[Spce-user] After update to latest hotfix from today 4.3.1 version - Kamailio failed to start

Matthias Hohl matthias.hohl at telematica.at
Tue Jun 7 15:30:57 EDT 2016


Hello,

I did update right now:

apt-get update && apt-get upgrade && ngcp-update-db-schema &&
ngcp-update-cfg-schema && ngcpcfg apply 'Hotfix Update'

and activated TLS again in config.yml, and kamailio started now.
So it looks like it works now.

OFFTOPIC: The sslverify problem with fraud script is still there...

thanks

-----Original Message-----
From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of
Alex Lutay
Sent: Tuesday, 7 June 2016 14:17
To: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] After update to latest hotfix from today 4.3.1
version - Kamailio failed to start

Hi all,

On 06/07/2016 10:50 AM, Christian Rohmann wrote:
> On 06/07/2016 12:53 AM, Alex Lutay wrote:
>> The update came from Debian Jessie which is not under Sipwise control.
> 
> True, but the Debian policy is to only fix things and not do
> anything inside one release that breaks things.

Yes. It is in theory, while in practice we have two problems released from
Debian security on the same day:
1) current libssl <-> kamailio tls issue
2) perl <-> ngcp-panel issue, see upstream report
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826563

Both happened at the same time, both were noticed by internal Sipwise nightly
tests. ngcp-panel was addressed and hotfixed immediately, kamailio has been
rebuilt using the new library a bit later, after the report on the spce-users@
mailing list.

> Why is there such a hard dependency to a certain version of the library?
> I mean the whole idea behind external and dynamic libraries is that 
> you can update them individually from your binaries.

We were surprised in the same way.
We are working internally to make it more friendly to libssl upgrades.

> I suppose you'll investigate further what was the issue in this case.
> The documentation says that minor version updates (read "security
> updates") should be fine:
> http://kamailio.org/docs/modules/4.3.x/modules/tls.html#tls.p.tls_force_run

Yes, sure, we are checking the possibility to prevent this in the future.
Documentation VS code here :-(

> Either Kamailio (or the tls_module) is too strict in checking the 
> external lib or the update to the openssl package was a little too
> intense.

It is a kamailio TLS module, see the code here:

>>  modules/tls/tls_init.c
>> #if OPENSSL_VERSION_NUMBER < 0x00907000L
>>         WARN("You are using an old version of OpenSSL (< 0.9.7). Upgrade!\n");
>> #endif
>>         ssl_version=SSLeay();
>>         /* check if version have the same major minor and fix level
>>          * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) */
>>         if ((ssl_version>>8)!=(OPENSSL_VERSION_NUMBER>>8)){
>>                 LOG(L_CRIT, "ERROR: tls: init_tls_h: installed openssl library "
>>                                 "version is too different from the library the Kamailio tls module "
>>                                 "was compiled with: installed \"%s\" (0x%08lx), compiled "
>>                                 "\"%s\" (0x%08lx).\n"
>>                                 " Please make sure a compatible version is used"
>>                                 " (tls_force_run in kamailio.cfg will override this check)\n",
>>                                 SSLeay_version(SSLEAY_VERSION), ssl_version,
>>                                 OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER);
>>                 if (cfg_get(tls, tls_cfg, force_run))
>>                         LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, ignoring "
>>                                                 " openssl version mismatch\n");
>>                 else
>>                         return -1; /* safer to exit */
>>         }

--
Alex Lutay

Meet us @ ANGACOM: Hall 10.1 / booth N10 Exhibition and Congress for
Broadband, Cable & Satellite: 07 – 09 June, 2016 in Cologne
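
The following is an added example, not part of the original message and not Kamailio code: it shows which bits the quoted `>>8` comparison actually compares, assuming the `0xMNNFFPPS` layout that OpenSSL 0.9.x/1.0.x use for `OPENSSL_VERSION_NUMBER`. The helper names and the sample versions are constructed for illustration and are not taken from the thread; the `>>12` variant is a hypothetical alternative.

```c
#include <stdio.h>

/* Assumed layout (OpenSSL 0.9.x/1.0.x): 0xMNNFFPPS
 * M major, NN minor, FF fix, PP patch letter (a=1, b=2, ...), S status. */
static unsigned long mk_version(unsigned major, unsigned minor,
                                unsigned fix, char patch_letter)
{
    unsigned long patch =
        patch_letter ? (unsigned long)(patch_letter - 'a' + 1) : 0UL;
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12) | (patch << 4) | 0xfUL; /* 0xf = release */
}

/* Same comparison as the quoted tls_init.c: >>8 drops the status nibble and
 * only the LOW nibble of the patch byte, so the high patch nibble still counts. */
static int quoted_check_ok(unsigned long runtime, unsigned long compiled)
{
    return (runtime >> 8) == (compiled >> 8);
}

/* Hypothetical alternative (not the project's code): >>12 drops the whole
 * patch byte and compares exactly major, minor and fix. */
static int major_minor_fix_ok(unsigned long runtime, unsigned long compiled)
{
    return (runtime >> 12) == (compiled >> 12);
}

int main(void)
{
    /* Constructed sample pairs: version compiled against, version installed. */
    struct { const char *label; unsigned long built, run; } cases[] = {
        { "0.9.8a -> 0.9.8c", mk_version(0, 9, 8, 'a'), mk_version(0, 9, 8, 'c') },
        { "1.0.1k -> 1.0.1o", mk_version(1, 0, 1, 'k'), mk_version(1, 0, 1, 'o') },
        { "1.0.1k -> 1.0.1t", mk_version(1, 0, 1, 'k'), mk_version(1, 0, 1, 't') },
        { "0.9.8  -> 0.9.9a", mk_version(0, 9, 8, 0),   mk_version(0, 9, 9, 'a') },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%s  built=0x%08lx run=0x%08lx  >>8:%s  >>12:%s\n",
               cases[i].label, cases[i].built, cases[i].run,
               quoted_check_ok(cases[i].run, cases[i].built) ? "ok" : "MISMATCH",
               major_minor_fix_ok(cases[i].run, cases[i].built) ? "ok" : "MISMATCH");
    return 0;
}
```

Patch letters `a` through `o` (1 to 15) share a high patch nibble of 0, so they compare equal under `>>8`; from `p` (16) onward the high nibble changes and the same major.minor.fix is reported as a mismatch.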