[Asterisk-code-review] pjsip: Clarify certificate configuration for Websocket. (asterisk[15])
Jenkins2
asteriskteam at digium.com
Tue Jul 3 11:22:24 CDT 2018
Jenkins2 has submitted this change and it was merged. ( https://gerrit.asterisk.org/9328 )
Change subject: pjsip: Clarify certificate configuration for Websocket.
......................................................................
pjsip: Clarify certificate configuration for Websocket.
The Websocket transport uses the built-in HTTP server. As a result
the TLS configuration is done in http.conf and not in pjsip.conf.
This change adds a warning if these options are configured on a websocket transport in pjsip.conf
and also clarifies this in the sample configuration file.
Change-Id: I187d994d328c3ed274b6754fd4c2a4955bdc6dd9
---
M configs/samples/pjsip.conf.sample
M res/res_pjsip.c
M res/res_pjsip/config_transport.c
3 files changed, 22 insertions(+), 16 deletions(-)
Approvals:
Richard Mudgett: Looks good to me, approved
Jenkins2: Approved for Submit
diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample
index 9b64001..5ec7a63 100644
--- a/configs/samples/pjsip.conf.sample
+++ b/configs/samples/pjsip.conf.sample
@@ -862,10 +862,13 @@
;==========================TRANSPORT SECTION OPTIONS=========================
;[transport]
; SYNOPSIS: SIP Transport
+;
;async_operations=1 ; Number of simultaneous Asynchronous Operations
; (default: "1")
;bind= ; IP Address and optional port to bind to for this transport (default:
; "")
+; Note that for the Websocket transport the TLS configuration is configured
+; in http.conf and is applied for all HTTPS traffic.
;ca_list_file= ; File containing a list of certificates to read TLS ONLY
; (default: "")
;ca_list_path= ; Path to directory containing certificates to read TLS ONLY.
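Review bot: The note added ahead of ca_list_file reads "the TLS configuration is configured in http.conf", which is redundant and does not say that the certificate is not per-transport; tighten it to `; Note that for the Websocket (WSS) transport TLS is configured in http.conf, and` / `; that one certificate/key pair applies to all HTTPS traffic served by the built-in HTTP server.` The second half is the operationally important part: a deployer cannot give a WSS transport its own certificate through this section, so whatever certificate the HTTP server presents is what SIP-over-WebSocket clients will see. The transport option list continues past the end of the hunk.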
@@ -883,6 +886,13 @@
; different, at least OpenSSL 1.0.2 is required.
; (default: "")
;cipher= ; Preferred cryptography cipher names TLS ONLY (default: "")
+;method= ; Method of SSL transport TLS ONLY (default: "")
+;priv_key_file= ; Private key file TLS ONLY (default: "")
+;verify_client= ; Require verification of client certificate TLS ONLY (default:
+ ; "")
+;verify_server= ; Require verification of server certificate TLS ONLY (default:
+ ; "")
+;require_client_cert= ; Require client certificate TLS ONLY (default: "")
;domain= ; Domain the transport comes from (default: "")
;external_media_address= ; External IP address to use in RTP handling
; (default: "")
@@ -890,17 +900,10 @@
; "")
;external_signaling_port=0 ; External port for SIP signalling (default:
; "0")
-;method= ; Method of SSL transport TLS ONLY (default: "")
;local_net= ; Network to consider local used for NAT purposes (default: "")
;password= ; Password required for transport (default: "")
-;priv_key_file= ; Private key file TLS ONLY (default: "")
;protocol=udp ; Protocol to use for SIP traffic (default: "udp")
-;require_client_cert= ; Require client certificate TLS ONLY (default: "")
;type= ; Must be of type transport (default: "")
-;verify_client= ; Require verification of client certificate TLS ONLY (default:
- ; "")
-;verify_server= ; Require verification of server certificate TLS ONLY (default:
- ; "")
;tos=0 ; Enable TOS for the signalling sent over this transport (default: "0")
;cos=0 ; Enable COS for the signalling sent over this transport (default: "0")
;websocket_write_timeout=100 ; Default write timeout to set on websocket
diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index 1f9e126..14d1252 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -1211,13 +1211,13 @@
<synopsis>IP Address and optional port to bind to for this transport</synopsis>
</configOption>
<configOption name="ca_list_file">
- <synopsis>File containing a list of certificates to read (TLS ONLY)</synopsis>
+ <synopsis>File containing a list of certificates to read (TLS ONLY, not WSS)</synopsis>
</configOption>
<configOption name="ca_list_path">
- <synopsis>Path to directory containing a list of certificates to read (TLS ONLY)</synopsis>
+ <synopsis>Path to directory containing a list of certificates to read (TLS ONLY, not WSS)</synopsis>
</configOption>
<configOption name="cert_file">
- <synopsis>Certificate file for endpoint (TLS ONLY)</synopsis>
+ <synopsis>Certificate file for endpoint (TLS ONLY, not WSS)</synopsis>
<description><para>
A path to a .crt or .pem file can be provided. However, only
the certificate is read from the file, not the private key.
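Review bot: The `(TLS ONLY, not WSS)` synopsis added to ca_list_file, ca_list_path and cert_file says the option is ignored for WSS but not where the WSS certificate comes from, so a reader of the generated option documentation has no pointer to http.conf, unlike the sample-file note in this same change. Add a short description paragraph to cert_file (and the other TLS-only options) such as `<para>For websocket (WSS) transports this option is ignored; the certificate, key and CA list come from http.conf, because the websocket transport runs on the built-in HTTP server.</para>`. The enclosing XML documentation block starts and ends outside the hunk.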
@@ -1226,7 +1226,7 @@
</para></description>
</configOption>
<configOption name="cipher">
- <synopsis>Preferred cryptography cipher names (TLS ONLY)</synopsis>
+ <synopsis>Preferred cryptography cipher names (TLS ONLY, not WSS)</synopsis>
<description>
<para>Comma separated list of cipher names or numeric equivalents.
Numeric equivalents can be either decimal or hexadecimal (0xX).
@@ -1258,7 +1258,7 @@
<synopsis>External port for SIP signalling</synopsis>
</configOption>
<configOption name="method">
- <synopsis>Method of SSL transport (TLS ONLY)</synopsis>
+ <synopsis>Method of SSL transport (TLS ONLY, not WSS)</synopsis>
<description>
<enumlist>
<enum name="default">
@@ -1285,7 +1285,7 @@
<synopsis>Password required for transport</synopsis>
</configOption>
<configOption name="priv_key_file">
- <synopsis>Private key file (TLS ONLY)</synopsis>
+ <synopsis>Private key file (TLS ONLY, not WSS)</synopsis>
</configOption>
<configOption name="protocol" default="udp">
<synopsis>Protocol to use for SIP traffic</synopsis>
@@ -1300,16 +1300,16 @@
</description>
</configOption>
<configOption name="require_client_cert" default="false">
- <synopsis>Require client certificate (TLS ONLY)</synopsis>
+ <synopsis>Require client certificate (TLS ONLY, not WSS)</synopsis>
</configOption>
<configOption name="type">
<synopsis>Must be of type 'transport'.</synopsis>
</configOption>
<configOption name="verify_client" default="false">
- <synopsis>Require verification of client certificate (TLS ONLY)</synopsis>
+ <synopsis>Require verification of client certificate (TLS ONLY, not WSS)</synopsis>
</configOption>
<configOption name="verify_server" default="false">
- <synopsis>Require verification of server certificate (TLS ONLY)</synopsis>
+ <synopsis>Require verification of server certificate (TLS ONLY, not WSS)</synopsis>
</configOption>
<configOption name="tos" default="false">
<synopsis>Enable TOS for the signalling sent over this transport</synopsis>
diff --git a/res/res_pjsip/config_transport.c b/res/res_pjsip/config_transport.c
index 55ef3c5..3ad4dcc 100644
--- a/res/res_pjsip/config_transport.c
+++ b/res/res_pjsip/config_transport.c
@@ -650,6 +650,9 @@
} else if ((transport->type == AST_TRANSPORT_WS) || (transport->type == AST_TRANSPORT_WSS)) {
if (transport->cos || transport->tos) {
ast_log(LOG_WARNING, "TOS and COS values ignored for websocket transport\n");
+ } else if (!ast_strlen_zero(transport->ca_list_file) || !ast_strlen_zero(transport->ca_list_path) ||
+ !ast_strlen_zero(transport->cert_file) || !ast_strlen_zero(transport->privkey_file)) {
+ ast_log(LOG_WARNING, "TLS certificate values ignored for websocket transport as they are configured in http.conf\n");
}
res = PJ_SUCCESS;
}
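Review bot: The new certificate warning on the `} else if` line never fires when tos or cos is also set on the same transport, because it is chained behind the TOS/COS warning; the two conditions are independent and both should be reported, so close the first `if` and start a new one: `}` followed by `if (!ast_strlen_zero(transport->ca_list_file) || !ast_strlen_zero(transport->ca_list_path) ||` with the rest of the condition unchanged. The check also covers only the file and path options; the other options this change documents as not applying to WSS (method, cipher, verify_client, verify_server, require_client_cert) are not examined here, so if those are stored on the transport struct, a deployer who sets require_client_cert or verify_client on a WSS transport expecting client-certificate authentication gets no warning that the setting is silently ignored. The enclosing function starts and ends outside the hunk.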
--
Gerrit-Project: asterisk
Gerrit-Branch: 15
Gerrit-MessageType: merged
Gerrit-Change-Id: I187d994d328c3ed274b6754fd4c2a4955bdc6dd9
Gerrit-Change-Number: 9328
Gerrit-PatchSet: 2
Gerrit-Owner: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Jenkins2
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>