
Summary: ASTERISK-27665: [patch] BuildSystem: Allow fetch of PJProject without trust anchors.
Reporter: Alexander Traud (traud)
Labels: patch
Date Opened: 2018-02-10 07:20:45.000-0600
Date Closed:
Priority: Minor
Regression?:
Status: Open/New
Components: Core/BuildSystem
Versions: 13.19.0 15.2.0
Frequency of Occurrence:
Related Issues:
Environment: FreeBSD 10 FreeBSD 11 NetBSD 7.1.1
Attachments: ( 0) FreeBSD_fetch.patch

Description: Asterisk leverages the built-in tool {{fetch}} to download the bundled PJProject while {{./configure}} is running.

Commit [b2fd7e5|https://github.com/asterisk/asterisk/commit/b2fd7e50695b64826cbfcd65aa6e5c06532b3e5e] changed the download URL for the PJProject from Teluu to GitHub servers. By this, the protocol changed from HTTP to HTTPs. Furthermore, GitHub redirects all HTTP requests to HTTPs first. That server does not support SSL 3.0 or the cipher suite RC4, one needs at least TLS 1.0 and 3DES|AES. The TLS client must support TLS-SAN, wildcards, and a trust anchor which got introduced in the year 2007 ([DigiCert High Assurance EV Root CA|https://bugzilla.mozilla.org/show_bug.cgi?id=364568]). As of today, GitHub does not send the cross-signing certificate to the trust anchor "Baltimore CyberTrust" which was introduced in the year 2000.

Although I love that everything gets encrypted on the Internet nowadays, GitHub does not give the user a choice. At least, I am not aware how to get that resource without HTTPs. Besides the above requirements, some platforms do not ship with trust anchors out of the box at all. One such example is FreeBSD 10 and 11.

On the Internet, recommendations [exist|https://blather.michaelwlucas.com/archives/2247] which explain how to add the trust anchors of Mozilla NSS to FreeBSD. However, {{fetch}} is based on OpenSSL. OpenSSL uses a completely different logic to resolve trust anchors than Mozilla NSS. This allows a plethora of new issues, as described in [The FreeBSD Forums|https://forums.freebsd.org/threads/58057/] and explained in the [SSL-Labs Community|https://community.qualys.com/thread/13848] already.

*Workarounds*
A) (short-term) {{pkg install wget}}
B) (short-term) {{./configure --without-pjproject-bundled}} and use an externally built PJProject
C) (mid-term) disable SSL/TLS verification while downloading PJProject, see attached patch
D) (long-term) The Asterisk tarball includes checksums/hashes/signatures for all externally loaded resources like the PJProject and sound files. This can be done, because Asterisk does not go for the latest available version but for a specific version. Therefore, the hashes are known while releasing Asterisk and do not change in the lifetime of a release. That way, HTTPs is not needed anymore.
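Workaround D, as an added example that is not part of the report or of Asterisk's build system: a POSIX sh check that compares a downloaded archive against a SHA-256 pinned at release time, using whichever of sha256sum, sha256, shasum or openssl the platform ships. The archive name and the pinned digest in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the report or the Asterisk tree): verify a downloaded
# archive against a SHA-256 fixed at release time, as workaround D proposes.
# With the digest pinned in the source tarball, the download itself needs no
# TLS trust anchors; a tampered or truncated file simply fails the check.

# Print the SHA-256 of a file with whichever tool the platform ships:
# sha256sum (Linux), sha256 (FreeBSD/NetBSD), shasum (macOS), or openssl.
# awk picks the digest field out of each tool's own output format.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 "$1" | awk '{print $NF}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        return 2
    fi
}

# verify_download FILE EXPECTED_SHA256
# Exit status: 0 on match; 1 on mismatch, in which case the file is removed so
# a later build step cannot pick it up; 2 if the file cannot be hashed at all.
verify_download() {
    file=$1
    # Hex digests differ in case between tools, so compare in lower case.
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -r "$file" ] || return 2
    actual=$(sha256_of "$file") || return 2
    [ -n "$actual" ] || return 2
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "$file: checksum mismatch (expected $expected, got $actual)" >&2
    rm -f "$file"
    return 1
}

# Usage with a placeholder archive name and a placeholder pinned digest, the
# kind of value an Asterisk release would carry for its bundled PJProject:
# verify_download pjproject.tar.bz2 "$PJPROJECT_SHA256" || exit 1
```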
Comments:

By: Asterisk Team (asteriskteam) 2018-02-10 07:20:46.726-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Alexander Traud (traud) 2018-03-09 04:14:17.084-0600

In NetBSD, the situation is even more complex because
* by default only the tool {{ftp}} exists, which does HTTP as well.
* even wget does not have any default trust anchors.

Therefore, the (short-term) workaround for NetBSD needs one step more:
{code}
pkg_add wget mozilla-rootcerts
mozilla-rootcerts install
{code}