Summary: ASTERISK-27876: [patch] tcptls: Allow OpenSSL configured with no-dh.
Reporter: Alexander Traud (traud)
Labels: patch
Date Opened: 2018-05-25 09:44:44
Date Closed: 2018-06-05 14:23:39
Versions: 13.21.0, 15.4.0
Frequency of Occurrence:
Environment:
Attachments: (0) no-dh.patch
Description: Fixing my own code, which I introduced in commit [eaee921|https://github.com/asterisk/asterisk/commit/eaee92198d89f7feb4206b412104f439bc80754f] (ASTERISK-23905). OpenSSL can be configured (and then built) in various combinations. The _easiest_ (?) way to find the relevant configuration is to look up each used symbol and check the surrounding Defines in the header file of OpenSSL. If one of the guards is missing (or is a combination of several ones) and OpenSSL was built with that, Asterisk is not going to compile.

Asterisk does not build if OpenSSL was built via
{code}
./config no-dh
make
{code}
The attached patch fixes this. Additionally, the patch undoes commit [758b138|https://github.com/asterisk/asterisk/commit/758b13858b79256104c0f81a9adf1924df7d2da9] (no issue report!), because that guard was too broad (it included DH and EC related code) and was done via the script {{./configure}} instead of directly via the OpenSSL configuration. Instead, the patch guards only that part which must be guarded when OpenSSL was configured with no-ec or no-ecdh. Finally, that patch enables the named curves X25519 (since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1), because {{SSL_CTRL_SET_ECDH_AUTO}} got enabled by default, that symbol got removed and {{SSL_CTX_ctrl}} returns an error now. Because of that, just the named curve P-256 was set, which disabled X25519 (and X448).

This is just about TLS (HTTPs, SIP-over-TLS, ...). In the file {{res/res_rtp_asterisk.c}}, the code for DTLS needs a similar treatment. However, this is out of scope of the attached patch.
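The symbol lookup the report describes (find each OpenSSL symbol a source file uses, then read which {{OPENSSL_NO_*}} guards enclose it in the header) can be automated. The following shell helper is an added example; it is neither part of this report nor of the attached patch. The function names {{guards_for_symbol}} and {{check_symbols}} are mine, and the header it runs on is a constructed sample written to a temporary file, not a real OpenSSL header: only the guard shapes ({{OPENSSL_NO_DH}}, nested {{OPENSSL_NO_EC}}/{{OPENSSL_NO_ECDH}}, a version-conditional {{#else}} branch) follow the pattern the report talks about. Point it at {{include/openssl/*.h}} of a given OpenSSL build to do the same check for real.

```sh
#!/bin/sh
# Added example: look up the preprocessor guards that enclose a symbol in a
# C header, the per-symbol check described in the report.
# Usage: guards_for_symbol HEADER SYMBOL
# Prints one enclosing #if/#ifdef/#ifndef directive per line, outermost
# first. When the symbol sits in an #else/#elif branch, that directive is
# appended to its level so the negated condition is visible. Prints
# "(unguarded)" if no conditional encloses the symbol and "(not found)"
# if the header never mentions it.
guards_for_symbol() {
    awk -v sym="$2" '
    BEGIN {
        depth = 0; found = 0
        # Match the symbol as a whole identifier, not as a substring
        pat = "(^|[^A-Za-z0-9_])" sym "($|[^A-Za-z0-9_])"
    }
    # Normalise "#  ifndef X" to "#ifndef X" and drop trailing whitespace
    /^[ \t]*#/ { sub(/^[ \t]*#[ \t]*/, "#"); sub(/[ \t]+$/, "") }
    /^#(if|ifdef|ifndef)([ \t]|$)/ { stack[++depth] = $0; next }
    /^#(else|elif)([ \t]|$)/ { if (depth) stack[depth] = stack[depth] " / " $0; next }
    /^#endif/ { if (depth) depth--; next }
    $0 ~ pat && !found {
        found = 1
        if (depth == 0) print "(unguarded)"
        for (i = 1; i <= depth; i++) print stack[i]
        exit
    }
    END { if (!found) print "(not found)" }
    ' "$1"
}

# Constructed sample header (not a real OpenSSL header): the guard shapes
# mirror the OPENSSL_NO_* defines the report talks about.
SAMPLE_HDR=$(mktemp)
trap 'rm -f "$SAMPLE_HDR"' EXIT
cat > "$SAMPLE_HDR" <<'EOF'
#ifndef HEADER_SAMPLE_H
# define HEADER_SAMPLE_H
# ifndef OPENSSL_NO_DH
DH *DH_new(void);
# endif
# ifndef OPENSSL_NO_EC
#  ifndef OPENSSL_NO_ECDH
int EC_KEY_check_key(const EC_KEY *key);
#  endif
# endif
# if OPENSSL_VERSION_NUMBER < 0x10100000L
#  define SSL_CTRL_SET_ECDH_AUTO 94  /* constructed sample value */
# else
int sample_set_curves(SSL_CTX *ctx, const char *names); /* constructed */
# endif
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
#endif
EOF

# Report the guards for every symbol a source file uses, the way the
# report suggests doing it for each OpenSSL symbol Asterisk references.
check_symbols() {
    hdr=$1; shift
    for s in "$@"; do
        printf '%s:\n' "$s"
        guards_for_symbol "$hdr" "$s" | sed 's/^/    /'
    done
}

check_symbols "$SAMPLE_HDR" DH_new EC_KEY_check_key SSL_CTRL_SET_ECDH_AUTO \
    sample_set_curves SSL_CTX_set_cipher_list NOT_DECLARED
```

A symbol whose only guard is the header's include guard can be used unconditionally; any {{OPENSSL_NO_*}} line in its output is a define the calling C code must mirror with its own {{#ifndef}}, and a level marked {{/ #else}} means the calling code must test the opposite condition.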
Comments:

By: Asterisk Team (asteriskteam) 2018-05-25 09:44:45.704-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Friendly Automation (friendly-automation) 2018-06-05 14:23:39.857-0500

Change 9055 merged by George Joseph:
tcptls: Allow OpenSSL configured with no-dh.


By: Friendly Automation (friendly-automation) 2018-06-06 04:37:17.718-0500

Change 9054 merged by Joshua Colp:
tcptls: Allow OpenSSL configured with no-dh.


By: Friendly Automation (friendly-automation) 2018-06-06 04:37:29.214-0500

Change 9056 merged by Joshua Colp:
tcptls: Allow OpenSSL configured with no-dh.