``` Jun 6 14:38:43 spce lb[27903]: : tls [tls_init.c:557]: init_tls_h(): ERROR: tls: init_tls_h: installed openssl library version is too different from the library the Kamailio tls module was compiled with: installed "OpenSSL 1.0.1t 3 May 2016" (0x1000114f), compiled "OpenSSL 1.0.1k 8 Jan 2015" (0x100010bf).#012 Please make sure a compatible version is used (tls_force_run in kamailio.cfg will override this check) Jun 6 14:38:43 spce lb[27903]: CRITICAL: <core> [main.c:2577]: main(): could not initialize tls, exiting... ``` openssl was upgraded from 1.0.1k-3+deb8u5 to 1.0.1t-1+deb8u2
This seems not to work properly https://github.com/kamailio/kamailio/blob/master/modules/tls/tls_init.c#L543...
``` #if OPENSSL_VERSION_NUMBER < 0x00907000L WARN("You are using an old version of OpenSSL (< 0.9.7). Upgrade!\n"); #endif ssl_version=SSLeay(); /* check if version have the same major minor and fix level * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) */ if ((ssl_version>>8)!=(OPENSSL_VERSION_NUMBER>>8)){ LOG(L_CRIT, "ERROR: tls: init_tls_h: installed openssl library " "version is too different from the library the Kamailio tls module " "was compiled with: installed "%s" (0x%08lx), compiled " ""%s" (0x%08lx).\n" " Please make sure a compatible version is used" " (tls_force_run in kamailio.cfg will override this check)\n", SSLeay_version(SSLEAY_VERSION), ssl_version, OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER); if (cfg_get(tls, tls_cfg, force_run)) LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, ignoring " " openssl version mismatch\n"); else return -1; /* safer to exit */ } ```
--- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/662
Pushed a patch for it, can you try with it? If all ok, it can be backported as needed.
--- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/662#issuecomment-224279345
what about this https://github.com/linuxmaniac/kamailio/commit/0daacc90d3de154b9cc4d117c16e2...
--- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/662#issuecomment-224282154
I see you test also the status value for <1.0.0 -- is it useful? I think if it was compiled with a beta version should be fine to work with corresponding stable
--- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/662#issuecomment-224284144
I see you test also the status value for <1.0.0 -- is it useful?
Not really :-1: please, forget my version.
Pushed a patch for it, can you try with it?
Testing in progress
--- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/662#issuecomment-224288132
Your version was more flexible, allowing that the fix version can be different in 1.0.0+, so compiling with 1.0.1x and using it with 1.0.2x would be ok -- I am not familiar when the libssl can break the api, but I am fine to introduce your kind of check if you know the api compatibility is preserved when MMNN is the same.
--- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/662#issuecomment-224294099
Works!! :+1:
Previous patch: upgrade libssl1.0.0 -> error ``` root@sp1:/var/sipwise# apt-get install libssl1.0.0 Reading package lists... Done Building dependency tree Reading state information... Done The following packages will be upgraded: libssl1.0.0 1 upgraded, 0 newly installed, 0 to remove and 55 not upgraded. Need to get 1045 kB of archives. After this operation, 7168 B of additional disk space will be used. Get:1 http://sp:9998/debian/ jessie/main libssl1.0.0 amd64 1.0.1t-1+deb8u2 [1045 kB] Fetched 1045 kB in 0s (18.7 MB/s) Preconfiguring packages ... (Reading database ... 110066 files and directories currently installed.) Preparing to unpack .../libssl1.0.0_1.0.1t-1+deb8u2_amd64.deb ... Unpacking libssl1.0.0:amd64 (1.0.1t-1+deb8u2) over (1.0.1k-3+deb8u5) ... Setting up libssl1.0.0:amd64 (1.0.1t-1+deb8u2) ... Processing triggers for libc-bin (2.19-18+deb8u4) ... Executing postapt init removal by Sipwise [sysv] root@sp1:/var/sipwise# invoke-rc.d kamailio-lb restart Restarting kamailio-lb: Active node or transition. loading modules under config path: /usr/lib/x86_64-linux-gnu/kamailio/modules:/usr/lib/kamailio/modules Listening on udp: 10.15.20.143 [10.15.20.143]:5060 udp: 127.0.0.1:5060 tcp: 10.15.20.143 [10.15.20.143]:5060 tcp: 127.0.0.1:5060 tls: 10.15.20.143 [10.15.20.143]:5061 Aliases:
kamailio error, failed to start. invoke-rc.d: initscript kamailio-lb, action "restart" failed. ```
After patch (binary built with 1.0.1t-1+deb8u2), downgraded libssl1.0.0 (to previous version) -> works
``` root@sp1:/var/sipwise# apt-get install libssl1.0.0=1.0.1k-3+deb8u5 Reading package lists... Done Building dependency tree Reading state information... Done The following packages will be DOWNGRADED: libssl1.0.0 0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 44 not upgraded. Need to get 1038 kB of archives. After this operation, 7168 B disk space will be freed. Do you want to continue? [Y/n] y Get:1 http://sp:9998/debian-security/ jessie-security/main libssl1.0.0 amd64 1.0.1k-3+deb8u5 [1038 kB] Fetched 1038 kB in 0s (1268 kB/s) [master 292277a] saving uncommitted changes in /etc prior to apt run Author: sipwise sipwise@sp1 2 files changed, 2 insertions(+), 2 deletions(-) Preconfiguring packages ... dpkg: warning: downgrading libssl1.0.0:amd64 from 1.0.1t-1+deb8u2 to 1.0.1k-3+deb8u5 (Reading database ... 110066 files and directories currently installed.) Preparing to unpack .../libssl1.0.0_1.0.1k-3+deb8u5_amd64.deb ... Unpacking libssl1.0.0:amd64 (1.0.1k-3+deb8u5) over (1.0.1t-1+deb8u2) ... Setting up libssl1.0.0:amd64 (1.0.1k-3+deb8u5) ... Processing triggers for libc-bin (2.19-18+deb8u4) ... Executing postapt init removal by Sipwise [sysv] root@sp1:/var/sipwise# invoke-rc.d kamailio-lb restart Restarting kamailio-lb: Active node or transition. loading modules under config path: /usr/lib/x86_64-linux-gnu/kamailio/modules:/usr/lib/kamailio/modules Listening on udp: 10.15.20.143 [10.15.20.143]:5060 udp: 127.0.0.1:5060 tcp: 10.15.20.143 [10.15.20.143]:5060 tcp: 127.0.0.1:5060 tls: 10.15.20.143 [10.15.20.143]:5061 Aliases:
kamailio started. ```
I am not familiar when the libssl can break the api, but I am fine to introduce your kind of check if you know the api compatibility is preserved when MMNN is the same.
Neither do I, lets keep it like it is right now.
--- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/662#issuecomment-224302784
Closed #662.
--- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/662#event-684468132
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844548
Since the openssl update from 1.1.0b to 1.1.0c kamailio fails to start, logging:
/usr/sbin/kamailio[20003]: INFO: tls [tls_init.c:633]: init_tls_h(): tls: _init_tls_h: compiled with openssl version "OpenSSL 1.1.0b 26 Sep 2016" (0x1010002f), kerberos support: on, compression: on /usr/sbin/kamailio[20003]: INFO: tls [tls_init.c:641]: init_tls_h(): tls: init_tls_h: installed openssl library version "OpenSSL 1.1.0c 10 Nov 2016" (0x1010003f), kerberos support: off, zlib compression: off#012 compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR=""/usr/lib/ssl"" -DENGINESDIR=""/usr/lib/x86_64-linux-gnu/engines-1.1""
And then:
Nov 16 17:50:41 tea /usr/sbin/kamailio[20003]: : tls [tls_init.c:651]: init_tls_h(): ERROR: tls: init_tls_h: openssl compile options mismatch: library has kerberos support disabled and Kamailio tls enabled (unstable configuration)
Please re-compile kamailio against 1.1.0c.
Thank you.
Is this related to this issue??
Doesn't seem related to previous one.
Was kamailio compiled with libssl 1.1.0c? Or built with libssl 1.1.0b and then the libssl upgraded to 1.1.0c? Because it complains of mismatching some options.
I also need to look in the code what's the impact...
It was compiled with libssl 1.1.0b and then libssl has been upgraded to 1.1.0c
-
Daniel-Constantin Mierla -
Victor Seva