
Consistent SSL/TLS options across conf files

ast_tls_read_conf() is a new api call for handling SSL/TLS options across all conf files.  Before this change, SSL/TLS options were not consistent.  http.conf and manager.conf required the 'ssl' prefix while sip.conf used options with the 'tls' prefix.  While the options had different names in different conf files, they all did the exact same thing.  Now, instead of mixing 'ssl' or 'tls' prefixes to do the same thing depending on what conf file you're in, all SSL/TLS options use the 'tls' prefix.  For example, 'sslenable' in http.conf and manager.conf is now 'tlsenable', which matches what already existed in sip.conf.  Since this has the potential to break backwards compatibility, previous options containing the 'ssl' prefix still work, but they are no longer documented in the sample.conf files.  The change is noted in the CHANGES file though.

Review: http://reviewboard.digium.com/r/237/



git-svn-id: http://svn.digium.com/svn/asterisk/trunk@191028 f38db490-d61c-443f-a65b-d21fe96a405b
dvossel 2009-04-29 14:39:48 +00:00
parent 0ad875b34e
commit cfa021cb17
8 changed files with 89 additions and 96 deletions


@ -107,6 +107,12 @@ Asterisk Manager Interface
* sslprivatekey option added to manager.conf and http.conf. Adds the ability
to specify a separate .pem file to hold a private key. By default sslcert
is used to hold both the public and private key.
* Options in manager.conf and http.conf with the 'ssl' prefix have been replaced
for options containing the 'tls' prefix. For example, 'sslenable' is now
'tlsenable'. This has been done in effort to keep ssl and tls options consistent
across all .conf files. All affected sample.conf files have been modified to
reflect this change. Previous options such as 'sslenable' still work,
but options with the 'tls' prefix are preferred.
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 1.6.1 to Asterisk 1.6.2 -------------
------------------------------------------------------------------------------


@ -23943,13 +23943,18 @@ static int reload_config(enum channelreloadreason reason)
if (!ast_jb_read_conf(&global_jbconf, v->name, v->value))
continue;
/* handle tls conf */
if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
continue;
}
if (!strcasecmp(v->name, "context")) {
ast_copy_string(sip_cfg.default_context, v->value, sizeof(sip_cfg.default_context));
} else if (!strcasecmp(v->name, "subscribecontext")) {
ast_copy_string(sip_cfg.default_subscribecontext, v->value, sizeof(sip_cfg.default_subscribecontext));
} else if (!strcasecmp(v->name, "callcounter")) {
} else if (!strcasecmp(v->name, "callcounter")) {
global_callcounter = ast_true(v->value) ? 1 : 0;
} else if (!strcasecmp(v->name, "allowguest")) {
} else if (!strcasecmp(v->name, "allowguest")) {
sip_cfg.allowguest = ast_true(v->value) ? 1 : 0;
} else if (!strcasecmp(v->name, "realm")) {
ast_copy_string(sip_cfg.realm, v->value, sizeof(sip_cfg.realm));
@ -23967,7 +23972,7 @@ static int reload_config(enum channelreloadreason reason)
} else if (!strcasecmp(v->name, "allowtransfer")) {
sip_cfg.allowtransfer = ast_true(v->value) ? TRANSFER_OPENFORALL : TRANSFER_CLOSED;
} else if (!strcasecmp(v->name, "rtcachefriends")) {
ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);
ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);
} else if (!strcasecmp(v->name, "rtsavesysname")) {
sip_cfg.rtsave_sysname = ast_true(v->value);
} else if (!strcasecmp(v->name, "rtupdate")) {
@ -23990,7 +23995,7 @@ static int reload_config(enum channelreloadreason reason)
while ((trans = strsep(&val, ","))) {
trans = ast_skip_blanks(trans);
if (!strncasecmp(trans, "udp", 3))
if (!strncasecmp(trans, "udp", 3))
default_transports |= SIP_TRANSPORT_UDP;
else if (!strncasecmp(trans, "tcp", 3))
default_transports |= SIP_TRANSPORT_TCP;
@ -24011,31 +24016,6 @@ static int reload_config(enum channelreloadreason reason)
ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
sip_tcp_desc.local_address.sin_family = family;
ast_debug(2, "Setting TCP socket address to %s\n", v->value);
} else if (!strcasecmp(v->name, "tlsenable")) {
default_tls_cfg.enabled = ast_true(v->value) ? TRUE : FALSE;
sip_tls_desc.local_address.sin_family = AF_INET;
} else if (!strcasecmp(v->name, "tlscertfile")) {
ast_free(default_tls_cfg.certfile);
default_tls_cfg.certfile = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "tlsprivatekey")) {
ast_free(default_tls_cfg.pvtfile);
default_tls_cfg.pvtfile = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "tlscipher")) {
ast_free(default_tls_cfg.cipher);
default_tls_cfg.cipher = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "tlscafile")) {
ast_free(default_tls_cfg.cafile);
default_tls_cfg.cafile = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "tlscapath")) {
ast_free(default_tls_cfg.capath);
default_tls_cfg.capath = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "tlsverifyclient")) {
ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_VERIFY_CLIENT);
} else if (!strcasecmp(v->name, "tlsdontverifyserver")) {
ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_DONT_VERIFY_SERVER);
} else if (!strcasecmp(v->name, "tlsbindaddr")) {
if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.local_address))
ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
} else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) {
global_dynamic_exclude_static = ast_true(v->value);
} else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
@ -24052,7 +24032,7 @@ static int reload_config(enum channelreloadreason reason)
i = 0;
ast_set2_flag(&global_flags[1], i || ast_true(v->value), SIP_PAGE2_RTAUTOCLEAR);
} else if (!strcasecmp(v->name, "usereqphone")) {
ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);
ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);
} else if (!strcasecmp(v->name, "relaxdtmf")) {
global_relaxdtmf = ast_true(v->value);
} else if (!strcasecmp(v->name, "vmexten")) {


@ -46,17 +46,16 @@ bindaddr=127.0.0.1
;redirect = / /static/config/cfgbasic.html
;
; HTTPS support. In addition to enabled=yes, you need to
; explicitly enable ssl, define the port to use,
; explicitly enable tls, define the port to use,
; and have a certificate somewhere.
; sslenable=yes ; enable ssl - default no.
; sslbindport=4433 ; port to use - default is 8089
; sslbindaddr=0.0.0.0 ; address to bind to - default is bindaddr.
;tlsenable=yes ; enable tls - default no.
;tlsbindport=4433 ; port to use - default is 8089
;tlsbindaddr=0.0.0.0 ; address to bind to - default is bindaddr.
;
;
; sslcert=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
; sslprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
; If no path is given for sslcert or sslprivatekey, default is to look in current
; directory. If no sslprivatekey is given, default is to search sslcert for private key.
;tlscertfile=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
;tlsprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
;
; To produce a certificate you can e.g. use openssl. This places both the cert and
; private in same .pem file.


@ -39,15 +39,14 @@ bindaddr = 0.0.0.0
;
; openssl s_client -connect my_host:5039
;
; sslenable=no ; set to YES to enable it
; sslbindport=5039 ; the port to bind to
; sslbindaddr=0.0.0.0 ; address to bind to, default to bindaddr
; sslcert=/tmp/asterisk.pem ; path to the certificate.
; sslprivatekey=/tmp/private.pem ; path to the private key, if no private given,
; if no sslprivatekey is given, default is to search
; sslcert for private key.
; sslcipher=<cipher string> ; string specifying which SSL ciphers to use or not use
;tlsenable=no ; set to YES to enable it
;tlsbindport=5039 ; the port to bind to
;tlsbindaddr=0.0.0.0 ; address to bind to, default to bindaddr
;tlscertfile=/tmp/asterisk.pem ; path to the certificate.
;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
; if no tlsprivatekey is given, default is to search
; tlscertfile for private key.
;tlscipher=<cipher string> ; string specifying which SSL ciphers to use or not use
;
;allowmultiplelogin = yes ; IF set to no, rejects manager logins that are already in use.
; ; The default is yes.


@ -174,6 +174,11 @@ void ast_tcptls_server_start(struct ast_tcptls_session_args *desc);
void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc);
int ast_ssl_setup(struct ast_tls_config *cfg);
/*!
* \brief Used to parse conf files containing tls/ssl options.
*/
int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value);
HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, const void *buf, size_t count);
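Review bot: The new declaration of `ast_tls_read_conf()` documents only a one-line brief and leaves the return contract, which every caller relies on (`if (!ast_tls_read_conf(...)) continue;`), undocumented. The implementation returns 0 when `varname` was a recognized tls/ssl option and has been applied, and -1 when it was not, so the header should say so; it should also state that the function writes into both `tls_cfg` and `tls_desc->local_address` (family, address and port). I would extend the Doxygen block with `\param` entries for the four arguments, `\retval 0 option recognized and applied`, and `\retval -1 not a tls/ssl option; the caller must handle varname itself`, plus a sentence noting that the legacy `ssl*` spellings are accepted as aliases.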


@ -983,7 +983,6 @@ static int __ast_http_load(int reload)
struct hostent *hp;
struct ast_hostent ahp;
char newprefix[MAX_PREFIX] = "";
int have_sslbindaddr = 0;
struct http_uri_redirect *redirect;
struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@ -1024,32 +1023,18 @@ static int __ast_http_load(int reload)
if (cfg) {
v = ast_variable_browse(cfg, "general");
for (; v; v = v->next) {
/* handle tls conf */
if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
continue;
}
if (!strcasecmp(v->name, "enabled")) {
enabled = ast_true(v->value);
} else if (!strcasecmp(v->name, "sslenable")) {
http_tls_cfg.enabled = ast_true(v->value);
} else if (!strcasecmp(v->name, "sslbindport")) {
https_desc.local_address.sin_port = htons(atoi(v->value));
} else if (!strcasecmp(v->name, "sslcert")) {
ast_free(http_tls_cfg.certfile);
http_tls_cfg.certfile = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "sslprivatekey")) {
ast_free(http_tls_cfg.pvtfile);
http_tls_cfg.pvtfile = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "sslcipher")) {
ast_free(http_tls_cfg.cipher);
http_tls_cfg.cipher = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "enablestatic")) {
newenablestatic = ast_true(v->value);
} else if (!strcasecmp(v->name, "bindport")) {
http_desc.local_address.sin_port = htons(atoi(v->value));
} else if (!strcasecmp(v->name, "sslbindaddr")) {
if ((hp = ast_gethostbyname(v->value, &ahp))) {
memcpy(&https_desc.local_address.sin_addr, hp->h_addr, sizeof(https_desc.local_address.sin_addr));
have_sslbindaddr = 1;
} else {
ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
}
} else if (!strcasecmp(v->name, "bindaddr")) {
if ((hp = ast_gethostbyname(v->value, &ahp))) {
memcpy(&http_desc.local_address.sin_addr, hp->h_addr, sizeof(http_desc.local_address.sin_addr));
@ -1072,8 +1057,8 @@ static int __ast_http_load(int reload)
ast_config_destroy(cfg);
}
if (!have_sslbindaddr) {
/* if the https addres has not been set, default is the same as non secure http */
if (!https_desc.local_address.sin_addr.s_addr) {
https_desc.local_address.sin_addr = http_desc.local_address.sin_addr;
}
if (enabled) {
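Review bot: Replacing the `have_sslbindaddr` flag with `if (!https_desc.local_address.sin_addr.s_addr)` in the last hunk changes behaviour for an explicit `tlsbindaddr=0.0.0.0`: INADDR_ANY is all-zero bits, so an address the administrator set on purpose is indistinguishable from "unset" and is overwritten with `http_desc.local_address.sin_addr`. The sample http.conf changed in this same commit gives `tlsbindaddr=0.0.0.0` as its example, so the documented configuration would silently bind the TLS listener to `bindaddr` instead; the same pattern is introduced in manager.c for `amis_desc`. Since `ast_tls_read_conf()` does not report which option it consumed, the cheapest fix is to keep the `int have_sslbindaddr = 0;` declaration, set it in the loop just before the `ast_tls_read_conf()` call with `if (!strcasecmp(v->name, "tlsbindaddr") || !strcasecmp(v->name, "sslbindaddr")) have_sslbindaddr = 1;`, and restore the `if (!have_sslbindaddr)` guard around the fallback. The body of `__ast_http_load()` begins and ends outside these hunks.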


@ -4719,9 +4719,6 @@ static int __init_manager(int reload)
const char *val;
char *cat = NULL;
int newhttptimeout = 60;
int have_sslbindaddr = 0;
struct hostent *hp;
struct ast_hostent ahp;
struct ast_manager_user *user = NULL;
struct ast_variable *var;
struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@ -4804,27 +4801,12 @@ static int __init_manager(int reload)
for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
val = var->value;
if (!strcasecmp(var->name, "sslenable")) {
ami_tls_cfg.enabled = ast_true(val);
} else if (!strcasecmp(var->name, "sslbindport")) {
amis_desc.local_address.sin_port = htons(atoi(val));
} else if (!strcasecmp(var->name, "sslbindaddr")) {
if ((hp = ast_gethostbyname(val, &ahp))) {
memcpy(&amis_desc.local_address.sin_addr, hp->h_addr, sizeof(amis_desc.local_address.sin_addr));
have_sslbindaddr = 1;
} else {
ast_log(LOG_WARNING, "Invalid bind address '%s'\n", val);
}
} else if (!strcasecmp(var->name, "sslcert")) {
ast_free(ami_tls_cfg.certfile);
ami_tls_cfg.certfile = ast_strdup(val);
} else if (!strcasecmp(var->name, "sslprivatekey")) {
ast_free(ami_tls_cfg.pvtfile);
ami_tls_cfg.pvtfile = ast_strdup(val);
} else if (!strcasecmp(var->name, "sslcipher")) {
ast_free(ami_tls_cfg.cipher);
ami_tls_cfg.cipher = ast_strdup(val);
} else if (!strcasecmp(var->name, "enabled")) {
if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
continue;
}
if (!strcasecmp(var->name, "enabled")) {
manager_enabled = ast_true(val);
} else if (!strcasecmp(var->name, "block-sockets")) {
block_sockets = ast_true(val);
@ -4856,7 +4838,8 @@ static int __init_manager(int reload)
if (manager_enabled) {
ami_desc.local_address.sin_family = AF_INET;
}
if (!have_sslbindaddr) {
/* if the amis address has not been set, default is the same as non secure ami */
if (!amis_desc.local_address.sin_addr.s_addr) {
amis_desc.local_address.sin_addr = ami_desc.local_address.sin_addr;
}
if (ami_tls_cfg.enabled) {


@ -488,3 +488,39 @@ void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
desc->accept_fd = -1;
ast_debug(2, "Stopped server :: %s\n", desc->name);
}
int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
{
if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
tls_cfg->enabled = ast_true(value) ? 1 : 0;
tls_desc->local_address.sin_family = AF_INET;
} else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert")) {
ast_free(tls_cfg->certfile);
tls_cfg->certfile = ast_strdup(value);
} else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
ast_free(tls_cfg->pvtfile);
tls_cfg->pvtfile = ast_strdup(value);
} else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
ast_free(tls_cfg->cipher);
tls_cfg->cipher = ast_strdup(value);
} else if (!strcasecmp(varname, "tlscafile")) {
ast_free(tls_cfg->cafile);
tls_cfg->cafile = ast_strdup(value);
} else if (!strcasecmp(varname, "tlscapath")) {
ast_free(tls_cfg->capath);
tls_cfg->capath = ast_strdup(value);
} else if (!strcasecmp(varname, "tlsverifyclient")) {
ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
} else if (!strcasecmp(varname, "tlsdontverifyserver")) {
ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
} else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
if (ast_parse_arg(value, PARSE_INADDR, &tls_desc->local_address))
ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
} else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
tls_desc->local_address.sin_port = htons(atoi(value));
} else {
return -1;
}
return 0;
}
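Review bot: The `tlsbindport`/`sslbindport` branch converts the value with `atoi(value)`, so a typo, an empty value or an out-of-range number is accepted without any diagnostic and yields port 0 (or a truncated port), which the listener then silently binds or fails on later. Since the helper is now the single parser for every conf file, it should validate the port with `strtol` and reject anything outside 1..65535 with the same `LOG_WARNING` the bind-address branch already emits. Related, the `tlsbindaddr` warning at the `ast_parse_arg` failure dropped the `at line %d of %s` context that chan_sip.c used to print for the same error; the caller holds `v->lineno` and the config name, so either pass them in or log the option name and value in a way the caller can supplement, otherwise operators with several conf files get no pointer to the bad line. `ast_tls_read_conf()` is complete in the hunk, so the change below is self-contained.

```c
int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
{
	/* … unchanged: tlsenable, certfile, privatekey, cipher, cafile, capath, verify flags, bindaddr branches … */
	} else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
		char *end;
		long port = strtol(value, &end, 10);
		/* reject empty, trailing garbage and anything outside the TCP port range */
		if (end == value || *end || port < 1 || port > 65535) {
			ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
		} else {
			tls_desc->local_address.sin_port = htons((uint16_t) port);
		}
	/* … unchanged: else return -1; return 0 … */
```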