<p>Jenkins2 <strong>merged</strong> this change.</p><p><a href="https://gerrit.asterisk.org/9327">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Richard Mudgett: Looks good to me, approved
  Jenkins2: Approved for Submit

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">pjsip: Clarify certificate configuration for Websocket.<br><br>The Websocket transport uses the built-in HTTP server. As a result<br>the TLS configuration is done in http.conf and not in pjsip.conf.<br><br>This change adds a warning if this is configured in pjsip.conf and<br>also clarifies in the sample configuration file.<br><br>Change-Id: I187d994d328c3ed274b6754fd4c2a4955bdc6dd9<br>---<br>M configs/samples/pjsip.conf.sample<br>M res/res_pjsip.c<br>M res/res_pjsip/config_transport.c<br>3 files changed, 22 insertions(+), 16 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample</span><br><span>index 69576c1..a603a3e 100644</span><br><span>--- a/configs/samples/pjsip.conf.sample</span><br><span>+++ b/configs/samples/pjsip.conf.sample</span><br><span>@@ -842,10 +842,13 @@</span><br><span> ;==========================TRANSPORT SECTION OPTIONS=========================</span><br><span> ;[transport]</span><br><span> ;  SYNOPSIS: SIP Transport</span><br><span style="color: hsl(120, 100%, 40%);">+;</span><br><span> ;async_operations=1     ; Number of simultaneous Asynchronous Operations</span><br><span>                         ; (default: "1")</span><br><span> ;bind=  ; IP Address and optional port to bind to for this transport (default:</span><br><span>         ; "")</span><br><span style="color: hsl(120, 100%, 40%);">+; Note that for the Websocket transport the TLS configuration is configured</span><br><span style="color: hsl(120, 100%, 40%);">+; in http.conf and is applied for all HTTPS traffic.</span><br><span> ;ca_list_file=  ; File containing a list of certificates to read TLS ONLY</span><br><span>                 ; (default: "")</span><br><span> ;ca_list_path=  ; Path to directory containing certificates to read TLS ONLY.</span><br><span>@@ -857,6 +860,13 
@@</span><br><span>                 ; a .key file must be specified via priv_key_file</span><br><span>                 ; (default: "")</span><br><span> ;cipher=        ; Preferred cryptography cipher names TLS ONLY (default: "")</span><br><span style="color: hsl(120, 100%, 40%);">+;method=        ; Method of SSL transport TLS ONLY (default: "")</span><br><span style="color: hsl(120, 100%, 40%);">+;priv_key_file= ; Private key file TLS ONLY (default: "")</span><br><span style="color: hsl(120, 100%, 40%);">+;verify_client= ; Require verification of client certificate TLS ONLY (default:</span><br><span style="color: hsl(120, 100%, 40%);">+                ; "")</span><br><span style="color: hsl(120, 100%, 40%);">+;verify_server= ; Require verification of server certificate TLS ONLY (default:</span><br><span style="color: hsl(120, 100%, 40%);">+                ; "")</span><br><span style="color: hsl(120, 100%, 40%);">+;require_client_cert=   ; Require client certificate TLS ONLY (default: "")</span><br><span> ;domain=        ; Domain the transport comes from (default: "")</span><br><span> ;external_media_address=        ; External IP address to use in RTP handling</span><br><span>                                 ; (default: "")</span><br><span>@@ -864,17 +874,10 @@</span><br><span>                                 ; "")</span><br><span> ;external_signaling_port=0      ; External port for SIP signalling (default:</span><br><span>                                 ; "0")</span><br><span style="color: hsl(0, 100%, 40%);">-;method=        ; Method of SSL transport TLS ONLY (default: "")</span><br><span> ;local_net=     ; Network to consider local used for NAT purposes (default: "")</span><br><span> ;password=      ; Password required for transport (default: "")</span><br><span style="color: hsl(0, 100%, 40%);">-;priv_key_file= ; Private key file TLS ONLY (default: "")</span><br><span> ;protocol=udp   ; Protocol to use for SIP traffic (default: "udp")</span><br><span 
style="color: hsl(0, 100%, 40%);">-;require_client_cert=   ; Require client certificate TLS ONLY (default: "")</span><br><span> ;type=  ; Must be of type transport (default: "")</span><br><span style="color: hsl(0, 100%, 40%);">-;verify_client= ; Require verification of client certificate TLS ONLY (default:</span><br><span style="color: hsl(0, 100%, 40%);">-                ; "")</span><br><span style="color: hsl(0, 100%, 40%);">-;verify_server= ; Require verification of server certificate TLS ONLY (default:</span><br><span style="color: hsl(0, 100%, 40%);">-                ; "")</span><br><span> ;tos=0  ; Enable TOS for the signalling sent over this transport (default: "0")</span><br><span> ;cos=0  ; Enable COS for the signalling sent over this transport (default: "0")</span><br><span> ;websocket_write_timeout=100    ; Default write timeout to set on websocket</span><br><span>diff --git a/res/res_pjsip.c b/res/res_pjsip.c</span><br><span>index a82af0e..99abfb0 100644</span><br><span>--- a/res/res_pjsip.c</span><br><span>+++ b/res/res_pjsip.c</span><br><span>@@ -1158,13 +1158,13 @@</span><br><span>                                    <synopsis>IP Address and optional port to bind to for this transport</synopsis></span><br><span>                          </configOption></span><br><span>                                <configOption name="ca_list_file"></span><br><span style="color: hsl(0, 100%, 40%);">-                                      <synopsis>File containing a list of certificates to read (TLS ONLY)</synopsis></span><br><span style="color: hsl(120, 100%, 40%);">+                                    <synopsis>File containing a list of certificates to read (TLS ONLY, not WSS)</synopsis></span><br><span>                          </configOption></span><br><span>                                <configOption name="ca_list_path"></span><br><span style="color: hsl(0, 100%, 40%);">-                                      <synopsis>Path to directory containing a list of 
certificates to read (TLS ONLY)</synopsis></span><br><span style="color: hsl(120, 100%, 40%);">+                                       <synopsis>Path to directory containing a list of certificates to read (TLS ONLY, not WSS)</synopsis></span><br><span>                             </configOption></span><br><span>                                <configOption name="cert_file"></span><br><span style="color: hsl(0, 100%, 40%);">-                                 <synopsis>Certificate file for endpoint (TLS ONLY)</synopsis></span><br><span style="color: hsl(120, 100%, 40%);">+                                     <synopsis>Certificate file for endpoint (TLS ONLY, not WSS)</synopsis></span><br><span>                                   <description><para></span><br><span>                                              A path to a .crt or .pem file can be provided.  However, only</span><br><span>                                                the certificate is read from the file, not the private key.</span><br><span>@@ -1173,7 +1173,7 @@</span><br><span>                                  </para></description></span><br><span>                            </configOption></span><br><span>                                <configOption name="cipher"></span><br><span style="color: hsl(0, 100%, 40%);">-                                    <synopsis>Preferred cryptography cipher names (TLS ONLY)</synopsis></span><br><span style="color: hsl(120, 100%, 40%);">+                                       <synopsis>Preferred cryptography cipher names (TLS ONLY, not WSS)</synopsis></span><br><span>                                     <description></span><br><span>                                  <para>Comma separated list of cipher names or numeric equivalents.</span><br><span>                                             Numeric equivalents can be either decimal or hexadecimal (0xX).</span><br><span>@@ -1205,7 +1205,7 @@</span><br><span>                                      <synopsis>External port 
for SIP signalling</synopsis></span><br><span>                            </configOption></span><br><span>                                <configOption name="method"></span><br><span style="color: hsl(0, 100%, 40%);">-                                    <synopsis>Method of SSL transport (TLS ONLY)</synopsis></span><br><span style="color: hsl(120, 100%, 40%);">+                                   <synopsis>Method of SSL transport (TLS ONLY, not WSS)</synopsis></span><br><span>                                         <description></span><br><span>                                          <enumlist></span><br><span>                                                     <enum name="default"></span><br><span>@@ -1232,7 +1232,7 @@</span><br><span>                                        <synopsis>Password required for transport</synopsis></span><br><span>                             </configOption></span><br><span>                                <configOption name="priv_key_file"></span><br><span style="color: hsl(0, 100%, 40%);">-                                     <synopsis>Private key file (TLS ONLY)</synopsis></span><br><span style="color: hsl(120, 100%, 40%);">+                                  <synopsis>Private key file (TLS ONLY, not WSS)</synopsis></span><br><span>                                </configOption></span><br><span>                                <configOption name="protocol" default="udp"></span><br><span>                                       <synopsis>Protocol to use for SIP traffic</synopsis></span><br><span>@@ -1247,16 +1247,16 @@</span><br><span>                                   </description></span><br><span>                                 </configOption></span><br><span>                                <configOption name="require_client_cert" default="false"></span><br><span style="color: hsl(0, 100%, 40%);">-                                     <synopsis>Require client certificate (TLS ONLY)</synopsis></span><br><span style="color: hsl(120, 
100%, 40%);">+                                        <synopsis>Require client certificate (TLS ONLY, not WSS)</synopsis></span><br><span>                              </configOption></span><br><span>                                <configOption name="type"></span><br><span>                                   <synopsis>Must be of type 'transport'.</synopsis></span><br><span>                                </configOption></span><br><span>                                <configOption name="verify_client" default="false"></span><br><span style="color: hsl(0, 100%, 40%);">-                                   <synopsis>Require verification of client certificate (TLS ONLY)</synopsis></span><br><span style="color: hsl(120, 100%, 40%);">+                                        <synopsis>Require verification of client certificate (TLS ONLY, not WSS)</synopsis></span><br><span>                              </configOption></span><br><span>                                <configOption name="verify_server" default="false"></span><br><span style="color: hsl(0, 100%, 40%);">-                                   <synopsis>Require verification of server certificate (TLS ONLY)</synopsis></span><br><span style="color: hsl(120, 100%, 40%);">+                                        <synopsis>Require verification of server certificate (TLS ONLY, not WSS)</synopsis></span><br><span>                              </configOption></span><br><span>                                <configOption name="tos" default="false"></span><br><span>                                  <synopsis>Enable TOS for the signalling sent over this transport</synopsis></span><br><span>diff --git a/res/res_pjsip/config_transport.c b/res/res_pjsip/config_transport.c</span><br><span>index 55ef3c5..3ad4dcc 100644</span><br><span>--- a/res/res_pjsip/config_transport.c</span><br><span>+++ b/res/res_pjsip/config_transport.c</span><br><span>@@ -650,6 +650,9 @@</span><br><span>   } else if ((transport->type == AST_TRANSPORT_WS) || 
(transport->type == AST_TRANSPORT_WSS)) {</span><br><span>          if (transport->cos || transport->tos) {</span><br><span>                        ast_log(LOG_WARNING, "TOS and COS values ignored for websocket transport\n");</span><br><span style="color: hsl(120, 100%, 40%);">+               } else if (!ast_strlen_zero(transport->ca_list_file) || !ast_strlen_zero(transport->ca_list_path) ||</span><br><span style="color: hsl(120, 100%, 40%);">+                    !ast_strlen_zero(transport->cert_file) || !ast_strlen_zero(transport->privkey_file)) {</span><br><span style="color: hsl(120, 100%, 40%);">+                  ast_log(LOG_WARNING, "TLS certificate values ignored for websocket transport as they are configured in http.conf\n");</span><br><span>              }</span><br><span>            res = PJ_SUCCESS;</span><br><span>    }</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/9327">change 9327</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/9327"/><meta itemprop="name" content="View Change"/></div></div>
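<p>Review bot: In the configs/samples/pjsip.conf.sample hunk at @@ -842,10 +842,13 @@, the two-line note added after <code>;bind=</code> says only that "the TLS configuration is configured in http.conf"; since the same block still carries <code>;cipher=</code> and the next hunk moves <code>;method=</code>, <code>;verify_client=</code>, <code>;verify_server=</code> and <code>;require_client_cert=</code> into it, state plainly that none of the <code>TLS ONLY</code> options in this section has any effect on a websocket transport, so a reader does not take <code>require_client_cert=</code> as enforceable for WSS. The wording is also redundant; suggest: <code>; Note that for the Websocket transport the TLS configuration is set in</code> / <code>; http.conf and applies to all HTTPS traffic; the TLS ONLY options below are ignored.</code></p>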
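<p>Review bot: The pjsip.conf.sample hunks at @@ -857,6 +860,13 @@ and @@ -864,17 +874,10 @@ relocate <code>;verify_client=</code>, <code>;verify_server=</code> and <code>;require_client_cert=</code> but keep their <code>(default: "")</code> annotation, while the res_pjsip.c hunks in this same change declare <code>default="false"</code> for all three <code>configOption</code> elements. Since the lines are being rewritten anyway, align the sample with the XML (<code>(default: "false")</code>) so the two sources of documentation do not disagree about whether client certificates are required out of the box.</p>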
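<p>Review bot: In the res/res_pjsip.c hunks (@@ -1158 through @@ -1247) the suffix "(TLS ONLY, not WSS)" reads as a contradiction, because WSS is websocket over TLS; what the synopses mean is that the option applies to the native SIP TLS transport only and not to the websocket transport. Suggest wording such as "(TLS transport only, ignored for WSS)" and, at least on <code>cert_file</code> and <code>priv_key_file</code>, adding the same pointer to http.conf that the sample hunk adds inside the existing <code>&lt;description&gt;</code> block, so the generated XML documentation tells the reader where the WSS certificate actually comes from rather than only what is ignored.</p>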
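<p>Review bot: In the res/res_pjsip/config_transport.c hunk at @@ -650,6 +650,9 @@ the new certificate check is chained as an <code>else if</code> behind the <code>transport-&gt;cos || transport-&gt;tos</code> test, so a websocket transport that sets TOS/COS together with a certificate or key gets only the "TOS and COS values ignored" warning and the certificate warning is never emitted; make it an independent <code>if</code>. The condition also covers only <code>ca_list_file</code>, <code>ca_list_path</code>, <code>cert_file</code> and <code>privkey_file</code>, while the synopsis hunks in this change mark <code>cipher</code>, <code>method</code>, <code>verify_client</code>, <code>verify_server</code> and <code>require_client_cert</code> as not applying to WSS either. Of those, <code>require_client_cert</code> and <code>verify_client</code> are the ones where silent ignoring matters: an operator who sets them on a WSS transport gets a listener that accepts unauthenticated clients, and because the branch still returns <code>res = PJ_SUCCESS</code> the transport comes up with nothing but a warning in the log. Extend the check to those options, and consider treating <code>require_client_cert</code> on a websocket transport as a configuration error rather than a warning.</p>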

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 13 </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: I187d994d328c3ed274b6754fd4c2a4955bdc6dd9 </div>
<div style="display:none"> Gerrit-Change-Number: 9327 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: Joshua Colp <jcolp@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins2 </div>
<div style="display:none"> Gerrit-Reviewer: Richard Mudgett <rmudgett@digium.com> </div>