sipcapture / captagent

100% Open-Source Packet Capture Agent for HEP
https://sipcapture.org
GNU Affero General Public License v3.0

"TLS has been not enabled." - even after fresh reinstall #270

Closed eq-spo closed 8 months ago

eq-spo commented 1 year ago

Hi everyone,

We are trying to get TLS to work, but are getting: [ERR] protocol_tls.c:269 TLS has been not enabled. Please reconfigure captagent with param --enable-ssl and --enable-tls

We have deleted captagent completely and installed/compiled it with the flags as mentioned in the TLS wiki page. The dependencies libgcrypt20, libgcrypt20-dev, libssl-dev and openssl are also installed.

With ./configure --enable-tls --enable-ssl we get the following summary at the end of the run:

captagent 6.4.1

Build directory............. :
Installation prefix......... : /usr/local/captagent
HEP Compression............. : no
IPv6 support.................: no
HEP SSL/TLS................. : yes
Flex........................ : flex
Bison....................... : bison -y

Build with REDIS............ : no
Build with MySQL............ : no
Build with PCRE............. : no
Build with LibUV............ : yes
Build with EPAN............. : no
Build with TLS.............. : yes

Looks good, but after make && sudo make install and re-entering the needed values in the config files, we are still getting the above-mentioned error.

captagent.xml:

...
<load module="transport_hep" register="local"/>
<load module="protocol_sip" register="local"/>
<load module="database_hash" register="local"/>
<load module="protocol_rtcp" register="local"/>
<load module="protocol_tls" register="local"/>
<load module="socket_pcap" register="local"/>
...

socket_pcap.xml

...
        <profile name="socketspcap_tls_ens257" description="TLS Socket" enable="true" serial="2014010402">
            <settings>
                <param name="dev" value="ens257"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="false"/>
                <param name="tcpdefrag" value="true"/>
                <param name="capture-plan" value="tls_capture_plan.cfg"/>
                <param name="filter">
                    <value>tcp port 5061</value>
                </param>
            </settings>
        </profile>
...

protocol_tls.xml

<?xml version="1.0"?>
<document type="captagent_module/xml">
  <module name="protocol_tls" description="TLS Protocol" serial="2014010402">
    <profile name="proto_tls" description="TLS PROTO" enable="true" serial="2014010402">
      <settings>
        <param name="flow-timeout" value="180"/>
        <!-- the value of private-key-path is the absolute path of the key (used for decryption) -->
        <param name="private-key-path" value="/etc/ssl/private/trunking.key"/>
      </settings>
    </profile>
  </module>
</document>

The key mentioned above is a 2048 bit RSA private key and we are using TLS_RSA_WITH_AES_256_GCM_SHA384.

The only thing that seemed a little weird was the ./configure output: most of the lines end with a "yes" or similar, but the ones for mysql, ssl and the like have nothing after the dots:

...
checking whether UID '0' is supported by ustar format... yes
checking whether GID '0' is supported by ustar format... yes
checking how to create a ustar tar archive... gnutar
checking whether make supports nested variables... (cached) yes
checking whether to use compression... 
checking whether to use ssl... 
checking whether to use mysql... 

checking whether to use pcre... 
checking whether to use redis... 

checking whether to use TLS...

checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to print strings... printf
...

Could we be missing something here? Perhaps the configure script is ignoring the --enable arguments?

kYroL01 commented 1 year ago

Hi @eq-spo, you're one of the few who are trying this feature :) I'm sure you already read this https://github.com/sipcapture/captagent/wiki/TLS and that you're aware that this key is not fully secure anymore (just to be sure). Anyway, I will try it again once I can so I can give help on this.

NOTE: I will remove the mysql module inside of captagent as we don't support it anymore.

greenbea commented 8 months ago

When --enable-ssl is set, the configure.ac script defines the SSL macro here, but it is never used throughout the code.

The only SSL-related macro used in the code is USE_SSL. The configure.ac supposedly sets it here, but the if check if test "$SSL" = "yes"; never evaluates to true. I modified the if statement to if test "$enableSSL" = "yes"; it passed, but then failed with the following error:

configure: checking for OpenSSL SSL Library and Header files...
checking openssl/ssl.h usability... no
checking openssl/ssl.h presence... yes
configure: WARNING: openssl/ssl.h: present but cannot be compiled
configure: WARNING: openssl/ssl.h:     check for missing prerequisite headers?
configure: WARNING: openssl/ssl.h: see the Autoconf documentation
configure: WARNING: openssl/ssl.h:     section "Present But Cannot Be Compiled"
configure: WARNING: openssl/ssl.h: proceeding with the compiler's result
configure: WARNING:     ## ------------------------------------- ##
configure: WARNING:     ## Report this to support@sipcapture.org ##
configure: WARNING:     ## ------------------------------------- ##
checking for openssl/ssl.h... no
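
The variable mismatch greenbea describes, and the blank "checking whether to use ..." results eq-spo noticed, modelled as an added illustration (this is not captagent's own configure.ac; the assumption that --enable-ssl sets a shell variable named enableSSL while the later test reads SSL is taken from the comment above):

```shell
#!/bin/sh
# Added illustration, not captagent's configure.ac. Assumption: --enable-ssl
# sets the shell variable enableSSL, while the USE_SSL check reads SSL.

# Parse configure-style options. Sets enableSSL/enableTLS to yes or no;
# nothing ever assigns SSL, mirroring the reported bug.
parse_opts() {
    unset SSL
    enableSSL=no
    enableTLS=no
    for arg in "$@"; do
        case "$arg" in
            --enable-ssl) enableSSL=yes ;;
            --enable-tls) enableTLS=yes ;;
        esac
    done
}

# Buggy form: tests $SSL, which no option sets, so USE_SSL would never be
# defined even when --enable-ssl was given. Prints defined/undefined.
use_ssl_buggy() {
    parse_opts "$@"
    if test "$SSL" = "yes"; then echo defined; else echo undefined; fi
}

# Corrected form: tests the variable the option actually sets.
use_ssl_fixed() {
    parse_opts "$@"
    if test "$enableSSL" = "yes"; then echo defined; else echo undefined; fi
}

# Diagnostic for a configure transcript on stdin: a "checking whether to
# use X..." line with nothing after the dots means the option handling
# produced no answer. Prints the option names with an empty result.
blank_configure_results() {
    sed -n 's/^checking whether to use \([A-Za-z]*\)\.\.\.[[:space:]]*$/\1/p'
}
```

Run `./configure ... 2>&1 | tee configure.log` and feed the log to blank_configure_results to see which options silently produced no result.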

kYroL01 commented 8 months ago

Hi @greenbea, first of all, --enable-tls and --enable-ssl are for two different things. I will recheck the part you mentioned anyway, just to be sure.

I will work on a new version of captagent in the following months.

Thank you