[asterisk-bugs] [JIRA] (ASTERISK-26604) chan_sip: sip reload doesn't apply changes to tlscertfile, tlsciphers, etc.
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Tue Nov 15 15:52:10 CST 2016
[ https://issues.asterisk.org/jira/browse/ASTERISK-26604?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=233757#comment-233757 ]
Asterisk Team commented on ASTERISK-26604:
------------------------------------------
Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.
A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.
Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].
> chan_sip: sip reload doesn't apply changes to tlscertfile, tlsciphers, etc.
> ---------------------------------------------------------------------------
>
> Key: ASTERISK-26604
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-26604
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_sip/TCP-TLS
> Affects Versions: 13.12.2, 14.1.2
> Reporter: Michael Kuron
> Severity: Minor
>
> {{sip reload}} currently doesn't apply changes made to {{tlscertfile}}, {{tlsciphers}}, or any of the other TLS-related _sip.conf_ parameters unless {{tlsbindaddr}} was also changed. This means that, in order to replace the SSL certificate, you need to perform {{module reload chan_sip}}, thus disconnecting all current SIP connections.
> _main/tcptls.c_ contains an explicit check for whether the bind address was changed and if it wasn't, it skips closing the old socket and creating a new one. Removing this check for TLS would solve the problem. Alternatively, one could store all TLS-related parameters inside {{ast_tcptls_session_args::tls_cfg}} and compare whether they have changed, but this would add half a dozen or more strings to that struct. Also, we would need to additionally store a hash or last-modified time stamp of all files loaded ({{tlscertfile}}, {{tlsprivkey}}, etc.) as they may have changed on-disk but still be the same file. I am not aware of any negative implications of simply unconditionally restarting the TLS socket, however.
> If this problem was fixed, one could replace an SSL certificate without impacting established connections. This is particularly useful in environments using Let's Encrypt, where the certificate needs to be replaced every other month and one typically automates that process.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list