Summary: | ASTERISK-27876: [patch] tcptls: Allow OpenSSL configured with no-dh. | ||
Reporter: | Alexander Traud (traud) | Labels: | patch |
Date Opened: | 2018-05-25 09:44:44 | Date Closed: | 2018-06-05 14:23:39 |
Priority: | Major | Regression? | |
Status: | Closed/Complete | Components: | Core/General |
Versions: | 13.21.0 15.4.0 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | Attachments: | ( 0) no-dh.patch | |
Description: | Fixing my own code, which I introduced in commit [eaee921|https://github.com/asterisk/asterisk/commit/eaee92198d89f7feb4206b412104f439bc80754f] (ASTERISK-23905). OpenSSL can be configured (and then built) in various combinations. The _easiest_ (?) way to find the relevant configuration is to look up each used symbol and check the surrounding Defines in the header file of OpenSSL. If one of the guards is missing (or is a combination of several ones) and OpenSSL was built with that, Asterisk is not going to compile.
Asterisk does not build if OpenSSL was built via
{code}
./config no-dh
make
{code}
The attached patch fixes this.

Additionally, the patch undoes commit [758b138|https://github.com/asterisk/asterisk/commit/758b13858b79256104c0f81a9adf1924df7d2da9] (no issue report!), because that guard was too broad (included DH and EC related code) and was done via the script {{./configure}} instead of directly via the OpenSSL configuration. Instead, the patch guards only that part which must be guarded when OpenSSL was configured with no-ec or no-ecdh.

Finally, that patch enables the named curves X25519 (since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1), because {{SSL_CTRL_SET_ECDH_AUTO}} got enabled by default, that symbol got removed and {{SSL_CTX_ctrl}} returns an error now. Because of that, just the named curve P-256 was set, which disabled X25519 (and X448).

This is just about TLS (HTTPS, SIP-over-TLS, ...). In the file {{res/res_rtp_asterisk.c}}, the code for DTLS needs a similar treatment. However, this is out of scope of the attached patch. | ||
Comments: |

By: Asterisk Team (asteriskteam) 2018-05-25 09:44:45.704-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Friendly Automation (friendly-automation) 2018-06-05 14:23:39.857-0500

Change 9055 merged by George Joseph: tcptls: Allow OpenSSL configured with no-dh. [https://gerrit.asterisk.org/9055|https://gerrit.asterisk.org/9055]

By: Friendly Automation (friendly-automation) 2018-06-06 04:37:17.718-0500

Change 9054 merged by Joshua Colp: tcptls: Allow OpenSSL configured with no-dh. [https://gerrit.asterisk.org/9054|https://gerrit.asterisk.org/9054]

By: Friendly Automation (friendly-automation) 2018-06-06 04:37:29.214-0500

Change 9056 merged by Joshua Colp: tcptls: Allow OpenSSL configured with no-dh. [https://gerrit.asterisk.org/9056|https://gerrit.asterisk.org/9056] |
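
The description's approach of checking each used OpenSSL symbol against its feature guard can be automated before building against a `no-dh` or `no-ec` OpenSSL. The following is an added example, not part of the original report or of Asterisk's code: the sample source is constructed, the symbol list is a small assumed subset of the DH and EC API, and `#else`/`#elif` branches are conservatively treated as unguarded.

```shell
#!/bin/sh
# Constructed sample input (not Asterisk source): the DH block is guarded,
# the EC setup is not, and the #else branch uses DH with no DH guard.
sample_source() {
cat <<'EOF'
#ifndef OPENSSL_NO_DH
    DH *dh = PEM_read_DHparams(fp, NULL, NULL, NULL);
    SSL_CTX_set_tmp_dh(ctx, dh);
    DH_free(dh);
#endif
    EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
    SSL_CTX_set_tmp_ecdh(ctx, ecdh);
#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDH)
    EC_KEY_free(ecdh);
#else
    DH_free(NULL);
#endif
EOF
}

# find_unguarded: read C source on stdin and print "LINE:FEATURE" for every
# line that calls a DH or EC function outside a guard on the matching macro.
find_unguarded() {
awk '
# True if the directive tests that <macro> is NOT defined.
function neg(s, macro) {
    return s ~ ("^[ \t]*#[ \t]*ifndef[ \t]+" macro "([^A-Za-z0-9_]|$)") ||
           s ~ ("!defined[ \t]*[(]?[ \t]*" macro "([^A-Za-z0-9_]|$)")
}
# True if any enclosing conditional guards feature f.
function guarded(f,   i) {
    for (i = 1; i <= depth; i++) if (index(guard[i], f ";")) return 1
    return 0
}
/^[ \t]*#[ \t]*if/ {
    guard[++depth] = ""
    if (neg($0, "OPENSSL_NO_DH")) guard[depth] = guard[depth] "DH;"
    if (neg($0, "OPENSSL_NO_EC") ||
        neg($0, "OPENSSL_NO_ECDH")) guard[depth] = guard[depth] "EC;"
    next
}
/^[ \t]*#[ \t]*(else|elif)/ { if (depth > 0) guard[depth] = ""; next }
/^[ \t]*#[ \t]*endif/       { if (depth > 0) depth--; next }
/(^|[^A-Za-z0-9_])(DH_[A-Za-z0-9_]+|PEM_read_DHparams|SSL_CTX_set_tmp_dh)[ \t]*[(]/ {
    if (!guarded("DH")) print NR ":DH"
}
/(^|[^A-Za-z0-9_])(EC_KEY_[A-Za-z0-9_]+|SSL_CTX_set_tmp_ecdh)[ \t]*[(]/ {
    if (!guarded("EC")) print NR ":EC"
}'
}
```

Run it as `find_unguarded < file.c`; each reported line is a candidate for a missing `OPENSSL_NO_*` guard and still needs a manual look.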