[SR-Users] Testers wanted for new TLS transport based on wolfSSL

Richard Chan shihping.chan at gmail.com
Fri Jun 17 10:53:00 CEST 2022


Hello Kamailio users,

I would like testers to try out a new module tls_wolfssl,
an alternate TLS transport based on wolfSSL.

Why another TLS transport implementation?

The travails of using OpenSSL >= 1.1.1 in Kamailio’s multi-process
paradigm have been documented by OpenSIPS (and that sister
project has implemented tls_wolfssl). Essentially, OpenSSL makes
no concessions to the multi-process use case and in fact has implementation
details that work against global shared memory structures.

As a result, Kamailio contains some tricky code:
* a pthread polyfill in core
* duplicated SSL_CTX per worker
* atexit workaround

How to test?

The code is currently in master and can be built in the usual way.
Debian has the needed libwolfssl-dev 5.2.0; for some RPM distros (el8, el9,
fc36) I have created a Copr repository:
https://copr.fedorainfracloud.org/coprs/beaveryoga/wolfSSL/

Known limitations
The current state can be considered as identical to tls+OpenSSL 1.1.1/3.0.x.

Old TLS protocols < 1.2 and cipher list configuration don’t work, i.e., only
TLS 1.2 and 1.3 work with the default cipher list.

In your configuration just replace
loadmodule "tls.so"
with
loadmodule "tls_wolfssl.so"

The rest of the TLS configuration can remain unchanged unless
you are using a funky protocol version/cipher list combination.

Thanks!

S-P