Debian Buster updated /etc/ssl/openssl.cnf to default to
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
gentls_cert currently uses SHA1 as message digest. According to OpenSSL
documentation this only offers 80 bit of security. 80 bits is enough for
security level 1, but not 2.
The OpenSSL default MD nowadays is SHA256. This commit updates
gentls_cert to use it.
Issue was reported on the FS mailing list. The certificates created by
gentls_cert caused "md too weak" errors and clients were unable to
connect.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
[build] OSX Catalina configure does not support --extra-cflags and fix broken compiler option test for -Wno-extended-offsetof that was used to fix older osx clang issue
From FS-11833.
After FS sends a reINVITE to T38 which gets rejected by peer it is no
longer in a state where it can properly answer a reINVITE which requests
a change of the media setup.
1. FS sends INVITE (destination is a fax machine)
2. Call connects with "8 101"
3. FS sends reINVITE to T38
4. T38 rejected (488)
5. FS receives INVITE to "8"
6. FS replies with 200 OK without SDP
7. Call fails
The bug is related to TFLAG_SDP. This flag is set when a media session
is established. And when there's a reINVITE sofia_glue_do_invite() from
sofia_glue.c is called and clears the flag again:
sofia_clear_flag_locked(tech_pvt, TFLAG_SDP);
So when FS sends a reINVITE to T38 the flag gets cleared. But when the
reINVITE is rejected with 488 the flag is not set again. It stays
cleared. So the call continues with the previously negotiated media, fax
passthrough (8 101 in this case), but TFLAG_SDP is not set.
So when FS receives a reINVITE at this point it doesn't see the need to
renegotiate anything, even though it realizes that 2833 DTMF is now off:
2019-04-30 16:42:12.478025 [DEBUG] switch_core_media.c:5478 Audio Codec Compare [PCMA:8:8000:20:64000:1]/[PCMA:8:8000:20:64000:1]
2019-04-30 16:42:12.478025 [DEBUG] switch_core_media.c:5533 Audio Codec Compare [PCMA:8:8000:20:64000:1] ++++ is saved as a match
2019-04-30 16:42:12.478025 [DEBUG] switch_core_media.c:5802 No 2833 in SDP. Disable 2833 dtmf and switch to INFO
When FS doesn't send a reINVITE (fax_enable_t38_request=false) and the
reINVITE to "8" is received, TFLAG_SDP is still set and then FS
understands that it needs to renegotiate and replies with a 200 OK that
includes SDP:
2019-04-30 16:41:19.358028 [DEBUG] switch_core_media.c:5478 Audio Codec Compare [PCMA:8:8000:20:64000:1]/[PCMA:8:8000:20:64000:1]
2019-04-30 16:41:19.358028 [DEBUG] switch_core_media.c:5533 Audio Codec Compare [PCMA:8:8000:20:64000:1] ++++ is saved as a match
2019-04-30 16:41:19.358028 [DEBUG] switch_core_media.c:5802 No 2833 in SDP. Disable 2833 dtmf and switch to INFO
2019-04-30 16:41:19.358028 [DEBUG] sofia.c:8237 skemper was here in line 8232
2019-04-30 16:41:19.358028 [DEBUG] switch_core_media.c:8390 skemper was here in line 8390.
2019-04-30 16:41:19.358028 [DEBUG] switch_core_media.c:8496 Audio params are unchanged for sofia/external/+called_number.
2019-04-30 16:41:19.358028 [DEBUG] sofia.c:8243 Processing updated SDP
This fixes the state problem after a rejected T38 reINVITE by setting
TFLAG_SDP.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Related to FS-11309.
Commit bc3e1c9e7de1855eec454bba467fd2586e5e251b introduced a typo that
results in EL_REFRESH never being used, even if available. This can
cause the screen to garble.
This fixes the typo.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Taken from FS-11193:
In "event_handler()" function, when encrypting data using openssl 1.1.0,
the context ctx is allocated by "EVP_CIPHER_CTX_new()", then data is
encrypted, and at the end, EVP_CIPHER_CTX_cleanup is called. This
function resets the context (the function itself is deprecated, and has
been renamed to "EVP_CIPHER_CTX_reset) so that it can be used again. The
correct call would be to "EVP_CIPHER_CTX_free()", which frees the
memory. The code for openssl 1.0 is OK, since the "ctx" struct is kept
in stack. The same thing happens during decryption. "ctx" is allocated,
but never freed.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
