-rw-r--r--CHANGES6
-rw-r--r--channels/chan_sip.c40
-rw-r--r--configs/http.conf.sample19
-rw-r--r--configs/manager.conf.sample17
-rw-r--r--include/asterisk/tcptls.h5
-rw-r--r--main/http.c31
-rw-r--r--main/manager.c33
-rw-r--r--main/tcptls.c36
8 files changed, 90 insertions, 97 deletions
diff --git a/CHANGES b/CHANGES
index bb9239e8b..69debbd7c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -107,6 +107,12 @@ Asterisk Manager Interface
* sslprivatekey option added to manager.conf and http.conf. Adds the ability
to specify a separate .pem file to hold a private key. By default sslcert
is used to hold both the public and private key.
+ * Options in manager.conf and http.conf with the 'ssl' prefix have been replaced
+ for options containing the 'tls' prefix. For example, 'sslenable' is now
+ 'tlsenable'. This has been done in effort to keep ssl and tls options consistent
+ across all .conf files. All affected sample.conf files have been modified to
+ reflect this change. Previous options such as 'sslenable' still work,
+ but options with the 'tls' prefix are preferred.
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 1.6.1 to Asterisk 1.6.2 -------------
------------------------------------------------------------------------------
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index e904b27cb..d4aab4a8a 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -23943,13 +23943,18 @@ static int reload_config(enum channelreloadreason reason)
if (!ast_jb_read_conf(&global_jbconf, v->name, v->value))
continue;
+ /* handle tls conf */
+ if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
+ continue;
+ }
+
if (!strcasecmp(v->name, "context")) {
ast_copy_string(sip_cfg.default_context, v->value, sizeof(sip_cfg.default_context));
} else if (!strcasecmp(v->name, "subscribecontext")) {
ast_copy_string(sip_cfg.default_subscribecontext, v->value, sizeof(sip_cfg.default_subscribecontext));
- } else if (!strcasecmp(v->name, "callcounter")) {
+ } else if (!strcasecmp(v->name, "callcounter")) {
global_callcounter = ast_true(v->value) ? 1 : 0;
- } else if (!strcasecmp(v->name, "allowguest")) {
+ } else if (!strcasecmp(v->name, "allowguest")) {
sip_cfg.allowguest = ast_true(v->value) ? 1 : 0;
} else if (!strcasecmp(v->name, "realm")) {
ast_copy_string(sip_cfg.realm, v->value, sizeof(sip_cfg.realm));
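Review bot: Because ast_tls_read_conf returns 0 for every name it recognises, the new call at the top of the loop makes sip.conf accept `sslenable`, `sslcert`, `sslbindaddr` and the other ssl-prefixed aliases, plus `tlsbindport`, none of which the chan_sip block deleted later in this commit handled; the CHANGES entry in this commit documents the aliases only for manager.conf and http.conf. Unless `tlsbindport` is already handled elsewhere in reload_config (the function begins and continues outside this hunk), that is a new, undocumented sip.conf option. Either extend the CHANGES entry to sip.conf or say so at the call site, e.g. `/* handle tls conf: the shared parser also accepts the legacy ssl* spellings and tlsbindport */`.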
@@ -23967,7 +23972,7 @@ static int reload_config(enum channelreloadreason reason)
} else if (!strcasecmp(v->name, "allowtransfer")) {
sip_cfg.allowtransfer = ast_true(v->value) ? TRANSFER_OPENFORALL : TRANSFER_CLOSED;
} else if (!strcasecmp(v->name, "rtcachefriends")) {
- ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);
+ ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);
} else if (!strcasecmp(v->name, "rtsavesysname")) {
sip_cfg.rtsave_sysname = ast_true(v->value);
} else if (!strcasecmp(v->name, "rtupdate")) {
@@ -23990,7 +23995,7 @@ static int reload_config(enum channelreloadreason reason)
while ((trans = strsep(&val, ","))) {
trans = ast_skip_blanks(trans);
- if (!strncasecmp(trans, "udp", 3))
+ if (!strncasecmp(trans, "udp", 3))
default_transports |= SIP_TRANSPORT_UDP;
else if (!strncasecmp(trans, "tcp", 3))
default_transports |= SIP_TRANSPORT_TCP;
@@ -24011,31 +24016,6 @@ static int reload_config(enum channelreloadreason reason)
ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
sip_tcp_desc.local_address.sin_family = family;
ast_debug(2, "Setting TCP socket address to %s\n", v->value);
- } else if (!strcasecmp(v->name, "tlsenable")) {
- default_tls_cfg.enabled = ast_true(v->value) ? TRUE : FALSE;
- sip_tls_desc.local_address.sin_family = AF_INET;
- } else if (!strcasecmp(v->name, "tlscertfile")) {
- ast_free(default_tls_cfg.certfile);
- default_tls_cfg.certfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "tlsprivatekey")) {
- ast_free(default_tls_cfg.pvtfile);
- default_tls_cfg.pvtfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "tlscipher")) {
- ast_free(default_tls_cfg.cipher);
- default_tls_cfg.cipher = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "tlscafile")) {
- ast_free(default_tls_cfg.cafile);
- default_tls_cfg.cafile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "tlscapath")) {
- ast_free(default_tls_cfg.capath);
- default_tls_cfg.capath = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "tlsverifyclient")) {
- ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_VERIFY_CLIENT);
- } else if (!strcasecmp(v->name, "tlsdontverifyserver")) {
- ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_DONT_VERIFY_SERVER);
- } else if (!strcasecmp(v->name, "tlsbindaddr")) {
- if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.local_address))
- ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
} else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) {
global_dynamic_exclude_static = ast_true(v->value);
} else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
@@ -24052,7 +24032,7 @@ static int reload_config(enum channelreloadreason reason)
i = 0;
ast_set2_flag(&global_flags[1], i || ast_true(v->value), SIP_PAGE2_RTAUTOCLEAR);
} else if (!strcasecmp(v->name, "usereqphone")) {
- ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);
+ ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);
} else if (!strcasecmp(v->name, "relaxdtmf")) {
global_relaxdtmf = ast_true(v->value);
} else if (!strcasecmp(v->name, "vmexten")) {
diff --git a/configs/http.conf.sample b/configs/http.conf.sample
index 9d3769712..a47a2d653 100644
--- a/configs/http.conf.sample
+++ b/configs/http.conf.sample
@@ -46,17 +46,16 @@ bindaddr=127.0.0.1
;redirect = / /static/config/cfgbasic.html
;
; HTTPS support. In addition to enabled=yes, you need to
-; explicitly enable ssl, define the port to use,
+; explicitly enable tls, define the port to use,
; and have a certificate somewhere.
-; sslenable=yes ; enable ssl - default no.
-; sslbindport=4433 ; port to use - default is 8089
-; sslbindaddr=0.0.0.0 ; address to bind to - default is bindaddr.
-;
-;
-; sslcert=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
-; sslprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
-; If no path is given for sslcert or sslprivatekey, default is to look in current
-; directory. If no sslprivatekey is given, default is to search sslcert for private key.
+;tlsenable=yes ; enable tls - default no.
+;tlsbindport=4433 ; port to use - default is 8089
+;tlsbindaddr=0.0.0.0 ; address to bind to - default is bindaddr.
+;
+;tlscertfile=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
+;tlsprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
+; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
+; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
;
; To produce a certificate you can e.g. use openssl. This places both the cert and
; private in same .pem file.
diff --git a/configs/manager.conf.sample b/configs/manager.conf.sample
index 39585c1de..425ce4ca2 100644
--- a/configs/manager.conf.sample
+++ b/configs/manager.conf.sample
@@ -39,15 +39,14 @@ bindaddr = 0.0.0.0
;
; openssl s_client -connect my_host:5039
;
-; sslenable=no ; set to YES to enable it
-; sslbindport=5039 ; the port to bind to
-; sslbindaddr=0.0.0.0 ; address to bind to, default to bindaddr
-; sslcert=/tmp/asterisk.pem ; path to the certificate.
-; sslprivatekey=/tmp/private.pem ; path to the private key, if no private given,
- ; if no sslprivatekey is given, default is to search
- ; sslcert for private key.
-; sslcipher=<cipher string> ; string specifying which SSL ciphers to use or not use
-
+;tlsenable=no ; set to YES to enable it
+;tlsbindport=5039 ; the port to bind to
+;tlsbindaddr=0.0.0.0 ; address to bind to, default to bindaddr
+;tlscertfile=/tmp/asterisk.pem ; path to the certificate.
+;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
+ ; if no tlsprivatekey is given, default is to search
+ ; tlscertfile for private key.
+;tlscipher=<cipher string> ; string specifying which SSL ciphers to use or not use
;
;allowmultiplelogin = yes ; IF set to no, rejects manager logins that are already in use.
; ; The default is yes.
diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
index e811ab290..9496d9772 100644
--- a/include/asterisk/tcptls.h
+++ b/include/asterisk/tcptls.h
@@ -174,6 +174,11 @@ void ast_tcptls_server_start(struct ast_tcptls_session_args *desc);
void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc);
int ast_ssl_setup(struct ast_tls_config *cfg);
+/*!
+ * \brief Used to parse conf files containing tls/ssl options.
+ */
+int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value);
+
HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, const void *buf, size_t count);
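Review bot: The new declaration's comment says what the function is for but not its contract, which every caller in this commit depends on: the definition in main/tcptls.c returns 0 when varname was a tls/ssl option it consumed (callers `continue` on 0) and -1 when it was not, and on a match it frees and replaces the matching `tls_cfg` string member or writes into `tls_desc->local_address`. I would expand the \brief into \param lines for tls_cfg, tls_desc, varname and value, a `\retval 0` / `\retval -1` pair stating exactly that, and a sentence that the string members remain owned by `tls_cfg` and are freed on the next assignment, so a caller must not keep a bare pointer to `certfile` or `pvtfile` across a reload. It is also worth stating that both the `tls*` and the legacy `ssl*` spellings are accepted.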
diff --git a/main/http.c b/main/http.c
index 595d6cbab..f99c03e91 100644
--- a/main/http.c
+++ b/main/http.c
@@ -983,7 +983,6 @@ static int __ast_http_load(int reload)
struct hostent *hp;
struct ast_hostent ahp;
char newprefix[MAX_PREFIX] = "";
- int have_sslbindaddr = 0;
struct http_uri_redirect *redirect;
struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@@ -1024,32 +1023,18 @@ static int __ast_http_load(int reload)
if (cfg) {
v = ast_variable_browse(cfg, "general");
for (; v; v = v->next) {
+
+ /* handle tls conf */
+ if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+ continue;
+ }
+
if (!strcasecmp(v->name, "enabled")) {
enabled = ast_true(v->value);
- } else if (!strcasecmp(v->name, "sslenable")) {
- http_tls_cfg.enabled = ast_true(v->value);
- } else if (!strcasecmp(v->name, "sslbindport")) {
- https_desc.local_address.sin_port = htons(atoi(v->value));
- } else if (!strcasecmp(v->name, "sslcert")) {
- ast_free(http_tls_cfg.certfile);
- http_tls_cfg.certfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "sslprivatekey")) {
- ast_free(http_tls_cfg.pvtfile);
- http_tls_cfg.pvtfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "sslcipher")) {
- ast_free(http_tls_cfg.cipher);
- http_tls_cfg.cipher = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "enablestatic")) {
newenablestatic = ast_true(v->value);
} else if (!strcasecmp(v->name, "bindport")) {
http_desc.local_address.sin_port = htons(atoi(v->value));
- } else if (!strcasecmp(v->name, "sslbindaddr")) {
- if ((hp = ast_gethostbyname(v->value, &ahp))) {
- memcpy(&https_desc.local_address.sin_addr, hp->h_addr, sizeof(https_desc.local_address.sin_addr));
- have_sslbindaddr = 1;
- } else {
- ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
- }
} else if (!strcasecmp(v->name, "bindaddr")) {
if ((hp = ast_gethostbyname(v->value, &ahp))) {
memcpy(&http_desc.local_address.sin_addr, hp->h_addr, sizeof(http_desc.local_address.sin_addr));
@@ -1072,8 +1057,8 @@ static int __ast_http_load(int reload)
ast_config_destroy(cfg);
}
-
- if (!have_sslbindaddr) {
+ /* if the https addres has not been set, default is the same as non secure http */
+ if (!https_desc.local_address.sin_addr.s_addr) {
https_desc.local_address.sin_addr = http_desc.local_address.sin_addr;
}
if (enabled) {
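Review bot: Replacing the `have_sslbindaddr` flag with `!https_desc.local_address.sin_addr.s_addr` turns an explicit `tlsbindaddr=0.0.0.0` into "not set", because INADDR_ANY is the zero value, so https silently inherits the plain-http `bindaddr` (127.0.0.1 in the sample file) instead of listening where the administrator asked; the old flag honoured it. The same zero test is introduced in main/manager.c `__init_manager` in this commit. I would keep the `int have_sslbindaddr = 0;` declaration that the first hunk removes and set it in the loop when the helper consumed a bind-address name, as below; the comment's "addres" typo should be fixed at the same time. If `https_desc` is a static that is not reset on reload, the zero test will also keep a stale address from the previous configuration once the option is removed from the file — worth confirming.
```c
		for (; v; v = v->next) {
			/* handle tls conf; remember an explicit bind address so that
			 * 0.0.0.0 (INADDR_ANY) is not mistaken for "unset" below */
			if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
				if (!strcasecmp(v->name, "tlsbindaddr") || !strcasecmp(v->name, "sslbindaddr")) {
					have_sslbindaddr = 1;
				}
				continue;
			}
			/* … unchanged: enabled / enablestatic / bindport / bindaddr cases … */
	/* … unchanged: end of loop, ast_config_destroy … */
	/* if the https address has not been set, default is the same as non secure http */
	if (!have_sslbindaddr) {
		https_desc.local_address.sin_addr = http_desc.local_address.sin_addr;
	}
```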
diff --git a/main/manager.c b/main/manager.c
index a43f5518b..97d573c07 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -4719,9 +4719,6 @@ static int __init_manager(int reload)
const char *val;
char *cat = NULL;
int newhttptimeout = 60;
- int have_sslbindaddr = 0;
- struct hostent *hp;
- struct ast_hostent ahp;
struct ast_manager_user *user = NULL;
struct ast_variable *var;
struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@@ -4804,27 +4801,12 @@ static int __init_manager(int reload)
for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
val = var->value;
- if (!strcasecmp(var->name, "sslenable")) {
- ami_tls_cfg.enabled = ast_true(val);
- } else if (!strcasecmp(var->name, "sslbindport")) {
- amis_desc.local_address.sin_port = htons(atoi(val));
- } else if (!strcasecmp(var->name, "sslbindaddr")) {
- if ((hp = ast_gethostbyname(val, &ahp))) {
- memcpy(&amis_desc.local_address.sin_addr, hp->h_addr, sizeof(amis_desc.local_address.sin_addr));
- have_sslbindaddr = 1;
- } else {
- ast_log(LOG_WARNING, "Invalid bind address '%s'\n", val);
- }
- } else if (!strcasecmp(var->name, "sslcert")) {
- ast_free(ami_tls_cfg.certfile);
- ami_tls_cfg.certfile = ast_strdup(val);
- } else if (!strcasecmp(var->name, "sslprivatekey")) {
- ast_free(ami_tls_cfg.pvtfile);
- ami_tls_cfg.pvtfile = ast_strdup(val);
- } else if (!strcasecmp(var->name, "sslcipher")) {
- ast_free(ami_tls_cfg.cipher);
- ami_tls_cfg.cipher = ast_strdup(val);
- } else if (!strcasecmp(var->name, "enabled")) {
+
+ if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
+ continue;
+ }
+
+ if (!strcasecmp(var->name, "enabled")) {
manager_enabled = ast_true(val);
} else if (!strcasecmp(var->name, "block-sockets")) {
block_sockets = ast_true(val);
@@ -4856,7 +4838,8 @@ static int __init_manager(int reload)
if (manager_enabled) {
ami_desc.local_address.sin_family = AF_INET;
}
- if (!have_sslbindaddr) {
+ /* if the amis address has not been set, default is the same as non secure ami */
+ if (!amis_desc.local_address.sin_addr.s_addr) {
amis_desc.local_address.sin_addr = ami_desc.local_address.sin_addr;
}
if (ami_tls_cfg.enabled) {
diff --git a/main/tcptls.c b/main/tcptls.c
index 5837668de..4609438f5 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -488,3 +488,39 @@ void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
desc->accept_fd = -1;
ast_debug(2, "Stopped server :: %s\n", desc->name);
}
+
+int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
+{
+ if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
+ tls_cfg->enabled = ast_true(value) ? 1 : 0;
+ tls_desc->local_address.sin_family = AF_INET;
+ } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert")) {
+ ast_free(tls_cfg->certfile);
+ tls_cfg->certfile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
+ ast_free(tls_cfg->pvtfile);
+ tls_cfg->pvtfile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
+ ast_free(tls_cfg->cipher);
+ tls_cfg->cipher = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscafile")) {
+ ast_free(tls_cfg->cafile);
+ tls_cfg->cafile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscapath")) {
+ ast_free(tls_cfg->capath);
+ tls_cfg->capath = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlsverifyclient")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
+ } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
+ } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
+ if (ast_parse_arg(value, PARSE_INADDR, &tls_desc->local_address))
+ ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
+ } else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
+ tls_desc->local_address.sin_port = htons(atoi(value));
+ } else {
+ return -1;
+ }
+
+ return 0;
+}
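Review bot: The `tlsbindport`/`sslbindport` case converts the value with `atoi`, so a non-numeric value silently becomes port 0 (the kernel then picks an arbitrary port for the TLS listener) and a value above 65535 is silently truncated by `htons`, while the `tlsbindaddr` case directly above it does warn on bad input. I would parse with `strtol`, reject trailing garbage and anything outside 1–65535, and log the same warning, as below. The warning in the `tlsbindaddr` case also loses the `line %d of %s` detail that the chan_sip handler removed by this commit used to log; the helper cannot know the location since it receives only name and value, so either pass the line number and file name through or document that callers are expected to log the location themselves. Braces on the `if` in that case would match the rest of the function.
```c
	/* … unchanged: tlsenable … tlsbindaddr cases … */
	} else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
		/* reject non-numeric or out-of-range ports instead of silently binding port 0 */
		char *end;
		long port = strtol(value, &end, 10);
		if (end == value || *end != '\0' || port < 1 || port > 65535) {
			ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
		} else {
			tls_desc->local_address.sin_port = htons((unsigned short) port);
		}
	} else {
```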