<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><div><br></div><div>Broken is in the eyes of the beholder: well-designed cryptographic code wants to ensure that information (keys, cleartext) doesn't leak via unsanitized memory (there are many ways, both within and beyond calling programs); the easy and more foolproof way to do that for the cryptography programmer is often to use a memory manager that takes care of that, such as jemalloc (with appropriate configuration parameters).</div><div><br></div><div>If you make security representations (and the certificate is reasonably construed to make a security representation) you shouldn't bypass this unless you verify that you prevent all possible information leaks.</div><div><br></div><div>From arm's length, you might just try to use jemalloc as kamailio's mm library, but even there it would be necessary to be really careful about kamailio freeing sensitive memory immediately after use--everywhere that happens. That's why it's probably easier to just let a properly implemented crypto library do what it's designed to do.</div><div><br></div><br>-------- Original message --------<br>From: Daniel-Constantin Mierla <miconda@gmail.com> <br>Date: 12/12/2017 2:26 AM (GMT-06:00) <br>To: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>,Tomi Hakkarainen <tpaivaa@gmail.com> <br>Subject: Re: [SR-Users] Unable to enable TLS on Kamailio <br> <br><br>
    <p>Hello,</p>
    <p>there were some broken versions of openssl that no longer
      allowed setting a custom memory manager. The only option is to
      upgrade libssl to a version that doesn't expose the issue. If you
      search the kamailio issue tracker on github.com, there should be
      one closed issue about this topic.</p>
    <p>Cheers,<br>
      Daniel<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 11.12.17 22:20, Tomi Hakkarainen
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:E76998E9-827E-423B-B93E-D681D9F2A26B@gmail.com">
      Hi,
      <div class="">  </div>
      <div class="">
        <div class="">I have a problem enabling TLS on a just-installed
          Kamailio server:</div>
        <div class="">
<pre>openSUSE 42.3 (x86_64)
VERSION = 42.3
CODENAME = Malachite</pre>
        </div>
        <div class=""><br class="">
        </div>
        <div class="">
<pre>version: kamailio 5.0.4 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled on 18:06:25 Dec  3 2017 with gcc 4.8.5</pre>
        </div>
        <div class=""><br class="">
        </div>
        <div class="">I get this on debug log:</div>
        <div class=""><br class="">
        </div>
        <div class="">
<pre> 0(11336) DEBUG: <core> [core/cfg.y:1642]: yyparse(): loading modules under /usr/lib64/kamailio/modules/
loading modules under config path: /usr/lib64/kamailio/modules/
 0(11336) DEBUG: <core> [core/cfg.y:1623]: yyparse(): loading module tls.so
 0(11336) DEBUG: <core> [core/sr_module.c:575]: load_module(): trying to load </usr/lib64/kamailio/modules/tls.so>
 0(11336) DEBUG: <core> [core/mem/q_malloc.c:189]: qm_malloc_init(): qm_malloc_init: QM_OPTIMIZE=16384, /ROUNDTO=2048
 0(11336) DEBUG: <core> [core/mem/q_malloc.c:191]: qm_malloc_init(): qm_malloc_init: QM_HASH_SIZE=2099, qm_block size=235152
 0(11336) DEBUG: <core> [core/mem/q_malloc.c:193]: qm_malloc_init(): qm_malloc_init(0x7f6e001cb000, 67108864), start=0x7f6e001cb000
 0(11336) DEBUG: <core> [core/mem/q_malloc.c:202]: qm_malloc_init(): qm_malloc_init: size= 67108864, init_overhead=235256
 0(11336) ERROR: tls [tls_init.c:595]: tls_pre_init(): Unable to set the memory allocation functions
 0(11336) ERROR: tls [tls_init.c:597]: tls_pre_init(): libssl current mem functions - m: 0x7f6e055b33d0 r: 0x7f6e055b3a30 f: 0x7f6e055b39a0
 0(11336) ERROR: tls [tls_init.c:599]: tls_pre_init(): Be sure tls module is loaded before any other module using libssl (can be loaded first to be safe)
 0(11336) ERROR: <core> [core/sr_module.c:607]: load_module(): /usr/lib64/kamailio/modules/tls.so: mod_register failed</pre>
        </div>
      </div>
      <div class="">
<pre> 0(11336) CRITICAL: <core> [core/cfg.y:3411]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 150, column 12-19: failed to load module</pre>
      </div>
      <div class=""><br class="">
      </div>
      <div class="">To resolve this I have compiled openssl from
        1.0.2j-fips to</div>
      <div class=""><br class="">
      </div>
      <div class="">
<pre>openssl version
OpenSSL 1.0.2n  7 Dec 2017</pre>
      </div>
      <div class=""><br class="">
      </div>
      <div class="">Is this information enough to see what we are
        missing?</div>
      <div class="">Will provide more info if needed.</div>
      <div class="">Any help and suggestions are appreciated.</div>
      <div class=""><br class="">
      </div>
      <div class="">Regards, </div>
      <div class="">T</div>
      <div class=""><br class="">
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
Kamailio World Conference - May 14-16, 2018 - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
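    <p>The concern raised in the first message of this thread, that key material can linger in memory once a custom memory manager replaces the crypto library's own, shown as an added example that is not part of the original thread and is not Kamailio or OpenSSL code. The pool, the functions <code>pool_malloc</code>, <code>pool_free_plain</code>, <code>pool_free_cleanse</code> and <code>leak_after_free</code>, and the key string are all constructed for illustration.</p>

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a pre-allocated pool managed by an application's
 * own memory manager; hypothetical names, not Kamailio or OpenSSL code. */
#define POOL_BYTES 4096
static size_t pool_words[POOL_BYTES / sizeof(size_t)];
static unsigned char *const pool = (unsigned char *)pool_words;
static size_t pool_used;

typedef struct { size_t size, pad; } hdr_t;   /* per-block bookkeeping */

static void *pool_malloc(size_t n) {
    size_t need = sizeof(hdr_t) + ((n + 15) & ~(size_t)15);
    if (n > POOL_BYTES || need > POOL_BYTES - pool_used) return NULL;
    hdr_t *h = (hdr_t *)(pool + pool_used);
    h->size = n;
    pool_used += need;
    return h + 1;
}

/* Bookkeeping-only free: the block's bytes stay in the pool untouched. */
static void pool_free_plain(void *p) { (void)p; }

/* Free that wipes the payload first; volatile keeps the compiler from
 * discarding the stores as dead writes. */
static void pool_free_cleanse(void *p) {
    volatile unsigned char *v = p;
    for (size_t n = ((hdr_t *)p - 1)->size; n--; ) *v++ = 0;
}

static int pool_contains(const void *needle, size_t len) {
    for (size_t i = 0; i + len <= POOL_BYTES; i++)
        if (memcmp(pool + i, needle, len) == 0) return 1;
    return 0;
}

/* Returns 1 if the key bytes are still readable in the pool after the free. */
int leak_after_free(int cleanse) {
    static const char key[] = "constructed-demo-private-key";
    memset(pool, 0, POOL_BYTES);
    pool_used = 0;
    char *buf = pool_malloc(sizeof key);
    if (!buf) return -1;
    memcpy(buf, key, sizeof key);
    if (cleanse) pool_free_cleanse(buf); else pool_free_plain(buf);
    return pool_contains(key, sizeof key);
}

int main(void) { return !(leak_after_free(0) == 1 && leak_after_free(1) == 0); }
```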
  

</body>