Hello Kamailio users,
I would like testers to try out a new module tls_wolfssl, an alternate TLS transport based on wolfSSL.
Why another TLS transport implementation?
The travails of using OpenSSL >= 1.1.1 in Kamailio’s multi-process paradigm have been documented by OpenSIPS (and that sister project has implemented tls_wolfssl). Essentially, OpenSSL makes no concessions to the multi-process use case and in fact has implementation details that work against global shared memory structures.
As a result Kamailio contains some tricky code:
* a pthread polyfill in core
* duplicated SSL_CTX per worker
* atexit workaround
How to test?
The code is currently in master and can be built in the usual way. Debian has the needed libwolfssl-dev 5.2.0; for some RPM distros (el8, el9, fc36) I have created a Copr repository: https://copr.fedorainfracloud.org/coprs/beaveryoga/wolfSSL/
Known limitations
The current state can be considered as identical to tls+OpenSSL 1.1.1/3.0.x.
Old TLS protocols < 1.2 and cipher list configuration don’t work, i.e., only TLS 1.2 and 1.3 work with the default cipher list.
In your configuration just replace loadmodule "tls.so" with loadmodule "tls_wolfssl.so".
The rest of the TLS configuration can remain unchanged unless you are using a funky protocol version/cipher list combination.
Thanks!
S-P
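
Added example, not part of the original post or of the Kamailio code base: a pre-switch check that scans a configuration for the settings the post lists as not working (protocol methods below TLS 1.2 and cipher list settings) and for the loadmodule line to replace. It assumes the tls module's `tls_method`/`cipher_list` modparams, the `method`/`cipher_list` keys of a tls.cfg profile, and `#` comments only; the sample configuration is constructed.

```python
import re

# Matches modparam("tls", "tls_method", "TLSv1") in kamailio.cfg and
# "method = TLSv1" in a tls.cfg profile (parameter names are assumptions).
METHOD_RE = re.compile(r'"tls_method"\s*,\s*"([^"]+)"|^\s*method\s*=\s*(\S+)')
CIPHER_RE = re.compile(r'"cipher_list"\s*,|^\s*cipher_list\s*=')
LOAD_RE = re.compile(r'^\s*loadmodule\s+"tls\.so"')
# Method values limited to TLS 1.2 and 1.3, the versions the post says work.
OK_METHODS = {"TLSv1.2", "TLSv1.2+", "TLSv1.3", "TLSv1.3+"}

def check_tls_config(text):
    """Return (line_no, kind, detail) for each line that needs attention."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore '#' comments
        if LOAD_RE.search(code):
            findings.append((no, "loadmodule",
                             'replace with loadmodule "tls_wolfssl.so"'))
        m = METHOD_RE.search(code)
        if m:
            method = m.group(1) or m.group(2)
            if method not in OK_METHODS:
                findings.append((no, "method",
                                 method + " is not limited to TLS 1.2/1.3"))
        if CIPHER_RE.search(code):
            findings.append((no, "cipher_list",
                             "cipher list configuration is not applied"))
    return findings

# Constructed sample mixing kamailio.cfg and tls.cfg style lines.
SAMPLE = '''\
loadmodule "tls.so"
modparam("tls", "tls_method", "TLSv1+")
modparam("tls", "cipher_list", "HIGH:!aNULL")
# modparam("tls", "tls_method", "SSLv23")
[server:default]
method = TLSv1.2+
'''

if __name__ == "__main__":
    for no, kind, detail in check_tls_config(SAMPLE):
        print("line %d: %s: %s" % (no, kind, detail))
```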