### Description
I am connecting two kamailio (5.4.5) instances using TLS with client cert verification. When one side is OpenSSL 1.1.1 (CentOS 8) + P-256 cert and the other side is OpenSSL 1.0.2 (CentOS 7) + P-521 cert *and* `cipher_list` is set (e.g., `DEFAULT`), the ClientHello fails because the only supported curve sent is P-256 (server has P-521).
### Troubleshooting
1. If `cipher_list` is *not* set at all in `[client:default]`, then the ClientHello sends 4 supported EC groups and the handshake succeeds.
2. If `cipher_list` is set in `[client:default]` (e.g. `DEFAULT` or `ANY`), then the ClientHello sends only 1 supported EC group, P-256 (I guess because the client is using a P-256 cert), and the handshake will fail.
#### Reproduction
1. Connect two kamailios, one on CentOS 8 sending SIP to one on CentOS 7; enable TLS with client cert verification. Put a P-256 cert on CentOS 8 and a P-521 cert on CentOS 7.
#### Debugging Data
1. `cipher_list` is not set: TLS ClientHello Supported Groups has 4 groups: secp256r1, secp521r1, secp384r1, secp256k1.
2. `cipher_list` is set to `DEFAULT`: TLS ClientHello Supported Groups has 1 group: secp256r1.
#### Log Messages
```
ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
```
#### SIP Traffic
NA - couldn't complete the TLS handshake, so no SIP was transferred.
### Possible Solutions
1. Don't set `cipher_list` at all; the moment you set `cipher_list` to anything (`ANY`, `DEFAULT`, etc.), the ClientHello will narrow the supported groups to P-256 and the server will reject.
I have a thought: does `setup_ecdh()` in `tls_domain.c` behave differently on OpenSSL 1.1.1? Maybe it is forcing the handshake to send only the curve of the client.
### Additional Information
1. kamailio version is 5.4.5
2. Must be OpenSSL 1.1.1 to OpenSSL 1.0.2. BTW, in the reverse direction (P-521 CentOS 7 to P-256 CentOS 8) this issue doesn't occur.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2716
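To confirm which groups a ClientHello actually offers (the 4-group versus 1-group difference in the debugging data above) without a packet analyzer, here is an added Python example that is not part of the issue or of Kamailio: it parses the supported_groups extension out of a raw TLS record. The ClientHello bytes are constructed inline to mirror the two observed cases; the group ids are the IANA values for the named curves.

```python
import struct

# IANA TLS supported_groups ids for the curves named in the report
GROUP_NAMES = {22: "secp256k1", 23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}
SUPPORTED_GROUPS_EXT = 0x000A


def build_client_hello(group_ids):
    """Constructed sample: a minimal TLS 1.2 ClientHello whose only
    extension is supported_groups (random and cipher suite are filler)."""
    ext_body = struct.pack("!H", 2 * len(group_ids)) + b"".join(
        struct.pack("!H", g) for g in group_ids)
    extensions = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(ext_body)) + ext_body
    body = (b"\x03\x03" + bytes(32)            # client_version, random
            + b"\x00"                           # empty session id
            + b"\x00\x02\xc0\x2b"               # one suite: ECDHE-ECDSA-AES128-GCM-SHA256
            + b"\x01\x00"                       # compression methods: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def supported_groups(record):
    """Return the group names a ClientHello offers, in wire order.
    Walks record header -> handshake header -> ClientHello fields -> extensions."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                                       # headers, version, random
    pos += 1 + record[pos]                                     # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]     # cipher suites
    pos += 1 + record[pos]                                     # compression methods
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        if ext_type == SUPPORTED_GROUPS_EXT:
            n = struct.unpack("!H", data[:2])[0]
            ids = struct.unpack("!%dH" % (n // 2), data[2:2 + n])
            return [GROUP_NAMES.get(g, "unknown(%d)" % g) for g in ids]
        pos += 4 + ext_len
    return []                                                  # extension absent


def handshake_can_proceed(client_hello, server_groups):
    """True if the client offers at least one group the server will accept."""
    return bool(set(supported_groups(client_hello)) & set(server_groups))


if __name__ == "__main__":
    for offered in ([23, 25, 24, 22], [23]):
        hello = build_client_hello(offered)
        print(supported_groups(hello), "-> P-521 server ok:",
              handshake_can_proceed(hello, ["secp521r1"]))
```

On a real capture, feed the first TLS record of the client's connection (e.g. the bytes tcpdump wrote for the ClientHello) to `supported_groups` instead of the constructed sample.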
Address GH #2716. Also see https://bugs.python.org/issue29697.
#### Pre-Submission Checklist
- [X] Commit message has the format required by CONTRIBUTING guide
- [X] Commits are split per component (core, individual modules, libs, utils, ...)
- [X] Each component has a single commit (if not, squash them into one commit)
- [ ] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated)
#### Type Of Change
- [X] Small bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds new functionality)
- [ ] Breaking change (fix or feature that would change existing functionality)
#### Checklist:
- [X] PR should be backported to stable branches
- [X] Tested changes locally
- [ ] Related to issue #2716
#### Description
For OpenSSL 1.1.x, initialization of EC SSL contexts has changed — we should be using the < 1.0.2 technique on OpenSSL 1.1+. This addresses a corner case where a TLS server with a P-256 cert would not handshake with a TLS client presenting a P-521 cert.
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/2717
-- Commit Summary --
* [tls] Don't use OpenSSL<1.0.2 fallback on 1.1+
-- File Changes --
M src/modules/tls/tls_domain.c (12)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/2717.patch
https://github.com/kamailio/kamailio/pull/2717.diff
https://github.com/kamailio/kamailio/pull/2717
**missing braces around initializer**
*mohq_funcs.c:2163*
```
LD (gcc) [M matrix.so] matrix.so
CC (gcc) [M mohqueue.so] mohq_locks.o
CC (gcc) [M mohqueue.so] mohq_funcs.o
mohq_funcs.c: In function 'send_rtp_answer':
mohq_funcs.c:2163:23: warning: missing braces around initializer [-Wmissing-braces]
2163 | fparam_t pzflag [1] = {"", FPARAM_STRING, {pflagbuf}, 0};
| ^
| {
mohq_funcs.c:2163:23: warning: missing braces around initializer [-Wmissing-braces]
2163 | fparam_t pzflag [1] = {"", FPARAM_STRING, {pflagbuf}, 0};
| ^
| { }
CC (gcc) [M mohqueue.so] mohq_db.o
CC (gcc) [M mohqueue.so] mohqueue_mod.o
make[3]: 'libsrdb1.so.1.0' is up to date.
LD (gcc) [M mohqueue.so] mohqueue.so
CC (gcc) [M msilo.so] msfuncs.o
CC (gcc) [M msilo.so] msilo.o
```
**"_POSIX_C_SOURCE" redefined**
```
CC (gcc) [M app_python.so] python_iface.o
CC (gcc) [M app_python.so] apy_kemi_export.o
In file included from /usr/include/python2.7/pyconfig.h:6,
from /usr/include/python2.7/Python.h:8,
from apy_kemi_export.c:30:
/usr/include/python2.7/pyconfig-64.h:1232: warning: "_POSIX_C_SOURCE" redefined
1232 | #define _POSIX_C_SOURCE 200112L
|
In file included from /usr/include/bits/libc-header-start.h:33,
from /usr/include/stdio.h:27,
from apy_kemi_export.c:26:
/usr/include/features.h:265: note: this is the location of the previous definition
265 | # define _POSIX_C_SOURCE 200809L
|
CC (gcc) [M app_python.so] mod_Core.o
CC (gcc) [M app_python.so] apy_kemi.o
In file included from /usr/include/python2.7/pyconfig.h:6,
from /usr/include/python2.7/Python.h:8,
from apy_kemi.c:25:
/usr/include/python2.7/pyconfig-64.h:1232: warning: "_POSIX_C_SOURCE" redefined
1232 | #define _POSIX_C_SOURCE 200112L
|
In file included from /usr/include/bits/libc-header-start.h:33,
from /usr/include/stdio.h:27,
from apy_kemi.c:21:
/usr/include/features.h:265: note: this is the location of the previous definition
265 | # define _POSIX_C_SOURCE 200809L
|
CC (gcc) [M app_python.so] python_msgobj.o
CC (gcc) [M app_python.so] mod_Router.o
CC (gcc) [M app_python.so] app_python_mod.
```
https://github.com/kamailio/kamailio/issues/2710
Hello,
the branch 5.5 has been created, to be used for releasing v5.5.x series.
To check out this branch, the following commands can be used:
  git clone https://github.com/kamailio/kamailio kamailio-5.5
  cd kamailio-5.5
  git checkout -b 5.5 origin/5.5
Pushing commits in this branch:
 git push origin 5.5:5.5
Note that 5.5 is an official stable branch, so only bug fixes, missing
kemi exports (discuss on sr-dev if not sure) or improvements to
documentation or helper tools can be pushed to this branch.
As usual, if there is a bug fixed, commit and push first to master
branch and then cherry pick to 5.5 branch:
 git cherry-pick -x COMMITID
In a few weeks, the first release from branch 5.5 will be out, namely Kamailio v5.5.0.
Cheers,
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online
May 17-20, 2021 (Europe Timezone) - June 7-10, 2021 (America Timezone)
* https://www.asipto.com/sw/kamailio-advanced-training-online/
Hello,
the branch 5.5 was created, therefore the master branch is open for
adding new features, to be part of future release series v5.6.x (or
whatever version is decided for next series).
Any bug fix committed to master that applies to 5.5.x or older stable
branches should be backported as usual with "git cherry-pick -x ..." to
appropriate branches like 5.5 or 5.4.
Expect that v5.5.0 will be released in a few weeks from now.
Based on the workflow used during the past years, the next future
release v5.6.0 should be out after another 6-10 months of development,
plus 1-2 months of testing, so sometime by end of 2021 or in the first
part of 2022.
Cheers,
Daniel