Can you actually explain better what the relation is between your message and the issue discussed in this email thread? Maybe I didn't get it right, but the bug that didn't allow setting a memory manager has nothing to do with how good or bad a memory manager implementation is from security and safety points of view. Your suggestion to use jemalloc or whatever other memory manager is not possible in that version of libssl, because that version simply doesn't allow setting a memory manager.

The bug was fixed in libssl, but some distros distributed the broken version; that's the reason it is required to use an older or newer version than the affected ones.

Cheers,
Daniel

On 12.12.17 18:01, otron2016@gmail.com wrote:

Broken is in the eyes of the beholder: well-designed cryptographic code wants to ensure that information (keys, cleartext) doesn't leak via unsanitized memory (there are many ways, both within and beyond calling programs); the easy and more foolproof way to do that for the cryptography programmer is often to use a memory manager that takes care of that, such as jemalloc (with appropriate configuration parameters).

If you make security representations (and the certificate is reasonably construed to make a security representation) you shouldn't bypass this unless you verify that you prevent all possible information leaks.

From arm's length, you might just try to use jemalloc as kamailio's mm library, but even there it would be necessary to be really careful about kamailio freeing sensitive memory immediately after use--everywhere that happens. That's why it's probably easier to just let a properly implemented crypto library do what it's designed to do.



-------- Original message --------
From: Daniel-Constantin Mierla <miconda@gmail.com>
Date: 12/12/2017 2:26 AM (GMT-06:00)
To: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>,Tomi Hakkarainen <tpaivaa@gmail.com>
Subject: Re: [SR-Users] Unable to enable TLS on Kamailio


Hello,

there were some broken versions of openssl that no longer allowed setting a custom memory manager. The only option is to upgrade libssl to a version that doesn't expose the issue. If you search the Kamailio issue tracker on github.com, there should be a closed issue about this topic.

Cheers,
Daniel


On 11.12.17 22:20, Tomi Hakkarainen wrote:
Hi,
  
I have a problem enabling TLS on a just-installed Kamailio server
openSUSE 42.3 (x86_64)
VERSION = 42.3
CODENAME = Malachite

version: kamailio 5.0.4 (x86_64/linux) 
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown 
compiled on 18:06:25 Dec  3 2017 with gcc 4.8.5

I get this on debug log:

 0(11336) DEBUG: <core> [core/cfg.y:1642]: yyparse(): loading modules under /usr/lib64/kamailio/modules/
loading modules under config path: /usr/lib64/kamailio/modules/
 0(11336) DEBUG: <core> [core/cfg.y:1623]: yyparse(): loading module tls.so
 0(11336) DEBUG: <core> [core/sr_module.c:575]: load_module(): trying to load </usr/lib64/kamailio/modules/tls.so>
 0(11336) DEBUG: <core> [core/mem/q_malloc.c:189]: qm_malloc_init(): qm_malloc_init: QM_OPTIMIZE=16384, /ROUNDTO=2048
 0(11336) DEBUG: <core> [core/mem/q_malloc.c:191]: qm_malloc_init(): qm_malloc_init: QM_HASH_SIZE=2099, qm_block size=235152
 0(11336) DEBUG: <core> [core/mem/q_malloc.c:193]: qm_malloc_init(): qm_malloc_init(0x7f6e001cb000, 67108864), start=0x7f6e001cb000
 0(11336) DEBUG: <core> [core/mem/q_malloc.c:202]: qm_malloc_init(): qm_malloc_init: size= 67108864, init_overhead=235256
 0(11336) ERROR: tls [tls_init.c:595]: tls_pre_init(): Unable to set the memory allocation functions
 0(11336) ERROR: tls [tls_init.c:597]: tls_pre_init(): libssl current mem functions - m: 0x7f6e055b33d0 r: 0x7f6e055b3a30 f: 0x7f6e055b39a0
 0(11336) ERROR: tls [tls_init.c:599]: tls_pre_init(): Be sure tls module is loaded before any other module using libssl (can be loaded first to be safe)
 0(11336) ERROR: <core> [core/sr_module.c:607]: load_module(): /usr/lib64/kamailio/modules/tls.so: mod_register failed
 0(11336) CRITICAL: <core> [core/cfg.y:3411]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 150, column 12-19: failed to load module

To resolve this, I have compiled openssl from 1.0.2j-fips to

openssl version
OpenSSL 1.0.2n  7 Dec 2017




Is this information enough to see what we are missing?
Will provide more info if needed.
Any help and suggestions are appreciated.

Regards, 
T

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com

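
The sanitization point raised in the thread (a memory manager that wipes buffers so keys and cleartext do not linger after release), as an added example that is not part of any message above and is not Kamailio or OpenSSL code: a zero-on-free allocator exposed as the malloc/realloc/free triple, the same three-function shape as the m/r/f pointers printed in the log. The `san_*` names, the fixed arena and its sizes are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define ARENA_SIZE 4096
#define HDR 16  /* per-block header holding the payload size */
/* Constructed fixed pool standing in for an application's private memory manager. */
static _Alignas(16) unsigned char arena[ARENA_SIZE];
static size_t arena_used;

/* Wipe through a volatile pointer so the compiler cannot elide the stores. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

static size_t block_size(const void *p) {
    size_t n;
    memcpy(&n, (const unsigned char *)p - HDR, sizeof n);
    return n;
}

void *san_malloc(size_t n) {
    if (n > ARENA_SIZE) return NULL;
    size_t need = HDR + ((n + 15) & ~(size_t)15);
    if (need > ARENA_SIZE - arena_used) return NULL;
    unsigned char *h = arena + arena_used;
    memcpy(h, &n, sizeof n);
    arena_used += need;
    return h + HDR;
}

void san_free(void *p) {
    if (p) secure_wipe(p, block_size(p));  /* bump pool: wiped, never handed out again */
}

/* Always moves the block, then wipes the old copy so no stale secret is left behind. */
void *san_realloc(void *p, size_t n) {
    if (!p) return san_malloc(n);
    if (n == 0) { san_free(p); return NULL; }
    size_t old = block_size(p);
    void *q = san_malloc(n);
    if (!q) return NULL;  /* old block stays valid on failure */
    memcpy(q, p, old < n ? old : n);
    san_free(p);
    return q;
}

/* Returns 1 when every byte of [p, p+n) is zero. */
int region_is_zero(const void *p, size_t n) {
    const unsigned char *b = p;
    while (n--) if (*b++) return 0;
    return 1;
}
```

The realloc path is the case that is easy to miss: a grow that moves the block leaves the old copy of the secret behind unless the allocator wipes it.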