[Spce-user] After update to latest hotfix from today 4.3.1 version - Kamailio failed to start
Alex Lutay
alutay at sipwise.com
Tue Jun 7 08:16:50 EDT 2016
Hi all,
On 06/07/2016 10:50 AM, Christian Rohmann wrote:
> On 06/07/2016 12:53 AM, Alex Lutay wrote:
>> The update came from Debian Jessie which is not under Sipwise control.
>
> True, but the Debian policy is to only fix things and not do anything
> inside one release that breaks things.
Yes, in theory, while in practice we have two problems released
from Debian security on the same day:
1) current libssl <-> kamailio tls issue
2) perl <-> ngcp-panel issue, see upstream report
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826563
Both happened at the same time, and both were noticed by internal Sipwise
nightly tests. ngcp-panel was addressed and hotfixed immediately;
kamailio was rebuilt using the new library a bit later, after the report
on the spce-users@ mailing list.
> Why is there such a hard dependency to a certain version of the library?
> I mean the whole idea behind external and dynamic libraries is that you
> can update them individually from your binaries.
We were surprised in the same way.
We are working internally to make it more friendly to libssl upgrades.
> I suppose you'll investigate further what was the issue in this case.
> The documentation says that minor version updates (read "security
> updates") should be fine:
> http://kamailio.org/docs/modules/4.3.x/modules/tls.html#tls.p.tls_force_run
Yes, sure, we are checking the possibility of preventing this in the future.
Documentation vs. code here :-(
> Either Kamailio (or the tls_module) is too strict in checking the
> external lib or the update to the openssl package was a little too intense.
It is the Kamailio TLS module; see the code here:
>> modules/tls/tls_init.c
>> #if OPENSSL_VERSION_NUMBER < 0x00907000L
>>     WARN("You are using an old version of OpenSSL (< 0.9.7). Upgrade!\n");
>> #endif
>>     ssl_version=SSLeay();
>>     /* check if version have the same major minor and fix level
>>      * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) */
>>     if ((ssl_version>>8)!=(OPENSSL_VERSION_NUMBER>>8)){
>>         LOG(L_CRIT, "ERROR: tls: init_tls_h: installed openssl library "
>>             "version is too different from the library the Kamailio tls module "
>>             "was compiled with: installed \"%s\" (0x%08lx), compiled "
>>             "\"%s\" (0x%08lx).\n"
>>             " Please make sure a compatible version is used"
>>             " (tls_force_run in kamailio.cfg will override this check)\n",
>>             SSLeay_version(SSLEAY_VERSION), ssl_version,
>>             OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER);
>>         if (cfg_get(tls, tls_cfg, force_run))
>>             LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, ignoring "
>>                 " openssl version mismatch\n");
>>         else
>>             return -1; /* safer to exit */
>>     }
--
Alex Lutay
Meet us @ ANGACOM: Hall 10.1 / booth N10
Exhibition and Congress for Broadband,
Cable & Satellite: 07 – 09 June, 2016 in Cologne
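
An added example (not part of the original message and not Kamailio's code) showing why the `>>8` comparison quoted above can reject a patch-letter update even though its comment says such updates are fine. It assumes the OpenSSL 1.0.x `0xMNNFFPPS` version layout; the version pairs are constructed samples, and `check_shift12` is a hypothetical looser comparison, not a fix taken from the thread.

```c
#include <stdio.h>

/* OpenSSL 1.0.x encodes OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 * M major, NN minor, FF fix, PP patch letter (a=1, b=2, ...), S status
 * (0xf = release). Helper added for this example. */
static unsigned long make_version(unsigned major, unsigned minor,
                                  unsigned fix, char letter)
{
    unsigned long patch = letter ? (unsigned long)(letter - 'a' + 1) : 0;
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12) | (patch << 4) | 0xfUL;
}

/* Same comparison as the quoted tls_init.c check: >>8 drops the status
 * nibble and only the LOW nibble of the patch byte, so letters a..o
 * (0x01..0x0f) compare equal to each other, but p and later (0x10+) do not. */
static int check_shift8(unsigned long runtime, unsigned long compiled)
{
    return (runtime >> 8) == (compiled >> 8);
}

/* Hypothetical looser comparison (assumption, not from the thread):
 * >>12 drops the whole patch byte and compares major.minor.fix only. */
static int check_shift12(unsigned long runtime, unsigned long compiled)
{
    return (runtime >> 12) == (compiled >> 12);
}

int main(void)
{
    /* Constructed sample pairs: {compiled-against, installed-at-runtime}. */
    struct { const char *name; unsigned long built, run; } s[] = {
        { "0.9.8a -> 0.9.8c", make_version(0, 9, 8, 'a'), make_version(0, 9, 8, 'c') },
        { "1.0.1k -> 1.0.1t", make_version(1, 0, 1, 'k'), make_version(1, 0, 1, 't') },
        { "1.0.1k -> 1.0.2a", make_version(1, 0, 1, 'k'), make_version(1, 0, 2, 'a') },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-18s built 0x%08lx run 0x%08lx  >>8: %-4s >>12: %s\n",
               s[i].name, s[i].built, s[i].run,
               check_shift8(s[i].run, s[i].built) ? "ok" : "FAIL",
               check_shift12(s[i].run, s[i].built) ? "ok" : "FAIL");
    return 0;
}
```

In these samples the a/c pair shares the upper nibble of the patch byte and passes the quoted check, while the k/t pair crosses the 0x0f/0x10 boundary and fails it despite having the same major, minor and fix level.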