pjsip: Clarify certificate configuration for Websocket.

The Websocket transport uses the built-in HTTP server. As a result
the TLS configuration is done in http.conf and not in pjsip.conf.

This change adds a warning if these options are configured in pjsip.conf and
also clarifies this in the sample configuration file.

Change-Id: I187d994d328c3ed274b6754fd4c2a4955bdc6dd9
Joshua Colp
2018-07-02 20:44:53 -03:00
parent efe2ba43ca
commit de5144e751
3 changed files with 22 additions and 16 deletions


@@ -862,10 +862,13 @@
;==========================TRANSPORT SECTION OPTIONS========================= ;==========================TRANSPORT SECTION OPTIONS=========================
;[transport] ;[transport]
; SYNOPSIS: SIP Transport ; SYNOPSIS: SIP Transport
;
;async_operations=1 ; Number of simultaneous Asynchronous Operations ;async_operations=1 ; Number of simultaneous Asynchronous Operations
; (default: "1") ; (default: "1")
;bind= ; IP Address and optional port to bind to for this transport (default: ;bind= ; IP Address and optional port to bind to for this transport (default:
; "") ; "")
; Note that for the Websocket transport the TLS configuration is configured
; in http.conf and is applied for all HTTPS traffic.
;ca_list_file= ; File containing a list of certificates to read TLS ONLY ;ca_list_file= ; File containing a list of certificates to read TLS ONLY
; (default: "") ; (default: "")
;ca_list_path= ; Path to directory containing certificates to read TLS ONLY. ;ca_list_path= ; Path to directory containing certificates to read TLS ONLY.
@@ -883,6 +886,13 @@
; different, at least OpenSSL 1.0.2 is required. ; different, at least OpenSSL 1.0.2 is required.
; (default: "") ; (default: "")
;cipher= ; Preferred cryptography cipher names TLS ONLY (default: "") ;cipher= ; Preferred cryptography cipher names TLS ONLY (default: "")
;method= ; Method of SSL transport TLS ONLY (default: "")
;priv_key_file= ; Private key file TLS ONLY (default: "")
;verify_client= ; Require verification of client certificate TLS ONLY (default:
; "")
;verify_server= ; Require verification of server certificate TLS ONLY (default:
; "")
;require_client_cert= ; Require client certificate TLS ONLY (default: "")
;domain= ; Domain the transport comes from (default: "") ;domain= ; Domain the transport comes from (default: "")
;external_media_address= ; External IP address to use in RTP handling ;external_media_address= ; External IP address to use in RTP handling
; (default: "") ; (default: "")
@@ -890,17 +900,10 @@
; "") ; "")
;external_signaling_port=0 ; External port for SIP signalling (default: ;external_signaling_port=0 ; External port for SIP signalling (default:
; "0") ; "0")
;method= ; Method of SSL transport TLS ONLY (default: "")
;local_net= ; Network to consider local used for NAT purposes (default: "") ;local_net= ; Network to consider local used for NAT purposes (default: "")
;password= ; Password required for transport (default: "") ;password= ; Password required for transport (default: "")
;priv_key_file= ; Private key file TLS ONLY (default: "")
;protocol=udp ; Protocol to use for SIP traffic (default: "udp") ;protocol=udp ; Protocol to use for SIP traffic (default: "udp")
;require_client_cert= ; Require client certificate TLS ONLY (default: "")
;type= ; Must be of type transport (default: "") ;type= ; Must be of type transport (default: "")
;verify_client= ; Require verification of client certificate TLS ONLY (default:
; "")
;verify_server= ; Require verification of server certificate TLS ONLY (default:
; "")
;tos=0 ; Enable TOS for the signalling sent over this transport (default: "0") ;tos=0 ; Enable TOS for the signalling sent over this transport (default: "0")
;cos=0 ; Enable COS for the signalling sent over this transport (default: "0") ;cos=0 ; Enable COS for the signalling sent over this transport (default: "0")
;websocket_write_timeout=100 ; Default write timeout to set on websocket ;websocket_write_timeout=100 ; Default write timeout to set on websocket


@@ -1211,13 +1211,13 @@
<synopsis>IP Address and optional port to bind to for this transport</synopsis> <synopsis>IP Address and optional port to bind to for this transport</synopsis>
</configOption> </configOption>
<configOption name="ca_list_file"> <configOption name="ca_list_file">
<synopsis>File containing a list of certificates to read (TLS ONLY)</synopsis> <synopsis>File containing a list of certificates to read (TLS ONLY, not WSS)</synopsis>
</configOption> </configOption>
<configOption name="ca_list_path"> <configOption name="ca_list_path">
<synopsis>Path to directory containing a list of certificates to read (TLS ONLY)</synopsis> <synopsis>Path to directory containing a list of certificates to read (TLS ONLY, not WSS)</synopsis>
</configOption> </configOption>
<configOption name="cert_file"> <configOption name="cert_file">
<synopsis>Certificate file for endpoint (TLS ONLY)</synopsis> <synopsis>Certificate file for endpoint (TLS ONLY, not WSS)</synopsis>
<description><para> <description><para>
A path to a .crt or .pem file can be provided. However, only A path to a .crt or .pem file can be provided. However, only
the certificate is read from the file, not the private key. the certificate is read from the file, not the private key.
@@ -1226,7 +1226,7 @@
</para></description> </para></description>
</configOption> </configOption>
<configOption name="cipher"> <configOption name="cipher">
<synopsis>Preferred cryptography cipher names (TLS ONLY)</synopsis> <synopsis>Preferred cryptography cipher names (TLS ONLY, not WSS)</synopsis>
<description> <description>
<para>Comma separated list of cipher names or numeric equivalents. <para>Comma separated list of cipher names or numeric equivalents.
Numeric equivalents can be either decimal or hexadecimal (0xX). Numeric equivalents can be either decimal or hexadecimal (0xX).
@@ -1258,7 +1258,7 @@
<synopsis>External port for SIP signalling</synopsis> <synopsis>External port for SIP signalling</synopsis>
</configOption> </configOption>
<configOption name="method"> <configOption name="method">
<synopsis>Method of SSL transport (TLS ONLY)</synopsis> <synopsis>Method of SSL transport (TLS ONLY, not WSS)</synopsis>
<description> <description>
<enumlist> <enumlist>
<enum name="default"> <enum name="default">
@@ -1285,7 +1285,7 @@
<synopsis>Password required for transport</synopsis> <synopsis>Password required for transport</synopsis>
</configOption> </configOption>
<configOption name="priv_key_file"> <configOption name="priv_key_file">
<synopsis>Private key file (TLS ONLY)</synopsis> <synopsis>Private key file (TLS ONLY, not WSS)</synopsis>
</configOption> </configOption>
<configOption name="protocol" default="udp"> <configOption name="protocol" default="udp">
<synopsis>Protocol to use for SIP traffic</synopsis> <synopsis>Protocol to use for SIP traffic</synopsis>
@@ -1300,16 +1300,16 @@
</description> </description>
</configOption> </configOption>
<configOption name="require_client_cert" default="false"> <configOption name="require_client_cert" default="false">
<synopsis>Require client certificate (TLS ONLY)</synopsis> <synopsis>Require client certificate (TLS ONLY, not WSS)</synopsis>
</configOption> </configOption>
<configOption name="type"> <configOption name="type">
<synopsis>Must be of type 'transport'.</synopsis> <synopsis>Must be of type 'transport'.</synopsis>
</configOption> </configOption>
<configOption name="verify_client" default="false"> <configOption name="verify_client" default="false">
<synopsis>Require verification of client certificate (TLS ONLY)</synopsis> <synopsis>Require verification of client certificate (TLS ONLY, not WSS)</synopsis>
</configOption> </configOption>
<configOption name="verify_server" default="false"> <configOption name="verify_server" default="false">
<synopsis>Require verification of server certificate (TLS ONLY)</synopsis> <synopsis>Require verification of server certificate (TLS ONLY, not WSS)</synopsis>
</configOption> </configOption>
<configOption name="tos" default="false"> <configOption name="tos" default="false">
<synopsis>Enable TOS for the signalling sent over this transport</synopsis> <synopsis>Enable TOS for the signalling sent over this transport</synopsis>


@@ -651,6 +651,9 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
} else if ((transport->type == AST_TRANSPORT_WS) || (transport->type == AST_TRANSPORT_WSS)) { } else if ((transport->type == AST_TRANSPORT_WS) || (transport->type == AST_TRANSPORT_WSS)) {
if (transport->cos || transport->tos) { if (transport->cos || transport->tos) {
ast_log(LOG_WARNING, "TOS and COS values ignored for websocket transport\n"); ast_log(LOG_WARNING, "TOS and COS values ignored for websocket transport\n");
} else if (!ast_strlen_zero(transport->ca_list_file) || !ast_strlen_zero(transport->ca_list_path) ||
!ast_strlen_zero(transport->cert_file) || !ast_strlen_zero(transport->privkey_file)) {
ast_log(LOG_WARNING, "TLS certificate values ignored for websocket transport as they are configured in http.conf\n");
} }
res = PJ_SUCCESS; res = PJ_SUCCESS;
} }
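Review bot: The new certificate warning is chained as an `else if` behind the TOS/COS check, so a websocket transport that sets cos/tos together with cert_file or priv_key_file only logs the TOS/COS warning and the operator never learns that the certificate settings are silently ignored; make it an independent check by replacing the `} else if (!ast_strlen_zero(transport->ca_list_file) || ...` line with `}` followed by `if (!ast_strlen_zero(transport->ca_list_file) || ...`. The check also only covers ca_list_file, ca_list_path, cert_file and priv_key_file, while the documentation in this same commit marks cipher, method, verify_client, verify_server and require_client_cert as "not WSS" too, so those can still be set without any warning; extending the condition to them would keep the log message consistent with the docs. A misconfigured operator who expects the pjsip.conf certificate or verification settings to protect WSS is the case this warning exists for, so suppressing it in the cos/tos branch matters. transport_apply starts outside the hunk.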