Let FS use shorter (at least 256 bits) ECC certificates.
This commit is contained in:
parent
6827c66373
commit
948e622f6f
@ -47,6 +47,7 @@
|
|||||||
#include <openssl/ssl.h>
|
#include <openssl/ssl.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#include <openssl/bio.h>
|
#include <openssl/bio.h>
|
||||||
|
#include <crypto/evp/evp.h>
|
||||||
|
|
||||||
SWITCH_DECLARE(int) switch_core_cert_extract_fingerprint(X509* x509, dtls_fingerprint_t *fp);
|
SWITCH_DECLARE(int) switch_core_cert_extract_fingerprint(X509* x509, dtls_fingerprint_t *fp);
|
||||||
|
|
||||||
|
@ -336,6 +336,7 @@ SWITCH_DECLARE(switch_bool_t) switch_core_check_dtls_pem(const char *file)
|
|||||||
FILE *fp = NULL;
|
FILE *fp = NULL;
|
||||||
EVP_PKEY *pkey = NULL;
|
EVP_PKEY *pkey = NULL;
|
||||||
int bits = 0;
|
int bits = 0;
|
||||||
|
int min_cert_size_bits = 0;
|
||||||
|
|
||||||
if (switch_is_file_path(file)) {
|
if (switch_is_file_path(file)) {
|
||||||
pem = strdup(file);
|
pem = strdup(file);
|
||||||
@ -364,10 +365,12 @@ SWITCH_DECLARE(switch_bool_t) switch_core_check_dtls_pem(const char *file)
|
|||||||
}
|
}
|
||||||
|
|
||||||
bits = EVP_PKEY_bits(pkey);
|
bits = EVP_PKEY_bits(pkey);
|
||||||
|
min_cert_size_bits = EVP_PKEY_EC == pkey->type ? 256 : 4096;
|
||||||
EVP_PKEY_free(pkey);
|
EVP_PKEY_free(pkey);
|
||||||
|
|
||||||
if (bits < 4096) {
|
if (bits < min_cert_size_bits) {
|
||||||
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "%s cryptographic length is too short (%d), it will be regenerated\n", pem, bits);
|
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "%s cryptographic length is too short (%d, < %d), it will be regenerated\n",
|
||||||
|
pem, bits, min_cert_size_bits);
|
||||||
goto rename_pem;
|
goto rename_pem;
|
||||||
}
|
}
|
||||||
|
|
||||||
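Review bot: `min_cert_size_bits = EVP_PKEY_EC == pkey->type ? 256 : 4096;` reaches into the `EVP_PKEY` struct directly, and the new `#include <crypto/evp/evp.h>` in the first hunk is an OpenSSL source-tree header rather than an installed `<openssl/...>` one, which looks like the reason that include was needed. The public accessor `EVP_PKEY_base_id(pkey)` (declared in `<openssl/evp.h>`, already reachable through the existing `<openssl/ssl.h>` include) yields the same NID and keeps compiling once `EVP_PKEY` becomes opaque, so the line can become `min_cert_size_bits = EVP_PKEY_base_id(pkey) == EVP_PKEY_EC ? 256 : 4096;` and the internal include can be dropped. The 256-bit floor for EC keys is sensible, but note that any non-EC key type is held to the 4096-bit figure chosen for RSA; if that is intended, a comment on the ternary would make it explicit, e.g. `/* EC: P-256 or larger is acceptable; every other key type is treated like RSA and must be >= 4096 bits */`. switch_core_check_dtls_pem begins before this hunk and continues past it, so the regeneration path reached via `goto rename_pem` is not visible here.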
|