[Spce-user] After update to latest hotfix from today 4.3.1 version - Kamailio failed to start

Alex Lutay alutay at sipwise.com
Tue Jun 7 08:16:50 EDT 2016


Hi all,

On 06/07/2016 10:50 AM, Christian Rohmann wrote:
> On 06/07/2016 12:53 AM, Alex Lutay wrote:
>> The update came from Debian Jessie which is not under Sipwise control.
> 
> True, but the Debian policy is to only fix things and not do anything
> inside one release that breaks things.

Yes, in theory, while in practice we have two problems released
from Debian security on the same day:
1) current libssl <-> kamailio tls issue
2) perl <-> ngcp-panel issue, see upstream report
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826563

Both happened at the same time, and both were noticed by internal Sipwise
nightly tests. ngcp-panel was addressed and hotfixed immediately,
kamailio was rebuilt using the new library a bit later, after the report
on the spce-users@ mailing list.

> Why is there such a hard dependency to a certain version of the library?
> I mean the whole idea behind external and dynamic libraries is that you
> can update them individually from your binaries.

We were surprised in the same way.
We are working internally to make it more friendly to libssl upgrades.

> I suppose you'll investigate further what was the issue in this case.
> The documentation says that minor version updates (read "security
> updates") should be fine:
> http://kamailio.org/docs/modules/4.3.x/modules/tls.html#tls.p.tls_force_run

Yes, sure, we are checking the possibility of preventing this in the future.
Documentation VS code here :-(

> Either Kamailio (or the tls_module) is too strict in checking the
> external lib or the update to the openssl package was a little too intense.

It is a kamailio TLS module, see the code here:

>>  modules/tls/tls_init.c
>> #if OPENSSL_VERSION_NUMBER < 0x00907000L
>>         WARN("You are using an old version of OpenSSL (< 0.9.7). Upgrade!\n");
>> #endif
>>         ssl_version=SSLeay();
>>         /* check if version have the same major minor and fix level
>>          * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) */
>>         if ((ssl_version>>8)!=(OPENSSL_VERSION_NUMBER>>8)){
>>                 LOG(L_CRIT, "ERROR: tls: init_tls_h: installed openssl library "
>>                                 "version is too different from the library the Kamailio tls module "
>>                                 "was compiled with: installed \"%s\" (0x%08lx), compiled "
>>                                 "\"%s\" (0x%08lx).\n"
>>                                 " Please make sure a compatible version is used"
>>                                 " (tls_force_run in kamailio.cfg will override this check)\n",
>>                                 SSLeay_version(SSLEAY_VERSION), ssl_version,
>>                                 OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER);
>>                 if (cfg_get(tls, tls_cfg, force_run))
>>                         LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, ignoring "
>>                                                 " openssl version mismatch\n");
>>                 else
>>                         return -1; /* safer to exit */
>>         }

-- 
Alex Lutay

Meet us @ ANGACOM: Hall 10.1 / booth N10
Exhibition and Congress for Broadband,
Cable & Satellite: 07 – 09 June, 2016 in Cologne
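
The version comparison from the quoted tls_init.c excerpt, run against constructed version numbers as an added example (not part of the original post and not Kamailio's own code). It assumes the pre-3.0 OpenSSL layout 0xMNNFFPPS; `compatible_shift12` is a hypothetical relaxed comparison shown for contrast, and the sample versions are constructed rather than taken from the thread.

```c
#include <stdio.h>

/* Pre-3.0 OpenSSL encodes its version as 0xMNNFFPPS: M major, NN minor,
 * FF fix, PP patch letter (a=1, b=2, ...), S status (0xf = release). */

/* Constructed sample values in that encoding (not taken from the thread). */
#define V_0_9_8A 0x0090801fUL
#define V_0_9_8C 0x0090803fUL
#define V_0_9_9  0x0090900fUL /* hypothetical next fix level */
#define V_1_0_1K 0x100010bfUL /* patch letter k = 0x0b */
#define V_1_0_1T 0x1000114fUL /* patch letter t = 0x14 */

/* Same comparison as the quoted tls_init.c excerpt: >>8 drops the status
 * nibble and only the LOW nibble of the patch byte, so the high patch
 * nibble still takes part in the comparison. */
static int compatible_shift8(unsigned long runtime, unsigned long built)
{
    return (runtime >> 8) == (built >> 8);
}

/* Hypothetical relaxed variant: >>12 drops the whole patch byte, so only
 * major, minor and fix level are compared. */
static int compatible_shift12(unsigned long runtime, unsigned long built)
{
    return (runtime >> 12) == (built >> 12);
}

static void show(const char *label, unsigned long runtime, unsigned long built)
{
    printf("%-16s runtime=0x%08lx built=0x%08lx  >>8:%s  >>12:%s\n",
           label, runtime, built,
           compatible_shift8(runtime, built) ? "ok" : "MISMATCH",
           compatible_shift12(runtime, built) ? "ok" : "MISMATCH");
}

int main(void)
{
    show("0.9.8c vs 0.9.8a", V_0_9_8C, V_0_9_8A);
    show("0.9.9  vs 0.9.8a", V_0_9_9, V_0_9_8A);
    show("1.0.1t vs 1.0.1k", V_1_0_1T, V_1_0_1K);
    return 0;
}
```

With `>>8`, patch letters compare equal only while they share the same high nibble (a through o), so a jump such as k to t is rejected unless `tls_force_run` is set.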


