Hi everyone,

Just sharing that the solution was to add these two lines to the [Service]
section of the systemd unit file:

Environment=LD_LIBRARY_PATH=/opt/openssl/lib64
Environment=OPENSSL_CONF=/etc/ssl/fips.cnf

And also apply a patch to Kamailio in src/modules/tls/tls_mod.c so that it
logs the OpenSSL library at run-time, as well as the default logging of the
OpenSSL library at compilation:

448c448,461
<       LM_INFO("use OpenSSL version: %08x\n",
(uint32_t)(OPENSSL_VERSION_NUMBER));
---
>
> #if OPENSSL_VERSION_NUMBER < 0x030000000L
>       LM_INFO("compiled with OpenSSL version: %08x\n",
(uint32_t)(OPENSSL_VERSION_NUMBER));
> #elif OPENSSL_VERSION_NUMBER >= 0x030000000L
>       LM_INFO("compiled with OpenSSL: %s\n", OPENSSL_VERSION_TEXT);
>       LM_INFO("run-time OpenSSL library: %s\n",
OpenSSL_version(OPENSSL_VERSION));
>
>       if(EVP_default_properties_is_fips_enabled(NULL) == 1) {
>               LM_INFO("FIPS mode enabled in OpenSSL library\n");
>       } else  {
>               LM_INFO("FIPS mode not enabled in OpenSSL library\n");
>       }
> #endif
>
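
Review bot: In the branch under "#if OPENSSL_VERSION_NUMBER < 0x030000000L" only the compile-time version is logged, so a build against a pre-3.0 library still cannot show which library was actually loaded; OpenSSL_version(OPENSSL_VERSION) exists from OpenSSL 1.1.0 and could be logged for those builds as well. The constant 0x030000000L has nine hex digits; it evaluates to the same value as 0x30000000L, but the usual eight-digit form is easier to check by eye, and the "#elif" with the exactly complementary condition can be a plain "#else". EVP_default_properties_is_fips_enabled(NULL) reports on the default library context only, which deserves a short comment next to the call.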

Tested with Kamailio 5.8.2. Hope this helps.


On Tue, 27 Aug 2024 at 12:01, David Cunningham <[email protected]>
wrote:

> Hi Henning,
>
> The issue happens even if I run Kamailio directly from the command line,
> having set LD_LIBRARY_PATH in the environment first. Please see the
> commands below. OpenSSL 3.0.2 is installed with Ubuntu, and OpenSSL 3.0.9
> with FIPS compiled in /opt/openssl.
>
> Setting LD_LIBRARY_PATH does seem to work for Apache, although Apache was
> compiled with the "--with-ssl=/opt/openssl" option. Would there by any
> chance be an equivalent for Kamailio? Thanks again for your help.
>
>
> root@caes8:~# ls /opt/openssl/lib64/
> engines-3  libcrypto.a  libcrypto.so  libcrypto.so.3  libssl.a  libssl.so
>  libssl.so.3  ossl-modules  pkgconfig
>
> root@caes8:~# export LD_LIBRARY_PATH=/opt/openssl/lib64
>
> root@caes8:~# /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
> loading modules under config path:
> /lib/kamailio/modules/:/lib64/kamailio/modules/
> Listening on
>              udp: xx.xx.xx.xx:5060
>              tls: xx.xx.xx.xx:5061
> Aliases:
>
> root@caes8:~# ps -ef | grep kamailio | head
> product 2905052       1  9 16:55 ?        00:00:00 /sbin/kamailio -m 512
> -M 8 -P /var/run/product/kamailio.pid
> product 2905078 2905052  0 16:55 ?        00:00:00 /sbin/kamailio -m 512
> -M 8 -P /var/run/product/kamailio.pid
> product 2905079 2905052  0 16:55 ?        00:00:00 /sbin/kamailio -m 512
> -M 8 -P /var/run/product/kamailio.pid
> product 2905080 2905052  0 16:55 ?        00:00:00 /sbin/kamailio -m 512
> -M 8 -P /var/run/product/kamailio.pid
> product 2905081 2905052  0 16:55 ?        00:00:00 /sbin/kamailio -m 512
> -M 8 -P /var/run/product/kamailio.pid
> product 2905082 2905052  0 16:55 ?        00:00:00 /sbin/kamailio -m 512
> -M 8 -P /var/run/product/kamailio.pid
> product 2905083 2905052  0 16:55 ?        00:00:00 /sbin/kamailio -m 512
> -M 8 -P /var/run/product/kamailio.pid
> product 2905084 2905052  0 16:55 ?        00:00:00 /sbin/kamailio -m 512
> -M 8 -P /var/run/product/kamailio.pid
> product 2905085 2905052  0 16:55 ?        00:00:00 /sbin/kamailio -m 512
> -M 8 -P /var/run/product/kamailio.pid
> product 2905087 2905052  0 16:55 ?        00:00:00 /sbin/kamailio -m 512
> -M 8 -P /var/run/product/kamailio.pid
>
> root@caes8:~# grep -i 'OpenSSL version' /var/log/syslog | tail
> Aug 26 16:55:28 caes8 /sbin/kamailio[2905052]: INFO: tls [tls_mod.c:448]:
> mod_init(): use OpenSSL version: 30000020
>
>
> On Sun, 25 Aug 2024 at 18:34, Richard Chan via sr-users <
> [email protected]> wrote:
>
>> Hello David,
>>
>> Can you present your launcher script here?
>>
>> LD_LIBRARY_PATH is the correct way to use an ABI-compatible (same SONAME)
>> alternative to a system library.
>>
>> The boilerplate looks like this:
>>
>> #!/bin/bash
>> # IMPORTANT: intended replacements must have the same SONAME as what
>> # tls.so was built with, i.e., libssl.so.3, libcrypto.so.3
>> # Your local artifacts libssl.so.3 libcrypto.so.3 installed to /opt/openssl3/lib64
>> # EITHER
>> export LD_LIBRARY_PATH=/opt/openssl3/lib64  #export is required
>> /usr/sbin/kamailio  <args .....>
>>
>> # OR - same line -
>> LD_LIBRARY_PATH=/opt/openssl3/lib64 /usr/sbin/kamailio <args .....>
>>
>> Cheers
>> Richard
>>
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>> To unsubscribe send an email to [email protected]
>> Important: keep the mailing list in the recipients, do not reply only to
>> the sender!
>> Edit mailing list options or unsubscribe:
>>
>
>
> --
> David Cunningham, Voisonics Limited
> http://voisonics.com/
> USA: +1 213 221 1092
> New Zealand: +64 (0)28 2558 3782
>


-- 
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
New Zealand: +64 (0)28 2558 3782
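
Added example, not part of the original thread: a way to confirm from /proc/<pid>/maps that the running Kamailio process mapped libssl.so.3 and libcrypto.so.3 from /opt/openssl/lib64 rather than the system copies. The function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm which OpenSSL shared objects a
# running process mapped, by reading /proc/<pid>/maps.

# Print the unique libssl/libcrypto paths in a maps file (field 6 is the path).
mapped_openssl_libs() {
    awk '$6 ~ /\/lib(ssl|crypto)\.so/ { print $6 }' "$1" | sort -u
}

# Return 0 only if OpenSSL libraries are mapped and all sit under EXPECTED_DIR.
check_openssl_origin() {
    libs=$(mapped_openssl_libs "$1")
    expected=${2%/}
    [ -n "$libs" ] || { echo "no libssl/libcrypto mapped"; return 1; }
    rc=0
    while IFS= read -r lib; do
        case "$lib" in
            "$expected"/*) echo "OK   $lib" ;;
            *) echo "FAIL $lib (not under $expected)"; rc=1 ;;
        esac
    done <<EOF
$libs
EOF
    return "$rc"
}

# Constructed sample: maps lines as they would look with the libraries under DIR.
sample_maps() {
    for so in libssl.so.3 libcrypto.so.3; do
        printf '7f10a0000000-7f10a0010000 r--p 00000000 08:01 131 %s/%s\n' "$1" "$so"
        printf '7f10a0010000-7f10a0050000 r-xp 00010000 08:01 131 %s/%s\n' "$1" "$so"
    done
    printf '7f10b0000000-7f10b0020000 r-xp 00000000 08:01 977 /lib/kamailio/modules/tls.so\n'
}

# Usage: script PID EXPECTED_DIR (e.g. the Kamailio main PID and /opt/openssl/lib64)
if [ "$#" -eq 2 ]; then
    check_openssl_origin "/proc/$1/maps" "$2"
fi
```

Run it as the user that owns the process (or root), since /proc/<pid>/maps is not readable for other users' processes.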