Summary: ASTERISK-15490: [patch] TLS socket file descriptor fails to open (with no error message in log)
Reporter: Michi (michaesc)
Labels:
Date Opened: 2010-01-22 10:55:14.000-0600
Date Closed: 2010-02-26 11:01:15.000-0600
Priority: Minor
Regression?: No
Status: Closed/Complete
Components: Core/Portability
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) tls_error_msg.diff
Description: On platforms missing funopen(3) or fopencookie(3) DO_SSL is undefined in main/tcptls.h. Other files including tcptls.h will fail in their TLS operations, because of this portability problem.

In the most basic case of configuring (in sip.conf) the TLS variables properly, one expects the TLS logic to open the necessary TCP socket file descriptors. Asterisk (see tcptls.c) doesn't do it on all supported platforms, and doesn't even write any error or debug message to the log announcing the problem.



****** ADDITIONAL INFORMATION ******

The recommended way to solve the problem is to not make the DO_SSL definition dependent on the funopen(3) and fopencookie(3) libc functions. The necessary work is in main/tcptls.c and probably some autoconf logic as well to determine just which function to use.
Comments:

By: Leif Madsen (lmadsen) 2010-01-22 11:00:43.000-0600

Can you give an example of which platforms don't support this?

By: Michi (michaesc) 2010-01-23 13:30:12.000-0600

Solaris 11 x86 (nv-b91) is the one I tested. I looked at FreeBSD which has funopen(3), but only on newer releases. Glibc implements fopencookie(3), but glibc has not yet been ported to many platforms (according to the developers).

In other words, if you use Linux then not writing code portably like this works. Most other platforms fail if the releases are older than a couple years. Some platforms (Solaris notably) fail even with newer releases.

By the way, the author of tcptls.c seems to be aware of that as there are three parts to the condition (#if HAVE_FUNOPEN, #elif HAVE_FOPENCOOKIE, #else /* to be implemented */). But there is a problem with this logic, because all three parts of the condition are wrapped in #if DO_SSL which depends wholly on either HAVE_FUNOPEN or HAVE_FOPENCOOKIE being available on the platform. It looks kind of hacky.

Other than this, every other component of Asterisk 1.6.2.X is building and running well on Solaris 11.

By: David Vossel (dvossel) 2010-02-11 15:42:15.000-0600

I have uploaded a patch that should indicate when someone attempts to configure tls without openssl support.  Does this do what you were wanting?

By: Digium Subversion (svnbot) 2010-02-16 14:54:49.000-0600

Repository: asterisk
Revision: 246980

U   trunk/main/tcptls.c

------------------------------------------------------------------------
r246980 | dvossel | 2010-02-16 14:54:48 -0600 (Tue, 16 Feb 2010) | 8 lines

warning message if openssl support is missing while attempting tls connection

(closes issue ASTERISK-15490)
Reported by: michaesc
Patches:
     tls_error_msg.diff uploaded by dvossel (license 671)


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=246980

By: Digium Subversion (svnbot) 2010-02-16 15:03:35.000-0600

Repository: asterisk
Revision: 246981

U   trunk/main/tcptls.c

------------------------------------------------------------------------
r246981 | dvossel | 2010-02-16 15:03:35 -0600 (Tue, 16 Feb 2010) | 4 lines

swap openssl with OpenSSL in warning message.

(issue ASTERISK-15490)

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=246981

By: Digium Subversion (svnbot) 2010-02-16 15:03:58.000-0600

Repository: asterisk
Revision: 246982

_U  branches/1.6.2/
U   branches/1.6.2/main/tcptls.c

------------------------------------------------------------------------
r246982 | dvossel | 2010-02-16 15:03:57 -0600 (Tue, 16 Feb 2010) | 14 lines

Merged revisions 246980 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r246980 | dvossel | 2010-02-16 14:54:48 -0600 (Tue, 16 Feb 2010) | 8 lines
 
 warning message if openssl support is missing while attempting tls connection
 
 (closes issue ASTERISK-15490)
 Reported by: michaesc
 Patches:
       tls_error_msg.diff uploaded by dvossel (license 671)
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=246982

By: Digium Subversion (svnbot) 2010-02-16 15:05:24.000-0600

Repository: asterisk
Revision: 246983

_U  branches/1.6.1/
U   branches/1.6.1/main/tcptls.c

------------------------------------------------------------------------
r246983 | dvossel | 2010-02-16 15:05:24 -0600 (Tue, 16 Feb 2010) | 14 lines

Merged revisions 246980 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r246980 | dvossel | 2010-02-16 14:54:48 -0600 (Tue, 16 Feb 2010) | 8 lines
 
 warning message if openssl support is missing while attempting tls connection
 
 (closes issue ASTERISK-15490)
 Reported by: michaesc
 Patches:
       tls_error_msg.diff uploaded by dvossel (license 671)
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=246983

By: Digium Subversion (svnbot) 2010-02-16 15:07:49.000-0600

Repository: asterisk
Revision: 246984

_U  branches/1.6.0/
U   branches/1.6.0/main/tcptls.c

------------------------------------------------------------------------
r246984 | dvossel | 2010-02-16 15:07:48 -0600 (Tue, 16 Feb 2010) | 14 lines

Merged revisions 246980 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r246980 | dvossel | 2010-02-16 14:54:48 -0600 (Tue, 16 Feb 2010) | 8 lines
 
 warning message if openssl support is missing while attempting tls connection
 
 (closes issue ASTERISK-15490)
 Reported by: michaesc
 Patches:
       tls_error_msg.diff uploaded by dvossel (license 671)
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=246984

By: Michi (michaesc) 2010-02-22 07:23:43.000-0600

Hello dvossel,

Your patch does nothing to implement funopen(3) or fopencookie(3) on all platforms supported by Asterisk should you insist on using those functions, so this bug is still valid even after detecting OpenSSL absence.

Please read my recommendation as it is much easier than reimplementing system code on a hundred platforms. It really is better to simply not insist on using these nonportable functions and provide logic making DO_SSL succeed on all supported platforms.

By: David Vossel (dvossel) 2010-02-26 11:01:14.000-0600

You are right, we need to figure out a way to support TLS on Solaris.

There was a miscommunication on the purpose of this issue. Your summary and description indicated that you were simply requesting a clarification in the log message, but you did clearly outline that your recommended solution under Additional Information involved more. The problem here is this issue was prioritized by us with the understanding that the fix would only take a few minutes. I know this sounds silly, but can you create a new issue for this clearly stating the purpose is to support TLS on Solaris within the summary so this can be re-prioritized correctly?
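
The compile-time gating discussed in this thread, next to a start-up path that reports the missing TLS support instead of hiding it. This is an added example, not Asterisk's code or the attached patch. Assumptions: `HAVE_OPENSSL`, `struct tls_cfg`, both functions, the log buffer and the warning text are hypothetical, and the build flags are constructed to imitate a platform without funopen(3) and fopencookie(3).

```c
#include <stdio.h>
#include <string.h>
/* Constructed build flags: OpenSSL present, but neither funopen(3) nor
 * fopencookie(3). HAVE_OPENSSL is an assumed macro name. */
#define HAVE_OPENSSL 1
/* Gating as the issue describes it: DO_SSL needs one of the two libc calls. */
#if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE))
#define DO_SSL 1
#endif

struct tls_cfg { int enabled; int listen_fd; };  /* hypothetical config */
static char last_log[128];                       /* stands in for the log */

/* Silent variant: without DO_SSL the setup compiles away. */
int tls_start_silent(struct tls_cfg *cfg)
{
    last_log[0] = '\0';
    cfg->listen_fd = -1;
#ifdef DO_SSL
    if (cfg->enabled)
        cfg->listen_fd = 3;  /* placeholder for real socket setup */
#endif
    return 0;                /* "success", no listener, empty log */
}

/* Checked variant: configured-but-unavailable TLS is a visible error. */
int tls_start_checked(struct tls_cfg *cfg)
{
    last_log[0] = '\0';
    cfg->listen_fd = -1;
    if (!cfg->enabled)
        return 0;
#ifdef DO_SSL
    cfg->listen_fd = 3;      /* placeholder for real socket setup */
    return 0;
#else
    snprintf(last_log, sizeof(last_log),
             "WARNING: TLS is configured but this build has no TLS support");
    return -1;
#endif
}

int main(void)
{
    struct tls_cfg cfg = { 1, -1 };
    int silent = tls_start_silent(&cfg), checked = tls_start_checked(&cfg);
    printf("silent=%d checked=%d log=\"%s\"\n", silent, checked, last_log);
    return 0;
}
```

Returning an error as well as logging lets the caller refuse to start rather than run without the TLS listener the operator configured.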