kenmirrors
/
freeswitch
mirror of https://github.com/signalwire/freeswitch.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

FS-3071 Added the tls extra options patch

This commit is contained in:
Marc Olivier Chouinard 2011-12-18 11:37:04 -05:00
parent 235ef72f1b
commit 947096c66d
6 changed files with 69 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
conf/sip_profiles/external.xml
View File

@ -69,12 +69,21 @@
<!-- TLS: disabled by default, set to "true" to enable --> <!-- TLS: disabled by default, set to "true" to enable -->
<param name="tls" value="$${external_ssl_enable}"/> <param name="tls" value="$${external_ssl_enable}"/>
<!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
<param name="tls-only" value="false"/>
<!-- additional bind parameters for TLS --> <!-- additional bind parameters for TLS -->
<param name="tls-bind-params" value="transport=tls"/> <param name="tls-bind-params" value="transport=tls"/>
<!-- Port to listen on for TLS requests. (5081 will be used if unspecified) --> <!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
<param name="tls-sip-port" value="$${external_tls_port}"/> <param name="tls-sip-port" value="$${external_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) --> <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
<param name="tls-cert-dir" value="$${external_ssl_dir}"/> <param name="tls-cert-dir" value="$${external_ssl_dir}"/>
<!-- Don't verify the date on TLS certificates -->
<param name="tls-no-verify-date" value="false"/>
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 --> <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/> <param name="tls-version" value="$${sip_tls_version}"/>
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files --> <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->

9
conf/sip_profiles/internal.xml
View File

@ -176,12 +176,21 @@
<!-- TLS: disabled by default, set to "true" to enable --> <!-- TLS: disabled by default, set to "true" to enable -->
<param name="tls" value="$${internal_ssl_enable}"/> <param name="tls" value="$${internal_ssl_enable}"/>
<!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
<param name="tls-only" value="false"/>
<!-- additional bind parameters for TLS --> <!-- additional bind parameters for TLS -->
<param name="tls-bind-params" value="transport=tls"/> <param name="tls-bind-params" value="transport=tls"/>
<!-- Port to listen on for TLS requests. (5061 will be used if unspecified) --> <!-- Port to listen on for TLS requests. (5061 will be used if unspecified) -->
<param name="tls-sip-port" value="$${internal_tls_port}"/> <param name="tls-sip-port" value="$${internal_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) --> <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
<param name="tls-cert-dir" value="$${internal_ssl_dir}"/> <param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
<!-- Don't verify the date on TLS certificates -->
<param name="tls-no-verify-date" value="false"/>
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 --> <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/> <param name="tls-version" value="$${sip_tls_version}"/>
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files --> <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->

14
src/mod/endpoints/mod_sofia/mod_sofia.c
View File

@ -2930,8 +2930,10 @@ static switch_status_t cmd_status(char **argv, int argc, switch_stream_handle_t
if (profile->extsipip) { if (profile->extsipip) {
stream->write_function(stream, "Ext-SIP-IP \t%s\n", profile->extsipip); stream->write_function(stream, "Ext-SIP-IP \t%s\n", profile->extsipip);
} }
stream->write_function(stream, "URL \t%s\n", switch_str_nil(profile->url)); if (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only) {
stream->write_function(stream, "BIND-URL \t%s\n", switch_str_nil(profile->bindurl)); stream->write_function(stream, "URL \t%s\n", switch_str_nil(profile->url));
stream->write_function(stream, "BIND-URL \t%s\n", switch_str_nil(profile->bindurl));
}
if (sofia_test_pflag(profile, PFLAG_TLS)) { if (sofia_test_pflag(profile, PFLAG_TLS)) {
stream->write_function(stream, "TLS-URL \t%s\n", switch_str_nil(profile->tls_url)); stream->write_function(stream, "TLS-URL \t%s\n", switch_str_nil(profile->tls_url));
stream->write_function(stream, "TLS-BIND-URL \t%s\n", switch_str_nil(profile->tls_bindurl)); stream->write_function(stream, "TLS-BIND-URL \t%s\n", switch_str_nil(profile->tls_bindurl));
@ -3056,8 +3058,10 @@ static switch_status_t cmd_status(char **argv, int argc, switch_stream_handle_t
ac++; ac++;
stream->write_function(stream, "%25s\t%s\t %40s\t%s\n", vvar, " alias", profile->name, "ALIASED"); stream->write_function(stream, "%25s\t%s\t %40s\t%s\n", vvar, " alias", profile->name, "ALIASED");
} else { } else {
stream->write_function(stream, "%25s\t%s\t %40s\t%s (%u)\n", profile->name, "profile", profile->url, if (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only) {
stream->write_function(stream, "%25s\t%s\t %40s\t%s (%u)\n", profile->name, "profile", profile->url,
sofia_test_pflag(profile, PFLAG_RUNNING) ? "RUNNING" : "DOWN", profile->inuse); sofia_test_pflag(profile, PFLAG_RUNNING) ? "RUNNING" : "DOWN", profile->inuse);
}
if (sofia_test_pflag(profile, PFLAG_TLS)) { if (sofia_test_pflag(profile, PFLAG_TLS)) {
stream->write_function(stream, "%25s\t%s\t %40s\t%s (%u) (TLS)\n", profile->name, "profile", profile->tls_url, stream->write_function(stream, "%25s\t%s\t %40s\t%s (%u) (TLS)\n", profile->name, "profile", profile->tls_url,
@ -3331,9 +3335,11 @@ static switch_status_t cmd_xml_status(char **argv, int argc, switch_stream_handl
stream->write_function(stream, "<alias>\n<name>%s</name>\n<type>%s</type>\n<data>%s</data>\n<state>%s</state>\n</alias>\n", vvar, "alias", stream->write_function(stream, "<alias>\n<name>%s</name>\n<type>%s</type>\n<data>%s</data>\n<state>%s</state>\n</alias>\n", vvar, "alias",
profile->name, "ALIASED"); profile->name, "ALIASED");
} else { } else {
stream->write_function(stream, "<profile>\n<name>%s</name>\n<type>%s</type>\n<data>%s</data>\n<state>%s (%u)</state>\n</profile>\n", if (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only){
stream->write_function(stream, "<profile>\n<name>%s</name>\n<type>%s</type>\n<data>%s</data>\n<state>%s (%u)</state>\n</profile>\n",
profile->name, "profile", profile->url, sofia_test_pflag(profile, PFLAG_RUNNING) ? "RUNNING" : "DOWN", profile->name, "profile", profile->url, sofia_test_pflag(profile, PFLAG_RUNNING) ? "RUNNING" : "DOWN",
profile->inuse); profile->inuse);
}
if (sofia_test_pflag(profile, PFLAG_TLS)) { if (sofia_test_pflag(profile, PFLAG_TLS)) {
stream->write_function(stream, stream->write_function(stream,

5
src/mod/endpoints/mod_sofia/mod_sofia.h
View File

@ -639,6 +639,10 @@ struct sofia_profile {
switch_mutex_t *gw_mutex; switch_mutex_t *gw_mutex;
uint32_t queued_events; uint32_t queued_events;
uint32_t cseq_base; uint32_t cseq_base;
int tls_only;
int tls_no_verify_date;
enum tport_tls_verify_policy tls_verify_policy;
int tls_verify_depth;
char *tls_passphrase; char *tls_passphrase;
}; };
@ -1039,6 +1043,7 @@ void sofia_reg_release_gateway__(const char *file, const char *func, int line, s
sofia_transport_t sofia_glue_via2transport(const sip_via_t * via); sofia_transport_t sofia_glue_via2transport(const sip_via_t * via);
sofia_transport_t sofia_glue_url2transport(const url_t *url); sofia_transport_t sofia_glue_url2transport(const url_t *url);
sofia_transport_t sofia_glue_str2transport(const char *str); sofia_transport_t sofia_glue_str2transport(const char *str);
enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char * str);
const char *sofia_glue_transport2str(const sofia_transport_t tp); const char *sofia_glue_transport2str(const sofia_transport_t tp);
char *sofia_glue_find_parameter(const char *str, const char *param); char *sofia_glue_find_parameter(const char *str, const char *param);

21
src/mod/endpoints/mod_sofia/sofia.c
View File

@ -1845,7 +1845,7 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
supported = switch_core_sprintf(profile->pool, "%s%s%sprecondition, path, replaces", use_100rel ? "100rel, " : "", use_timer ? "timer, " : "", use_rfc_5626 ? "outbound, " : ""); supported = switch_core_sprintf(profile->pool, "%s%s%sprecondition, path, replaces", use_100rel ? "100rel, " : "", use_timer ? "timer, " : "", use_rfc_5626 ? "outbound, " : "");
if (sofia_test_pflag(profile, PFLAG_AUTO_NAT) && switch_nat_get_type()) { if (sofia_test_pflag(profile, PFLAG_AUTO_NAT) && switch_nat_get_type()) {
if (switch_nat_add_mapping(profile->sip_port, SWITCH_NAT_UDP, NULL, SWITCH_FALSE) == SWITCH_STATUS_SUCCESS) { if ( (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only) && switch_nat_add_mapping(profile->sip_port, SWITCH_NAT_UDP, NULL, SWITCH_FALSE) == SWITCH_STATUS_SUCCESS) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Created UDP nat mapping for %s port %d\n", profile->name, profile->sip_port); switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Created UDP nat mapping for %s port %d\n", profile->name, profile->sip_port);
} }
if (switch_nat_add_mapping(profile->sip_port, SWITCH_NAT_TCP, NULL, SWITCH_FALSE) == SWITCH_STATUS_SUCCESS) { if (switch_nat_add_mapping(profile->sip_port, SWITCH_NAT_TCP, NULL, SWITCH_FALSE) == SWITCH_STATUS_SUCCESS) {
@ -1860,7 +1860,7 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
profile->nua = nua_create(profile->s_root, /* Event loop */ profile->nua = nua_create(profile->s_root, /* Event loop */
sofia_event_callback, /* Callback for processing events */ sofia_event_callback, /* Callback for processing events */
profile, /* Additional data to pass to callback */ profile, /* Additional data to pass to callback */
NUTAG_URL(profile->bindurl), TAG_IF( ! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only, NUTAG_URL(profile->bindurl)),
NTATAG_USER_VIA(1), NTATAG_USER_VIA(1),
TAG_IF(!strchr(profile->sipip, ':'), TAG_IF(!strchr(profile->sipip, ':'),
SOATAG_AF(SOA_AF_IP4_ONLY)), SOATAG_AF(SOA_AF_IP4_ONLY)),
@ -1873,7 +1873,11 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_passphrase, TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_passphrase,
TPTAG_TLS_PASSPHRASE(profile->tls_passphrase)), TPTAG_TLS_PASSPHRASE(profile->tls_passphrase)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS), TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
TPTAG_TLS_VERIFY_POLICY(0)), TPTAG_TLS_VERIFY_POLICY(profile->tls_verify_policy)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
TPTAG_TLS_VERIFY_DEPTH(profile->tls_verify_depth)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
TPTAG_TLS_VERIFY_DATE(! profile->tls_no_verify_date)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS), TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
TPTAG_TLS_VERSION(profile->tls_version)), TPTAG_TLS_VERSION(profile->tls_version)),
TAG_IF(!strchr(profile->sipip, ':'), TAG_IF(!strchr(profile->sipip, ':'),
@ -3467,6 +3471,9 @@ switch_status_t reconfig_sofia(sofia_profile_t *profile)
} }
} }
} }
profile->tls_verify_policy = TPTLS_VERIFY_NONE;
/* lib default */
profile->tls_verify_depth = 2;
switch_event_destroy(&xml_params); switch_event_destroy(&xml_params);
} }
@ -4403,6 +4410,14 @@ switch_status_t config_sofia(int reload, char *profile_name)
} }
} else if (!strcasecmp(var, "tls-bind-params")) { } else if (!strcasecmp(var, "tls-bind-params")) {
profile->tls_bind_params = switch_core_strdup(profile->pool, val); profile->tls_bind_params = switch_core_strdup(profile->pool, val);
} else if (!strcasecmp(var, "tls-only")) {
profile->tls_only = switch_true(val);
} else if (!strcasecmp(var, "tls-no-verify-date")) {
profile->tls_no_verify_date = switch_true(val);
} else if (!strcasecmp(var, "tls-verify-depth")) {
profile->tls_verify_depth = atoi(val);
} else if (!strcasecmp(var, "tls-verify-policy")) {
profile->tls_verify_policy = sofia_glue_str2tls_verify_policy(val);
} else if (!strcasecmp(var, "tls-sip-port")) { } else if (!strcasecmp(var, "tls-sip-port")) {
if (!strcasecmp(val, "auto")) { if (!strcasecmp(val, "auto")) {
sofia_set_pflag(profile, PFLAG_AUTO_ASSIGN_TLS_PORT); sofia_set_pflag(profile, PFLAG_AUTO_ASSIGN_TLS_PORT);

18
src/mod/endpoints/mod_sofia/sofia_glue.c
View File

@ -1142,6 +1142,24 @@ sofia_transport_t sofia_glue_str2transport(const char *str)
return SOFIA_TRANSPORT_UNKNOWN; return SOFIA_TRANSPORT_UNKNOWN;
} }
enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char * str){
if (!strcasecmp(str, "in")) {
return TPTLS_VERIFY_IN;
} else if (!strcasecmp(str, "out")) {
return TPTLS_VERIFY_OUT;
} else if (!strcasecmp(str, "all")) {
return TPTLS_VERIFY_ALL;
} else if (!strcasecmp(str, "subjects_in")) {
return TPTLS_VERIFY_SUBJECTS_IN;
} else if (!strcasecmp(str, "subjects_out")) {
return TPTLS_VERIFY_SUBJECTS_OUT;
} else if (!strcasecmp(str, "subjects_all")) {
return TPTLS_VERIFY_SUBJECTS_ALL;
}
return TPTLS_VERIFY_NONE;
}
char *sofia_glue_find_parameter_value(switch_core_session_t *session, const char *str, const char *param) char *sofia_glue_find_parameter_value(switch_core_session_t *session, const char *str, const char *param)
{ {
const char *param_ptr; const char *param_ptr;