diff options
author | Sean Bright <sean.bright@gmail.com> | 2017-09-29 14:50:17 +0000 |
---|---|---|
committer | Joshua Colp <jcolp@digium.com> | 2017-11-06 08:11:48 -0500 |
commit | 04d3785a798e984a5f5d43ec5f124a9b30a58b9e (patch) | |
tree | 06ac1ee5a7f04a5edf27e556e0825a31d9dd5c5f /configs | |
parent | be5b7b2076a577c2a994e752b152c5242fb29ce7 (diff) |
dtls: Add support for ephemeral DTLS certificates.
This mimics the behavior of Chrome and Firefox and creates an ephemeral
X.509 certificate for each DTLS session.
Currently, the only supported key type is ECDSA because of its faster
generation time, but other key types can be added in the future as
necessary.
ASTERISK-27395
Change-Id: I5122e5f4b83c6320cc17407a187fcf491daf30b4
Diffstat (limited to 'configs')
-rw-r--r-- | configs/samples/pjsip.conf.sample | 10 | ||||
-rw-r--r-- | configs/samples/sip.conf.sample | 2 |
2 files changed, 8 insertions, 4 deletions
diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample index 800ff0f44..302899a17 100644 --- a/configs/samples/pjsip.conf.sample +++ b/configs/samples/pjsip.conf.sample @@ -746,10 +746,12 @@ ; "no") ;dtls_rekey=0 ; Interval at which to renegotiate the TLS session and rekey ; the SRTP session (default: "0") -;dtls_cert_file= ; Path to certificate file to present to peer (default: - ; "") -;dtls_private_key= ; Path to private key for certificate file (default: - ; "") +;dtls_auto_generate_cert= ; Enable ephemeral DTLS certificate generation (default: + ; "no") +;dtls_cert_file= ; Path to certificate file to present to peer (default: + ; "") +;dtls_private_key= ; Path to private key for certificate file (default: + ; "") ;dtls_cipher= ; Cipher to use for DTLS negotiation (default: "") ;dtls_ca_file= ; Path to certificate authority certificate (default: "") ;dtls_ca_path= ; Path to a directory containing certificate authority diff --git a/configs/samples/sip.conf.sample b/configs/samples/sip.conf.sample index 9b52ec06c..ace509759 100644 --- a/configs/samples/sip.conf.sample +++ b/configs/samples/sip.conf.sample @@ -1340,6 +1340,7 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls ; encryption ; description ; Used to provide a description of the peer in console output ; dtlsenable +; dtlsautogeneratecert ; dtlsverify ; dtlsrekey ; dtlscertfile @@ -1369,6 +1370,7 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls ; ; A value of 'certificate' will perform ONLY certficiate verification ; dtlsrekey = 60 ; Interval at which to renegotiate the TLS session and rekey the SRTP session ; ; If this is not set or the value provided is 0 rekeying will be disabled +; dtlsautogeneratecert = yes ; Enable ephemeral DTLS certificate generation. The default is 'no.' ; dtlscertfile = file ; Path to certificate file to present ; dtlsprivatekey = file ; Path to private key for certificate file ; dtlscipher = <SSL cipher string> ; Cipher to use for TLS negotiation |