Hi Henning and Alex, Thanks very much for the answers. I added the following line to /etc/systemd/system/kamailio.service, reloaded the systemd configuration, and restarted Kamailio. However the "OpenSSL version" logged by Kamailio is the same as before. I also tried using libcrypto.so instead of libssl.so with the same result. I was able to verify that the LD_PRELOAD environment variable was the correct value inside the startup script that's run by systemd. Have you any suggestions on what I could be doing wrong? Thanks again. Environment="LD_PRELOAD=/opt/openssl/lib64/libssl.so" On Thu, 1 Aug 2024 at 22:24, Alex Balashov via sr-users < sr-users(a)lists.kamailio.org&gt; wrote: -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782

Hi Henning, I've tried that but with no difference. Even when the environment variables are set directly in the script which runs the Kamailio binary, it still logs the same OpenSSL version as the Ubuntu one, not the FIPS version that we compiled into /opt. Would anyone have any suggestions on where to go from here? Thank you very much! On Fri, 16 Aug 2024 at 19:20, Henning Westerholt &lt;hw(a)gilawa.com&gt; wrote: -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782

Hi Henning, It's the same unfortunately, and reports the Ubuntu OpenSSL version rather than the OpenSSL version specified in the environment variables. For example: # ls /opt/openssl/lib64/libssl.so /opt/openssl/lib64/libssl.so # env | egrep 'LD_PRELOAD|LD_LIBRARY' LD_PRELOAD=libssl.so LD_LIBRARY_PATH=/opt/openssl/lib64 # /sbin/kamailio -m 512 -M 8 -P /var/run/enswitch/kamailio.pid loading modules under config path: /lib/kamailio/modules/:/lib64/kamailio/modules/ Listening on udp: xx.xx.xx.xx:5060 # grep 'OpenSSL version' /var/log/syslog | tail -n 1 Aug 22 16:53:50 caes8 /sbin/kamailio[769472]: INFO: tls [tls_mod.c:448]: mod_init(): use OpenSSL version: 30000020 But the OpenSSL in /opt/openssl/lib64 is version 3.0.9. BTW, it tried using libcrypto.so instead of libssl.so but it didn't work either. Is it possible to pass a specific version of OpenSSL to Kamailio at compile time, or something like that? Thanks again. On Thu, 22 Aug 2024 at 00:49, Henning Westerholt &lt;hw(a)gilawa.com&gt; wrote: -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782

Hello David, the version output is indeed the compiled version, sorry for the mistake. Check with the lsof command given earlier for the actually linked version. Otherwise, you could compile a custom kamailio specifically with a local OpenSSL by adapting the library paths, I think. But maybe its not needed, if you can confirm with the lsof command that its using the custom library already. Cheers, Henning From: David Cunningham &lt;dcunningham(a)voisonics.com&gt; Sent: Freitag, 23. August 2024 02:02 To: Henning Westerholt &lt;hw(a)gilawa.com&gt; Cc: Kamailio (SER) - Users Mailing List &lt;sr-users(a)lists.kamailio.org&gt; Subject: Re: [SR-Users] Re: Using a different OpenSSL Hi Henning, It's the same unfortunately, and reports the Ubuntu OpenSSL version rather than the OpenSSL version specified in the environment variables. For example: # ls /opt/openssl/lib64/libssl.so /opt/openssl/lib64/libssl.so # env | egrep 'LD_PRELOAD|LD_LIBRARY' LD_PRELOAD=libssl.so LD_LIBRARY_PATH=/opt/openssl/lib64 # /sbin/kamailio -m 512 -M 8 -P /var/run/enswitch/kamailio.pid loading modules under config path: /lib/kamailio/modules/:/lib64/kamailio/modules/ Listening on udp: xx.xx.xx.xx:5060 # grep 'OpenSSL version' /var/log/syslog | tail -n 1 Aug 22 16:53:50 caes8 /sbin/kamailio[769472]: INFO: tls [tls_mod.c:448]: mod_init(): use OpenSSL version: 30000020 But the OpenSSL in /opt/openssl/lib64 is version 3.0.9. BTW, it tried using libcrypto.so instead of libssl.so but it didn't work either. Is it possible to pass a specific version of OpenSSL to Kamailio at compile time, or something like that? Thanks again. On Thu, 22 Aug 2024 at 00:49, Henning Westerholt <hw@gilawa.com<mailto:hw@gilawa.com>> wrote: Hello David, does it work when you start the kamailio manually on the command line, not with systemd? Cheers, Henning From: David Cunningham <dcunningham@voisonics.com<mailto:dcunningham@voisonics.com>> Sent: Dienstag, 20. August 2024 02:32 To: Henning Westerholt <hw@gilawa.com<mailto:hw@gilawa.com>> Cc: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org>> Subject: Re: [SR-Users] Re: Using a different OpenSSL Hi Henning, I've tried that but with no difference. Even when the environment variables are set directly in the script which runs the Kamailio binary, it still logs the same OpenSSL version as the Ubuntu one, not the FIPS version that we compiled into /opt. Would anyone have any suggestions on where to go from here? Thank you very much! On Fri, 16 Aug 2024 at 19:20, Henning Westerholt <hw@gilawa.com<mailto:hw@gilawa.com>> wrote: Hello David, I have not tried it, but it might be the problem that you need to specify library name and library paths independently, e.g. refer to this discussion: https://stackoverflow.com/questions/72862714/systemd-ignores-ld-preload-var… Cheers, Henning -- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com<https://gilawa.com/> From: David Cunningham via sr-users <sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org>> Sent: Freitag, 16. August 2024 02:08 To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org>> Cc: David Cunningham <dcunningham@voisonics.com<mailto:dcunningham@voisonics.com>> Subject: [SR-Users] Re: Using a different OpenSSL Hi Henning and Alex, Thanks very much for the answers. I added the following line to /etc/systemd/system/kamailio.service, reloaded the systemd configuration, and restarted Kamailio. However the "OpenSSL version" logged by Kamailio is the same as before. I also tried using libcrypto.so instead of libssl.so with the same result. I was able to verify that the LD_PRELOAD environment variable was the correct value inside the startup script that's run by systemd. Have you any suggestions on what I could be doing wrong? Thanks again. Environment="LD_PRELOAD=/opt/openssl/lib64/libssl.so" On Thu, 1 Aug 2024 at 22:24, Alex Balashov via sr-users <sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org>> wrote: Yes, you can use the LD_LIBRARY_PATH, and `ldd` to verify. -- Alex Balashov Principal Consultant Evariste Systems LLC Web: https://evaristesys.com Tel: +1-706-510-6800 __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave@lists.kamailio.org<mailto:sr-users-leave@lists.kamailio.org> Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782 -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782 -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782

Hi Henning, The issue happens even if I run Kamailio directly from the command line, having set LD_LIBRARY_PATH in the environment first. Please see the commands below. OpenSSL 3.0.2 is installed with Ubuntu, and OpenSSL 3.0.9 with FIPS compiled in /opt/openssl. Setting LD_LIBRARY_PATH does seem to work for Apache, although Apache was compiled with the "--with-ssl=/opt/openssl" option. Would there by any chance be an equivalent for Kamailio? Thanks again for your help. root@caes8:~# ls /opt/openssl/lib64/ engines-3 libcrypto.a libcrypto.so libcrypto.so.3 libssl.a libssl.so libssl.so.3 ossl-modules pkgconfig root@caes8:~# export LD_LIBRARY_PATH=/opt/openssl/lib64 root@caes8:~# /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid loading modules under config path: /lib/kamailio/modules/:/lib64/kamailio/modules/ Listening on udp: xx.xx.xx.xx:5060 tls: xx.xx.xx.xx:5061 Aliases: root@caes8:~# ps -ef | grep kamailio | head product 2905052 1 9 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905078 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905079 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905080 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905081 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905082 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905083 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905084 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905085 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905087 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid root@caes8:~# grep -i 'OpenSSL version' /var/log/syslog | tail Aug 26 16:55:28 caes8 /sbin/kamailio[2905052]: INFO: tls [tls_mod.c:448]: mod_init(): use OpenSSL version: 30000020 On Sun, 25 Aug 2024 at 18:34, Richard Chan via sr-users < sr-users(a)lists.kamailio.org&gt; wrote: -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782

Hello David, thanks for reporting back. Just for the archives, the code change mentioned below was also integrated in git master. Cheers, Henning From: David Cunningham via sr-users &lt;sr-users(a)lists.kamailio.org&gt; Sent: Mittwoch, 4. September 2024 01:41 To: Kamailio (SER) - Users Mailing List &lt;sr-users(a)lists.kamailio.org&gt; Cc: David Cunningham &lt;dcunningham(a)voisonics.com&gt; Subject: [SR-Users] Re: Using a different OpenSSL Hi everyone, Just sharing that the solution was to add these two lines to the [Service] section of the systemd unit file: Environment=LD_LIBRARY_PATH=/opt/openssl/lib64 Environment=OPENSSL_CONF=/etc/ssl/fips.cnf And also apply a patch to Kamailio in src/modules/tls/tls_mod.c so that it logs the OpenSSL library at run-time, as well as the default logging of the OpenSSL library at compilation: 448c448,461 < LM_INFO("use OpenSSL version: %08x\n", (uint32_t)(OPENSSL_VERSION_NUMBER)); --- Tested with Kamailio 5.8.2. Hope this helps. On Tue, 27 Aug 2024 at 12:01, David Cunningham <dcunningham@voisonics.com<mailto:dcunningham@voisonics.com>> wrote: Hi Henning, The issue happens even if I run Kamailio directly from the command line, having set LD_LIBRARY_PATH in the environment first. Please see the commands below. OpenSSL 3.0.2 is installed with Ubuntu, and OpenSSL 3.0.9 with FIPS compiled in /opt/openssl. Setting LD_LIBRARY_PATH does seem to work for Apache, although Apache was compiled with the "--with-ssl=/opt/openssl" option. Would there by any chance be an equivalent for Kamailio? Thanks again for your help. root@caes8:~# ls /opt/openssl/lib64/ engines-3 libcrypto.a libcrypto.so libcrypto.so.3 libssl.a libssl.so libssl.so.3 ossl-modules pkgconfig root@caes8:~# export LD_LIBRARY_PATH=/opt/openssl/lib64 root@caes8:~# /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid loading modules under config path: /lib/kamailio/modules/:/lib64/kamailio/modules/ Listening on udp: xx.xx.xx.xx:5060 tls: xx.xx.xx.xx:5061 Aliases: root@caes8:~# ps -ef | grep kamailio | head product 2905052 1 9 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905078 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905079 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905080 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905081 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905082 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905083 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905084 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905085 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid product 2905087 2905052 0 16:55 ? 00:00:00 /sbin/kamailio -m 512 -M 8 -P /var/run/product/kamailio.pid root@caes8:~# grep -i 'OpenSSL version' /var/log/syslog | tail Aug 26 16:55:28 caes8 /sbin/kamailio[2905052]: INFO: tls [tls_mod.c:448]: mod_init(): use OpenSSL version: 30000020 On Sun, 25 Aug 2024 at 18:34, Richard Chan via sr-users <sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org>> wrote: Hello David, Can you present your launcher script here? LD_LIBRARY_PATH is the correct way to use an ABI compatible(same SONAME) alternative to a system library. The boilerplate looks like this: #!/bin/bash # IMPORTANT: intended replacements must have the same SONAME as what # tls.so was built with, i.e., libssl.so.3, libcrypto.so.3 # Your local artifacts libssl.so.3 libcrypto.so.3 installed to /opt/openssl3/lib64 # EITHER export LD_LIBRARY_PATH=/opt/openssl3/lib64 #export is required /usr/sbin/kamailio <args .....> # OR - same line - LD_LIBRARY_PATH=/opt/openssl3/lib64 /usr/sbin/kamailio <args .....> Cheers Richard __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave@lists.kamailio.org<mailto:sr-users-leave@lists.kamailio.org> Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782 -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782