diff --git a/conf/vanilla/sip_profiles/external.xml b/conf/vanilla/sip_profiles/external.xml
index 5070c87913..6edc878c06 100644
--- a/conf/vanilla/sip_profiles/external.xml
+++ b/conf/vanilla/sip_profiles/external.xml
@@ -78,7 +78,7 @@
-
+
diff --git a/conf/vanilla/sip_profiles/internal.xml b/conf/vanilla/sip_profiles/internal.xml
index 7beecbfeab..3665b91df0 100644
--- a/conf/vanilla/sip_profiles/internal.xml
+++ b/conf/vanilla/sip_profiles/internal.xml
@@ -188,7 +188,7 @@
-
+
diff --git a/conf/vanilla/vars.xml b/conf/vanilla/vars.xml
index 2792a567ce..c3f235bfe3 100644
--- a/conf/vanilla/vars.xml
+++ b/conf/vanilla/vars.xml
@@ -257,12 +257,12 @@
-
+
-
+
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
index cd2ac9a9b6..60be814834 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
@@ -222,9 +222,13 @@ static int tport_tls_init_master(tport_primary_t *pri,
 ti.configured = path != tbf;
 ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
 ti.key = su_sprintf(autohome, "%s/%s", path, "agent.pem");
+ if (access(ti.key, R_OK) != 0) ti.key = NULL;
+ if (!ti.key) ti.key = su_sprintf(autohome, "%s/%s", path, "tls.pem");
 ti.passphrase = su_strdup(autohome, passphrase);
 ti.cert = ti.key;
 ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
+ if (access(ti.CAfile, R_OK) != 0) ti.CAfile = NULL;
+ if (!ti.CAfile) ti.CAfile = su_sprintf(autohome, "%s/%s", path, "tls.pem");
 ti.version = tls_version;
 ti.timeout = tls_timeout;
 ti.CApath = su_strdup(autohome, path);
diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c
index c543bb8314..24f91ad51c 100644
--- a/src/mod/endpoints/mod_sofia/sofia.c
+++ b/src/mod/endpoints/mod_sofia/sofia.c
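Review bot: The new `cafile.pem` fallback points `ti.CAfile` at `tls.pem`, the same file that carries the agent's private key and its own certificate, so when no CA file is installed the verification trust store presumably collapses to the agent's own (possibly auto-generated, self-signed) certificate and a key-bearing file is handed to the CA loader; that is a different trust policy from "no CA file" and it happens silently. Logging the substitution, or leaving `ti.CAfile` NULL and relying on `ti.CApath` (set a few lines below) when `cafile.pem` is absent, would keep the operator aware; at minimum a comment above the check such as `/* no cafile.pem: reuse the combined tls.pem, which then also becomes the trust anchor */` should state the intent. The `access(..., R_OK)` probe followed by a later open is also a check-then-use gap, and a failed open would have to be handled anyway, so testing the open result instead would be both simpler and race-free. `access()` needs `<unistd.h>`, which I cannot see from this hunk. tport_tls_init_master starts and ends outside the hunk.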
@@ -3643,6 +3643,7 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 profile->mflags = MFLAG_REFER | MFLAG_REGISTER;
 profile->server_rport_level = 1;
 profile->client_rport_level = 1;
+ profile->tls_cert_dir = SWITCH_GLOBAL_dirs.certs_dir;
 sofia_set_pflag(profile, PFLAG_DISABLE_100REL);
 profile->auto_restart = 1;
 sofia_set_media_flag(profile, SCMF_AUTOFIX_TIMING);
@@ -4503,13 +4504,13 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 } else {
 profile->tls_sip_port = (switch_port_t) atoi(val);
 }
- } else if (!strcasecmp(var, "tls-cert-dir")) {
+ } else if (!strcasecmp(var, "tls-cert-dir") && !zstr(val)) {
 profile->tls_cert_dir = switch_core_strdup(profile->pool, val);
- } else if (!strcasecmp(var, "tls-passphrase")) {
+ } else if (!strcasecmp(var, "tls-passphrase") && !zstr(val)) {
 profile->tls_passphrase = switch_core_strdup(profile->pool, val);
- } else if (!strcasecmp(var, "tls-verify-in-subjects")) {
+ } else if (!strcasecmp(var, "tls-verify-in-subjects") && !zstr(val)) {
 profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
- } else if (!strcasecmp(var, "tls-version")) {
+ } else if (!strcasecmp(var, "tls-version") && !zstr(val)) {
 if (!strcasecmp(val, "tlsv1")) {
 profile->tls_version = 1;
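Review bot: With the `&& !zstr(val)` guards in the second hunk, a blank `tls-cert-dir`, `tls-passphrase`, `tls-verify-in-subjects` or `tls-version` value no longer matches its branch and drops through the rest of the `else if` chain, which continues outside the hunk; if that tail reports unknown parameters the operator gets a misleading "unknown" warning for a parameter that is merely empty, and if it is silent the blank value vanishes without trace. Keeping the name match and testing the value inside the branch keeps the diagnostics honest, e.g. `} else if (!strcasecmp(var, "tls-cert-dir")) { if (!zstr(val)) profile->tls_cert_dir = switch_core_strdup(profile->pool, val); }`. For `tls-version` the guard is also what keeps `strcasecmp(val, "tlsv1")` from dereferencing a NULL value, so a check is required there regardless; a one-line comment should say so: `/* zstr(): a blank tls-version keeps the default and must never reach strcasecmp() */`. The hunk header announces 13 old lines but only 12 are visible, so its last context line appears to be lost in this rendering.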
@@ -4671,10 +4672,33 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 config_sofia_profile_urls(profile);
- if (!profile->tls_cert_dir) {
- profile->tls_cert_dir = switch_core_sprintf(profile->pool, "%s/ssl", SWITCH_GLOBAL_dirs.conf_dir);
+ if (profile->tls_cert_dir) {
+ if (profile->wss_ip) {
+ char *key, *cert;
+ key = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.key");
+ if (switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS) key = NULL;
+ cert = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.crt");
+ if (switch_file_exists(cert, profile->pool) != SWITCH_STATUS_SUCCESS) cert = NULL;
+ if ( !key || !cert) {
+ key = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.pem");
+ if ( switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS ) {
+ switch_core_gen_certs(key);
+ }
+ }
+ }
+ if (sofia_test_pflag(profile, PFLAG_TLS)) {
+ char *key = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "agent.pem");
+ char *ca = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "cafile.pem");;
+ if (switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS) key = NULL;
+ if (switch_file_exists(ca, profile->pool) != SWITCH_STATUS_SUCCESS) ca = NULL;
+ if ( !key || !ca ) {
+ key = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "tls.pem");
+ if ( switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS ) {
+ switch_core_gen_certs(key);
+ }
+ }
+ }
 }
- }
 if (profile) {
diff --git a/src/switch_core_cert.c b/src/switch_core_cert.c
index 4f52384e94..5a56746fa1 100644
--- a/src/switch_core_cert.c
+++ b/src/switch_core_cert.c
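Review bot: Both new `switch_core_gen_certs(key)` calls discard the return value, so when the certificate directory is not writable the profile carries on with `PFLAG_TLS` set and no usable `tls.pem`, and the failure only surfaces later in the transport layer with a less specific error; assuming a non-zero return signals failure, `if (switch_core_gen_certs(key) != 0) switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Cannot generate %s\n", key);` at each site (or clearing the TLS flag) makes the failure mode visible. The removed `"%s/ssl"` default under `conf_dir` is replaced by `SWITCH_GLOBAL_dirs.certs_dir` (first sofia.c hunk), so an installation that kept its real certificate in the old directory will, on upgrade, silently present a freshly generated self-signed `tls.pem` to peers instead, unless the two paths happen to coincide; a startup log line naming the directory and the file actually chosen would make that visible, and the comment `/* no agent.pem + cafile.pem pair: fall back to a combined tls.pem, generating a self-signed one if absent */` above the `PFLAG_TLS` branch would document the policy. There is also a stray `;;` on the `cafile.pem` line. config_sofia continues outside the hunk, and the blank context lines the header counts are not visible here.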
@@ -214,12 +214,31 @@ SWITCH_DECLARE(int) switch_core_gen_certs(const char *prefix)
 EVP_PKEY *pkey = NULL;
 char *rsa = NULL, *pvt = NULL;
 FILE *fp;
+ char *pem = NULL;
- pvt = switch_mprintf("%s%s%s.key", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
- rsa = switch_mprintf("%s%s%s.crt", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
+ if (switch_stristr(".pem", prefix)) {
- if (switch_file_exists(pvt, NULL) == SWITCH_STATUS_SUCCESS || switch_file_exists(rsa, NULL) == SWITCH_STATUS_SUCCESS) {
- goto end;
+ if (switch_is_file_path(prefix)) {
+ pem = strdup(prefix);
+ } else {
+ pem = switch_mprintf("%s%s%s", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
+ }
+
+ if (switch_file_exists(pem, NULL) == SWITCH_STATUS_SUCCESS) {
+ goto end;
+ }
+ } else {
+ if (switch_is_file_path(prefix)) {
+ pvt = switch_mprintf("%s.key", prefix);
+ rsa = switch_mprintf("%s.crt", prefix);
+ } else {
+ pvt = switch_mprintf("%s%s%s.key", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
+ rsa = switch_mprintf("%s%s%s.crt", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
+ }
+
+ if (switch_file_exists(pvt, NULL) == SWITCH_STATUS_SUCCESS || switch_file_exists(rsa, NULL) == SWITCH_STATUS_SUCCESS) {
+ goto end;
+ }
 }
 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
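Review bot: `switch_stristr(".pem", prefix)` is a case-insensitive substring search, so any prefix with `.pem` in a directory component or in the middle of the name (`/etc/foo.pem.d/agent`, `foo.pem.bak`) takes the single-file branch and the `.key`/`.crt` pair is never produced; the callers in sofia.c pass file names that end in `.pem`, and a suffix test expresses that: `size_t plen = strlen(prefix); if (plen > 4 && !strcasecmp(prefix + plen - 4, ".pem")) {`. `pem = strdup(prefix)` also mixes a libc allocation with the `switch_mprintf` allocations that `switch_safe_free` releases in the last hunk; it works where both map to the same heap, but `pem = switch_mprintf("%s", prefix);` keeps ownership uniform and survives a change of allocator. A NULL `prefix` is dereferenced on the first line of the new code; whether callers guarantee non-NULL cannot be told from here. switch_core_gen_certs begins and ends outside this hunk.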
@@ -231,18 +250,26 @@ SWITCH_DECLARE(int) switch_core_gen_certs(const char *prefix)
 //RSA_print_fp(stdout, pkey->pkey.rsa, 0);
 //X509_print_fp(stdout, x509);
+ if (pem) {
+ if ((fp = fopen(pem, "w"))) {
+ PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
+ PEM_write_X509(fp, x509);
+ fclose(fp);
+ }
- if ((fp = fopen(pvt, "w"))) {
- PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
- }
+ } else {
+ if ((fp = fopen(pvt, "w"))) {
+ PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
+ }
- fclose(fp);
+ fclose(fp);
- if ((fp = fopen(rsa, "w"))) {
- PEM_write_X509(fp, x509);
- }
+ if ((fp = fopen(rsa, "w"))) {
+ PEM_write_X509(fp, x509);
+ }
- fclose(fp);
+ fclose(fp);
+ }
 X509_free(x509);
 EVP_PKEY_free(pkey);
@@ -260,6 +287,7 @@ SWITCH_DECLARE(int) switch_core_gen_certs(const char *prefix)
 switch_safe_free(pvt);
 switch_safe_free(rsa);
+ switch_safe_free(pem);
 return(0);
 }
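Review bot: The private key is written through `fopen(pem, "w")` (and `fopen(pvt, "w")` in the `else` branch), which creates the file with the process umask, typically 0644, so a freshly generated key is readable by every local user; the `.key` path had the same issue before, but the combined `tls.pem` is now generated automatically at profile start (sofia.c), so the exposure becomes the out-of-the-box state. Creating the key-bearing files with mode 0600 closes that, and the re-added `else` branch should also move `fclose(fp)` inside the `if` as the new `pem` branch does, because it currently calls `fclose(NULL)` whenever the open fails. The `PEM_write_*` and `fclose` results are unchecked as well, so a short write leaves a truncated file that the existence check at the top of the function will treat as a valid certificate on the next run. The rewrite below uses `open`/`fdopen`, which need `<fcntl.h>`, `<sys/stat.h>` and `<unistd.h>`; non-POSIX builds would need the equivalent owner-only creation call.
```c
	if (pem) {
		/* owner-only: the file holds the private key, do not rely on the umask */
		int fd = open(pem, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
		if (fd >= 0 && (fp = fdopen(fd, "w"))) {
			PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
			PEM_write_X509(fp, x509);
			fclose(fp);
		} else if (fd >= 0) {
			close(fd);
		}
	} else {
		int fd = open(pvt, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
		if (fd >= 0 && (fp = fdopen(fd, "w"))) {
			PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
			fclose(fp);
		} else if (fd >= 0) {
			close(fd);
		}
		if ((fp = fopen(rsa, "w"))) {	/* certificate only: default mode is fine */
			PEM_write_X509(fp, x509);
			fclose(fp);
		}
	}
	/* … unchanged: X509_free / EVP_PKEY_free … */
```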