Configure OpenSSL for Linux
When using any Speech SDK version before 1.9.0, OpenSSL is dynamically linked against the host system's OpenSSL. In later versions of the Speech SDK, OpenSSL is statically linked into the core library of the Speech SDK. Speech SDK versions 1.9.0 to 1.16.0 use OpenSSL version 1.1.1b. Speech SDK version 1.17.0 onward uses OpenSSL version 1.1.1k. Because the statically linked OpenSSL is not updated by the distribution's package manager, upgrading the Speech SDK is the only way to pick up OpenSSL fixes; the SDK still uses the host system's CA certificate store for TLS verification, so that store must be installed and discoverable as described below.
To ensure connectivity, verify that OpenSSL certificates have been installed on your system. Run the command:
openssl version -d
On Ubuntu/Debian based systems the output should be:
OPENSSLDIR: "/usr/lib/ssl"
Check whether there is a certs subdirectory under OPENSSLDIR. In the example above, it would be /usr/lib/ssl/certs.
If /usr/lib/ssl/certs exists and contains many individual certificate files (with the .pem extension), no further action is needed.
If OPENSSLDIR is something other than /usr/lib/ssl, and/or there is a single certificate bundle file instead of multiple individual files, you need to set the appropriate OpenSSL environment variable to indicate where the certificates can be found. SSL_CERT_DIR and SSL_CERT_FILE are standard OpenSSL variables, so they affect every OpenSSL-based program in that process's environment, not only the Speech SDK. Note that OpenSSL looks up files in SSL_CERT_DIR by subject-name hash, so a directory of individual .pem files must contain the hash symlinks that openssl rehash (or c_rehash) creates; distribution packages create these for you.
- OPENSSLDIR is /opt/ssl. There is a certs subdirectory with many .pem files. Set the environment variable SSL_CERT_DIR to point at /opt/ssl/certs before running a program that uses the Speech SDK. For example:
  export SSL_CERT_DIR=/opt/ssl/certs
- OPENSSLDIR is /etc/pki/tls (as on RHEL/CentOS based systems). There is a certs subdirectory with a certificate bundle file, for example ca-bundle.crt. Set the environment variable SSL_CERT_FILE to point at that file before running a program that uses the Speech SDK. For example:
  export SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
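The following pre-flight script is an added example, not code from the Speech SDK documentation or the SDK itself. It automates the checks above: it reads OPENSSLDIR from the openssl binary, decides whether the layout is the Ubuntu/Debian default (no action), a certs directory of individual .pem files (SSL_CERT_DIR), or a single bundle file (SSL_CERT_FILE), and prints the export line to run before starting a Speech SDK program. It also reports whether TMPDIR/TMP is set, which the Certificate Revocation Checks section below relies on for CRL caching. The bundle file names probed besides ca-bundle.crt, and the DEFAULT_OPENSSLDIR override, are assumptions made for this example.

```shell
#!/bin/sh
# Pre-flight check for the Speech SDK's OpenSSL trust-store lookup on Linux.
# Added example; assumptions: bundle names other than ca-bundle.crt, and the
# DEFAULT_OPENSSLDIR override (exists so the logic can be exercised on a test tree).

DEFAULT_OPENSSLDIR="${DEFAULT_OPENSSLDIR:-/usr/lib/ssl}"   # Ubuntu/Debian default

# Print the OPENSSLDIR reported by the openssl binary on PATH, e.g. /usr/lib/ssl
openssl_dir() {
    openssl version -d | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Given an OPENSSLDIR, print the export line a Speech SDK process needs, or
# "none" when the default layout is already in place. Returns 1 when no
# certificates are found at all. (Plain assignments: POSIX sh has no 'local'.)
cert_env_for() {
    dir="$1"
    certs="$dir/certs"

    # Case 1: certs/ holds individual .pem files (hashed directory layout).
    # The glob leaves the literal pattern in $1 when nothing matches.
    set -- "$certs"/*.pem
    if [ -d "$certs" ] && [ -e "$1" ]; then
        if [ "$dir" = "$DEFAULT_OPENSSLDIR" ]; then
            echo "none"
        else
            echo "export SSL_CERT_DIR=$certs"
        fi
        return 0
    fi

    # Case 2: a single bundle file. ca-bundle.crt is the RHEL/CentOS name from
    # the docs; the other names are common alternatives assumed here.
    for bundle in "$certs/ca-bundle.crt" "$certs/ca-certificates.crt" "$dir/cert.pem"; do
        if [ -f "$bundle" ]; then
            echo "export SSL_CERT_FILE=$bundle"
            return 0
        fi
    done

    echo "no CA certificates found under $dir; install the distribution's ca-certificates package" >&2
    return 1
}

# Given the current TMPDIR and TMP values, print the export needed for on-disk
# CRL caching, or "none" if one of them is already set.
tmpdir_env() {
    if [ -n "${1:-}" ] || [ -n "${2:-}" ]; then
        echo "none"
    else
        echo "export TMPDIR=/tmp"
    fi
}

# Run every check against the live system and print the required exports.
check_openssl_certs() {
    dir="$(openssl_dir)"
    if [ -z "$dir" ]; then
        echo "openssl not found on PATH, or unexpected 'openssl version -d' output" >&2
        return 1
    fi
    echo "OPENSSLDIR: $dir"
    cert_env_for "$dir" || return 1
    tmpdir_env "${TMPDIR:-}" "${TMP:-}"
}

# Only run when invoked as "sh check-certs.sh --check", so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_openssl_certs
fi
```

Run it as `sh check-certs.sh --check` on the target host; each printed export line can be pasted into the service unit or shell profile that starts the Speech SDK application. A "none" result for the certificate check means the Ubuntu/Debian default layout is in place and nothing needs to be set.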
Certificate Revocation Checks
When connecting to the Speech Service, the Speech SDK verifies that the TLS certificate presented by the Speech Service has not been revoked. To conduct this check, the Speech SDK needs access to the CRL distribution points of the Certificate Authorities used by Azure. A list of possible CRL download locations can be found in this document. If a certificate has been revoked, or the CRL cannot be downloaded, the Speech SDK aborts the connection and raises the Canceled event.
If the network the Speech SDK runs in does not permit access to the CRL download locations, the CRL check can either be disabled or set not to fail when the CRL cannot be retrieved. This configuration is done through the configuration object used to create a Recognizer object. Both settings reduce the protection revocation checking provides against a compromised service certificate, so apply them only on networks where the CRL endpoints are genuinely unreachable, and prefer the continue-on-failure option, which still enforces revocation whenever the CRL can be fetched, over disabling the check entirely.
To continue with the connection when a CRL cannot be retrieved, set the property OPENSSL_CONTINUE_ON_CRL_DOWNLOAD_FAILURE to "true":
[config setPropertyTo:@"true" byName:@"OPENSSL_CONTINUE_ON_CRL_DOWNLOAD_FAILURE"];
When set to "true", an attempt is still made to retrieve the CRL. If the retrieval succeeds, the certificate is checked for revocation; if the retrieval fails, the connection is allowed to continue.
To completely disable certificate revocation checks, set the property OPENSSL_DISABLE_CRL_CHECK to "true". With this setting no CRL is fetched at all, so a revoked service certificate is accepted:
[config setPropertyTo:@"true" byName:@"OPENSSL_DISABLE_CRL_CHECK"];
It is also worth noting that some Linux distributions do not define a TMP or TMPDIR environment variable. Without one, the Speech SDK downloads the Certificate Revocation List (CRL) on every connection instead of caching it to disk for reuse until it expires. To improve initial connection performance, create an environment variable named TMPDIR and set it to the path of a temporary directory that is writable by the account running the application.