Let FS use shorter (at least 256 bits) ECC certificates.

This commit is contained in:
Taras Tsiura 2021-09-08 16:17:50 +03:00 committed by Ryan Mitchell
parent 6827c66373
commit 948e622f6f
2 changed files with 6 additions and 2 deletions


@ -47,6 +47,7 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include <crypto/evp/evp.h>
SWITCH_DECLARE(int) switch_core_cert_extract_fingerprint(X509* x509, dtls_fingerprint_t *fp);
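Review bot: The added `#include <crypto/evp/evp.h>` is an OpenSSL source-tree internal header, not one of the installed `<openssl/...>` public headers, so this only compiles against a checked-out or vendored OpenSSL tree and binds the build to private struct layouts that OpenSSL does not keep stable between releases. The public `EVP_PKEY_base_id()` / `EVP_PKEY_id()` accessors already come from `<openssl/evp.h>` (reachable via the `<openssl/ssl.h>` include above), which is presumably what the internal header is being pulled in for; if so the private include can be dropped.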


@ -336,6 +336,7 @@ SWITCH_DECLARE(switch_bool_t) switch_core_check_dtls_pem(const char *file)
FILE *fp = NULL;
EVP_PKEY *pkey = NULL;
int bits = 0;
int min_cert_size_bits = 0;
if (switch_is_file_path(file)) {
pem = strdup(file);
@ -364,10 +365,12 @@ SWITCH_DECLARE(switch_bool_t) switch_core_check_dtls_pem(const char *file)
}
bits = EVP_PKEY_bits(pkey);
min_cert_size_bits = EVP_PKEY_EC == pkey->type ? 256 : 4096;
EVP_PKEY_free(pkey);
if (bits < 4096) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "%s cryptographic length is too short (%d), it will be regenerated\n", pem, bits);
if (bits < min_cert_size_bits) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "%s cryptographic length is too short (%d, < %d), it will be regenerated\n",
pem, bits, min_cert_size_bits);
goto rename_pem;
}
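Review bot: The new line `min_cert_size_bits = EVP_PKEY_EC == pkey->type ? 256 : 4096;` dereferences a field of EVP_PKEY, which OpenSSL made an opaque type in 1.1.0, and that is the only reason the commit needs the internal OpenSSL header; the layout behind `pkey->type` is not part of the public ABI and changes across releases. The public accessor has been available since OpenSSL 1.0.0 and returns the same NID, so the line should be `min_cert_size_bits = EVP_PKEY_base_id(pkey) == EVP_PKEY_EC ? 256 : 4096;`, which also keeps the `EVP_PKEY_free(pkey)` on the following line as the last use of the key. Note that the check remains a size floor only: `EVP_PKEY_bits()` reports the order size, so a 256-bit EC key on any curve passes, and I cannot tell from this hunk whether the regeneration path elsewhere expects a particular curve — worth a comment on the 256 constant stating that it is a bit-length floor, not a curve check. switch_core_check_dtls_pem begins before this hunk and its body (the rename_pem label) continues after it.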