diff options
author | Sean Bright <sean.bright@gmail.com> | 2017-09-29 14:50:17 +0000 |
---|---|---|
committer | Joshua Colp <jcolp@digium.com> | 2017-11-06 08:11:48 -0500 |
commit | 04d3785a798e984a5f5d43ec5f124a9b30a58b9e (patch) | |
tree | 06ac1ee5a7f04a5edf27e556e0825a31d9dd5c5f /channels | |
parent | be5b7b2076a577c2a994e752b152c5242fb29ce7 (diff) |
dtls: Add support for ephemeral DTLS certificates.
This mimics the behavior of Chrome and Firefox and creates an ephemeral
X.509 certificate for each DTLS session.
Currently, the only supported key type is ECDSA because of its faster
generation time, but other key types can be added in the future as
necessary.
ASTERISK-27395
Change-Id: I5122e5f4b83c6320cc17407a187fcf491daf30b4
Diffstat (limited to 'channels')
-rw-r--r-- | channels/chan_sip.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c index fd780b61f..bd68ec096 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -31946,6 +31946,14 @@ static struct sip_peer *build_peer(const char *name, struct ast_variable *v_head } } + /* Validate DTLS configuration */ + if (ast_rtp_dtls_cfg_validate(&peer->dtls_cfg)) { + sip_unref_peer(peer, "Removing peer due to bad DTLS configuration"); + return NULL; + } + + /* SRB */ + /* Apply the encryption tag length to the DTLS configuration, in case DTLS is in use */ peer->dtls_cfg.suite = (ast_test_flag(&peer->flags[2], SIP_PAGE3_SRTP_TAG_32) ? AST_AES_CM_128_HMAC_SHA1_32 : AST_AES_CM_128_HMAC_SHA1_80); @@ -33145,6 +33153,11 @@ static int reload_config(enum channelreloadreason reason) } } + /* Validate DTLS configuration */ + if (ast_rtp_dtls_cfg_validate(&default_dtls_cfg)) { + return -1; + } + /* Override global defaults if setting found in general section */ ast_copy_flags(&global_flags[0], &setflags[0], mask[0].flags); ast_copy_flags(&global_flags[1], &setflags[1], mask[1].flags); |