Hello,
thanks for contributing to the project!
On 17.06.22 10:53, Richard Chan wrote:
> Hello Kamailio users,
> [...] As a result Kamailio contains some tricky code
> - a pthread polyfill in core
> - duplicated SSL_CTX per worker
> - atexit workaround
Just some clarifications: the atexit is not libssl-specific, it is from the libc, just that libssl makes use of it. It can happen with other libraries that do not need anything for multi-process.
Also, the duplicated context might be something that is needed because of the multi-process design, not necessarily specific to libssl. We have, for example, a connection to the database per process as well.
The pthread locks init is indeed sort of a workaround, although it might be worth trying to push a patch to libssl to make the flags optional for setting them, it is just some initialization value (i.e., to set the PTHREAD_PROCESS_SHARED attribute).
But those do not reduce in any way the value of having an alternative like tls_wolfssl.
> How to test?
> The code is currently in master and can be built in the usual way. Debian has the needed libwolfssl-dev 5.2.0;
For the moment just adding that Ubuntu 20.04 has libwolfssl-dev 4.30, so the module does not compile there.
Cheers, Daniel
> for some RPM distros (el8, el9, fc36) I have created a Copr repository https://copr.fedorainfracloud.org/coprs/beaveryoga/wolfSSL/
> Known limitations
> The current state can be considered as identical to tls+OpenSSL 1.1.1/3.0.x.
> Old TLS protocols < 1.2 and cipher list configuration don't work, i.e., only TLS 1.2 and 1.3 work with the default cipher list.
> In your configuration just replace loadmodule "tls.so" with loadmodule "tls_wolfssl.so"
> The rest of the TLS configuration can remain unchanged unless you are using a funky protocol version/cipher list combination.
> Thanks!
> S-P