FS-3071 I've finally merged it all. It all looks good; it shouldn't affect anyone who didn't set those values.
This commit is contained in:
parent
947096c66d
commit
9574ba27f7
|
@ -77,17 +77,19 @@
|
|||
<param name="tls-sip-port" value="$${external_tls_port}"/>
|
||||
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
|
||||
<param name="tls-cert-dir" value="$${external_ssl_dir}"/>
|
||||
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
|
||||
<param name="tls-passphrase" value=""/>
|
||||
<!-- Don't verify the date on TLS certificates -->
|
||||
<param name="tls-no-verify-date" value="false"/>
|
||||
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
|
||||
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections -->
|
||||
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'in_subjects', 'out_subjects' and 'all_subjects' for subject validation. Multiple policies can be split with a '|' pipe -->
|
||||
<param name="tls-verify-policy" value="none"/>
|
||||
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
|
||||
<param name="tls-verify-depth" value="2"/>
|
||||
<!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
|
||||
<param name="tls-verify-in-subjects" value=""/>
|
||||
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
|
||||
<param name="tls-version" value="$${sip_tls_version}"/>
|
||||
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
|
||||
<param name="tls-passphrase" value=""/>
|
||||
|
||||
</settings>
|
||||
</profile>
|
||||
|
|
|
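Review bot: The rewritten tls-verify-policy comment names the subject tokens as 'in_subjects', 'out_subjects' and 'all_subjects', but the parser added in this same commit (sofia_glue_str2tls_verify_policy) only recognises 'subjects_in', 'subjects_out' and 'subjects_all', which is also the spelling the tls-verify-in-subjects comment two lines below uses. Because that parser drops unrecognised tokens without a message, an administrator who follows this comment ends up with no subject check and, if it was the only token, with the policy still at 'none'. Suggest replacing the comment with `<!-- set to 'in', 'out' or 'all' to verify incoming, outgoing or all connections; add 'subjects_in', 'subjects_out' or 'subjects_all' to also validate certificate subjects (see tls-verify-in-subjects). Multiple policies can be joined with a '|' pipe -->`. The same sentence should also say that unknown tokens are ignored, or the parser should be changed to reject them.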
@ -184,17 +184,19 @@
|
|||
<param name="tls-sip-port" value="$${internal_tls_port}"/>
|
||||
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
|
||||
<param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
|
||||
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
|
||||
<param name="tls-passphrase" value=""/>
|
||||
<!-- Don't verify the date on TLS certificates -->
|
||||
<param name="tls-no-verify-date" value="false"/>
|
||||
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
|
||||
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections -->
|
||||
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'in_subjects', 'out_subjects' and 'all_subjects' for subject validation. Multiple policies can be split with a '|' pipe -->
|
||||
<param name="tls-verify-policy" value="none"/>
|
||||
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
|
||||
<param name="tls-verify-depth" value="2"/>
|
||||
<!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
|
||||
<param name="tls-verify-in-subjects" value=""/>
|
||||
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
|
||||
<param name="tls-version" value="$${sip_tls_version}"/>
|
||||
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
|
||||
<param name="tls-passphrase" value=""/>
|
||||
|
||||
<!-- turn on auto-flush during bridge (skip timer sleep when the socket already has data)
|
||||
(reduces delay on latent connections default true, must be disabled explicitly)-->
|
||||
|
|
|
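Review bot: The tls-verify-policy comment in this profile lists 'in_subjects', 'out_subjects' and 'all_subjects', which are not the token spellings the new parser accepts ('subjects_in', 'subjects_out', 'subjects_all', as the tls-verify-in-subjects comment below already says); a value copied from this comment is silently ignored and leaves the policy weaker than intended. Suggest the same wording as in the external profile: `<!-- set to 'in', 'out' or 'all' to verify incoming, outgoing or all connections; add 'subjects_in', 'subjects_out' or 'subjects_all' to also validate certificate subjects (see tls-verify-in-subjects). Multiple policies can be joined with a '|' pipe -->`.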
@ -122,6 +122,7 @@ typedef struct private_object private_object_t;
|
|||
#include <sofia-sip/auth_module.h>
|
||||
#include <sofia-sip/su_md5.h>
|
||||
#include <sofia-sip/su_log.h>
|
||||
#include <sofia-sip/su_strlst.h>
|
||||
#include <sofia-sip/nea.h>
|
||||
#include <sofia-sip/msg_addr.h>
|
||||
#include <sofia-sip/tport_tag.h>
|
||||
|
@ -644,6 +645,8 @@ struct sofia_profile {
|
|||
enum tport_tls_verify_policy tls_verify_policy;
|
||||
int tls_verify_depth;
|
||||
char *tls_passphrase;
|
||||
char *tls_verify_in_subjects_str;
|
||||
su_strlst_t *tls_verify_in_subjects;
|
||||
};
|
||||
|
||||
struct private_object {
|
||||
|
|
|
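Review bot: The two new sofia_profile fields have no ownership note, and since the string and the list are allocated from different places that is worth recording next to them. From the rest of this commit, the string is strdup'd into profile->pool at config time and the list is built from it when the profile thread starts, so I would annotate them as `char *tls_verify_in_subjects_str; /* raw '|'-separated list from config, lives in profile->pool */` and `su_strlst_t *tls_verify_in_subjects; /* split from _str when the profile thread starts; NULL until then or if the policy has no subjects_in */`. The struct definition starts outside this hunk.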
@ -1857,6 +1857,11 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
|
|||
}
|
||||
}
|
||||
|
||||
/* We have to init the verify_subjects here as during config stage profile->home isn't setup, it should be freed when profile->home is freed */
|
||||
if ( (profile->tls_verify_policy & TPTLS_VERIFY_SUBJECTS_IN) && profile->tls_verify_in_subjects_str && ! profile->tls_verify_in_subjects) {
|
||||
profile->tls_verify_in_subjects = su_strlst_dup_split((su_home_t *)profile->nua, profile->tls_verify_in_subjects_str, "|");
|
||||
}
|
||||
|
||||
profile->nua = nua_create(profile->s_root, /* Event loop */
|
||||
sofia_event_callback, /* Callback for processing events */
|
||||
profile, /* Additional data to pass to callback */
|
||||
|
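Review bot: su_strlst_dup_split is given `(su_home_t *)profile->nua` as its home, but profile->nua is only assigned by the nua_create call on the next line, so on a fresh start the home is NULL (the list is then tied to nothing and never released; whether su_strlst_dup_split even tolerates a NULL home I cannot confirm from here) and on a profile restart it would be whatever the previous nua pointer was, which may already be destroyed. The comment above the block names profile->home as the intended owner, so `profile->tls_verify_in_subjects = su_strlst_dup_split(profile->home, profile->tls_verify_in_subjects_str, "|");` matches the stated lifetime, assuming profile->home is set up earlier in this thread function. Also note the `! profile->tls_verify_in_subjects` guard means a list built on a previous run is reused as-is; if the profile can be restarted, the pointer should be cleared when its home is freed. sofia_profile_thread_run starts and ends outside this hunk.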
@ -1878,6 +1883,8 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
|
|||
TPTAG_TLS_VERIFY_DEPTH(profile->tls_verify_depth)),
|
||||
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
|
||||
TPTAG_TLS_VERIFY_DATE(! profile->tls_no_verify_date)),
|
||||
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_verify_in_subjects,
|
||||
TPTAG_TLS_VERIFY_SUBJECTS(profile->tls_verify_in_subjects)),
|
||||
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
|
||||
TPTAG_TLS_VERSION(profile->tls_version)),
|
||||
TAG_IF(!strchr(profile->sipip, ':'),
|
||||
|
@ -3632,6 +3639,9 @@ switch_status_t config_sofia(int reload, char *profile_name)
|
|||
sofia_profile_start_failure(NULL, xprofilename);
|
||||
goto done;
|
||||
}
|
||||
profile->tls_verify_policy = TPTLS_VERIFY_NONE;
|
||||
/* lib default */
|
||||
profile->tls_verify_depth = 2;
|
||||
|
||||
|
||||
switch_mutex_init(&profile->gw_mutex, SWITCH_MUTEX_NESTED, pool);
|
||||
|
@ -4428,6 +4438,8 @@ switch_status_t config_sofia(int reload, char *profile_name)
|
|||
profile->tls_cert_dir = switch_core_strdup(profile->pool, val);
|
||||
} else if (!strcasecmp(var, "tls-passphrase")) {
|
||||
profile->tls_passphrase = switch_core_strdup(profile->pool, val);
|
||||
} else if (!strcasecmp(var, "tls-verify-in-subjects")) {
|
||||
profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
|
||||
} else if (!strcasecmp(var, "tls-version")) {
|
||||
|
||||
if (!strcasecmp(val, "tlsv1")) {
|
||||
|
|
|
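Review bot: tls-verify-in-subjects is stored unconditionally here, but elsewhere in this commit the list is only built when the parsed policy contains TPTLS_VERIFY_SUBJECTS_IN, so a subject list combined with a policy of 'in', 'all' or 'none' is silently inert and the operator gets no subject check they believe they configured. Since the two params can appear in any order, the right place for the check is after the param loop rather than in this branch: if `profile->tls_verify_in_subjects_str` is set and `!(profile->tls_verify_policy & TPTLS_VERIFY_SUBJECTS_IN)`, log a warning naming both settings. config_sofia continues outside this hunk, so I cannot see whether such a post-loop check already exists.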
@ -1143,21 +1143,34 @@ sofia_transport_t sofia_glue_str2transport(const char *str)
|
|||
}
|
||||
|
||||
enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char * str){
|
||||
if (!strcasecmp(str, "in")) {
|
||||
return TPTLS_VERIFY_IN;
|
||||
} else if (!strcasecmp(str, "out")) {
|
||||
return TPTLS_VERIFY_OUT;
|
||||
} else if (!strcasecmp(str, "all")) {
|
||||
return TPTLS_VERIFY_ALL;
|
||||
} else if (!strcasecmp(str, "subjects_in")) {
|
||||
return TPTLS_VERIFY_SUBJECTS_IN;
|
||||
} else if (!strcasecmp(str, "subjects_out")) {
|
||||
return TPTLS_VERIFY_SUBJECTS_OUT;
|
||||
} else if (!strcasecmp(str, "subjects_all")) {
|
||||
return TPTLS_VERIFY_SUBJECTS_ALL;
|
||||
}
|
||||
char *ptr_next;
|
||||
int len;
|
||||
enum tport_tls_verify_policy ret;
|
||||
char *ptr_cur = (char *) str;
|
||||
ret = TPTLS_VERIFY_NONE;
|
||||
|
||||
return TPTLS_VERIFY_NONE;
|
||||
while (ptr_cur) {
|
||||
if ((ptr_next = strchr(ptr_cur, '|'))) {
|
||||
len = ptr_next++ - ptr_cur;
|
||||
} else {
|
||||
len = strlen(ptr_cur);
|
||||
}
|
||||
if (!strncasecmp(ptr_cur, "in",len)) {
|
||||
ret |= TPTLS_VERIFY_IN;
|
||||
} else if (!strncasecmp(ptr_cur, "out",len)) {
|
||||
ret |= TPTLS_VERIFY_OUT;
|
||||
} else if (!strncasecmp(ptr_cur, "all",len)) {
|
||||
ret |= TPTLS_VERIFY_ALL;
|
||||
} else if (!strncasecmp(ptr_cur, "subjects_in",len)) {
|
||||
ret |= TPTLS_VERIFY_SUBJECTS_IN;
|
||||
} else if (!strncasecmp(ptr_cur, "subjects_out",len)) {
|
||||
ret |= TPTLS_VERIFY_SUBJECTS_OUT;
|
||||
} else if (!strncasecmp(ptr_cur, "subjects_all",len)) {
|
||||
ret |= TPTLS_VERIFY_SUBJECTS_ALL;
|
||||
}
|
||||
ptr_cur = ptr_next;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
char *sofia_glue_find_parameter_value(switch_core_session_t *session, const char *str, const char *param)
|
||||
|
|
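Review bot: The token matching in the new while loop calls strncasecmp with the token's own length, so a token that is merely a prefix of a keyword is accepted (`i` sets TPTLS_VERIFY_IN, `a` sets TPTLS_VERIFY_ALL, `s` sets TPTLS_VERIFY_SUBJECTS_IN) and an empty token from a doubled or trailing '|' compares zero bytes and also sets TPTLS_VERIFY_IN; conversely any misspelt token falls through the chain with no else branch, so a typo such as `subject_in` silently yields a weaker policy than configured, down to TPTLS_VERIFY_NONE when it was the only token. A policy parser should match whole tokens only and surface the unknown ones rather than dropping them; the loop is also clearer table-driven, and `len` should be a size_t rather than an int. I would rewrite the loop as below, with the module's usual warning log call in the unknown-token branch (not shown, since that helper is not visible in this hunk).
```c
static const struct {
	const char *name;
	enum tport_tls_verify_policy flag;
} tls_verify_policy_names[] = {
	{ "in", TPTLS_VERIFY_IN },
	{ "out", TPTLS_VERIFY_OUT },
	{ "all", TPTLS_VERIFY_ALL },
	{ "subjects_in", TPTLS_VERIFY_SUBJECTS_IN },
	{ "subjects_out", TPTLS_VERIFY_SUBJECTS_OUT },
	{ "subjects_all", TPTLS_VERIFY_SUBJECTS_ALL },
};

enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char *str)
{
	enum tport_tls_verify_policy ret = TPTLS_VERIFY_NONE;
	const char *tok = str;

	while (tok && *tok) {
		const char *sep = strchr(tok, '|');
		size_t len = sep ? (size_t)(sep - tok) : strlen(tok);
		size_t i;
		int known = 0;

		for (i = 0; i < sizeof tls_verify_policy_names / sizeof tls_verify_policy_names[0]; i++) {
			/* exact length plus case-insensitive compare: "i", "subj" or "" must not match */
			if (len == strlen(tls_verify_policy_names[i].name) &&
			    !strncasecmp(tok, tls_verify_policy_names[i].name, len)) {
				ret |= tls_verify_policy_names[i].flag;
				known = 1;
				break;
			}
		}
		if (!known && len) {
			/* unknown token: warn here so a typo does not silently weaken the policy */
		}
		tok = sep ? sep + 1 : NULL;
	}
	return ret;
}
```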