Add mechanism to set OpenSSL session timeout

In a sofia profile, you can now set the parameter tls-timeout to a
positive integer value which represents the maximum time in seconds
that OpenSSL will keep a TLS session (and its ephemeral keys) alive.

This value is passed to OpenSSL's SSL_CTX_set_timeout(3).

OpenSSL's default value is 300 seconds, but the relevant standard
(RFC 2246) suggests that much longer session lifetimes are
acceptable (it recommends values less than 24 hours).

Longer values can be useful for extending battery life on mobile
devices.

Signed-off-by: Travis Cross <tc@traviscross.com>

libs/sofia-sip/.update

@@ -1 +1 @@
-Thu May  3 16:30:20 CDT 2012
+Sat Jun  9 03:24:47 UTC 2012

libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h

@@ -198,6 +198,12 @@ enum tport_tls_verify_policy {
   TPTLS_VERIFY_SUBJECTS_ALL = 0xF,
 };
 
+TPORT_DLL extern tag_typedef_t tptag_tls_timeout;
+#define TPTAG_TLS_TIMEOUT(x) tptag_tls_timeout, tag_uint_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_timeout_ref;
+#define TPTAG_TLS_TIMEOUT_REF(x) tptag_tls_timeout_ref, tag_uint_vr(&(x))
+
 TPORT_DLL extern tag_typedef_t tptag_tls_passphrase;
 #define TPTAG_TLS_PASSPHRASE(x)  tptag_tls_passphrase, tag_str_v(x)
 

libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c

@@ -280,6 +280,19 @@ tag_typedef_t tptag_compartment = PTRTAG_TYPEDEF(compartment);
  */
 tag_typedef_t tptag_tls_version = UINTTAG_TYPEDEF(tls_version);
 
+/**@def TPTAG_TLS_TIMEOUT(x)
+ *
+ * Sets the maximum TLS session lifetime in seconds.
+ *
+ * The default value is 300 seconds.
+ *
+ * Use with tport_tbind(), nua_create(), nta_agent_create(),
+ * nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
+ *
+ * @NEW_UNRELEASED.
+ */
+tag_typedef_t tptag_tls_timeout = UINTTAG_TYPEDEF(tls_timeout);
+
 /**@def TPTAG_TLS_VERIFY_PEER(x)
  * @par Depreciated:
  *    Alias for TPTAG_TLS_VERIFY_POLICY(TPTLS_VERIFY_IN|TPTLS_VERIFY_OUT)

libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c

@@ -311,6 +311,8 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
     return -1;
   }
 
+  SSL_CTX_set_timeout(tls->ctx, ti->timeout);
+
   /* Set callback if we have a passphrase */
   if (ti->passphrase != NULL) {
     SSL_CTX_set_default_passwd_cb(tls->ctx, passwd_cb);

libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h

@@ -65,6 +65,7 @@ typedef struct tls_issues_s {
                          */
   int   version;	/* For tls1, version is 1. When ssl3/ssl2 is
 			 * used, it is 0. */
+  unsigned timeout;	/* Maximum session lifetime in seconds */
 } tls_issues_t;
 
 typedef struct tport_tls_s {

libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c

@@ -181,6 +181,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   char *tbf = NULL;
   char const *path = NULL;
   unsigned tls_version = 1;
+  unsigned tls_timeout = 300;
   unsigned tls_verify = 0;
   char const *passphrase = NULL;
   unsigned tls_policy = TPTLS_VERIFY_NONE;
@@ -198,6 +199,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   tl_gets(tags,
 	  TPTAG_CERTIFICATE_REF(path),
 	  TPTAG_TLS_VERSION_REF(tls_version),
+	  TPTAG_TLS_TIMEOUT_REF(tls_timeout),
 	  TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
 	  TPTAG_TLS_PASSPHRASE_REF(passphrase),
 	  TPTAG_TLS_VERIFY_POLICY_REF(tls_policy),
@@ -224,6 +226,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
     ti.cert = ti.key;
     ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
     ti.version = tls_version;
+    ti.timeout = tls_timeout;
     ti.CApath = su_strdup(autohome, path);
 
     SU_DEBUG_9(("%s(%p): tls key = %s\n", __func__, (void *)pri, ti.key));

src/mod/endpoints/mod_sofia/conf/sofia.conf.xml

@@ -242,6 +242,8 @@
         <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not
              work with TLSv1 -->
         <param name="tls-version" value="$${sip_tls_version}"/>
+        <!-- TLS maximum session lifetime -->
+        <!-- <param name="tls-timeout" value="300"/> -->
 
         <!-- turn on auto-flush during bridge (skip timer sleep when the socket
              already has data) (reduces delay on latent connections default

src/mod/endpoints/mod_sofia/mod_sofia.h

@@ -596,6 +596,7 @@ struct sofia_profile {
 	switch_port_t sip_port;
 	switch_port_t tls_sip_port;
 	int tls_version;
+	unsigned int tls_timeout;
 	char *inbound_codec_string;
 	char *outbound_codec_string;
 	int running;

src/mod/endpoints/mod_sofia/sofia.c

@@ -2071,6 +2071,8 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 									  TPTAG_TLS_VERIFY_SUBJECTS(profile->tls_verify_in_subjects)),
 							  TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
 									 TPTAG_TLS_VERSION(profile->tls_version)),
+							  TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_timeout,
+									 TPTAG_TLS_TIMEOUT(profile->tls_timeout)),
 							  TAG_IF(!strchr(profile->sipip, ':'),
 									 NTATAG_UDP_MTU(65535)),
 							  TAG_IF(sofia_test_pflag(profile, PFLAG_DISABLE_SRV),
@@ -3934,6 +3936,7 @@ switch_status_t config_sofia(int reload, char *profile_name)
 				profile->sip_force_expires = 0;
 				profile->sip_expires_max_deviation = 0;
 				profile->tls_version = 0;
+				profile->tls_timeout = 300;
 				profile->mflags = MFLAG_REFER | MFLAG_REGISTER;
 				profile->server_rport_level = 1;
 				profile->client_rport_level = 1;
@@ -4754,6 +4757,9 @@ switch_status_t config_sofia(int reload, char *profile_name)
 						} else {
 							profile->tls_version = 0;
 						}
+					} else if (!strcasecmp(var, "tls-timeout")) {
+						int v = atoi(val);
+						profile->tls_timeout = v > 0 ? (unsigned int)v : 300;
 					} else if (!strcasecmp(var, "timer-T1")) {
 						int v = atoi(val);
 						if (v > 0) {