From e55d1e47aa28f7f0477bbbb251bdabaddf640f9a Mon Sep 17 00:00:00 2001 From: Alexander Traud Date: Thu, 18 Aug 2016 15:19:15 +0200 Subject: sip_to_pjsip: Map the TLS method correctly. When using the migration script sip_to_pjsip.py and tlsclientmethod is not set in sip.conf, the default value of chan_sip (sslv23) is copied to pjsip.conf, to overwrite the default of the PJProject (tlsv1). This makes sure, res_pjsip is offering/using not just TLSv1.0 but TLSv1.2 as well. ASTERISK-22374 Change-Id: Ie530a3dae9926ae14f3920a21be1e2edb15bda4f --- contrib/scripts/sip_to_pjsip/sip_to_pjsip.py | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) (limited to 'contrib') diff --git a/contrib/scripts/sip_to_pjsip/sip_to_pjsip.py b/contrib/scripts/sip_to_pjsip/sip_to_pjsip.py index 890921673..a9bc78e3e 100755 --- a/contrib/scripts/sip_to_pjsip/sip_to_pjsip.py +++ b/contrib/scripts/sip_to_pjsip/sip_to_pjsip.py @@ -731,11 +731,6 @@ def set_tls_verifyserver(val, pjsip, nmapped): 'transport') -def set_tls_method(val, pjsip, nmapped): - """Sets method based on sip.conf tlsclientmethod or sslclientmethod""" - set_value('method', val, 'transport-tls', pjsip, nmapped, 'transport') - - def create_tls(sip, pjsip, nmapped): """ Creates a 'transport-tls' section in pjsip.conf based on the following @@ -759,8 +754,7 @@ def create_tls(sip, pjsip, nmapped): (['tlscipher', 'sslcipher'], set_tls_cipher), (['tlscafile'], set_tls_cafile), (['tlsverifyclient'], set_tls_verifyclient), - (['tlsdontverifyserver'], set_tls_verifyserver), - (['tlsclientmethod', 'sslclientmethod'], set_tls_method) + (['tlsdontverifyserver'], set_tls_verifyserver) ] try: @@ -780,6 +774,23 @@ def create_tls(sip, pjsip, nmapped): except LookupError: pass + try: + method = sip.multi_get('general', ['tlsclientmethod', 'sslclientmethod'])[0] + print 'In chan_sip, you specified the TLS version. With chan_sip, this was just for outbound client connections. In chan_pjsip, this value is for client and server. Instead, consider not to specify \'tlsclientmethod\' for chan_sip and \'method = sslv23\' for chan_pjsip.' + except LookupError: + """ + OpenSSL emerged during the 90s. SSLv2 and SSLv3 were the only + existing methods at that time. The OpenSSL project continued. And as + of today (OpenSSL 1.0.2) this does not start SSLv2 and SSLv3 anymore + but TLSv1.0 and v1.2. Or stated differently: This method should + have been called 'method = secure' or 'method = automatic' back in + the 90s. The PJProject did not realize this and uses 'tlsv1' as + default when unspecified, which disables TLSv1.2. chan_sip used + 'sslv23' as default when unspecified, which gives TLSv1.0 and v1.2. + """ + method = 'sslv23' + set_value('method', val, 'transport-tls', pjsip, nmapped, 'transport') + set_transport_common('transport-tls', pjsip, nmapped) try: extern_addr = sip.multi_get('general', ['externaddr', 'externip', -- cgit v1.2.3