so.1 (0x00002aef0e86c000)
>     /lib64/ld-linux-x86-64.so.2 (0x00000037c2400000)
>     libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0
(0x00002aef0ea81000)
>     libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aef0ec89000)
>     libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aef0ee8c000)
>     libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aef0f0a4000)
> [root at rpmbuild64-2 ~]# ls -l /usr/lib64/libcrypto.so.10
/usr/lib64/libssl.so.10
> lrwxrwxrwx 1 root root 45 dic 22 19:15 /usr/lib64/libcrypto.so.10 ->
../..//opt/openssl101/usr/lib/libcrypto.so.10
> lrwxrwxrwx 1 root root 42 dic 22 19:15 /usr/lib64/libssl.so.10 ->
../..//opt/openssl101/usr/lib/libssl.so.10
>
> (using libcrypto.so.10 and libssl.so.10 from upgraded openssl)
>
> I have searched in Google, but I cannot find any mention of this issue
before, nor any attempt to compile asterisk against a non-system openssl.
>
> How can I proceed to solve the linking issue? My guess is that include and
link flags are not being correctly set when compiling res_rtp_asterisk.c , but I
could be wrong. What else should I check?
>
> If this message should be sent to asterisk-devel instead, please tell me.
>
I managed to work around this by patching res/Makefile as follows:

diff -ur asterisk-11.15.0-bak/res/Makefile asterisk-11.15.0/res/Makefile
--- asterisk-11.15.0-bak/res/Makefile    2014-12-23 14:57:49.000000000 -0500
+++ asterisk-11.15.0/res/Makefile    2014-12-23 14:59:19.000000000 -0500
@@ -75,7 +75,7 @@
      rm -f pjproject/build.mak

  pjproject/build.mak: pjproject/aconfigure
-    (cd pjproject && CFLAGS="-fPIC" ./configure
--build=$(BUILD_PLATFORM) --host=$(HOST_PLATFORM) --disable-floating-point
--disable-sound --disable-oss --disable-speex-aec --disable-l16-codec
--disable-gsm-codec --disable-g722-codec --disable-g7221-codec
--disable-speex-codec --disable-ilbc-codec --disable-g711-codec)
+    (cd pjproject && CFLAGS="-fPIC $(OPENSSL_INCLUDE)"
LDFLAGS="$(OPENSSL_LIB)" ./configure --build=$(BUILD_PLATFORM)
--host=$(HOST_PLATFORM) --disable-floating-point --disable-sound --disable-oss
--disable-speex-aec --disable-l16-codec
--disable-gsm-codec --disable-g722-codec --disable-g7221-codec
--disable-speex-codec --disable-ilbc-codec --disable-g711-codec)

  ifneq ($(findstring $(MAKECMDGOALS),all),)
  -include pjproject/build.mak

With this, I can load res_rtp_asterisk.so normally.

However, a potential issue remains. There are some modules that still load the
system-supplied openssl, since they are linked to system libraries that in turn
link to system openssl:

res/res_curl.so
res/res_config_curl.so
res/res_snmp.so
addons/app_mysql.so
addons/res_config_mysql.so
addons/cdr_mysql.so
funcs/func_curl.so
apps/app_cbmysql.so

So far my test asterisk runs without crashes or other issues. Is there a
potential problem that could arise from loading both the system openssl and the
upgraded openssl on the same process? What should I look out for?