Hello,
We have compiled openssl 3.0.9 from source because it's FIPS validated, and want to use it with Kamailio. The server also has the Ubuntu openssl 3.0.2 package installed.
Does anyone know how we can tell Kamailio to use the openssl library in /opt/openssl/lib64, and how we can verify that it really is using it?
Thanking you in advance,
Hello,
I would try something like this:
https://stackoverflow.com/questions/426230/what-is-the-ld-preload-trick
Kamailio will output the version of the library on startup:
/var/log/kamailio.log.1:Jul 31 20:09:04 kama01 /usr/sbin/kamailio[31049]: INFO: tls [tls_mod.c:448]: mod_init(): use OpenSSL version: 30000020
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com/
Yes, you can use the LD_LIBRARY_PATH, and `ldd` to verify.
Hi Henning and Alex,
Thanks very much for the answers. I added the following line to /etc/systemd/system/kamailio.service, reloaded the systemd configuration, and restarted Kamailio. However the "OpenSSL version" logged by Kamailio is the same as before. I also tried using libcrypto.so instead of libssl.so with the same result. I was able to verify that the LD_PRELOAD environment variable was the correct value inside the startup script that's run by systemd. Have you any suggestions on what I could be doing wrong? Thanks again.
Environment="LD_PRELOAD=/opt/openssl/lib64/libssl.so"
Hello David,
I have not tried it, but it might be the problem that you need to specify library name and library paths independently, e.g. refer to this discussion: https://stackoverflow.com/questions/72862714/systemd-ignores-ld-preload-vari...
Cheers,
Henning
Hi Henning,
I've tried that but with no difference. Even when the environment variables are set directly in the script which runs the Kamailio binary, it still logs the same OpenSSL version as the Ubuntu one, not the FIPS version that we compiled into /opt.
Would anyone have any suggestions on where to go from here?
Thank you very much!
Hello David,
does it work when you start the kamailio manually on the command line, not with systemd?
Cheers,
Henning
Hi Henning,
It's the same unfortunately, and reports the Ubuntu OpenSSL version rather than the OpenSSL version specified in the environment variables. For example:
# ls /opt/openssl/lib64/libssl.so
/opt/openssl/lib64/libssl.so

# env | egrep 'LD_PRELOAD|LD_LIBRARY'
LD_PRELOAD=libssl.so
LD_LIBRARY_PATH=/opt/openssl/lib64

# /sbin/kamailio -m 512 -M 8 -P /var/run/enswitch/kamailio.pid
loading modules under config path: /lib/kamailio/modules/:/lib64/kamailio/modules/
Listening on
    udp: xx.xx.xx.xx:5060

# grep 'OpenSSL version' /var/log/syslog | tail -n 1
Aug 22 16:53:50 caes8 /sbin/kamailio[769472]: INFO: tls [tls_mod.c:448]: mod_init(): use OpenSSL version: 30000020
But the OpenSSL in /opt/openssl/lib64 is version 3.0.9. BTW, I tried using libcrypto.so instead of libssl.so but it didn't work either.
Is it possible to pass a specific version of OpenSSL to Kamailio at compile time, or something like that?
Thanks again.
Hello David,
that log message shows compiled in OpenSSL version number [1]. Check mapped library file e.g. via
sudo lsof -p $(pgrep -P1 kamailio) | grep libssl
Regards, Bastian
[1] https://github.com/kamailio/kamailio/blob/master/src/modules/tls/tls_mod.c#L...
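An added example, not part of the thread or of Kamailio: it decodes the logged compile-time value (30000020) and checks which libssl/libcrypto files a process has actually mapped, using the `/proc/<pid>/maps` format. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample listings are constructed;
# they are not Kamailio or OpenSSL tooling.

# Decode the value Kamailio logs with "%08x" (OPENSSL_VERSION_NUMBER).
# OpenSSL 3.x layout is 0xMNN00PP0: M major, NN minor, PP patch.
decode_ossl3_version() {
    v=$((0x$1))
    major=$(( (v >> 28) & 0xf ))
    minor=$(( (v >> 20) & 0xff ))
    patch=$(( (v >> 4) & 0xff ))
    # Releases before 3.0 use a different layout; refuse to guess.
    [ "$major" -ge 3 ] || return 1
    echo "$major.$minor.$patch"
}

# Print the distinct libssl/libcrypto files in a /proc/<pid>/maps listing.
# Field 6 of each line is the path of the mapped file.
mapped_openssl_libs() {
    awk '$6 ~ /\/lib(ssl|crypto)\.so/ { print $6 }' "$1" | sort -u
}

# Return 0 if every mapped OpenSSL library is under directory $2,
# 1 if any comes from elsewhere, 2 if none is mapped at all.
uses_only_openssl_from() {
    dir=${2%/}
    libs=$(mapped_openssl_libs "$1")
    [ -n "$libs" ] || return 2
    for lib in $libs; do
        case $lib in
            "$dir"/*) ;;
            *) echo "unexpected: $lib" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample listings (addresses and inodes are made up).
SAMPLE_SYSTEM=$(mktemp)
SAMPLE_CUSTOM=$(mktemp)
trap 'rm -f "$SAMPLE_SYSTEM" "$SAMPLE_CUSTOM"' EXIT

# Process that resolved OpenSSL from the distribution path.
cat > "$SAMPLE_SYSTEM" <<'EOF'
7f10a0000000-7f10a001f000 r--p 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f10a001f000-7f10a007a000 r-xp 0001f000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f10a0200000-7f10a02b2000 r--p 00000000 08:01 1310 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f10a0800000-7f10a0810000 r-xp 00000000 08:01 2200 /lib64/kamailio/modules/tls.so
EOF

# Process started with LD_LIBRARY_PATH=/opt/openssl/lib64.
cat > "$SAMPLE_CUSTOM" <<'EOF'
7f20b0000000-7f20b001f000 r--p 00000000 08:01 9001 /opt/openssl/lib64/libssl.so.3
7f20b0200000-7f20b02b2000 r--p 00000000 08:01 9002 /opt/openssl/lib64/libcrypto.so.3
7f20b0800000-7f20b0810000 r-xp 00000000 08:01 2200 /lib64/kamailio/modules/tls.so
EOF

# The logged number describes the headers tls.so was built against.
echo "log value 30000020 = OpenSSL $(decode_ossl3_version 30000020) headers"

# The mapped files describe what the dynamic loader actually resolved.
for f in "$SAMPLE_SYSTEM" "$SAMPLE_CUSTOM"; do
    if uses_only_openssl_from "$f" /opt/openssl/lib64; then
        echo "OK: only /opt/openssl/lib64 libraries are mapped"
    else
        echo "MISMATCH: OpenSSL mapped from outside /opt/openssl/lib64"
    fi
done
```

On a live system, pass the `/proc/<pid>/maps` file of a running Kamailio process as the first argument instead of a sample file.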
Hello David,
the version output is indeed the compiled version, sorry for the mistake.
Check with the lsof command given earlier for the actually linked version.
Otherwise, you could compile a custom kamailio specifically with a local OpenSSL by adapting the library paths, I think.
But maybe it's not needed, if you can confirm with the lsof command that it's using the custom library already.
Cheers,
Henning
Hello David,
Can you present your launcher script here?
LD_LIBRARY_PATH is the correct way to use an ABI-compatible (same SONAME) alternative to a system library.
The boilerplate looks like this:
#!/bin/bash
# IMPORTANT: intended replacements must have the same SONAME as what
# tls.so was built with, i.e., libssl.so.3, libcrypto.so.3
# Your local artifacts libssl.so.3 libcrypto.so.3 installed to /opt/openssl3/lib64

# EITHER
export LD_LIBRARY_PATH=/opt/openssl3/lib64 #export is required
/usr/sbin/kamailio <args .....>

# OR - same line -
LD_LIBRARY_PATH=/opt/openssl3/lib64 /usr/sbin/kamailio <args .....>
Cheers Richard
Hi Henning,
The issue happens even if I run Kamailio directly from the command line, having set LD_LIBRARY_PATH in the environment first. Please see the commands below. OpenSSL 3.0.2 is installed with Ubuntu, and OpenSSL 3.0.9 with FIPS compiled in /opt/openssl.
Setting LD_LIBRARY_PATH does seem to work for Apache, although Apache was compiled with the "--with-ssl=/opt/openssl" option. Would there by any chance be an equivalent for Kamailio? Thanks again for your help.
root@caes8:~# ls /opt/openssl/lib64/
engines-3 libcrypto.a libcrypto.so libcrypto.so.3 libssl.a libssl.so libssl.so.3 ossl-modules pkgconfig

root@caes8:~# export LD_LIBRARY_PATH=/opt/openssl/lib64

root@caes8:~# /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
loading modules under config path: /lib/kamailio/modules/:/lib64/kamailio/modules/
Listening on
    udp: xx.xx.xx.xx:5060
    tls: xx.xx.xx.xx:5061
Aliases:

root@caes8:~# ps -ef | grep kamailio | head
product 2905052 1 9 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905078 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905079 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905080 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905081 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905082 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905083 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905084 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905085 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905087 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid

root@caes8:~# grep -i 'OpenSSL version' /var/log/syslog | tail
Aug 26 16:55:28 caes8 /sbin/kamailio[2905052]: INFO: tls [tls_mod.c:448]: mod_init(): use OpenSSL version: 30000020
Hi everyone,
Just sharing that the solution was to add these two lines to the [Service] section of the systemd unit file:
Environment=LD_LIBRARY_PATH=/opt/openssl/lib64
Environment=OPENSSL_CONF=/etc/ssl/fips.cnf
And also apply a patch to Kamailio in src/modules/tls/tls_mod.c so that it logs the OpenSSL library at run-time, as well as the default logging of the OpenSSL library at compilation:
448c448,461 < LM_INFO("use OpenSSL version: %08x\n", (uint32_t)(OPENSSL_VERSION_NUMBER)); ---
#if OPENSSL_VERSION_NUMBER < 0x030000000L LM_INFO("compiled with OpenSSL version: %08x\n",
(uint32_t)(OPENSSL_VERSION_NUMBER));
#elif OPENSSL_VERSION_NUMBER >= 0x030000000L LM_INFO("compiled with OpenSSL: %s\n", OPENSSL_VERSION_TEXT); LM_INFO("run-time OpenSSL library: %s\n",
OpenSSL_version(OPENSSL_VERSION));
if(EVP_default_properties_is_fips_enabled(NULL) == 1) { LM_INFO("FIPS mode enabled in OpenSSL library\n"); } else { LM_INFO("FIPS mode not enabled in OpenSSL library\n"); }
#endif
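Review bot: EVP_default_properties_is_fips_enabled(NULL) in the new #elif branch only reports whether fips=yes is set as a default property on the default library context; it does not confirm that the FIPS provider was actually loaded, so the "FIPS mode enabled" line would be more trustworthy if it also logged the result of OSSL_PROVIDER_available(NULL, "fips"). Separately, the #elif OPENSSL_VERSION_NUMBER >= 0x030000000L condition is the exact complement of the #if above it, so a plain #else would do, and the constant is written with nine hex digits where 0x30000000L is the usual spelling.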
Tested with Kamailio 5.8.2. Hope this helps.
-- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782
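The verification question in this thread can also be answered from outside the process, without patching Kamailio: on Linux, /proc/<pid>/maps lists the shared objects the running daemon actually mapped, whereas ldd resolves libraries under the caller's environment rather than the service's. The script below is an added example, not code from the thread or from Kamailio; the function names are hypothetical and the maps excerpt is constructed.

```shell
#!/bin/sh
# Added example: names and sample data are constructed, not from the thread.

# Print the distinct libssl/libcrypto files mapped into a process.
# $1: a maps file (/proc/<pid>/maps on a live host, or a saved copy).
mapped_openssl_libs() {
    awk '$6 ~ "/lib(ssl|crypto)[.]so[^/]*$" { print $6 }' "$1" | sort -u
}

# Return 0 if libssl and libcrypto are both mapped and every copy is under
# directory $2; 1 if any copy comes from elsewhere; 2 if either is missing.
openssl_libs_under() {
    want=${2%/}
    libs=$(mapped_openssl_libs "$1")
    echo "$libs" | grep -q '/libssl\.so' || return 2
    echo "$libs" | grep -q '/libcrypto\.so' || return 2
    for lib in $libs; do
        case $lib in
            "$want"/*) ;;
            *) echo "unexpected: $lib" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed /proc/<pid>/maps excerpt with OpenSSL loaded from directory $1.
make_sample_maps() {
    cat <<EOF
55d0c0a00000-55d0c0a50000 r-xp 00000000 fd:01 1311 /sbin/kamailio
7f10a0000000-7f10a0080000 r-xp 00000000 fd:01 2201 $1/libssl.so.3
7f10a0080000-7f10a0090000 rw-p 00080000 fd:01 2201 $1/libssl.so.3
7f10a0200000-7f10a0600000 r-xp 00000000 fd:01 2202 $1/libcrypto.so.3
7f10a0800000-7f10a0830000 r-xp 00000000 fd:01 3301 /lib64/kamailio/modules/tls.so
7f10a0900000-7f10a0921000 rw-p 00000000 00:00 0
EOF
}

# Live host: openssl_libs_under "/proc/$(cat /var/run/product/kamailio.pid)/maps" /opt/openssl/lib64
# Demo on the constructed sample: the distro copy is mapped, so this fails.
demo=$(mktemp)
make_sample_maps /usr/lib/x86_64-linux-gnu > "$demo"
if openssl_libs_under "$demo" /opt/openssl/lib64 2>/dev/null; then
    echo "OpenSSL is loaded from /opt/openssl/lib64"
else
    echo "OpenSSL is NOT loaded only from /opt/openssl/lib64"
fi
rm -f "$demo"
```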
Hello David,
thanks for reporting back. Just for the archives, the code change mentioned below was also integrated in git master.
Cheers,
Henning