Broken is in the eyes of the beholder: well-designed cryptographic code wants to ensure
that information (keys, cleartext) doesn't leak via unsanitized memory (there are many
ways, both within and beyond calling programs); the easy and more foolproof way to do that
for the cryptography programmer is often to use a memory manager that takes care of that,
such as jemalloc (with appropriate configuration parameters).
If you make security representations (and the certificate is reasonably construed to make
a security representation) you shouldn't bypass this unless you verify that you
prevent all possible information leaks.
From arm's length, you might just try to use jemalloc as kamailio's mm library, but even
there it would be necessary to be really careful about kamailio freeing sensitive memory
immediately after use--everywhere that happens. That's why it's probably easier
to just let a properly implemented crypto library do what it's designed to do.
-------- Original message --------
From: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 12/12/2017 2:26 AM (GMT-06:00)
To: "Kamailio (SER) - Users Mailing List"
<sr-users(a)lists.kamailio.org>,Tomi Hakkarainen <tpaivaa(a)gmail.com>
Subject: Re: [SR-Users] Unable to enable TLS on Kamailio
Hello,
There were some broken versions of openssl that no longer allowed setting a custom
memory manager. The only option is to upgrade libssl to a version that doesn't expose
the issue. If you search the kamailio issue tracker on github.com, there should be a
closed one about this topic.
Cheers,
Daniel
On 11.12.17 22:20, Tomi Hakkarainen wrote:
Hi,
I have a problem enabling TLS on a just-installed Kamailio server
openSUSE 42.3 (x86_64)
VERSION = 42.3
CODENAME = Malachite
version: kamailio 5.0.4 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, DISABLE_NAGLE, USE_MCAST,
DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC,
DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE,
USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024,
BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled on 18:06:25 Dec 3 2017 with gcc 4.8.5
I get this in the debug log:
0(11336) DEBUG: <core> [core/cfg.y:1642]: yyparse(): loading modules under /usr/lib64/kamailio/modules/
loading modules under config path: /usr/lib64/kamailio/modules/
0(11336) DEBUG: <core> [core/cfg.y:1623]: yyparse(): loading module tls.so
0(11336) DEBUG: <core> [core/sr_module.c:575]: load_module(): trying to load </usr/lib64/kamailio/modules/tls.so>
0(11336) DEBUG: <core> [core/mem/q_malloc.c:189]: qm_malloc_init(): qm_malloc_init: QM_OPTIMIZE=16384, /ROUNDTO=2048
0(11336) DEBUG: <core> [core/mem/q_malloc.c:191]: qm_malloc_init(): qm_malloc_init: QM_HASH_SIZE=2099, qm_block size=235152
0(11336) DEBUG: <core> [core/mem/q_malloc.c:193]: qm_malloc_init(): qm_malloc_init(0x7f6e001cb000, 67108864), start=0x7f6e001cb000
0(11336) DEBUG: <core> [core/mem/q_malloc.c:202]: qm_malloc_init(): qm_malloc_init: size= 67108864, init_overhead=235256
0(11336) ERROR: tls [tls_init.c:595]: tls_pre_init(): Unable to set the memory allocation functions
0(11336) ERROR: tls [tls_init.c:597]: tls_pre_init(): libssl current mem functions - m: 0x7f6e055b33d0 r: 0x7f6e055b3a30 f: 0x7f6e055b39a0
0(11336) ERROR: tls [tls_init.c:599]: tls_pre_init(): Be sure tls module is loaded before any other module using libssl (can be loaded first to be safe)
0(11336) ERROR: <core> [core/sr_module.c:607]: load_module(): /usr/lib64/kamailio/modules/tls.so: mod_register failed
0(11336) CRITICAL: <core> [core/cfg.y:3411]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 150, column 12-19: failed to load module
To resolve this, I have compiled openssl from 1.0.2j-fips to
openssl version
OpenSSL 1.0.2n 7 Dec 2017
Is this information enough to see what we are missing?
Will provide more info if needed.
Any help and suggestions are appreciated.
Regards,
T
--
Daniel-Constantin Mierla
www.twitter.com/miconda --
www.linkedin.com/in/miconda
Kamailio Advanced Training -
www.asipto.com
Kamailio World Conference - May 14-16, 2018 -
www.kamailioworld.com
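Added example, not part of the thread and not code from Kamailio, OpenSSL or jemalloc: a minimal sketch of the "memory manager that takes care of sanitizing" idea from the first message, in the malloc/realloc/free shape a replacement memory manager provides. All names (san_malloc, san_realloc, san_free, backend_free, hold) are hypothetical, and the key bytes are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Size header in front of every block, so free/realloc know how much to wipe. */
typedef union { size_t size; max_align_t align; } hdr_t;
/* Release hook (hypothetical): free() normally; the demo swaps in hold(). */
static void (*backend_free)(void *) = free;
static unsigned char *held;
static void hold(void *h) { held = h; }
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;   /* volatile: the wipe is not a removable dead store */
    while (n--) *v++ = 0;
}
void *san_malloc(size_t n) {
    hdr_t *h = n > (size_t)-1 - sizeof *h ? NULL : malloc(sizeof *h + n);
    if (h) h->size = n;
    return h ? h + 1 : NULL;
}
void san_free(void *p) {
    if (!p) return;
    hdr_t *h = (hdr_t *)p - 1;
    wipe(h, sizeof *h + h->size);
    backend_free(h);
}
/* Plain realloc() may move a block and leave the old copy unwiped in the heap,
   so always allocate, copy, then wipe and release the old block. */
void *san_realloc(void *p, size_t n) {
    if (!p) return san_malloc(n);
    size_t old = ((hdr_t *)p - 1)->size;
    void *q = san_malloc(n);
    if (!q) return NULL;             /* old block stays valid, as with realloc */
    memcpy(q, p, old < n ? old : n);
    san_free(p);
    return q;
}
/* Demo: non-zero bytes left in the old block after growing a constructed key. */
long leftover_after_realloc(void) {
    unsigned char *k = san_malloc(16), *k2;
    long left = 0;
    if (!k) return -1;
    memset(k, 0xA5, 16);             /* constructed secret, not real key data */
    backend_free = hold;             /* keep the old block allocated to read it */
    k2 = san_realloc(k, 4096);
    backend_free = free;
    if (!k2) { san_free(k); return -1; }
    for (size_t i = 0; i < sizeof(hdr_t) + 16; i++) left += held[i] != 0;
    free(held);
    san_free(k2);
    return left;
}
```

The wrapper only covers memory that passes through it; copies made elsewhere (stack buffers, swapped pages, caller-side duplicates) are the "many ways" the first message alludes to and need their own handling.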