Summary: ASTERISK-26744: Asterisk fails to start up when using OpenSSL 1.1.0
Reporter: Bernhard (schlimmchen)
Labels:
Date Opened: 2017-01-23 11:44:53.000-0600
Date Closed: 2017-10-23 18:28:12
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions: 14.2.1 GIT
Frequency of Occurrence: Constant
Related Issues:
Environment: Debian testing (stretch) using libssl-dev 1.1.0c-2
Attachments:
Description: After manually applying https://gerrit.asterisk.org/#/c/4753/1 (currently pending review), compilation of Asterisk succeeds (gerrit git master). Compilation fails for 14.2.1, also see ASTERISK-26109.

However, Asterisk fails to start up, issuing the message "SSL initialization failed" on the console.

It turns out that {{ast_ssl_init}} returns -1 since {{SSL_library_init}} is now a macro, so {{get_OpenSSL_function}} using the dynamic linker fails to look up the real {{SSL_library_init}} function.

As far as my research went, all the initialization done in {{ast_ssl_init}} is obsolete as of OpenSSL 1.1.0, so IMHO the compiler directive testing for {{HAVE_OPENSSL}} should be extended to hide the code for OpenSSL >= 1.1.0.
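
The lookup failure described above, as an added example that is not part of the original report or of Asterisk's code: a by-name lookup through the dynamic linker only finds exported functions, so a probe for {{SSL_library_init}} succeeds on 1.0.x and fails on 1.1.0, where the header defines it as a macro for {{OPENSSL_init_ssl}}. The {{exports_*}} lists are constructed stand-ins for the two libraries' symbol tables, and every function name in the block is hypothetical.

```c
/* Added example, not Asterisk code: probing libssl init symbols by name. */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

typedef void *(*resolver_fn)(void *ctx, const char *name);

enum ssl_init_mode {
    SSL_INIT_LEGACY,    /* < 1.1.0: SSL_library_init is an exported function */
    SSL_INIT_AUTOMATIC, /* >= 1.1.0: only OPENSSL_init_ssl is exported */
    SSL_INIT_NO_LIBSSL  /* neither symbol is visible */
};

/* Decide from the exported symbols, not from the names in the headers. */
enum ssl_init_mode pick_ssl_init(resolver_fn resolve, void *ctx)
{
    if (resolve(ctx, "SSL_library_init"))
        return SSL_INIT_LEGACY;
    if (resolve(ctx, "OPENSSL_init_ssl"))
        return SSL_INIT_AUTOMATIC;
    return SSL_INIT_NO_LIBSSL;
}

/* Real resolver: ctx is a dlopen() handle. */
void *dl_resolver(void *ctx, const char *name) { return dlsym(ctx, name); }
/* Constructed export lists standing in for the two library generations. */
const char *exports_102[] = { "SSL_library_init", "SSL_load_error_strings", NULL };
const char *exports_110[] = { "OPENSSL_init_ssl", "OPENSSL_init_crypto", NULL };

/* Table resolver: ctx is one of the NULL-terminated lists above. */
void *table_resolver(void *ctx, const char *name)
{
    const char **sym;
    for (sym = ctx; *sym; sym++)
        if (strcmp(*sym, name) == 0)
            return sym;
    return NULL;
}

int main(int argc, char **argv)
{
    const char *label[] = { "legacy init", "automatic init", "no libssl symbols" };
    void *lib = dlopen(argc > 1 ? argv[1] : NULL, RTLD_LAZY);
    printf("simulated 1.0.2: %s\n", label[pick_ssl_init(table_resolver, exports_102)]);
    printf("simulated 1.1.0: %s\n", label[pick_ssl_init(table_resolver, exports_110)]);
    if (lib)
        printf("%s: %s\n", argc > 1 ? argv[1] : "(self)", label[pick_ssl_init(dl_resolver, lib)]);
    return 0;
}
```

Run it with a libssl path or soname as the first argument to probe an installed library; older glibc needs {{-ldl}} at link time.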
Comments:

By: Asterisk Team (asteriskteam) 2017-01-23 11:44:54.330-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Bernhard (schlimmchen) 2017-01-23 11:55:27.072-0600

I understand that you make contributors sign a license agreement. However, I don't feel comfortable signing it for a one-liner.

Here are some letters and symbols that I do not care for at all now or in the future, but might help you understand what I meant by avoiding initialization altogether in {{ast_ssl_init}}:

{noformat}
-#ifdef HAVE_OPENSSL
+ /**
+ * none of these initializations are required for OpenSSL >= 1.1.0
+ */
+#if defined(HAVE_OPENSSL) && (!defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L)
{noformat}
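
Review bot: The {{!defined(OPENSSL_VERSION_NUMBER)}} clause in the new {{#if}} line makes the guard depend on include order. If the OpenSSL header that defines {{OPENSSL_VERSION_NUMBER}} ({{<openssl/opensslv.h>}}) has not been included before this point, the condition is true and the legacy initialization is compiled against 1.1.0 as well, which is the case the guard is meant to exclude. Consider including that header ahead of the guard and testing only {{OPENSSL_VERSION_NUMBER < 0x10100000L}}. The added comment would also help future readers more if it stated the reason given in the report: {{SSL_library_init}} is a macro in 1.1.0 and cannot be resolved by name.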

This fixes the issue for me.

By: Rusty Newton (rnewton) 2017-01-30 16:26:06.411-0600

[~schlimmchen], I'm thinking this is a situation where you should really provide feedback on the Gerrit review https://gerrit.asterisk.org/#/c/4753/1

That way the author of the patch that introduced the problem gets immediate feedback and can fix it before it gets merged.

Are you unable to comment/reply on the Gerrit issue?

By: Bernhard (schlimmchen) 2017-01-30 17:34:02.250-0600

[~rnewton], you have a point. However, it seems that I do indeed have no permissions to comment on the commit review. My asterisk.org account is not accepted at the Asterisk Gerrit instance and other than that (and missing a registration link) I don't see how I can gain access.

By: Richard Mudgett (rmudgett) 2017-01-30 17:58:42.225-0600

You can only sign into gerrit if you have signed a contributor license agreement. If you have a confirmed signed agreement you log in with the same username and password as with JIRA.

By: Bernhard (schlimmchen) 2017-01-30 18:21:32.689-0600

Understood. But please accept that I am not motivated to go through the license agreement hassle. Maybe someone with gerrit access can link to this issue. The information about the problem at hand is documented here for everyone to look up, which was my primary goal.

By: George Joseph (gjoseph) 2017-01-31 08:27:09.438-0600

[~rmudgett] added a link to this issue on the gerrit review.


By: Rusty Newton (rnewton) 2017-01-31 14:26:35.617-0600

[~schlimmchen], Ah I see. I had forgotten that CLA was needed for Gerrit as well. Thanks for filing the issue here, where you were able.

By: Tzafrir Cohen (tzafrir) 2017-02-03 02:34:35.688-0600

See https://gerrit.asterisk.org/4884 .