### Description
Kamailio 5.7 build on Debian Bookworm gave me the following build warnings. The only curl related build dependency that I have is libcurl4-openssl-dev and the only openssl build dependency is libssl-dev.
```
CC (gcc) [M http_client.so]		functions.o
functions.c: In function 'curL_request_url':
functions.c:158:9: warning: 'CURLOPT_PROTOCOLS' is deprecated: since 7.85.0. Use CURLOPT_PROTOCOLS_STR [-Wdeprecated-declarations]
  158 |         res = curl_easy_setopt(
      |         ^~~
In file included from http_client.h:36,
                 from functions.c:45:
/usr/include/x86_64-linux-gnu/curl/curl.h:1749:3: note: declared here
 1749 |   CURLOPTDEPRECATED(CURLOPT_PROTOCOLS, CURLOPTTYPE_LONG, 181,
      |   ^~~~~~~~~~~~~~~~~
functions.c:160:9: warning: 'CURLOPT_REDIR_PROTOCOLS' is deprecated: since 7.85.0. Use CURLOPT_REDIR_PROTOCOLS_STR [-Wdeprecated-declarations]
  160 |         res = curl_easy_setopt(
      |         ^~~
/usr/include/x86_64-linux-gnu/curl/curl.h:1755:3: note: declared here
 1755 |   CURLOPTDEPRECATED(CURLOPT_REDIR_PROTOCOLS, CURLOPTTYPE_LONG, 182,
      |   ^~~~~~~~~~~~~~~~~
functions.c:387:17: warning: 'CURLINFO_SIZE_DOWNLOAD' is deprecated: since 7.55.0. Use CURLINFO_SIZE_DOWNLOAD_T [-Wdeprecated-declarations]
  387 |                 curl_easy_getinfo(curl, CURLINFO_SIZE_DOWNLOAD, &download_size);
      |                 ^~~~~~~~~~~~~~~~~
/usr/include/x86_64-linux-gnu/curl/curl.h:2841:3: note: declared here
 2841 |   CURLINFO_SIZE_DOWNLOAD
      |   ^~~~~~~~~~~~~~~~~~~~~~
CC (gcc) [M tls.so]		tls_mod.o
tls_mod.c: In function 'mod_child':
tls_mod.c:455:25: warning: 'OPENSSL_fork_prepare' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  455 |                         OPENSSL_fork_prepare();
      |                         ^~~~~~~~~~~~~~~~~~~~
In file included from /usr/include/openssl/comp.h:22,
                 from /usr/include/openssl/ssl.h:28,
                 from tls_init.h:30,
                 from tls_mod.c:45:
/usr/include/openssl/crypto.h:427:28: note: declared here
  427 | OSSL_DEPRECATEDIN_3_0 void OPENSSL_fork_prepare(void);
      |                            ^~~~~~~~~~~~~~~~~~~~
tls_mod.c:467:25: warning: 'OPENSSL_fork_parent' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  467 |                         OPENSSL_fork_parent();
      |                         ^~~~~~~~~~~~~~~~~~~
/usr/include/openssl/crypto.h:428:28: note: declared here
  428 | OSSL_DEPRECATEDIN_3_0 void OPENSSL_fork_parent(void);
      |                            ^~~~~~~~~~~~~~~~~~~
tls_mod.c:471:25: warning: 'OPENSSL_fork_child' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  471 |                         OPENSSL_fork_child();
      |                         ^~~~~~~~~~~~~~~~~~
/usr/include/openssl/crypto.h:429:28: note: declared here
  429 | OSSL_DEPRECATEDIN_3_0 void OPENSSL_fork_child(void);
      |                            ^~~~~~~~~~~~~~~~~~
tls_mod.c: In function 'ksr_rand_engine_param':
tls_mod.c:514:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  514 |                 RAND_set_rand_method(RAND_ksr_krand_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
In file included from tls_rand.h:26,
                 from tls_mod.c:54:
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c:517:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  517 |                 RAND_set_rand_method(RAND_ksr_fastrand_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c:520:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  520 |                 RAND_set_rand_method(RAND_ksr_cryptorand_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c:523:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  523 |                 RAND_set_rand_method(RAND_ksr_kxlibssl_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c: In function 'mod_register':
tls_mod.c:674:9: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  674 |         RAND_set_rand_method(RAND_ksr_cryptorand_method());
      |         ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c: In function 'tls_engine_init':
tls_mod.c:708:9: warning: 'ENGINE_by_id' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  708 |         e = ENGINE_by_id("dynamic");
      |         ^
In file included from tls_mod.c:153:
/usr/include/openssl/engine.h:336:31: note: declared here
  336 | OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
      |                               ^~~~~~~~~~~~
tls_mod.c:727:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  727 |         if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", NCONF_get_string(config, engine_section, "dynamic_path"), 0)) {
      |         ^~
/usr/include/openssl/engine.h:479:5: note: declared here
  479 |     int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
      |     ^~~~~~~~~~~~~~~~~~~~~~
tls_mod.c:731:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  731 |         if (!ENGINE_ctrl_cmd_string(e, "ID", engine_id, 0)) {
      |         ^~
/usr/include/openssl/engine.h:479:5: note: declared here
  479 |     int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
      |     ^~~~~~~~~~~~~~~~~~~~~~
tls_mod.c:735:9: warning: 'ENGINE_ctrl_cmd' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  735 |         if (!ENGINE_ctrl_cmd(e, "LOAD", 1, NULL, NULL, 0)) {
      |         ^~
/usr/include/openssl/engine.h:450:27: note: declared here
  450 | OSSL_DEPRECATEDIN_3_0 int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
      |                           ^~~~~~~~~~~~~~~
tls_mod.c:742:17: warning: 'ENGINE_ctrl_cmd_string' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  742 |                 if (!ENGINE_ctrl_cmd_string(e, confval->name, confval->value, 0)) {
      |                 ^~
/usr/include/openssl/engine.h:479:5: note: declared here
  479 |     int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
      |     ^~~~~~~~~~~~~~~~~~~~~~
tls_mod.c:748:9: warning: 'ENGINE_init' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  748 |         if (!ENGINE_init(e)) {
      |         ^~
/usr/include/openssl/engine.h:620:27: note: declared here
  620 | OSSL_DEPRECATEDIN_3_0 int ENGINE_init(ENGINE *e);
      |                           ^~~~~~~~~~~
tls_mod.c:753:17: warning: 'ENGINE_set_default_string' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  753 |                 rc = ENGINE_set_default_string(e, tls_engine_settings.engine_algorithms.s);
      |                 ^~
/usr/include/openssl/engine.h:685:27: note: declared here
  685 | OSSL_DEPRECATEDIN_3_0 int ENGINE_set_default_string(ENGINE *e,
      |                           ^~~~~~~~~~~~~~~~~~~~~~~~~
tls_mod.c:759:9: warning: 'ENGINE_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  759 |         ENGINE_free(e);
      |         ^~~~~~~~~~~
/usr/include/openssl/engine.h:493:27: note: declared here
  493 | OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
      |                           ^~~~~~~~~~~
tls_mod.c: In function 'tls_engine_private_key':
tls_mod.c:768:9: warning: 'ENGINE_load_private_key' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  768 |         return ENGINE_load_private_key(ksr_tls_engine, key_id, NULL, NULL);
      |         ^~~~~~
/usr/include/openssl/engine.h:638:11: note: declared here
  638 | EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
      |           ^~~~~~~~~~~~~~~~~~~~~~~
CC (gcc) [M tls.so]		tls_rand.o
tls_rand.c: In function 'ksr_kxlibssl_init':
tls_rand.c:197:17: warning: 'RAND_get_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  197 |                 _ksr_kxlibssl_local_method = RAND_get_rand_method();
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from tls_rand.h:26,
                 from tls_rand.c:30:
/usr/include/openssl/rand.h:50:42: note: declared here
   50 | OSSL_DEPRECATEDIN_3_0 const RAND_METHOD *RAND_get_rand_method(void);
      |                                          ^~~~~~~~~~~~~~~~~~~~
```
@juha-h can you please test https://github.com/kamailio/kamailio/pull/3482? At least the OPENSSL_fork_* warnings should be solved.
Victor Seva writes:

> @juha-h can you please test https://github.com/kamailio/kamailio/pull/3482? At least the OPENSSL_fork_* warnings should be solved.

I gave the PR a try and now got the warnings below (no fork warnings anymore).

-- Juha
--------------------------------

```
tls_mod.c: In function 'ksr_rand_engine_param':
tls_mod.c:520:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  520 |                 RAND_set_rand_method(RAND_ksr_krand_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
In file included from tls_rand.h:26,
                 from tls_mod.c:54:
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c:523:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  523 |                 RAND_set_rand_method(RAND_ksr_fastrand_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c:526:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  526 |                 RAND_set_rand_method(RAND_ksr_cryptorand_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c:529:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  529 |                 RAND_set_rand_method(RAND_ksr_kxlibssl_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c: In function 'mod_register':
tls_mod.c:680:9: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  680 |         RAND_set_rand_method(RAND_ksr_cryptorand_method());
      |         ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c: In function 'tls_engine_init':
tls_mod.c:715:9: warning: 'ENGINE_by_id' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  715 |         e = ENGINE_by_id("dynamic");
      |         ^
In file included from tls_mod.c:154:
/usr/include/openssl/engine.h:336:31: note: declared here
  336 | OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
      |                               ^~~~~~~~~~~~
tls_mod.c:734:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  734 |         if(!ENGINE_ctrl_cmd_string(e, "SO_PATH",
      |         ^~
/usr/include/openssl/engine.h:479:5: note: declared here
  479 |     int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
      |     ^~~~~~~~~~~~~~~~~~~~~~
tls_mod.c:739:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  739 |         if(!ENGINE_ctrl_cmd_string(e, "ID", engine_id, 0)) {
      |         ^~
/usr/include/openssl/engine.h:479:5: note: declared here
  479 |     int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
      |     ^~~~~~~~~~~~~~~~~~~~~~
tls_mod.c:743:9: warning: 'ENGINE_ctrl_cmd' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  743 |         if(!ENGINE_ctrl_cmd(e, "LOAD", 1, NULL, NULL, 0)) {
      |         ^~
/usr/include/openssl/engine.h:450:27: note: declared here
  450 | OSSL_DEPRECATEDIN_3_0 int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
      |                           ^~~~~~~~~~~~~~~
tls_mod.c:752:17: warning: 'ENGINE_ctrl_cmd_string' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  752 |                 if(!ENGINE_ctrl_cmd_string(e, confval->name, confval->value, 0)) {
      |                 ^~
/usr/include/openssl/engine.h:479:5: note: declared here
  479 |     int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
      |     ^~~~~~~~~~~~~~~~~~~~~~
tls_mod.c:758:9: warning: 'ENGINE_init' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  758 |         if(!ENGINE_init(e)) {
      |         ^~
/usr/include/openssl/engine.h:620:27: note: declared here
  620 | OSSL_DEPRECATEDIN_3_0 int ENGINE_init(ENGINE *e);
      |                           ^~~~~~~~~~~
tls_mod.c:763:17: warning: 'ENGINE_set_default_string' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  763 |                 rc = ENGINE_set_default_string(
      |                 ^~
/usr/include/openssl/engine.h:685:27: note: declared here
  685 | OSSL_DEPRECATEDIN_3_0 int ENGINE_set_default_string(ENGINE *e,
      |                           ^~~~~~~~~~~~~~~~~~~~~~~~~
tls_mod.c:770:9: warning: 'ENGINE_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  770 |         ENGINE_free(e);
      |         ^~~~~~~~~~~
/usr/include/openssl/engine.h:493:27: note: declared here
  493 | OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
      |                           ^~~~~~~~~~~
tls_mod.c: In function 'tls_engine_private_key':
tls_mod.c:780:9: warning: 'ENGINE_load_private_key' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  780 |         return ENGINE_load_private_key(ksr_tls_engine, key_id, NULL, NULL);
      |         ^~~~~~
/usr/include/openssl/engine.h:638:11: note: declared here
  638 | EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
      |           ^~~~~~~~~~~~~~~~~~~~~~~
CC (gcc) [M tls.so]		tls_rand.o
tls_rand.c: In function 'ksr_kxlibssl_init':
tls_rand.c:179:17: warning: 'RAND_get_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  179 |                 _ksr_kxlibssl_local_method = RAND_get_rand_method();
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from tls_rand.h:26,
                 from tls_rand.c:30:
/usr/include/openssl/rand.h:50:42: note: declared here
   50 | OSSL_DEPRECATEDIN_3_0 const RAND_METHOD *RAND_get_rand_method(void);
      |                                          ^~~~~~~~~~~~~~~~~~~~
```
From https://www.openssl.org/docs/man3.0/man7/migration_guide.html

> **Engines and "METHOD" APIs**
>
> The refactoring to support Providers conflicts internally with the APIs used to support engines, including the ENGINE API and any function that creates or modifies custom "METHODS" (for example [EVP_MD_meth_new(3)](http://man.he.net/man3/EVP_MD_meth_new), [EVP_CIPHER_meth_new(3)](http://man.he.net/man3/EVP_CIPHER_meth_new), [EVP_PKEY_meth_new(3)](http://man.he.net/man3/EVP_PKEY_meth_new), [RSA_meth_new(3)](http://man.he.net/man3/RSA_meth_new), [EC_KEY_METHOD_new(3)](http://man.he.net/man3/EC_KEY_METHOD_new), etc.). These functions are being deprecated in OpenSSL 3.0, and users of these APIs should know that their use can likely bypass provider selection and configuration, with unintended consequences. This is particularly relevant for applications written to use the OpenSSL 3.0 FIPS module, as detailed below. Authors and maintainers of external engines are strongly encouraged to refactor their code transforming engines into providers using the new Provider API and avoiding deprecated methods.

related to: [3948783](https://github.com/kamailio/kamailio/commit/394878313770a3b8b57a346a0a323eff...) all ENGINE_* warnings
@aalba6675 maybe for openssl >= 3.0 an external implementation of [PKCS#11 provider](https://github.com/latchset/pkcs11-provider) is good enough or at least the way to move forward?
I would disable tls_engine by default for openssl >= 3.0
@juha-h with 9e0197ca3a130a559db08fcd4b352a03c5371f04 ( vseva/tls branch ) last warnings are:
```
tls_mod.c: In function 'ksr_rand_engine_param':
tls_mod.c:523:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  523 |                 RAND_set_rand_method(RAND_ksr_krand_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
In file included from tls_rand.h:26,
                 from tls_mod.c:54:
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c:526:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  526 |                 RAND_set_rand_method(RAND_ksr_fastrand_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c:529:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  529 |                 RAND_set_rand_method(RAND_ksr_cryptorand_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c:532:17: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  532 |                 RAND_set_rand_method(RAND_ksr_kxlibssl_method());
      |                 ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
tls_mod.c: In function 'mod_register':
tls_mod.c:683:9: warning: 'RAND_set_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  683 |         RAND_set_rand_method(RAND_ksr_cryptorand_method());
      |         ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/rand.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth);
      |                           ^~~~~~~~~~~~~~~~~~~~
CC (gcc) [M tls.so]		tls_rand.o
tls_rand.c: In function 'ksr_kxlibssl_init':
tls_rand.c:179:17: warning: 'RAND_get_rand_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  179 |                 _ksr_kxlibssl_local_method = RAND_get_rand_method();
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from tls_rand.h:26,
                 from tls_rand.c:30:
/usr/include/openssl/rand.h:50:42: note: declared here
   50 | OSSL_DEPRECATEDIN_3_0 const RAND_METHOD *RAND_get_rand_method(void);
      |                                          ^~~~~~~~~~~~~~~~~~~~
```
Yes, the external crypto engine support will not work anymore for OpenSSL 3.x; it probably needs more analysis from the mentioned author. Even if we did the refactoring to the new methods, without access to test devices it's difficult to verify.
About the random number generator topics, they are also deprecated in OpenSSL 3.x, as shown above. But as they were added just to work around some limitations/bugs in OpenSSL 1.x, it probably makes sense to try to deactivate them as well. Maybe they are not needed anymore. If we still need them, we probably need to refactor them to use the [RAND_set_DRBG_type(3)](https://www.openssl.org/docs/man3.1/man3/RAND_set_DRBG_type.html), [EVP_RAND(3)](https://www.openssl.org/docs/man3.1/man3/EVP_RAND.html) and [EVP_RAND(7)](https://www.openssl.org/docs/man3.1/man7/EVP_RAND.html) functions.
disabling tls_rand too at (vseva/tls https://github.com/kamailio/kamailio/pull/3482/commits/4cbe8241f59c3238472fa... )
No more warnings with openssl 3.0. Now we have to test it.
Closed #3484 as completed.
build warnings are fixed by #3482
Sorry, but the warnings have not been fixed in 5.7, which was the topic of this issue.
Reopened #3484.
@juha-h: backporting to 5.7 may take a while, because support for libssl 3.0 is not validated yet. Those are deprecation warnings, so normally things should still work fine with them, but as reported in other issues, there are crashes with libssl 3.0. Therefore it is expected that there are other internal changes in libssl 3.0 that need to be handled.
Maybe you can help testing tls master branch and if proves stable, then can be backported. Just getting rid of changes in this case does not seem enough at this moment.
Daniel-Constantin Mierla writes:

> @juha-h: backporting to 5.7 may take a while, because support for libssl 3.0 is not validated yet. Those are deprecation warnings, so normally things should still work fine with them, but as reported in other issues, there are crashes with libssl 3.0. Therefore it is expected that there are other internal changes in libssl 3.0 that need to be handled.

Yes, I understand, but lots of warnings when building the stable, production version of my SIP Proxy, based on the stable version of Kamailio, do not look good. So, let's keep this issue open until the backport to 5.7 is done.

> Maybe you can help testing tls master branch and if proves stable, then can be backported. Just getting rid of changes in this case does not seem enough at this moment.

I'm using master in my own test setup and will report if I find TLS-related issues.

-- Juha
With this kind of tls.cfg

```
[client:default]
verify_certificate = yes
require_certificate = yes
tls_method = TLSv1.2+
private_key = /etc/sip-proxy/certs/siika-key.pem
certificate = /etc/sip-proxy/certs/siika-cert.pem
ca_list = /etc/sip-proxy/certs/ca_list.pem

[server:default]
verify_certificate = yes
require_certificate = no
server_name = test.tutpro.com
tls_method = TLSv1.2+
private_key = /etc/sip-proxy/certs/siika-key.pem
certificate = /etc/sip-proxy/certs/siika-cert.pem
ca_list = /etc/sip-proxy/certs/ca_list.pem
```

the SIP Proxy was able to verify the client certificate and vice versa.
On a second thought, given that the patches to tls module are only related to macro checks (ifdefs) on libssl version >=3.0, no other relevant changes, I think they should be backported to 5.7 without waiting longer. There is no impact for older libssl versions and it may fix some of the libssl 3.0+ issues (or in other words, it cannot make it worse for libssl 3.0+).
@linuxmaniac: what do you think?
I also fixed the warnings for http_client with the commit referenced above.
Yes, it can't make things worse.
I'll backport the changes
Thanks!
```
commit 23a121e5d8ffa172f71433c2ef74f323a54e8315 (HEAD -> 5.7, origin/5.7)
Author: Daniel-Constantin Mierla <miconda@gmail.com>
Date:   Wed Jun 21 09:27:28 2023 +0200

    http_client: fix deprecation of CURLOPT_PROTOCOLS and CURLINFO_SIZE_DOWNLOAD

    - GH #3484

    (cherry picked from commit b7b3c67fc1205d114fadf360a594930ef69835a3)

commit 8cc9ec410ff359e3d93e994c210977a8baa578c4
Author: Victor Seva <linuxmaniac@torreviejawireless.org>
Date:   Mon Jun 19 20:12:17 2023 +0200

    tls: disable tls_rand for openssl >= 3.0

    From https://www.openssl.org/docs/man3.0/man3/RAND_set_rand_method.html

    > All of the functions described on this page are deprecated.
    > Applications should instead use RAND_set_DRBG_type(3), EVP_RAND(3) and
    > EVP_RAND(7).

    (cherry picked from commit c4b04696a6bfe31fdd65fa56529b0d46f2774067)

commit d4b7333ca126ae7c77ec8f095f8728234d0dfe43
Author: Victor Seva <linuxmaniac@torreviejawireless.org>
Date:   Mon Jun 19 13:36:53 2023 +0200

    tls: disable engine for openssl >= 3.0

    From https://www.openssl.org/docs/man3.0/man7/migration_guide.html

    > The refactoring to support Providers conflicts internally with the APIs
    > used to support engines, including the ENGINE API and any function that
    > creates or modifies custom "METHODS"

    From https://www.openssl.org/docs/man3.0/man3/ENGINE_init.html:

    > All of the functions described on this page are deprecated. Applications
    > should instead use the provider APIs.

    (cherry picked from commit a0a9373ccb3d3da3a1e9e1335d904fcf013d9ebd)

commit 6669c0befcd69f5d5e196c53188bed58a6a9e1c2
Author: Victor Seva <linuxmaniac@torreviejawireless.org>
Date:   Tue Jun 13 12:37:21 2023 +0200

    tls: OPENSSL_fork_[prepare|parent|child] deprecated at openssl 3.0

    From https://www.openssl.org/docs/man3.0/man3/OPENSSL_fork_prepare.html:

    > OPENSSL_fork_prepare, OPENSSL_fork_parent, OPENSSL_fork_child have been
    > deprecated since OpenSSL 3.0.
    >
    > These methods are currently unused, and as such, no replacement methods
    > are required or planned.
    >
    > OpenSSL has state that should be reset when a process forks. For
    > example, the entropy pool used to generate random numbers (and therefore
    > encryption keys) should not be shared across multiple programs. The
    > OPENSSL_fork_prepare(), OPENSSL_fork_parent(), and OPENSSL_fork_child()
    > functions are used to reset this internal state.
    >
    > OPENSSL_init_crypto(3) will register these functions with the
    > appropriate handler, when the OPENSSL_INIT_ATFORK flag is used

    (cherry picked from commit 9d6bfb96528c49e6aaa39aa47be877ca528c3537)
```
This one is still left:

```
C (gcc) [M http_client.so]		functions.o
functions.c: In function 'curL_request_url':
functions.c:164:9: warning: 'CURLOPT_REDIR_PROTOCOLS' is deprecated: since 7.85.0. Use CURLOPT_REDIR_PROTOCOLS_STR [-Wdeprecated-declarations]
  164 |         res = curl_easy_setopt(
      |         ^~~
In file included from http_client.h:36,
                 from functions.c:45:
/usr/include/x86_64-linux-gnu/curl/curl.h:1755:3: note: declared here
 1755 |   CURLOPTDEPRECATED(CURLOPT_REDIR_PROTOCOLS, CURLOPTTYPE_LONG, 182,
      |   ^~~~~~~~~~~~~~~~~
```
Now we are getting a build error in [stretch](https://kamailio.sipwise.com/job/kamailiodev-nightly-binaries/architecture=a...)

```
03:08:53 gcc -fPIC -DPIC -funroll-loops -Wcast-align -m64 -minline-all-stringops -falign-loops -ftree-vectorize -fno-strict-overflow -mtune=generic -pthread -DKSR_PTHREAD_MUTEX_SHARED -Wall -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/kamailio-5.8.0~dev0+bpo9.20230622005415.2462=. -fstack-protector-strong -Wformat -Werror=format-security -DVERSION_NODATE -DNAME='"kamailio"' -DVERSION='"5.8.0-dev0"' -DARCH='"x86_64"' -DOS='linux_' -DOS_QUOTED='"linux"' -DCOMPILER='"gcc 6.3.0"' -D__CPU_x86_64 -D__OS_linux -DVERSIONVAL=5008000 -DCFG_DIR='"/etc/kamailio/"' -DSHARE_DIR='"/usr/share/kamailio/"' -DRUN_DIR='"/var/run/kamailio/"' -DPKG_MALLOC -DSHM_MMAP -DDNS_IP_HACK -DUSE_MCAST -DUSE_TCP -DDISABLE_NAGLE -DHAVE_RESOLV_RES -DUSE_DNS_CACHE -DUSE_DNS_FAILOVER -DUSE_DST_BLOCKLIST -DUSE_NAPTR -DWITH_XAVP -DMEM_JOIN_FREE -DF_MALLOC -DQ_MALLOC -DTLSF_MALLOC -DDBG_SR_MEMORY -DUSE_TLS -DTLS_HOOKS -DUSE_CORE_STATS -DSTATISTICS -DMALLOC_STATS -DUSE_SCTP -DFAST_LOCK -DADAPTIVE_WAIT -DADAPTIVE_WAIT_LOOPS=1024 -DCC_GCC_LIKE_ASM -DHAVE_GETHOSTBYNAME2 -DHAVE_UNION_SEMUN -DHAVE_SCHED_YIELD -DHAVE_MSG_NOSIGNAL -DHAVE_MSGHDR_MSG_CONTROL -DHAVE_ALLOCA_H -DHAVE_TIMEGM -DHAVE_SCHED_SETSCHEDULER -DHAVE_IP_MREQN -DUSE_RAW_SOCKS -DHAVE_EPOLL -DHAVE_SIGIO_RT -DSIGINFO64_WORKAROUND -DUSE_FUTEX -DHAVE_SELECT -DMOD_NAME='"tls"' -DMOD_NAMEID='tls' -c tls_init.c -o tls_init.o -MMD -MP
03:08:53 tls_init.c: In function 'tls_h_mod_pre_init_f':
03:08:53 tls_init.c:752:19: error: 'OPENSSL_INIT_ATFORK' undeclared (first use in this function)
03:08:53   OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
03:08:53                    ^~~~~~~~~~~~~~~~~~~
03:08:53 tls_init.c:752:19: note: each undeclared identifier is reported only once for each function it appears in
03:08:53 ../../Makefile.rules:100: recipe for target 'tls_init.o' failed
```
Seems 9d6bfb96528c49e6aaa39aa47be877ca528c3537 broke it
libssl-dev is 1.1.0l

```
02:59:07 Setting up libssl-dev:amd64 (1.1.0l-1~deb9u6) ...
```
It seems it requires libssl 1.1.1:
- https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_fork_child.html
The ifdef is for 1.1.0, so I guess old variant has to be kept for 1.1.0 and the new one for >=1.1.1
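All of the fixes in this thread are compile-time guards keyed on the numeric version macros: ENGINE_* and RAND_set_rand_method() code is dropped for OpenSSL >= 3.0, OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL) is only available from 1.1.1 (hence the stretch failure on 1.1.0l), and the CURLOPT_*_STR options replace the long-typed ones from libcurl 7.85.0. The following C program is an added example, not Kamailio code, showing how OPENSSL_VERSION_NUMBER and LIBCURL_VERSION_NUM encode a version string and which branch each library version would select; the threshold names, helper function names and sample version strings are this example's own assumptions, and it builds without OpenSSL or libcurl headers.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Thresholds behind the #if guards discussed in this issue (assumed from the
 * warnings and man pages quoted in the thread, not copied from Kamailio). */
#define OSSL_1_1_1  0x10101000UL  /* OPENSSL_INIT_ATFORK / OPENSSL_fork_* first declared */
#define OSSL_3_0_0  0x30000000UL  /* ENGINE_* and RAND_*_rand_method deprecated */
#define CURL_7_85_0 0x075500UL    /* CURLOPT_*PROTOCOLS_STR replace the LONG options */

/* Encode "M.N.F[p]" the way OPENSSL_VERSION_NUMBER does.
 *   1.x releases: 0xMNNFFPPS, PP = patch letter (a=1, b=2, ...), S = 0xf (release)
 *   3.x releases: 0xMNN00PP0, PP = numeric patch level, status nibble 0
 * Returns 0 when the string does not parse. */
unsigned long openssl_version_number(const char *v)
{
    unsigned major, minor, fix, patch = 0;
    char letter = 0;
    int n = sscanf(v, "%u.%u.%u%c", &major, &minor, &fix, &letter);

    if (n < 3 || major > 0xf || minor > 0xff || fix > 0xff)
        return 0;
    if (major >= 3)
        return ((unsigned long)major << 28) | ((unsigned long)minor << 20)
             | ((unsigned long)fix << 4);
    if (n == 4 && isalpha((unsigned char)letter))
        patch = (unsigned)(tolower((unsigned char)letter) - 'a' + 1);
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20)
         | ((unsigned long)fix << 12) | ((unsigned long)patch << 4) | 0xfUL;
}

/* Encode "X.Y.Z" the way LIBCURL_VERSION_NUM does: 0xXXYYZZ. Returns 0 on error. */
unsigned long curl_version_num(const char *v)
{
    unsigned x, y, z;
    if (sscanf(v, "%u.%u.%u", &x, &y, &z) != 3 || x > 0xff || y > 0xff || z > 0xff)
        return 0;
    return ((unsigned long)x << 16) | ((unsigned long)y << 8) | z;
}

/* Runtime mirrors of the preprocessor decisions. In the module these are
 * #if branches on OPENSSL_VERSION_NUMBER / LIBCURL_VERSION_NUM. */
int atfork_init_available(unsigned long ossl) { return ossl >= OSSL_1_1_1; } /* OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL) */
int engine_api_usable(unsigned long ossl)     { return ossl < OSSL_3_0_0; }  /* tls_engine: ENGINE_* */
int rand_method_usable(unsigned long ossl)    { return ossl < OSSL_3_0_0; }  /* tls_rand: RAND_set_rand_method() */
const char *redir_protocols_option(unsigned long curl)
{
    return curl >= CURL_7_85_0 ? "CURLOPT_REDIR_PROTOCOLS_STR" : "CURLOPT_REDIR_PROTOCOLS";
}

int main(void)
{
    /* Constructed sample pairs: a stretch-like 1.1.0l system, a 1.1.1 system, a 3.0 system. */
    const char *ossl[] = {"1.1.0l", "1.1.1n", "3.0.9"};
    const char *curl[] = {"7.52.1", "7.74.0", "7.88.1"};
    for (int i = 0; i < 3; i++) {
        unsigned long o = openssl_version_number(ossl[i]);
        unsigned long c = curl_version_num(curl[i]);
        printf("openssl %-7s 0x%08lx  atfork-init=%d engine=%d rand=%d | curl %-7s 0x%06lx %s\n",
               ossl[i], o, atfork_init_available(o), engine_api_usable(o), rand_method_usable(o),
               curl[i], c, redir_protocols_option(c));
    }
    return 0;
}
```

Running it prints one line per sample pair; the 1.1.0l row is the stretch case from the nightly build (no OPENSSL_INIT_ATFORK, engine and rand still compiled in), and the 3.0.9 row is the bookworm case where both tls_engine and tls_rand are compiled out.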
Here is diff to get rid of the curl warning: ``` *** /usr/src/orig/kamailio/src/modules/http_client/functions.c 2023-06-21 13:15:29.682303834 +0300 --- src/opensipg-sip-proxy/src/modules/http_client/functions.c 2023-06-23 09:00:14.403813698 +0300 *************** *** 162,168 **** curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); #endif res = curl_easy_setopt( ! curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
if(_met != NULL) { /* Enforce method (GET, PUT, ...) */ --- 162,168 ---- curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); #endif res = curl_easy_setopt( ! curl, CURLOPT_REDIR_PROTOCOLS_STR, "http,https");
if(_met != NULL) { /* Enforce method (GET, PUT, ...) */ ```
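Review bot: the replacement call `curl, CURLOPT_REDIR_PROTOCOLS_STR, "http,https");` is unconditional, while the `#endif` just above it shows the preceding CURLOPT_PROTOCOLS call is already inside a libcurl version guard. CURLOPT_REDIR_PROTOCOLS_STR only exists from libcurl 7.85.0 (the version the deprecation warning itself names), so this hunk will not compile against older libcurl; wrap it in the same `#if`/`#else` so the CURLPROTO_HTTP | CURLPROTO_HTTPS mask remains for older releases. The string form keeps the same effect as the mask, restricting redirects to http and https only, which is the behaviour to preserve.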
@juha-h it should be fine now in master and 5.7
Yes, all warnings are now gone. Thanks.
Closed #3484 as completed.