From 04d3785a798e984a5f5d43ec5f124a9b30a58b9e Mon Sep 17 00:00:00 2001 From: Sean Bright Date: Fri, 29 Sep 2017 14:50:17 +0000 Subject: dtls: Add support for ephemeral DTLS certificates. This mimics the behavior of Chrome and Firefox and creates an ephemeral X.509 certificate for each DTLS session. Currently, the only supported key type is ECDSA because of its faster generation time, but other key types can be added in the future as necessary. ASTERISK-27395 Change-Id: I5122e5f4b83c6320cc17407a187fcf491daf30b4 --- res/res_pjsip.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'res/res_pjsip.c') diff --git a/res/res_pjsip.c b/res/res_pjsip.c index 7499ded3e..1b59b2834 100644 --- a/res/res_pjsip.c +++ b/res/res_pjsip.c @@ -772,6 +772,18 @@ If this is not set or the value provided is 0 rekeying will be disabled. + + Whether or not to automatically generate an ephemeral X.509 certificate + + + If enabled, Asterisk will generate an X.509 certificate for each DTLS session. + This option only applies if media_encryption is set + to dtls. This option will be automatically enabled if + webrtc is enabled and dtls_cert_file is + not specified. + + + Path to certificate file to present to peer @@ -1028,6 +1040,7 @@ use_received_transport. The following configuration settings also get defaulted as follows: media_encryption=dtls + dtls_auto_generate_cert=yes (if dtls_cert_file is not set) dtls_verify=fingerprint dtls_setup=actpass -- cgit v1.2.3
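Review bot: In the first hunk (@@ -772,6 +772,18 @@), the new dtls_auto_generate_cert description does not say what happens when the option is enabled and dtls_cert_file is also set. State which one takes effect, or that the combination is rejected when the configuration loads, so an operator cannot assume a CA-issued certificate is being presented while an ephemeral one is in use. The commit message says ECDSA is the only supported key type; that limit belongs in the description as well, since it affects interoperability with peers that lack ECDSA support.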
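Review bot: In the second hunk (@@ -1028,6 +1040,7 @@), the added line "dtls_auto_generate_cert=yes (if dtls_cert_file is not set)" is the only conditional entry in the webrtc defaults list, and it does not say whether an explicit dtls_auto_generate_cert=no on a webrtc endpoint is kept or overridden. Spell that out here. Since the list also defaults dtls_verify=fingerprint, a short sentence noting that a per-session certificate is authenticated by its fingerprint alone would help readers understand why the two defaults are paired.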