<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Can you actually explain better what the relation is between your
message and the issue discussed in this email thread? Maybe I
didn't get it right, but the bug that didn't allow setting a
memory manager has nothing to do with how good or bad a memory
manager implementation is from security and safety points of view.
Your suggestion to use jemalloc or whatever other memory manager is
not possible in that version of libssl, because that version
simply doesn't allow setting a memory manager.<br>
</p>
<p>The bug was fixed in libssl, but some distros distributed the
broken version; that's the reason it is required to use an older
or newer version than the affected ones.<br>
</p>
Cheers,<br>
Daniel<br>
<br>
<div class="moz-cite-prefix">On 12.12.17 18:01, <a class="moz-txt-link-abbreviated" href="mailto:otron2016@gmail.com">otron2016@gmail.com</a>
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:rmapubmxqlbnr93dw0ijdmd4.1513097643204@email.android.com">
<div><br>
</div>
<div>Broken is in the eyes of the beholder: well-designed
cryptographic code wants to ensure that information (keys,
cleartext) doesn't leak via unsanitized memory (there are many
ways, both within and beyond calling programs); the easy and
more foolproof way to do that for the cryptography programmer is
often to use a memory manager that takes care of that, such as
jemalloc (with appropriate configuration parameters).</div>
<div><br>
</div>
<div>If you make security representations (and the certificate is
reasonably construed to make a security representation) you
shouldn't bypass this unless you verify that you prevent all
possible information leaks. </div>
<div><br>
</div>
<div>From arm's length, you might just try to use jemalloc as
kamailio's mm library, but even there it would be necessary to
be really careful about kamailio freeing sensitive memory
immediately after use--everywhere that happens. That's why
it's probably easier to just let a properly implemented crypto
library do what it's designed to do. </div>
<div><br>
</div>
<div><br>
</div>
<br>
<br>
<br>
-------- Original message --------<br>
From: Daniel-Constantin Mierla <a class="moz-txt-link-rfc2396E" href="mailto:miconda@gmail.com">&lt;miconda@gmail.com&gt;</a> <br>
Date: 12/12/2017 2:26 AM (GMT-06:00) <br>
To: "Kamailio (SER) - Users Mailing List"
<a class="moz-txt-link-rfc2396E" href="mailto:sr-users@lists.kamailio.org">&lt;sr-users@lists.kamailio.org&gt;</a>, Tomi Hakkarainen
<a class="moz-txt-link-rfc2396E" href="mailto:tpaivaa@gmail.com">&lt;tpaivaa@gmail.com&gt;</a> <br>
Subject: Re: [SR-Users] Unable to enable TLS on Kamailio <br>
<br>
<br>
<p>Hello,</p>
<p>There were some broken versions of openssl that no longer
allowed setting a custom memory manager. The only option is to
upgrade libssl to a version that doesn't expose the issue. If
you search the kamailio issue tracker on github.com, there should
be a closed one about this topic.</p>
<p>Cheers,<br>
Daniel<br>
</p>
<br>
<div class="moz-cite-prefix">On 11.12.17 22:20, Tomi Hakkarainen
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:E76998E9-827E-423B-B93E-D681D9F2A26B@gmail.com">
Hi,
<div class=""> </div>
<div class="">
<div class="">I have a problem enabling TLS on a just-installed
Kamailio server </div>
<div class="">
<pre wrap="">openSUSE 42.3 (x86_64)
VERSION = 42.3
CODENAME = Malachite</pre>
</div>
<div class=""><br class="">
</div>
<div class="">
<pre wrap="">version: kamailio 5.0.4 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled on 18:06:25 Dec 3 2017 with gcc 4.8.5</pre>
</div>
<div class=""><br class="">
</div>
<div class="">I get this on debug log:</div>
<div class=""><br class="">
</div>
<div class="">
<pre wrap=""> 0(11336) DEBUG: &lt;core&gt; [core/cfg.y:1642]: yyparse(): loading modules under /usr/lib64/kamailio/modules/
loading modules under config path: /usr/lib64/kamailio/modules/
 0(11336) DEBUG: &lt;core&gt; [core/cfg.y:1623]: yyparse(): loading module tls.so
 0(11336) DEBUG: &lt;core&gt; [core/sr_module.c:575]: load_module(): trying to load &lt;/usr/lib64/kamailio/modules/tls.so&gt;
 0(11336) DEBUG: &lt;core&gt; [core/mem/q_malloc.c:189]: qm_malloc_init(): qm_malloc_init: QM_OPTIMIZE=16384, /ROUNDTO=2048
 0(11336) DEBUG: &lt;core&gt; [core/mem/q_malloc.c:191]: qm_malloc_init(): qm_malloc_init: QM_HASH_SIZE=2099, qm_block size=235152
 0(11336) DEBUG: &lt;core&gt; [core/mem/q_malloc.c:193]: qm_malloc_init(): qm_malloc_init(0x7f6e001cb000, 67108864), start=0x7f6e001cb000
 0(11336) DEBUG: &lt;core&gt; [core/mem/q_malloc.c:202]: qm_malloc_init(): qm_malloc_init: size= 67108864, init_overhead=235256
 0(11336) ERROR: tls [tls_init.c:595]: tls_pre_init(): Unable to set the memory allocation functions
 0(11336) ERROR: tls [tls_init.c:597]: tls_pre_init(): libssl current mem functions - m: 0x7f6e055b33d0 r: 0x7f6e055b3a30 f: 0x7f6e055b39a0
 0(11336) ERROR: tls [tls_init.c:599]: tls_pre_init(): Be sure tls module is loaded before any other module using libssl (can be loaded first to be safe)
 0(11336) ERROR: &lt;core&gt; [core/sr_module.c:607]: load_module(): /usr/lib64/kamailio/modules/tls.so: mod_register failed</pre>
</div>
</div>
<div class="">
<pre wrap=""> 0(11336) CRITICAL: &lt;core&gt; [core/cfg.y:3411]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 150, column 12-19: failed to load module</pre>
</div>
<div class=""><br class="">
</div>
<div class="">To resolve this, I have compiled openssl from
1.0.2j-fips to</div>
<div class=""><br class="">
</div>
<div class="">
<pre wrap="">openssl version
OpenSSL 1.0.2n 7 Dec 2017</pre>
</div>
<div class=""><br class="">
</div>
<div class="">Is this information enough to see what we are
missing? </div>
<div class="">Will provide more info if needed.</div>
<div class="">Any help and suggestions are appreciated.</div>
<div class=""><br class="">
</div>
<div class="">Regards, </div>
<div class="">T</div>
<div class=""><br class="">
</div>
<pre wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org" moz-do-not-send="true">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" moz-do-not-send="true">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - <a class="moz-txt-link-abbreviated" href="http://www.asipto.com" moz-do-not-send="true">www.asipto.com</a>
Kamailio World Conference - May 14-16, 2018 - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com" moz-do-not-send="true">www.kamailioworld.com</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
Kamailio World Conference - May 14-16, 2018 - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
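<p>Added example, not part of the original thread and not Kamailio or OpenSSL code: a C illustration of the "memory manager that takes care of that" idea raised in the quoted message, written as the malloc/realloc/free-shaped triple that the log prints as m, r and f. The <code>wipe_*</code> names and the header layout are assumptions, and the hand-off of these functions to libssl is left out.</p>

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* wipe_* are hypothetical names, not Kamailio or OpenSSL identifiers. */
typedef union { size_t size; long double ld; long long ll; void *p; } hdr_t; /* keeps data aligned */
static size_t wiped_bytes;               /* observable total, for the demo only */
size_t wipe_total(void) { return wiped_bytes; }

/* Volatile stores cannot be discarded as dead writes ahead of free(). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

void *wipe_malloc(size_t n) {
    if (n > (size_t)-1 - sizeof(hdr_t)) return NULL;   /* size overflow */
    hdr_t *h = malloc(sizeof(hdr_t) + n);
    if (!h) return NULL;
    h->size = n;                         /* remember how much to wipe later */
    return h + 1;
}

void wipe_free(void *p) {
    if (!p) return;
    hdr_t *h = (hdr_t *)p - 1;
    secure_wipe(p, h->size);
    wiped_bytes += h->size;
    free(h);
}

/* realloc() may move the block and leave the old copy unwiped on the heap,
 * so always allocate, copy, then wipe and free the old block. */
void *wipe_realloc(void *p, size_t n) {
    if (!p) return wipe_malloc(n);
    if (n == 0) { wipe_free(p); return NULL; }
    size_t old = ((hdr_t *)p - 1)->size;
    void *q = wipe_malloc(n);
    if (!q) return NULL;                 /* old block stays valid */
    memcpy(q, p, old < n ? old : n);
    wipe_free(p);
    return q;
}

int main(void) {                         /* constructed stand-in for key material */
    char *k = wipe_malloc(32);
    if (k) { memset(k, 0xAA, 32); k = wipe_realloc(k, 64); }
    wipe_free(k);
    return wipe_total() == 96 ? 0 : 1;
}
```

<p>The wipe only covers blocks that are actually freed through these functions, which is the point made in the quoted message about freeing sensitive memory everywhere it is used.</p>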
</body>
</html>