From 04d3785a798e984a5f5d43ec5f124a9b30a58b9e Mon Sep 17 00:00:00 2001 From: Sean Bright Date: Fri, 29 Sep 2017 14:50:17 +0000 Subject: dtls: Add support for ephemeral DTLS certificates. This mimics the behavior of Chrome and Firefox and creates an ephemeral X.509 certificate for each DTLS session. Currently, the only supported key type is ECDSA because of its faster generation time, but other key types can be added in the future as necessary. ASTERISK-27395 Change-Id: I5122e5f4b83c6320cc17407a187fcf491daf30b4 --- channels/chan_sip.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'channels') diff --git a/channels/chan_sip.c b/channels/chan_sip.c index fd780b61f..bd68ec096 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -31946,6 +31946,14 @@ static struct sip_peer *build_peer(const char *name, struct ast_variable *v_head } } + /* Validate DTLS configuration */ + if (ast_rtp_dtls_cfg_validate(&peer->dtls_cfg)) { + sip_unref_peer(peer, "Removing peer due to bad DTLS configuration"); + return NULL; + } + + /* SRB */ + /* Apply the encryption tag length to the DTLS configuration, in case DTLS is in use */ peer->dtls_cfg.suite = (ast_test_flag(&peer->flags[2], SIP_PAGE3_SRTP_TAG_32) ? AST_AES_CM_128_HMAC_SHA1_32 : AST_AES_CM_128_HMAC_SHA1_80); @@ -33145,6 +33153,11 @@ static int reload_config(enum channelreloadreason reason) } } + /* Validate DTLS configuration */ + if (ast_rtp_dtls_cfg_validate(&default_dtls_cfg)) { + return -1; + } + /* Override global defaults if setting found in general section */ ast_copy_flags(&global_flags[0], &setflags[0], mask[0].flags); ast_copy_flags(&global_flags[1], &setflags[1], mask[1].flags); -- cgit v1.2.3