Using libwebsockets + ssl in asterisk getting error creating ssl context 140A90A1:lib(20):func(169):reason(161)


We are using libwebsockets 1.3 in our SSL-enabled web socket client program written in C. We are compiling on CentOS 6.5 with openssl 1.0.1 installed, making a .so library which is later used in asterisk. The compilation goes fine but I'm getting this runtime error:

problem creating ssl context 336236705: error:140A90A1:lib(20):func(169):reason(161)

Going through libwebsockets code I spotted the part that is generating the error message (lib/ssl.c line 90):

/* basic openssl init */

SSL_library_init();

OpenSSL_add_all_algorithms();
SSL_load_error_strings();

openssl_websocket_private_data_index =
    SSL_get_ex_new_index(0, "libwebsockets", NULL, NULL, NULL);

/*
 * Firefox insists on SSLv23 not SSLv3
 * Konq disables SSLv2 by default now, SSLv23 works
 */

method = (SSL_METHOD *)SSLv23_server_method();

if (!method) {
    error = ERR_get_error();
    lwsl_err("problem creating ssl method %lu: %s\n", 
        error, ERR_error_string(error,
                      (char *)context->service_buffer));
    return 1;
}

context->ssl_ctx = SSL_CTX_new(method); /* create context */
if (!context->ssl_ctx) {
    error = ERR_get_error();
    lwsl_err("problem creating ssl context %lu: %s\n",
        error, ERR_error_string(error,
                      (char *)context->service_buffer));
    return 1;
}

Which, according to examples I've seen on the web, looks absolutely fine. I've been scratching my head, searching and trying everything for the past couple of days, including reinstalling different versions of openssl, changing the code above, replacing SSLv23_server_method with other methods, etc., but can't get it to work. Does anybody know where the problem might be?


Additional information: Using ERR_print_errors_fp() I get:

3077879544:error:140A90A1:lib(20):func(169):reason(161):ssl_lib.c:1802:

Part of our code that calls libwebsocket_create_context looks like this:

int opts = 0;

const char *interface = NULL;

int listen_port;

memset(&wsInfo, 0, sizeof wsInfo);

listen_port = CONTEXT_PORT_NO_LISTEN;

wsInfo.port = listen_port;
wsInfo.iface = interface;
wsInfo.protocols = protocols;
wsInfo.extensions = libwebsocket_get_internal_extensions();

wsInfo.gid = -1;
wsInfo.uid = -1;
wsInfo.options = opts;

wsContext = libwebsocket_create_context(&wsInfo);

The program is compiled into a .so library and the library is used in our modified version of asterisk (which itself uses openssl as far as I know).

There are 4 answers

0
nobody On BEST ANSWER

The problem is that asterisk overrides all openssl initialization functions, including SSL_library_init() and OpenSSL_add_all_algorithms(), in main\libasteriskssl.c and replaces them with dummy functions that do nothing. Instead, it defines an ast_ssl_init() which does all the initializations and is called once in main() in main/asterisk.c; my code happened to be before that call.

1
abligh On

Too long for a comment, but:

First things first, let's eliminate your code. In the libwebsockets distribution, in test/test-server.c there is a test server that works with SSL. Does that work? If so, I'm guessing it's something you are doing in your code (in which case we are going to need some of your code). If not, I'm guessing it's your distribution.

Next, let's make that error message a bit more informative. Can you introduce ERR_print_errors_fp() to print SSL errors to stderr or similar, and tell us what it says?

0
jww On

problem creating ssl context 336236705: error:140A90A1:lib(20):func(169):reason(161)

This may have helped:

$ openssl errstr 0x140A90A1
error:140A90A1:SSL routines:SSL_CTX_new:library has no ciphers

"library has no ciphers" is a sure sign the library was not initialized. See OpenSSL's wiki page on initializing the library at Library Initialization.

Since Asterisk is doing really clever things, you should check what else it's doing. In particular, you should ensure it's not using weak/wounded/broken protocols and cipher suites. An example of how to improve a security posture can be found at SSL/TLS Client. The sample ensures TLS 1.0 and above, and uses "strong" cipher suites.
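
The decoding that `openssl errstr` performs can also be done by hand when the error strings were never loaded. The following is an added example, not code from any of the posts or from OpenSSL; it assumes the OpenSSL 1.0.x packing of error codes (8-bit library, 12-bit function, 12-bit reason), and the `ossl_err_*` names are hypothetical:

```c
#include <stdio.h>
#include <string.h>

/* Packed OpenSSL 1.0.x error code: 8-bit library, 12-bit function,
 * 12-bit reason (the ERR_PACK layout of that branch). */
struct ossl_err { unsigned long code; unsigned lib, func, reason; };

/* Split a code the way ERR_GET_LIB/FUNC/REASON do in 1.0.x. */
struct ossl_err ossl_err_unpack(unsigned long code)
{
    struct ossl_err e = { code, (unsigned)((code >> 24) & 0xffUL),
                          (unsigned)((code >> 12) & 0xfffUL),
                          (unsigned)(code & 0xfffUL) };
    return e;
}

/* Find "error:HEX:lib(N):func(N):reason(N)" in a log line. Returns 0, -1 if
 * malformed, or -2 if the printed fields contradict the packed code. */
int ossl_err_parse(const char *line, struct ossl_err *out)
{
    unsigned long code;
    unsigned lib, func, reason;
    const char *p = strstr(line, "error:");
    if (!p || sscanf(p, "error:%lx:lib(%u):func(%u):reason(%u)",
                     &code, &lib, &func, &reason) != 4)
        return -1;
    *out = ossl_err_unpack(code);
    return (out->lib == lib && out->func == func &&
            out->reason == reason) ? 0 : -2;
}

/* 1 if the line carries this page's code (SSL library 20, SSL_CTX_new 169,
 * "library has no ciphers" 161), 0 for another code, <0 on parse error. */
int ossl_err_is_no_ciphers(const char *line)
{
    struct ossl_err e;
    int rc = ossl_err_parse(line, &e);
    return rc ? rc : (e.lib == 20 && e.func == 169 && e.reason == 161);
}

int main(void)
{
    /* ERR_print_errors_fp() line copied from the question. */
    const char *l = "3077879544:error:140A90A1:lib(20):func(169):"
                    "reason(161):ssl_lib.c:1802:";
    printf("no_ciphers=%d\n", ossl_err_is_no_ciphers(l));
    return 0;
}
```

The decimal number in the libwebsockets message (336236705) is the same packed value as the hex 140A90A1, so either form can be passed to `ossl_err_unpack`.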

2
thejinx0r On

I got this error too by using a library that used the boost asio. The lib was compiled against openssl-1.0, while my binary was compiled against openssl-1.1.

Switching my binary to also use openssl-1.0 solved the issue for me.