Hello,

concerning OpenSSL, https://kamailio.org/docs/modules/devel/modules/tls.html says:

> For OpenSSL (libssl) v1.1.x, it is required to preload
> 'openssl_mutex_shared' library shipped by Kamailio. … This module includes
> several workarounds for various Openssl bugs (like compression and Kerberos
> using the wrong memory allocations functions, low memory problems a.s.o).

Compression over TLS is considered insecure because of the CRIME attack.

Kerberos is probably used for the cipher suites:

  TLS_KRB5_WITH_3DES_EDE_CBC_SHA,
  TLS_KRB5_WITH_RC4_128_SHA,
  TLS_KRB5_WITH_IDEA_CBC_SHA,
  TLS_KRB5_WITH_DES_CBC_MD5,
  TLS_KRB5_WITH_3DES_EDE_CBC_MD5,
  TLS_KRB5_WITH_RC4_128_MD5,
  TLS_KRB5_WITH_IDEA_CBC_MD5,
  TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
  TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
  TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
  TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,
  TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,
  TLS_KRB5_EXPORT_WITH_RC4_40_MD5

all of which are insecure (because they use 3DES, RC4, DES, RC2), or weak, not supporting Perfect Forward Secrecy, cf:

https://ciphersuite.info/cs/TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA/
https://ciphersuite.info/cs/TLS_KRB5_WITH_3DES_EDE_CBC_SHA/

That said, neither TLS compression nor Kerberos TLS cipher suites shall be used. This leaves the question whether there are problems which are still solved by preloading openssl_mutex_shared.so (e.g. low memory problems).

Greetings
Дилян

-----Original Message-----
From: Дилян Палаузов <[email protected]>
To: [email protected]
Subject: Must openssl_mutex_shared.so be preloaded?
Date: 12/11/2022 12:58:44 PM

Hello,

The documentation on using openssl_mutex_shared.so is contradictory.

https://github.com/kamailio/kamailio/blob/master/src/modules/tls/README#L293 says:

> For OpenSSL (libssl) v1.1.x, it is required to preload 'openssl_mutex_shared'
> library shipped by Kamailio. For more details see
> 'src/modules/tls/openssl_mutex_shared/README.md'.

https://github.com/kamailio/kamailio/blob/master/src/modules/tls/utils/openssl_mutex_shared/README.md says:

> IMPORTANT: the workaround of using this preloaded shared library is no longer
> needed starting with Kamailio v5.3.0-pre1 (git master branch after September
> 14, 2019). The code of this shared library has been included in the core of
> Kamailio and the same behaviour is now achieved by default.

It is unclear whether openssl_mutex_shared.so must be preloaded. In case the library is not needed anymore, it shall not be compiled and installed.

Kind regards
Дилян
