Summary: | ASTERISK-27880: [patch] pjproject_bundled: Repair ./configure --with-ssl=PATH. | ||
Reporter: | Alexander Traud (traud) | Labels: | patch pjsip |
Date Opened: | 2018-05-29 09:25:30 | Date Closed: | 2018-07-18 15:20:34 |
Priority: | Major | Regression? | |
Status: | Closed/Complete | Components: | Third-Party/pjproject |
Versions: | 13.21.0 15.4.0 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | Attachments: | ( 0) with-ssl_pjproject.patch | |
Description: | With the upcoming [TLS 1.3|https://tools.ietf.org/html/draft-ietf-tls-tls13] and 3DES being [disabled|https://www.openssl.org/blog/blog/2016/08/24/sweet32/] in OpenSSL 1.1.x, using a custom build OpenSSL library for SIP-over-TLS might be interesting.
This is sequel 3 of a larger fix, which started in ASTERISK-27865. Asterisk uses PJProject for many things like ICE in chan_sip and even for its own new SIP channel driver chan_pjsip. Although PJProject (can) use a lot of external libraries, Asterisk does not use _any_ of them except for OpenSSL, to enable SIP-over-TLS. Consequently, Asterisk comes with a bundled PJProject and disables _all_ its external features except OpenSSL. However, when Asterisk is told to use a different OpenSSL than the one provided by the underlying platform, this is not told to the bundled PJProject. The attached patch fixes this. *Steps to Reproduce* (Ubuntu 18.04 LTS) {code}sudo apt install build-essential pkg-config libedit-dev libjansson-dev libsqlite3-dev uuid-dev libxslt1-dev sudo apt remove libssl-dev cd ~/Downloads wget www.openssl.org/source/openssl-1.1.1-pre6.tar.gz tar -zxf ./openssl-*.tar.gz cd ./openssl-* ./config shared enable-weak-ssl-ciphers make mkdir ./lib cp --verbose ./lib*.so ./lib export SSL_HOME=$PWD cd ~/Downloads wget downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz tar -zxf ./asterisk-*.tar.gz cd ./asterisk-* LDFLAGS="-Wl,-rpath $SSL_HOME" ./configure --with-pjproject-bundled --enable-dev-mode=noisy --with-crypto=$SSL_HOME --with-ssl=$SSL_HOME{code}*Expected Result* SIP-over-TLS can be used in chan_pjsip. *Actual Result* {{** OpenSSL libraries not found, disabling SSL support **}} is printed by the configure script of PJProject already. SIP-over-TLS cannot be used in chan_pjsip, only in chan_sip. *Workaround* Install OpenSSL in the system, for example in Ubuntu via {{sudo apt install libssl-dev}} but do not expect any additional feature of your custom build of OpenSSL. *Notes* Asterisk allows the shared libraries ({{.so}}) in the root of the specified path and in a subfolder called {{lib}}. Currently (2.7.2), PJProject is expecting libraries only in that subfolder {{lib}}. Consequently as additional workaround, I had to move the libraries in the example above. To fix this, I submitted a patch to Teluu already. Currently (2.7.2), PJProject is going to print {{checking openssl/ssl.h presence... no}}. This is because Teluu puts the inclusion headers ({{-I}}) not in CPPFLAGS but CFLAGS. To avoid this warning—which is just cosmetic—I submitted a patch to Teluu already as well. The attached patch was tested without and with OpenSSL, inside the system and outside of the system. | ||
Comments: | By: Asterisk Team (asteriskteam) 2018-05-29 09:25:31.893-0500 Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process]. By: Friendly Automation (friendly-automation) 2018-07-18 15:20:35.226-0500 Change 9064 merged by George Joseph: pjproject_bundled: Repair ./configure --with-ssl=PATH. [https://gerrit.asterisk.org/9064|https://gerrit.asterisk.org/9064] By: Friendly Automation (friendly-automation) 2018-07-18 15:20:48.147-0500 Change 9065 merged by George Joseph: pjproject_bundled: Repair ./configure --with-ssl=PATH. [https://gerrit.asterisk.org/9065|https://gerrit.asterisk.org/9065] By: Friendly Automation (friendly-automation) 2018-07-18 15:21:00.204-0500 Change 9063 merged by George Joseph: pjproject_bundled: Repair ./configure --with-ssl=PATH. [https://gerrit.asterisk.org/9063|https://gerrit.asterisk.org/9063] |