[Freeswitch-users] 1.4/master openssl requirement change.

Privus P privus007 at gmail.com
Sun Feb 2 20:55:18 MSK 2014


Well done guys.
This, to me, seems like a no-brainer. If we want to use WebRTC and if we
care about security at all - which nowadays has become pretty important to
more and more people - then we should definitely update to the latest
openssl. Having FS limited to TLS 1.0 with all its inherent security
weaknesses always seemed dodgy to me.
I for one welcome the security upgrade, even if it makes life a little
harder while we all transition.

Just my 2 cents.


On Thu, Jan 30, 2014 at 6:19 PM, Anthony Minessale <
anthony.minessale at gmail.com> wrote:

> It's a question of bundling the ones that get a benefit from bundling.  We
> never bundled openssl, the problem was that we need certain features from a
> modern version of openssl and the older versions were not really working
> correctly even when they compiled properly.
>
>
>
> On Thu, Jan 30, 2014 at 12:06 PM, François <fdelawarde at wirelessmundi.com> wrote:
>
>> Hi Mike,
>>
>> What happened with the arguments in:
>> http://www.freeswitch.org/node/472
>>
>> I'm quite confused, you guys just convinced me of the benefits of
>> bundling libs, and now I have to go back and say to everyone how system
>> libs are better for FS?
>>
>> No way! :-)
>>
>> Regards,
>> --
>> François
>>
>>
>> On Thu, 2014-01-30 at 10:07 -0500, Michael Jerris wrote:
>> > The upside is the control, the downside is that it requires us to
>> > maintain them for security issues and such. We are leaning towards
>> > moving to system libs where it's practical.
>> >
>> > On Jan 30, 2014, at 4:07 AM, François <fdelawarde at wirelessmundi.com>
>> > wrote:
>> >
>> > > Hi Anthony,
>> > >
>> > > Thanks for the tip, sounds like the best option!
>> > >
>> > > BTW, why isn't OpenSSL just bundled into FreeSWITCH source like many
>> > > other libraries? Wouldn't it prevent all these issues and give you guys
>> > > more control to change versions or patch at will?
>> > >
>> > > Thanks,
>> > > François.
>> > >
>> > >
>> > > On Wed, 2014-01-29 at 16:19 -0600, Anthony Minessale wrote:
>> > >> Here is a recipe for cent5 and probably other linux if someone would
>> > >> be so kind as to clean it up and document and maybe make into a shell
>> > >> script.
>> > >>
>> > >>
>> > >> wget http://www.openssl.org/source/openssl-1.0.1f.tar.gz
>> > >> tar -zxvf openssl-1.0.1f.tar.gz
>> > >> cd openssl-1.0.1f
>> > >> ./config --prefix=/usr/openssl101f -fPIC
>> > >>
>> > >> make
>> > >> make install
>> > >>
>> > >>
>> > >> then go over to FS build root (even on existing build that had picked
>> > >> up the dependency by a git pull)
>> > >>
>> > >> ./configure CFLAGS="-I/usr/openssl101f/include" LDFLAGS="-L/usr/openssl101f/lib"
>> > >>
>> > >> Then build as normal
>> > >>
>> > >> /usr/openssl101f can really be anywhere and it's a static linking so
>> > >> you don't need to distribute it.
>> > >>
>> > >> On Wed, Jan 29, 2014 at 3:54 PM, Michael Jerris <mike at jerris.com> wrote:
>> > >>
>> > >> > Fair enough, I'm not actually a huge fan of homebrew either,
>> > >> > but one thing it does quite nicely is to install conflicting
>> > >> > libraries into a location that will not conflict with system
>> > >> > libraries for things that may conflict, specifically:
>> > >> >
>> > >> > /usr/local/opt/openssl/
>> > >> >
>> > >> > if you want to build your own, without having to change your
>> > >> > freeswitch build procedures, make sure the libs end up
>> > >> > in /usr/local/opt/openssl/lib and the headers get
>> > >> > into /usr/local/opt/openssl/include.
>> > >> >
>> > >> > Alternatively, you can pick whatever directory you like to
>> > >> > build into, I would suggest something not part of the typical
>> > >> > lib chain, and specify to configure such as:
>> > >> >
>> > >> > ./configure LDFLAGS=-L/usr/local/opt/openssl/lib CFLAGS=-I/usr/local/opt/openssl/include
>> > >> >
>> > >> > Mike
>> > >> >
>> > >> > On Jan 29, 2014, at 4:41 PM, Michael Jerris <mike at jerris.com> wrote:
>> > >> >
>> > >> >> We do not look at the version number, we look at support for
>> > >> >> features that were added after 1.0.1c was released. I'm not
>> > >> >> positive if they are in 1.0.1d or not, but for pretty much
>> > >> >> everyone I would recommend you be on at least 1.0.1f or
>> > >> >> equivalent security patches. The 1.0.1e latest package in
>> > >> >> wheezy I think is effectively the same as 1.0.1f as 1.0.1f was
>> > >> >> just 1.0.1e plus some security patches I know they pulled in.
>> > >> >>
>> > >> >> On Jan 29, 2014, at 3:21 PM, Tamas Jalsovszky <jalsot at gmail.com> wrote:
>> > >> >>
>> > >> >>> Hello,
>> > >> >>>
>> > >> >>> As far as I know, on Ubuntu 12.04 the latest openssl
>> > >> >>> package is: 1.0.1-4ubuntu5.11
>> > >> >>> As you can see, there is no 'e' letter, however as we have
>> > >> >>> checked, ubuntu backported changes from 1.0.1 (including e
>> > >> >>> afaik) to this package. We have successful tests with webrtc
>> > >> >>> on 12.04.
>> > >> >>> Would it be possible to not hardcode that way 1.0.1e?
>> > >> >>>
>> > >> >>> T.
>> > >>
>> > >>
>> > >>
>> >
>> _________________________________________________________________________
>> > >> Professional FreeSWITCH Consulting Services:
>> > >> consulting at freeswitch.org
>> > >> http://www.freeswitchsolutions.com
>> > >>
>> > >> 
>> > >> 
>> > >>
>> > >> Official FreeSWITCH Sites
>> > >> http://www.freeswitch.org
>> > >> http://wiki.freeswitch.org
>> > >> http://www.cluecon.com
>> > >>
>> > >> FreeSWITCH-users mailing list
>> > >> FreeSWITCH-users at lists.freeswitch.org
>> > >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> > >>
>> > UNSUBSCRIBE:
>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>> > >> http://www.freeswitch.org
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >> --
>> > >> Anthony Minessale II ♬ @anthmfs ♬ @FreeSWITCH ♬
>> > >>
>> > >> ☞ http://freeswitch.org/ http://cluecon.com/ http://twitter.com/FreeSWITCH
>> > >> ☞ irc.freenode.net #freeswitch ☞ http://freeswitch.org/g+
>> > >>
>> > >>
>> > >> ClueCon Weekly Development Call
>> > >>
>> > >> ☎ sip:888 at conference.freeswitch.org ☎ +19193869900
>> > >>
>
>
>
> --
> Anthony Minessale II       ♬ @anthmfs  ♬ @FreeSWITCH  ♬
>
> http://freeswitch.org/ http://cluecon.com/ http://twitter.com/FreeSWITCH
> ☞ irc.freenode.net #freeswitch ☞ http://freeswitch.org/g+
>
> ClueCon Weekly Development Call
> ☎ sip:888 at conference.freeswitch.org  ☎ +19193869900
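
The version-string problem raised in the quoted thread (an Ubuntu package numbered 1.0.1-4ubuntu5.11 that carries backported fixes, and the reply that the build checks features rather than the version number) can be shown with a small triage script. This is an added example, not code from the thread or from FreeSWITCH; the verdict names, the function names and every sample string except the Ubuntu one are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not FreeSWITCH code): triage OpenSSL version strings against a
# minimum upstream release. The 1.0.1f default is the recommendation quoted in
# the thread; the three verdict names are this example's own.

# version_key 1.0.1f -> 1000106 (major, minor, patch, letter index, 2 digits each)
version_key() {
    printf '%s\n' "$1" | awk -F. '{
        patch = $3; idx = 0
        if (match(patch, /[a-z]+$/)) {
            idx = index("abcdefghijklmnopqrstuvwxyz", substr(patch, RSTART, 1))
            patch = substr(patch, 1, RSTART - 1)
        }
        printf "%d\n", (($1 * 100 + $2) * 100 + patch) * 100 + idx
    }'
}

# classify_openssl <version string> [minimum]
#   ok              upstream version is at or above the minimum
#   check-backports same branch, older letter, but a distro revision is present:
#                   the string cannot say which fixes were backported
#   too-old         everything else
classify_openssl() {
    ver=$1
    min=${2:-1.0.1f}
    # Accept `openssl version` output such as "OpenSSL 1.0.1f 6 Jan 2014".
    case $ver in
        "OpenSSL "*) ver=${ver#OpenSSL }; ver=${ver%% *} ;;
    esac
    upstream=${ver%%-*}              # drop a distro revision like "-4ubuntu5.11"
    have=$(version_key "$upstream")
    need=$(version_key "$min")
    if [ "$have" -ge "$need" ]; then
        echo ok
    elif [ "$upstream" != "$ver" ] && [ $((have / 100)) -eq $((need / 100)) ]; then
        echo check-backports
    else
        echo too-old
    fi
}

# Constructed samples, except 1.0.1-4ubuntu5.11 which is quoted in the thread.
for v in "OpenSSL 1.0.1f 6 Jan 2014" 1.0.1-4ubuntu5.11 1.0.1e-2+deb7u4 1.0.1c 0.9.8e-27.el5; do
    printf '%-28s %s\n' "$v" "$(classify_openssl "$v")"
done
```

A `check-backports` verdict means the package changelog or a feature test has to decide, which is the reason given in the thread for not comparing version numbers.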