Hello David,

thanks for reporting back. Just for the archives, the code change mentioned below was also integrated in git master.

Cheers,
Henning

From: David Cunningham via sr-users <[email protected]>
Sent: Wednesday, 4 September 2024 01:41
To: Kamailio (SER) - Users Mailing List <[email protected]>
Cc: David Cunningham <[email protected]>
Subject: [SR-Users] Re: Using a different OpenSSL

Hi everyone,

Just sharing that the solution was to add these two lines to the [Service] section of the systemd unit file:

Environment=LD_LIBRARY_PATH=/opt/openssl/lib64
Environment=OPENSSL_CONF=/etc/ssl/fips.cnf

And also apply a patch to Kamailio in src/modules/tls/tls_mod.c so that it logs the OpenSSL library at run-time, as well as the default logging of the OpenSSL library at compilation:

448c448,461 < LM_INFO("use OpenSSL version: %08x\n", (uint32_t)(OPENSSL_VERSION_NUMBER)); --- > > #if OPENSSL_VERSION_NUMBER < 0x030000000L > LM_INFO("compiled with OpenSSL version: %08x\n", > (uint32_t)(OPENSSL_VERSION_NUMBER)); > #elif OPENSSL_VERSION_NUMBER >= 0x030000000L > LM_INFO("compiled with OpenSSL: %s\n", OPENSSL_VERSION_TEXT); > LM_INFO("run-time OpenSSL library: %s\n", > OpenSSL_version(OPENSSL_VERSION)); > > if(EVP_default_properties_is_fips_enabled(NULL) == 1) { > LM_INFO("FIPS mode enabled in OpenSSL library\n"); > } else { > LM_INFO("FIPS mode not enabled in OpenSSL library\n"); > } > #endif >

Tested with Kamailio 5.8.2. Hope this helps.

On Tue, 27 Aug 2024 at 12:01, David Cunningham <[email protected]> wrote:

Hi Henning,

The issue happens even if I run Kamailio directly from the command line, having set LD_LIBRARY_PATH in the environment first. Please see the commands below. OpenSSL 3.0.2 is installed with Ubuntu, and OpenSSL 3.0.9 with FIPS compiled in /opt/openssl.

Setting LD_LIBRARY_PATH does seem to work for Apache, although Apache was compiled with the "--with-ssl=/opt/openssl" option. Would there by any chance be an equivalent for Kamailio?

Thanks again for your help.

root@caes8:~# ls /opt/openssl/lib64/
engines-3 libcrypto.a libcrypto.so libcrypto.so.3 libssl.a libssl.so libssl.so.3 ossl-modules pkgconfig
root@caes8:~# export LD_LIBRARY_PATH=/opt/openssl/lib64
root@caes8:~# /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
loading modules under config path: /lib/kamailio/modules/:/lib64/kamailio/modules/
Listening on
    udp: xx.xx.xx.xx:5060
    tls: xx.xx.xx.xx:5061
Aliases:
root@caes8:~# ps -ef | grep kamailio | head
product 2905052 1 9 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905078 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905079 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905080 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905081 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905082 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905083 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905084 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905085 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
product 2905087 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid
root@caes8:~# grep -i 'OpenSSL version' /var/log/syslog | tail
Aug 26 16:55:28 caes8 /sbin/kamailio[2905052]: INFO: tls [tls_mod.c:448]: mod_init(): use OpenSSL version: 30000020

On Sun, 25 Aug 2024 at 18:34, Richard Chan via sr-users <[email protected]> wrote:

Hello David,

Can you present your launcher script here? LD_LIBRARY_PATH is the correct way to use an ABI compatible (same SONAME) alternative to a system library.

The boilerplate looks like this:

#!/bin/bash
# IMPORTANT: intended replacements must have the same SONAME as what
# tls.so was built with, i.e., libssl.so.3, libcrypto.so.3
# Your local artifacts libssl.so.3 libcrypto.so.3 installed to /opt/openssl3/lib64

# EITHER
export LD_LIBRARY_PATH=/opt/openssl3/lib64 #export is required
/usr/sbin/kamailio <args .....>

# OR - same line -
LD_LIBRARY_PATH=/opt/openssl3/lib64 /usr/sbin/kamailio <args .....>

Cheers
Richard

__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to [email protected]
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:

--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
New Zealand: +64 (0)28 2558 3782
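
Review bot: In the `#elif` branch of the tls_mod.c patch above, `EVP_default_properties_is_fips_enabled(NULL)` only reports whether the default library context has `fips=yes` among its default properties, so "FIPS mode enabled in OpenSSL library" can be logged without confirming that the FIPS provider itself was loaded; consider also logging the result of `OSSL_PROVIDER_available(NULL, "fips")`, or wording the message so it says it reflects the default properties. The run-time line using `OpenSSL_version(OPENSSL_VERSION)` is limited to 3.x builds although that call exists from OpenSSL 1.1.0 onward, so builds against 1.1.x still log only the compile-time number. As a style point, `#elif OPENSSL_VERSION_NUMBER >= 0x030000000L` is the exact complement of the `#if` and reads more simply as `#else`, and the nine-digit constant would be clearer in the usual form `0x30000000L`.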
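
The first log line in the thread (`use OpenSSL version: 30000020`) is the compile-time constant, so it cannot show which library the loader picked. As a check that does not depend on Kamailio's logging, the following added example (not code from the thread or from Kamailio) reads a process's `/proc/<pid>/maps` and flags any libssl/libcrypto mapping outside an expected prefix; the function name, messages and sample map lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which libssl/libcrypto files a
# process has mapped, reading /proc/<pid>/maps text on stdin.

# Constructed sample maps lines: libcrypto from /opt, libssl from the distro.
SAMPLE_MAPS='7f1a2c000000-7f1a2c0b4000 r--p 00000000 08:01 1311 /opt/openssl/lib64/libcrypto.so.3
7f1a2c0b4000-7f1a2c3f0000 r-xp 000b4000 08:01 1311 /opt/openssl/lib64/libcrypto.so.3
7f1a2c800000-7f1a2c81f000 r--p 00000000 08:01 2207 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f1a2d000000-7f1a2d028000 r--p 00000000 08:01 1102 /usr/lib/x86_64-linux-gnu/libc.so.6'

# check_openssl_prefix PREFIX < maps
# Exit status 0 only if libssl and libcrypto are both mapped, both from under
# PREFIX, and neither file was deleted or replaced on disk after loading.
check_openssl_prefix() {
    awk -v prefix="${1%/}/" '
        $6 ~ "/lib(ssl|crypto)[.]so([.][0-9]+)*$" && !seen[$6]++ {
            name = ($6 ~ "/libssl[.]") ? "libssl" : "libcrypto"
            found[name] = 1
            if (index($6, prefix) != 1) { print "outside prefix: " $6; bad = 1 }
            if ($7 == "(deleted)")      { print "deleted on disk: " $6; bad = 1 }
        }
        END {
            if (!found["libssl"])    { print "not mapped: libssl";    bad = 1 }
            if (!found["libcrypto"]) { print "not mapped: libcrypto"; bad = 1 }
            exit bad + 0
        }'
}

# Demo on the constructed sample; prints the offending libssl path.
printf '%s\n' "$SAMPLE_MAPS" | check_openssl_prefix /opt/openssl/lib64 ||
    echo "result: not running entirely on /opt/openssl/lib64"

# Live use, with the pid file path from the thread (run as root):
#   check_openssl_prefix /opt/openssl/lib64 \
#       < "/proc/$(cat /var/run/product/kamailio.pid)/maps"
```

A mixed result like the sample's, with libcrypto from one tree and libssl from another, is worth catching because the two libraries are built as a pair.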
