tcptls: Prevent unsupported options from being set

AMI, HTTP, and chan_sip all support TLS in some way, but none of them
support all the options that Asterisk's TLS core is capable of
interpreting. This prevents consumers of the TLS/SSL layer from setting
TLS/SSL options that they do not support.

This also gets tlsverifyclient closer to a working state by requesting
the client certificate when tlsverifyclient is set. Currently, there is
no consumer of main/tcptls.c in Asterisk that supports this feature and
so it can not be properly tested.

Review: https://reviewboard.asterisk.org/r/2370/
Reported-by: John Bigelow
Patch-by: Kinsey Moore
(closes issue AST-1093)
........

Merged revisions 383165 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 383166 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@383167 65c4cc65-6c06-0410-ace0-fbb531ad65f3

1 files changed, 11 insertions, 2 deletions

diff --git a/main/http.c b/main/http.c
index fc2931290..73fb8bc92 100644
--- a/main/http.c
+++ b/main/http.c
@@ -1060,8 +1060,17 @@ static int __ast_http_load(int reload)
 		v = ast_variable_browse(cfg, "general");
 		for (; v; v = v->next) {
 
-			/* handle tls conf */
-			if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+			/* read tls config options while preventing unsupported options from being set */
+			if (strcasecmp(v->name, "tlscafile")
+				&& strcasecmp(v->name, "tlscapath")
+				&& strcasecmp(v->name, "tlscadir")
+				&& strcasecmp(v->name, "tlsverifyclient")
+				&& strcasecmp(v->name, "tlsdontverifyserver")
+				&& strcasecmp(v->name, "tlsclientmethod")
+				&& strcasecmp(v->name, "sslclientmethod")
+				&& strcasecmp(v->name, "tlscipher")
+				&& strcasecmp(v->name, "sslcipher")
+				&& !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
 				continue;
 			}