Hi, all.
I have configured kamailio.cfg as below:
#!ifdef WITH_TLS
modparam("tls", "session_id", "vic22")
modparam("tls", "session_cache",1)
modparam("tls", "tls_disable_compression",0)
modparam("tls", "config", "/usr/cfg/tls.cfg")
#!endif
I was sure that this configuration segment was included: in case I set a wrong path to
modparam("tls", "config", "/wrong paths/tls.cfg")
kamailio can't boot and raises an error.
But when I debugged this configuration with gdb, I found that, within the method init_tls_compression(),
line 384 of tls_init.c:
384 } else if (cfg_get(tls, tls_cfg, disable_compression)){
385 LOG(L_INFO, "tls: init_tls: disabling compression...\n");
386 sk_SSL_COMP_zero(comp_methods);
The param value from cfg was always 1, namely:
* print ((struct cfg_group_tls *)tls_cfg)->disable_compression
1
Why is that? Is there something wrong?
B.R.
Rixin liu
Hello,
what libssl version do you have? Some of them have bugs related to compression and the feature is disabled if such a case is discovered.
You can set debug=3 and send over the log messages from startup.
Cheers, Daniel
On 06/05/14 11:36, 刘日新 wrote:
> Hi, all.
> I have configured kamailio.cfg as below:
> #!ifdef WITH_TLS
> modparam("tls", "session_id", "vic22")
> modparam("tls", "session_cache",1)
> modparam("tls", "tls_disable_compression",0)
> modparam("tls", "config", "/usr/cfg/tls.cfg")
> #!endif
> I was sure that this configuration segment was included: in case I set a wrong path to
> modparam("tls", "config", "/wrong paths/tls.cfg")
> kamailio can't boot and raises an error.
> But when I debugged this configuration with gdb, I found that, within the method init_tls_compression(),
> line 384 of tls_init.c:
> 384 } else if (cfg_get(tls, tls_cfg, disable_compression)){
> 385 LOG(L_INFO, "tls: init_tls: disabling compression...\n");
> 386 sk_SSL_COMP_zero(comp_methods);
> The param value from cfg was always 1, namely:
> * print ((struct cfg_group_tls *)tls_cfg)->disable_compression
> 1
> Why is that? Is there something wrong?
> B.R.
> Rixin liu
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
The general recommendation from TLS security experts is to never ever use TLS compression.
/O
On 06 May 2014, at 16:38, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
> Hello,
> what libssl version do you have? Some of them have bugs related to compression and the feature is disabled if such a case is discovered.
> You can set debug=3 and send over the log messages from startup.
> Cheers, Daniel
Hi, all.
After studying the source code of kamailio, I found that if a higher openssl version is adopted,
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
then, within the function init_tls_compression(), it (kamailio) will read the conf parameter:
cfg_get(tls, tls_cfg, disable_compression)
but this method is called via mod_register --> tls_pre_init --> init_tls_compression, when mod_init() has not yet been invoked, and the invocation cfg_get(tls, tls_cfg, disable_compression) always returns 1, which is the default value.
Thus, if a brand-new openssl is adopted, compression is always disabled. It sounds like a bug?
BTW: I know TLS with compression is not a good idea, but I had to try this solution for some business reason.
Thanks all very much.
rixin liu
------------------ Original ------------------
From: "Olle E. Johansson" <oej@edvina.net>
Date: Tue, May 6, 2014 10:58 PM
To: "Daniel Constantin Mierla" <miconda@gmail.com>; "Kamailio (SER) - Users Mailing List" <sr-users@lists.sip-router.org>
Subject: Re: [SR-Users] How to enable TLS compression
The general recommendation from TLS security experts is to never ever use TLS compression.
/O
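The start-up ordering described in the last message above, as a small self-contained model. This is an added example, not Kamailio's code: the struct and every `model_*` / `startup_*` name are hypothetical, and the only assumptions taken from the thread are the default value of 1 and the call order mod_register --> tls_pre_init --> init_tls_compression before the script's modparam is applied.

```c
#include <stdio.h>

/* Hypothetical model of the config group; not Kamailio's real struct. */
struct tls_cfg_model { int disable_compression; };

/* Compiled-in default as reported in the thread: 1 = compression disabled. */
static struct tls_cfg_model tls_cfg = { 1 };
static int compression_active = -1;   /* -1 = not decided yet */

/* Stand-in for init_tls_compression(): latches the decision from whatever
 * config value is visible at the moment of the call. */
static void model_init_compression(void) {
    compression_active = tls_cfg.disable_compression ? 0 : 1;
}

/* Stand-in for applying modparam("tls", "tls_disable_compression", v). */
static void model_apply_modparam(int v) { tls_cfg.disable_compression = v; }

static void model_reset(void) {
    tls_cfg.disable_compression = 1;
    compression_active = -1;
}

/* Order described in the thread: the compression decision is taken during
 * pre-init, before the script parameter has been applied. */
int startup_as_described(int modparam_value) {
    model_reset();
    model_init_compression();             /* sees only the default (1) */
    model_apply_modparam(modparam_value); /* arrives after the decision */
    return compression_active;
}

/* Alternative order: take the decision only after parameters are applied. */
int startup_deferred(int modparam_value) {
    model_reset();
    model_apply_modparam(modparam_value);
    model_init_compression();
    return compression_active;
}

int main(void) {
    printf("as described, modparam=0: compression=%d\n", startup_as_described(0));
    printf("deferred,     modparam=0: compression=%d\n", startup_deferred(0));
    return 0;
}
```

In both orders the default stays at compression disabled; the model only shows that a decision latched before parameters are applied cannot reflect the value set in the script.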