diff options
author | Richard Mudgett <rmudgett@digium.com> | 2014-02-04 18:16:09 +0000 |
---|---|---|
committer | Richard Mudgett <rmudgett@digium.com> | 2014-02-04 18:16:09 +0000 |
commit | 12668b6659279a9bead4a82f06a0f4a0785cc402 (patch) | |
tree | ba1277875fa7147594979dbaf8aff9d863b938f1 | |
parent | 9e7a10d894945ea60a444ae7781be69f9389e319 (diff) |
tcptls.c: Made TLS handle a certificate chain file.
Thanks to Guillaume Martres for doing the necessary research to validate
the change.
(closes issue ASTERISK-17727)
Reported by: LN
Patches:
use_certificate_chain.patch (license #5864) patch uploaded by st
documente_certificate_chain.patch (license #6576) patch uploaded by Guillaume Martres
........
Merged revisions 407272 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 407273 from http://svn.asterisk.org/svn/asterisk/branches/11
........
Merged revisions 407274 from http://svn.asterisk.org/svn/asterisk/branches/12
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@407275 65c4cc65-6c06-0410-ace0-fbb531ad65f3
-rw-r--r-- | configs/sip.conf.sample | 6 | ||||
-rw-r--r-- | main/tcptls.c | 2 |
2 files changed, 5 insertions, 3 deletions
diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample index 6c7bad92a..46af79043 100644 --- a/configs/sip.conf.sample +++ b/configs/sip.conf.sample @@ -539,8 +539,10 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls ; ;------------------------ TLS settings ------------------------------------------------------------ -;tlscertfile=</path/to/certificate.pem> ; Certificate file (*.pem format only) to use for TLS connections - ; default is to look for "asterisk.pem" in current directory +;tlscertfile=</path/to/certificate.pem> ; Certificate chain (*.pem format only) to use for TLS connections + ; The certificates must be sorted starting with the subject's certificate + ; and followed by intermediate CA certificates if applicable. + ; Default is to look for "asterisk.pem" in current directory ;tlsprivatekey=</path/to/private.pem> ; Private key file (*.pem format only) for TLS connections. ; If no tlsprivatekey is specified, tlscertfile is searched for diff --git a/main/tcptls.c b/main/tcptls.c index bfa355985..e07f1f1a0 100644 --- a/main/tcptls.c +++ b/main/tcptls.c @@ -393,7 +393,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) if (!ast_strlen_zero(cfg->certfile)) { char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile; - if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) { + if (SSL_CTX_use_certificate_chain_file(cfg->ssl_ctx, cfg->certfile) == 0) { if (!client) { /* Clients don't need a certificate, but if its setup we can use it */ ast_verb(0, "SSL error loading cert file. <%s>\n", cfg->certfile); |