From 28be3016a0dde1726d7e0bdfdf68cd79272cd964 Mon Sep 17 00:00:00 2001
From: Stefan Knoblich <stkn@freeswitch.org>
Date: Sat, 22 Dec 2007 23:50:15 +0000
Subject: [PATCH] Add "a tls-version" configuration option to select the
 protocol version of the SIP/TLS endpoint, possible values are "tlsv1" and
 "sslv23", with SSLv2/3 being the default because that is what phones seem to
 be using (e.g. spa962)

git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@6963 d0543943-73ff-0310-b7d9-9358b9ac24b2
---
 conf/sip_profiles/default.xml           | 2 ++
 src/mod/endpoints/mod_sofia/mod_sofia.h | 1 +
 src/mod/endpoints/mod_sofia/sofia.c     | 9 +++++++++
 3 files changed, 12 insertions(+)

diff --git a/conf/sip_profiles/default.xml b/conf/sip_profiles/default.xml
index 6d58257476..7507c6df69 100644
--- a/conf/sip_profiles/default.xml
+++ b/conf/sip_profiles/default.xml
@@ -53,6 +53,8 @@
     <param name="tls-sip-port" value="5061"/>
     <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
     <param name="tls-cert-dir" value="$${base_dir}/conf/ssl"/>
+    <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
+    <param name="tls-version" value="sslv23"/>
     
     <!--If you don't want to pass through timestampes from 1 RTP call to another (on a per call basis with rtp_rewrite_timestamps chanvar)-->
     <!--<param name="rtp-rewrite-timestamps" value="true"/>-->
diff --git a/src/mod/endpoints/mod_sofia/mod_sofia.h b/src/mod/endpoints/mod_sofia/mod_sofia.h
index 9f65d23c52..131193f8bf 100644
--- a/src/mod/endpoints/mod_sofia/mod_sofia.h
+++ b/src/mod/endpoints/mod_sofia/mod_sofia.h
@@ -243,6 +243,7 @@ struct sofia_profile {
 	sofia_dtmf_t dtmf_type;
 	int sip_port;
 	int tls_sip_port;
+	int tls_version;
 	char *codec_string;
 	int running;
 	int dtmf_duration;
diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c
index a4c4ab9f2b..dba4335442 100644
--- a/src/mod/endpoints/mod_sofia/sofia.c
+++ b/src/mod/endpoints/mod_sofia/sofia.c
@@ -390,6 +390,7 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 							NUTAG_URL(profile->bindurl),
 							TAG_IF(sofia_test_pflag(profile, PFLAG_TLS), NUTAG_SIPS_URL(profile->tls_bindurl)),
 							TAG_IF(sofia_test_pflag(profile, PFLAG_TLS), NUTAG_CERTIFICATE_DIR(profile->tls_cert_dir)),
+							TAG_IF(sofia_test_pflag(profile, PFLAG_TLS), TPTAG_TLS_VERSION(profile->tls_version)),
 							NTATAG_UDP_MTU(65536),
 							TAG_IF(tportlog, TPTAG_LOG(1)),
 							TAG_END());	/* Last tag should always finish the sequence */
@@ -857,6 +858,7 @@ switch_status_t config_sofia(int reload, char *profile_name)
 				switch_thread_rwlock_create(&profile->rwlock, profile->pool);
 				switch_mutex_init(&profile->flag_mutex, SWITCH_MUTEX_NESTED, profile->pool);
 				profile->dtmf_duration = 100;
+				profile->tls_version = 0;
 
 				for (param = switch_xml_child(settings, "param"); param; param = param->next) {
 					char *var = (char *) switch_xml_attr_soft(param, "name");
@@ -1056,6 +1058,13 @@ switch_status_t config_sofia(int reload, char *profile_name)
 						profile->tls_sip_port = atoi(val);
 					} else if (!strcasecmp(var, "tls-cert-dir")) {
 						profile->tls_cert_dir = switch_core_strdup(profile->pool, val);
+					} else if (!strcasecmp(var, "tls-version")) {
+
+						if (!strcasecmp(val, "tlsv1")) {
+							profile->tls_version = 1;
+						} else {
+							profile->tls_version = 0;
+						}
  					}
 				}