-rw-r--r-- | CHANGES | 6 | ||||
-rw-r--r-- | channels/chan_sip.c | 40 | ||||
-rw-r--r-- | configs/http.conf.sample | 19 | ||||
-rw-r--r-- | configs/manager.conf.sample | 17 | ||||
-rw-r--r-- | include/asterisk/tcptls.h | 5 | ||||
-rw-r--r-- | main/http.c | 31 | ||||
-rw-r--r-- | main/manager.c | 33 | ||||
-rw-r--r-- | main/tcptls.c | 36 |
8 files changed, 90 insertions, 97 deletions
@@ -107,6 +107,12 @@ Asterisk Manager Interface
 * sslprivatekey option added to manager.conf and http.conf. Adds the ability to specify a separate .pem file to hold a private key. By default sslcert is used to hold both the public and private key.
+ * Options in manager.conf and http.conf with the 'ssl' prefix have been replaced
+ for options containing the 'tls' prefix. For example, 'sslenable' is now
+ 'tlsenable'. This has been done in effort to keep ssl and tls options consistent
+ across all .conf files. All affected sample.conf files have been modified to
+ reflect this change. Previous options such as 'sslenable' still work,
+ but options with the 'tls' prefix are preferred.
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 1.6.1 to Asterisk 1.6.2 -------------
 ------------------------------------------------------------------------------
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index e904b27cb..d4aab4a8a 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -23943,13 +23943,18 @@ static int reload_config(enum channelreloadreason reason)
 if (!ast_jb_read_conf(&global_jbconf, v->name, v->value))
 continue;
+ /* handle tls conf */
+ if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
+ continue;
+ }
+
 if (!strcasecmp(v->name, "context")) {
 ast_copy_string(sip_cfg.default_context, v->value, sizeof(sip_cfg.default_context));
 } else if (!strcasecmp(v->name, "subscribecontext")) {
 ast_copy_string(sip_cfg.default_subscribecontext, v->value, sizeof(sip_cfg.default_subscribecontext));
- } else if (!strcasecmp(v->name, "callcounter")) {
+ } else if (!strcasecmp(v->name, "callcounter")) {
 global_callcounter = ast_true(v->value) ? 1 : 0;
- } else if (!strcasecmp(v->name, "allowguest")) {
+ } else if (!strcasecmp(v->name, "allowguest")) {
 sip_cfg.allowguest = ast_true(v->value) ? 1 : 0;
 } else if (!strcasecmp(v->name, "realm")) {
 ast_copy_string(sip_cfg.realm, v->value, sizeof(sip_cfg.realm));
@@ -23967,7 +23972,7 @@ static int reload_config(enum channelreloadreason reason)
 } else if (!strcasecmp(v->name, "allowtransfer")) {
 sip_cfg.allowtransfer = ast_true(v->value) ? TRANSFER_OPENFORALL : TRANSFER_CLOSED;
 } else if (!strcasecmp(v->name, "rtcachefriends")) {
- ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);
+ ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);
 } else if (!strcasecmp(v->name, "rtsavesysname")) {
 sip_cfg.rtsave_sysname = ast_true(v->value);
 } else if (!strcasecmp(v->name, "rtupdate")) {
@@ -23990,7 +23995,7 @@ static int reload_config(enum channelreloadreason reason)
 while ((trans = strsep(&val, ","))) {
 trans = ast_skip_blanks(trans);
- if (!strncasecmp(trans, "udp", 3))
+ if (!strncasecmp(trans, "udp", 3))
 default_transports |= SIP_TRANSPORT_UDP;
 else if (!strncasecmp(trans, "tcp", 3))
 default_transports |= SIP_TRANSPORT_TCP;
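Review bot: Calling `ast_tls_read_conf()` at the top of the [general] loop means sip.conf now silently accepts the `sslenable`, `sslcert`, `sslprivatekey`, `sslcipher`, `sslbindaddr` and `sslbindport` aliases and a new `tlsbindport` option that chan_sip never parsed before (see the main/tcptls.c hunk), while the CHANGES entry in this commit documents the aliases only for manager.conf and http.conf and sip.conf.sample is not in the diffstat. Either document the sip.conf side too, or make the ownership explicit at the call site, e.g. `/* every tls-/ssl-prefixed option is consumed by ast_tls_read_conf(); do not add tls branches to the chain below */`. reload_config() starts and ends outside these hunks.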
@@ -24011,31 +24016,6 @@ static int reload_config(enum channelreloadreason reason)
 ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
 sip_tcp_desc.local_address.sin_family = family;
 ast_debug(2, "Setting TCP socket address to %s\n", v->value);
- } else if (!strcasecmp(v->name, "tlsenable")) {
- default_tls_cfg.enabled = ast_true(v->value) ? TRUE : FALSE;
- sip_tls_desc.local_address.sin_family = AF_INET;
- } else if (!strcasecmp(v->name, "tlscertfile")) {
- ast_free(default_tls_cfg.certfile);
- default_tls_cfg.certfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "tlsprivatekey")) {
- ast_free(default_tls_cfg.pvtfile);
- default_tls_cfg.pvtfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "tlscipher")) {
- ast_free(default_tls_cfg.cipher);
- default_tls_cfg.cipher = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "tlscafile")) {
- ast_free(default_tls_cfg.cafile);
- default_tls_cfg.cafile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "tlscapath")) {
- ast_free(default_tls_cfg.capath);
- default_tls_cfg.capath = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "tlsverifyclient")) {
- ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_VERIFY_CLIENT);
- } else if (!strcasecmp(v->name, "tlsdontverifyserver")) {
- ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_DONT_VERIFY_SERVER);
- } else if (!strcasecmp(v->name, "tlsbindaddr")) {
- if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.local_address))
- ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
 } else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) {
 global_dynamic_exclude_static = ast_true(v->value);
 } else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
@@ -24052,7 +24032,7 @@ static int reload_config(enum channelreloadreason reason)
 i = 0;
 ast_set2_flag(&global_flags[1], i || ast_true(v->value), SIP_PAGE2_RTAUTOCLEAR);
 } else if (!strcasecmp(v->name, "usereqphone")) {
- ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);
+ ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);
 } else if (!strcasecmp(v->name, "relaxdtmf")) {
 global_relaxdtmf = ast_true(v->value);
 } else if (!strcasecmp(v->name, "vmexten")) {
diff --git a/configs/http.conf.sample b/configs/http.conf.sample
index 9d3769712..a47a2d653 100644
--- a/configs/http.conf.sample
+++ b/configs/http.conf.sample
@@ -46,17 +46,16 @@ bindaddr=127.0.0.1
 ;redirect = / /static/config/cfgbasic.html
 ;
 ; HTTPS support. In addition to enabled=yes, you need to
-; explicitly enable ssl, define the port to use,
+; explicitly enable tls, define the port to use,
 ; and have a certificate somewhere.
-; sslenable=yes ; enable ssl - default no.
-; sslbindport=4433 ; port to use - default is 8089
-; sslbindaddr=0.0.0.0 ; address to bind to - default is bindaddr.
-;
-;
-; sslcert=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
-; sslprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
-; If no path is given for sslcert or sslprivatekey, default is to look in current
-; directory. If no sslprivatekey is given, default is to search sslcert for private key.
+;tlsenable=yes ; enable tls - default no.
+;tlsbindport=4433 ; port to use - default is 8089
+;tlsbindaddr=0.0.0.0 ; address to bind to - default is bindaddr.
+;
+;tlscertfile=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
+;tlsprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
+; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
+; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
 ;
 ; To produce a certificate you can e.g. use openssl. This places both the cert and
 ; private in same .pem file.
diff --git a/configs/manager.conf.sample b/configs/manager.conf.sample
index 39585c1de..425ce4ca2 100644
--- a/configs/manager.conf.sample
+++ b/configs/manager.conf.sample
@@ -39,15 +39,14 @@ bindaddr = 0.0.0.0
 ;
 ; openssl s_client -connect my_host:5039
 ;
-; sslenable=no ; set to YES to enable it
-; sslbindport=5039 ; the port to bind to
-; sslbindaddr=0.0.0.0 ; address to bind to, default to bindaddr
-; sslcert=/tmp/asterisk.pem ; path to the certificate.
-; sslprivatekey=/tmp/private.pem ; path to the private key, if no private given,
- ; if no sslprivatekey is given, default is to search
- ; sslcert for private key.
-; sslcipher=<cipher string> ; string specifying which SSL ciphers to use or not use
-
+;tlsenable=no ; set to YES to enable it
+;tlsbindport=5039 ; the port to bind to
+;tlsbindaddr=0.0.0.0 ; address to bind to, default to bindaddr
+;tlscertfile=/tmp/asterisk.pem ; path to the certificate.
+;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
+ ; if no tlsprivatekey is given, default is to search
+ ; tlscertfile for private key.
+;tlscipher=<cipher string> ; string specifying which SSL ciphers to use or not use
 ;
 ;allowmultiplelogin = yes ; IF set to no, rejects manager logins that are already in use.
 ; ; The default is yes.
diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
index e811ab290..9496d9772 100644
--- a/include/asterisk/tcptls.h
+++ b/include/asterisk/tcptls.h
@@ -174,6 +174,11 @@ void ast_tcptls_server_start(struct ast_tcptls_session_args *desc);
 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc);
 int ast_ssl_setup(struct ast_tls_config *cfg);
+/*!
+ * \brief Used to parse conf files containing tls/ssl options.
+ */
+int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value);
+
 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, const void *buf, size_t count);
diff --git a/main/http.c b/main/http.c
index 595d6cbab..f99c03e91 100644
--- a/main/http.c
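Review bot: The new `ast_tls_read_conf()` declaration in include/asterisk/tcptls.h carries only a one-line brief, yet every caller in this commit branches on its return value (`if (!ast_tls_read_conf(...)) continue;`), so the contract belongs in the header. Based on the definition in the main/tcptls.c hunk, add `\param` lines for the four arguments, `\retval 0 varname was a tls- or ssl-prefixed option and has been applied to tls_cfg/tls_desc`, and `\retval -1 varname is not a TLS option and is left for the caller`. It is also worth stating that an invalid `tlsbindaddr` value is logged but still returns 0, so callers cannot detect it, and that `tlsenable` sets `tls_desc->local_address.sin_family` to AF_INET as a side effect.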
+++ b/main/http.c
@@ -983,7 +983,6 @@ static int __ast_http_load(int reload)
 struct hostent *hp;
 struct ast_hostent ahp;
 char newprefix[MAX_PREFIX] = "";
- int have_sslbindaddr = 0;
 struct http_uri_redirect *redirect;
 struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@@ -1024,32 +1023,18 @@ static int __ast_http_load(int reload)
 if (cfg) {
 v = ast_variable_browse(cfg, "general");
 for (; v; v = v->next) {
+
+ /* handle tls conf */
+ if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+ continue;
+ }
+
 if (!strcasecmp(v->name, "enabled")) {
 enabled = ast_true(v->value);
- } else if (!strcasecmp(v->name, "sslenable")) {
- http_tls_cfg.enabled = ast_true(v->value);
- } else if (!strcasecmp(v->name, "sslbindport")) {
- https_desc.local_address.sin_port = htons(atoi(v->value));
- } else if (!strcasecmp(v->name, "sslcert")) {
- ast_free(http_tls_cfg.certfile);
- http_tls_cfg.certfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "sslprivatekey")) {
- ast_free(http_tls_cfg.pvtfile);
- http_tls_cfg.pvtfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "sslcipher")) {
- ast_free(http_tls_cfg.cipher);
- http_tls_cfg.cipher = ast_strdup(v->value);
 } else if (!strcasecmp(v->name, "enablestatic")) {
 newenablestatic = ast_true(v->value);
 } else if (!strcasecmp(v->name, "bindport")) {
 http_desc.local_address.sin_port = htons(atoi(v->value));
- } else if (!strcasecmp(v->name, "sslbindaddr")) {
- if ((hp = ast_gethostbyname(v->value, &ahp))) {
- memcpy(&https_desc.local_address.sin_addr, hp->h_addr, sizeof(https_desc.local_address.sin_addr));
- have_sslbindaddr = 1;
- } else {
- ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
- }
 } else if (!strcasecmp(v->name, "bindaddr")) {
 if ((hp = ast_gethostbyname(v->value, &ahp))) {
 memcpy(&http_desc.local_address.sin_addr, hp->h_addr, sizeof(http_desc.local_address.sin_addr));
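Review bot: The removed `sslbindaddr` branch resolved the value with `ast_gethostbyname()` and warned with `"Invalid bind address '%s'"`, whereas the replacement path inside `ast_tls_read_conf()` uses `ast_parse_arg(value, PARSE_INADDR, ...)`; if PARSE_INADDR does not resolve host names the same way (I cannot confirm that from this diff), an existing http.conf naming a host in `sslbindaddr` silently stops listening where it used to. Please confirm, and also confirm whether PARSE_INADDR writes `sin_port` as part of the sockaddr, since a `tlsbindaddr` line placed after `tlsbindport` would then overwrite the port the helper just set. The same replacement happens for the `sslbindaddr` branch removed from main/manager.c in the @@ -4804 hunk. `__ast_http_load()` starts and ends outside this hunk.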
@@ -1072,8 +1057,8 @@ static int __ast_http_load(int reload)
 ast_config_destroy(cfg);
 }
-
- if (!have_sslbindaddr) {
+ /* if the https addres has not been set, default is the same as non secure http */
+ if (!https_desc.local_address.sin_addr.s_addr) {
 https_desc.local_address.sin_addr = http_desc.local_address.sin_addr;
 }
 if (enabled) {
diff --git a/main/manager.c b/main/manager.c
index a43f5518b..97d573c07 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -4719,9 +4719,6 @@ static int __init_manager(int reload)
 const char *val;
 char *cat = NULL;
 int newhttptimeout = 60;
- int have_sslbindaddr = 0;
- struct hostent *hp;
- struct ast_hostent ahp;
 struct ast_manager_user *user = NULL;
 struct ast_variable *var;
 struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
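Review bot: `if (!https_desc.local_address.sin_addr.s_addr)` treats an explicit `tlsbindaddr=0.0.0.0` — exactly the value the updated http.conf.sample suggests — as "not configured", so with `bindaddr=127.0.0.1` (the default shown in that sample's hunk header) the HTTPS listener would be moved to loopback instead of all interfaces; the removed `have_sslbindaddr` flag distinguished "unset" from "set to INADDR_ANY". Either keep an explicit configured flag (for example, compare the address against a sentinel saved before the [general] loop, or have the helper report that it parsed `tlsbindaddr`) or document that 0.0.0.0 cannot be chosen for the TLS listener. The same sentinel test is introduced in main/manager.c in the @@ -4856 hunk. The added comment also has a typo: `addres` should read `address`. `__ast_http_load()` continues outside this hunk.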
@@ -4804,27 +4801,12 @@ static int __init_manager(int reload)
 for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
 val = var->value;
- if (!strcasecmp(var->name, "sslenable")) {
- ami_tls_cfg.enabled = ast_true(val);
- } else if (!strcasecmp(var->name, "sslbindport")) {
- amis_desc.local_address.sin_port = htons(atoi(val));
- } else if (!strcasecmp(var->name, "sslbindaddr")) {
- if ((hp = ast_gethostbyname(val, &ahp))) {
- memcpy(&amis_desc.local_address.sin_addr, hp->h_addr, sizeof(amis_desc.local_address.sin_addr));
- have_sslbindaddr = 1;
- } else {
- ast_log(LOG_WARNING, "Invalid bind address '%s'\n", val);
- }
- } else if (!strcasecmp(var->name, "sslcert")) {
- ast_free(ami_tls_cfg.certfile);
- ami_tls_cfg.certfile = ast_strdup(val);
- } else if (!strcasecmp(var->name, "sslprivatekey")) {
- ast_free(ami_tls_cfg.pvtfile);
- ami_tls_cfg.pvtfile = ast_strdup(val);
- } else if (!strcasecmp(var->name, "sslcipher")) {
- ast_free(ami_tls_cfg.cipher);
- ami_tls_cfg.cipher = ast_strdup(val);
- } else if (!strcasecmp(var->name, "enabled")) {
+
+ if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
+ continue;
+ }
+
+ if (!strcasecmp(var->name, "enabled")) {
 manager_enabled = ast_true(val);
 } else if (!strcasecmp(var->name, "block-sockets")) {
 block_sockets = ast_true(val);
@@ -4856,7 +4838,8 @@ static int __init_manager(int reload)
 if (manager_enabled) {
 ami_desc.local_address.sin_family = AF_INET;
 }
- if (!have_sslbindaddr) {
+ /* if the amis address has not been set, default is the same as non secure ami */
+ if (!amis_desc.local_address.sin_addr.s_addr) {
 amis_desc.local_address.sin_addr = ami_desc.local_address.sin_addr;
 }
 if (ami_tls_cfg.enabled) {
diff --git a/main/tcptls.c b/main/tcptls.c
index 5837668de..4609438f5 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -488,3 +488,39 @@ void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
 desc->accept_fd = -1;
 ast_debug(2, "Stopped server :: %s\n", desc->name);
 }
+
+int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
+{
+ if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
+ tls_cfg->enabled = ast_true(value) ? 1 : 0;
+ tls_desc->local_address.sin_family = AF_INET;
+ } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert")) {
+ ast_free(tls_cfg->certfile);
+ tls_cfg->certfile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
+ ast_free(tls_cfg->pvtfile);
+ tls_cfg->pvtfile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
+ ast_free(tls_cfg->cipher);
+ tls_cfg->cipher = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscafile")) {
+ ast_free(tls_cfg->cafile);
+ tls_cfg->cafile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscapath")) {
+ ast_free(tls_cfg->capath);
+ tls_cfg->capath = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlsverifyclient")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
+ } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
+ } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
+ if (ast_parse_arg(value, PARSE_INADDR, &tls_desc->local_address))
+ ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
+ } else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
+ tls_desc->local_address.sin_port = htons(atoi(value));
+ } else {
+ return -1;
+ }
+
+ return 0;
+}
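Review bot: `tls_desc->local_address.sin_port = htons(atoi(value));` in the `tlsbindport`/`sslbindport` branch accepts any string: a non-numeric or out-of-range value becomes port 0, or is truncated by the int-to-16-bit conversion, with no warning, so a typo in the config silently changes which port the TLS listener uses. Parse with `strtol`, reject anything outside 1..65535 and log it the way the `tlsbindaddr` branch does; `<errno.h>` is required if tcptls.c does not already include it. Separately, the warning in the `tlsbindaddr` branch dropped the `at line %d of %s` context that the removed chan_sip.c branch (@@ -24011 hunk) printed, which makes the message harder to act on now that three .conf files share these option names — worth a `\note` in the header until the caller's file name can be passed through. The unbraced `if (ast_parse_arg(...)) ast_log(...)` also departs from the braced style used everywhere else in this function.
```c
	} else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
		char *end = NULL;
		long port;

		errno = 0;
		port = strtol(value, &end, 10);
		/* reject empty, trailing garbage, overflow and anything outside the TCP port range */
		if (end == value || *end != '\0' || errno == ERANGE || port < 1 || port > 65535) {
			ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
		} else {
			tls_desc->local_address.sin_port = htons((uint16_t) port);
		}
	} else {
		/* … unchanged: not a tls option, return -1 … */
```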