Asterisk SSL Support Broken With Update From Openssl-1.0.0 To 1.0.1e, Recompiling Does *not* Help


I am having an issue that prevents WebSockets over SSL/TLS (or any kind of encrypted HTTP traffic to Asterisk) from working after an openssl library update.

My setup is CentOS 6 x86_64, and initially, with openssl[-devel]-1.0.0-20.el6_2.5.x86_64. With this openssl version, https over TCP port 8089 initializes correctly with asterisk-11.7.0. After an upgrade to openssl[-devel]-1.0.1e-16.el6_5.4.x86_64, I compiled asterisk-11.8.1. When testing the exact same configuration, I noticed that TCP port 8089 was no longer listening, even though TCP port 8088 (standard unencrypted HTTP) was. After a patch coaxing some error message to be shown in the logs, I got the following:

[Mar 27 10:25:47] DEBUG[10516] config.c: Parsing /etc/asterisk/acl.conf
[Mar 27 10:25:47] VERBOSE[10516] config.c: == Parsing '/etc/asterisk/acl.conf': Found
[Mar 27 10:25:47] DEBUG[10516] config.c: Parsing /etc/asterisk/http.conf
[Mar 27 10:25:47] VERBOSE[10516] config.c: == Parsing '/etc/asterisk/http.conf': Found
[Mar 27 10:25:47] DEBUG[10516] netsock2.c: Splitting '0.0.0.0' into...
[Mar 27 10:25:47] DEBUG[10516] netsock2.c: ...host '0.0.0.0' and port ''.
[Mar 27 10:25:47] DEBUG[10516] config.c: extract uint from [8088] in [0, 65535] gives [8088](0)
[Mar 27 10:25:47] DEBUG[10516] netsock2.c: Splitting '0.0.0.0:8089' into...
[Mar 27 10:25:47] DEBUG[10516] netsock2.c: ...host '0.0.0.0' and port '8089'.
[Mar 27 10:25:47] DEBUG[10516] config.c: extract addr from 0.0.0.0:8089 gives 0.0.0.0:8089(0)
[Mar 27 10:25:47] VERBOSE[10516] http.c: Bound HTTP server to address 0.0.0.0:0
[Mar 27 10:25:47] DEBUG[10516] tcptls.c: Sorry, SSL_CTX_new call returned null... (sslerror36236705 sslstring="error:140A90A1:lib(20):func(169):reason(161)")
[Mar 27 10:25:47] VERBOSE[10516] manager.c: == Manager registered action Ping

From googling around, I see that reason(161) means that somehow, there are no loaded cyphers for SSL (source: http://marc.info/?l=openssl-users&m
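
The packed code in the tcptls.c line above can be unpacked mechanically. The following is an added example, not part of the original post or of Asterisk: it scans log lines for OpenSSL error strings and splits them into library, function and reason, assuming the OpenSSL 1.0.x error layout. The names `decode` and `scan` are hypothetical, and the second sample line is constructed.

```python
import re

# OpenSSL 1.0.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits),
# the same split the ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros perform.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# Symbolic names from the OpenSSL 1.0.x headers, limited to the code seen in this post.
LIB_NAMES = {20: "ERR_LIB_SSL"}
FUNC_NAMES = {(20, 169): "SSL_F_SSL_CTX_NEW"}
REASON_NAMES = {(20, 161): "SSL_R_LIBRARY_HAS_NO_CIPHERS"}


def decode(code):
    """Split a packed 1.0.x error code into its numeric and symbolic parts."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    return {
        "lib": lib, "func": func, "reason": reason,
        "lib_name": LIB_NAMES.get(lib, "unknown"),
        "func_name": FUNC_NAMES.get((lib, func), "unknown"),
        "reason_name": REASON_NAMES.get((lib, reason), "unknown"),
    }


def scan(lines):
    """Return one decoded record per OpenSSL error string, tagged with its line number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in ERR_RE.finditer(line):
            record = decode(int(match.group(1), 16))
            record["line"] = lineno
            findings.append(record)
    return findings


SAMPLE_LOG = [
    # Taken from the post above.
    '[Mar 27 10:25:47] DEBUG[10516] tcptls.c: Sorry, SSL_CTX_new call returned null... '
    '(sslerror36236705 sslstring="error:140A90A1:lib(20):func(169):reason(161)")',
    # Constructed line: a code outside the small name table decodes numerically only.
    '[Mar 27 10:25:48] DEBUG[10516] tcptls.c: sslstring="error:0906D06C:lib(9):func(109):reason(108)"',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec)
```

On a host with the OpenSSL command-line tool installed, `openssl errstr 140A90A1` prints the library's own text for the same code.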