[SR-Users] Unable to enable TLS on Kamailio

Daniel-Constantin Mierla miconda at gmail.com
Tue Dec 12 18:46:31 CET 2017


Can you explain more clearly what the relation is between your
message and the issue discussed in this email thread? Maybe I didn't get
it right, but the bug that didn't allow setting a memory manager has
nothing to do with how good or bad a memory manager implementation is
from security and safety points of view. Your suggestion to use jemalloc
or any other memory manager is not possible with that version of
libssl, because that version simply doesn't allow setting a memory manager.

The bug was fixed in libssl, but some distros distributed the broken
version; that's the reason it is required to use an older or newer
version than the affected ones.

Cheers,
Daniel

On 12.12.17 18:01, otron2016 at gmail.com wrote:
>
> Broken is in the eyes of the beholder:  well designed cryptographic
> code wants to ensure that information (keys, cleartext) doesn't leak
> via unsanitized memory (there are many ways, both within and beyond
> calling programs); the easy and more foolproof way to do that for the
> cryptography programmer is often to use a memory manager that takes
> care of that, such as jemalloc (with appropriate configuration
> parameters).
>
> If you make security representations (and the certificate is
> reasonably construed to make a security representation) you shouldn't
> bypass this unless you verify that you prevent all possible
> information leaks. 
>
> From arm's length, you might just try to use jemalloc as kamailio's mm
> library, but even there it would be necessary to be really careful
> about kamailio freeing sensitive memory immediately after
> use--everywhere that happens. That's why it's probably easier to
> just let a properly implemented crypto library do what it's designed
> to do.
>
> -------- Original message --------
> From: Daniel-Constantin Mierla <miconda at gmail.com>
> Date: 12/12/2017 2:26 AM (GMT-06:00)
> To: "Kamailio (SER) - Users Mailing List"
> <sr-users at lists.kamailio.org>,Tomi Hakkarainen <tpaivaa at gmail.com>
> Subject: Re: [SR-Users] Unable to enable TLS on Kamailio
>
>
> Hello,
>
> There were some broken versions of openssl that no longer allowed
> setting a custom memory manager. The only option is to upgrade libssl to
> a version that doesn't expose the issue. If you search the Kamailio
> issue tracker on github.com, there should be a closed one about this topic.
>
> Cheers,
> Daniel
>
>
> On 11.12.17 22:20, Tomi Hakkarainen wrote:
>> Hi,
>>   
>> I have a problem enabling TLS on a just-installed Kamailio server
>> openSUSE 42.3 (x86_64)
>> VERSION = 42.3
>> CODENAME = Malachite
>>
>> version: kamailio 5.0.4 (x86_64/linux) 
>> flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS,
>> DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC,
>> Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX,
>> FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR,
>> USE_DST_BLACKLIST, HAVE_RESOLV_RES
>> ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
>> MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
>> poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
>> id: unknown 
>> compiled on 18:06:25 Dec  3 2017 with gcc 4.8.5
>>
>> I get this on debug log:
>>
>>  0(11336) DEBUG: <core> [core/cfg.y:1642]: yyparse(): loading modules
>> under /usr/lib64/kamailio/modules/
>> loading modules under config path: /usr/lib64/kamailio/modules/
>>  0(11336) DEBUG: <core> [core/cfg.y:1623]: yyparse(): loading module
>> tls.so
>>  0(11336) DEBUG: <core> [core/sr_module.c:575]: load_module(): trying
>> to load </usr/lib64/kamailio/modules/tls.so>
>>  0(11336) DEBUG: <core> [core/mem/q_malloc.c:189]: qm_malloc_init():
>> qm_malloc_init: QM_OPTIMIZE=16384, /ROUNDTO=2048
>>  0(11336) DEBUG: <core> [core/mem/q_malloc.c:191]: qm_malloc_init():
>> qm_malloc_init: QM_HASH_SIZE=2099, qm_block size=235152
>>  0(11336) DEBUG: <core> [core/mem/q_malloc.c:193]: qm_malloc_init():
>> qm_malloc_init(0x7f6e001cb000, 67108864), start=0x7f6e001cb000
>>  0(11336) DEBUG: <core> [core/mem/q_malloc.c:202]: qm_malloc_init():
>> qm_malloc_init: size= 67108864, init_overhead=235256
>>  0(11336) ERROR: tls [tls_init.c:595]: tls_pre_init(): Unable to set
>> the memory allocation functions
>>  0(11336) ERROR: tls [tls_init.c:597]: tls_pre_init(): libssl current
>> mem functions - m: 0x7f6e055b33d0 r: 0x7f6e055b3a30 f: 0x7f6e055b39a0
>>  0(11336) ERROR: tls [tls_init.c:599]: tls_pre_init(): Be sure tls
>> module is loaded before any other module using libssl (can be loaded
>> first to be safe)
>>  0(11336) ERROR: <core> [core/sr_module.c:607]: load_module():
>> /usr/lib64/kamailio/modules/tls.so: mod_register failed
>>  0(11336) CRITICAL: <core> [core/cfg.y:3411]: yyerror_at(): parse
>> error in config file /etc/kamailio/kamailio.cfg, line 150, column
>> 12-19: failed to load module
>>
>> To resolve it I have compiled openssl from 1.0.2j-fips to
>>
>> openssl version
>> OpenSSL 1.0.2n  7 Dec 2017
>>
>> Is this information enough to see what we are missing?
>> Will provide more info if needed.
>> Any help and suggestions are appreciated.
>>
>> Regards, 
>> T
>>
>
> -- 
> Daniel-Constantin Mierla
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Kamailio Advanced Training - www.asipto.com
> Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
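
The hint logged at tls_init.c:599 (load the tls module before any other module using libssl) reflects a rule of libssl's allocator hooks: they can be replaced only before the library's first allocation. The C program below is an added illustration, not code from Kamailio or OpenSSL; it is a simplified model of that rule, and every name in it (`lib_set_mem_functions`, `app_malloc`, `startup`) is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not libssl source: allocator hooks can be replaced
 * only until the library has allocated for the first time. */
typedef void *(*malloc_fn)(size_t);
typedef void (*free_fn)(void *);

static malloc_fn lib_m = malloc;
static free_fn lib_f = free;
static int allow_customize = 1;
static unsigned long app_allocs;          /* served by the app's manager */

int lib_set_mem_functions(malloc_fn m, free_fn f)
{
    if (!allow_customize || !m || !f)
        return 0;                         /* too late, or bad arguments */
    lib_m = m;
    lib_f = f;
    return 1;
}

void *lib_malloc(size_t n) { allow_customize = 0; return lib_m(n); }
void lib_free(void *p) { lib_f(p); }

/* Hypothetical stand-ins for the application's own memory manager. */
static void *app_malloc(size_t n) { app_allocs++; return malloc(n); }
static void app_free(void *p) { free(p); }

/* Run one startup order. other_first != 0 means some other component used
 * the library before the hooks were installed. Returns the install result;
 * *served is set to how many allocations the app's manager handled. */
int startup(int other_first, unsigned long *served)
{
    lib_m = malloc; lib_f = free; allow_customize = 1; app_allocs = 0;
    if (other_first)
        lib_free(lib_malloc(32));         /* early library use */
    int ok = lib_set_mem_functions(app_malloc, app_free);
    lib_free(lib_malloc(64));             /* later TLS work */
    *served = app_allocs;
    return ok;
}

int main(void)
{
    unsigned long n;
    int ok = startup(0, &n);
    printf("hooks first:   ok=%d app_allocs=%lu\n", ok, n);
    ok = startup(1, &n);
    printf("library first: ok=%d app_allocs=%lu\n", ok, n);
    return 0;
}
```

When the install call returns 0, later library allocations stay on the default heap instead of the application's manager, which is the condition tls_pre_init() reports before refusing to load.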
