[asterisk-commits] dvossel: trunk r190545 - in /trunk: ./ channels/ configs/ include/asterisk/ m...



Author: dvossel
Date: Fri Apr 24 16:22:31 2009
New Revision: 190545

URL: http://svn.digium.com/svn-view/asterisk?view=rev&rev=190545
Log:
TLS/SSL private key option

Adds option to specify a private key .pem file when configuring TLS or SSL in AMI, HTTP, and SIP.  Before this, the certificate file was used for both the public and private key.  It is possible for this file to hold both, but most configurations allow for a separate private key file to be specified.  Clarified in .conf files how these options are to be used.  The current conf files do not explain how the private key is handled at all, so without knowledge of Asterisk's TLS implementation, it would be hard to know for sure what was going on or how to set it up.

Review: http://reviewboard.digium.com/r/234/

Modified:
    trunk/CHANGES
    trunk/channels/chan_sip.c
    trunk/configs/http.conf.sample
    trunk/configs/manager.conf.sample
    trunk/configs/sip.conf.sample
    trunk/include/asterisk/tcptls.h
    trunk/main/http.c
    trunk/main/manager.c
    trunk/main/tcptls.c

Modified: trunk/CHANGES
URL: http://svn.digium.com/svn-view/asterisk/trunk/CHANGES?view=diff&rev=190545&r1=190544&r2=190545
==============================================================================
--- trunk/CHANGES (original)
+++ trunk/CHANGES Fri Apr 24 16:22:31 2009
@@ -20,6 +20,9 @@
  * Added SIP_CODEC_OUTBOUND dialplan variable which can be used to set the codec
    to be used for the outgoing call. It must be one of the codecs configured
    for the device.
+ * Added tlsprivatekey option to sip.conf.  This allows a separate .pem file
+   to be used for holding a private key.  If tlsprivatekey is not specified,
+   tlscertfile is searched for both public and private key.
 
 Applications
 ------------
@@ -96,7 +99,9 @@
 --------------------------
  * The Hangup action now accepts a Cause header which may be used to
    set the channel's hangup cause.
-
+ * sslprivatekey option added to manager.conf and http.conf.  Adds the ability
+   to specify a separate .pem file to hold a private key.  By default sslcert
+   is used to hold both the public and private key.
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 1.6.1 to Asterisk 1.6.2  -------------
 ------------------------------------------------------------------------------

Modified: trunk/channels/chan_sip.c
URL: http://svn.digium.com/svn-view/asterisk/trunk/channels/chan_sip.c?view=diff&rev=190545&r1=190544&r2=190545
==============================================================================
--- trunk/channels/chan_sip.c (original)
+++ trunk/channels/chan_sip.c Fri Apr 24 16:22:31 2009
@@ -23785,7 +23785,6 @@
 					/* iterator->call = sip_destroy(iterator->call); */
 				}
 				ASTOBJ_UNLOCK(iterator);
-				
 		} while(0));
 
 		/* Then, actually destroy users and registry */
@@ -23793,20 +23792,21 @@
 		ast_debug(4, "--------------- Done destroying registry list\n");
 		ao2_t_callback(peers, OBJ_NODATA, peer_markall_func, NULL, "callback to mark all peers");
 	}
-	
+
 	/* Reset certificate handling for TLS sessions */
 	if (reason != CHANNEL_MODULE_LOAD) {
 		ast_free(default_tls_cfg.certfile);
+		ast_free(default_tls_cfg.pvtfile);
 		ast_free(default_tls_cfg.cipher);
 		ast_free(default_tls_cfg.cafile);
 		ast_free(default_tls_cfg.capath);
 	}
 	default_tls_cfg.certfile = ast_strdup(AST_CERTFILE); /*XXX Not sure if this is useful */
+	default_tls_cfg.pvtfile = ast_strdup("");
 	default_tls_cfg.cipher = ast_strdup("");
 	default_tls_cfg.cafile = ast_strdup("");
 	default_tls_cfg.capath = ast_strdup("");
 
-	
 	/* Initialize copy of current global_regcontext for later use in removing stale contexts */
 	ast_copy_string(oldcontexts, global_regcontext, sizeof(oldcontexts));
 	oldregcontext = oldcontexts;
@@ -24017,6 +24017,9 @@
 		} else if (!strcasecmp(v->name, "tlscertfile")) {
 			ast_free(default_tls_cfg.certfile);
 			default_tls_cfg.certfile = ast_strdup(v->value);
+		} else if (!strcasecmp(v->name, "tlsprivatekey")) {
+			ast_free(default_tls_cfg.pvtfile);
+			default_tls_cfg.pvtfile = ast_strdup(v->value);
 		} else if (!strcasecmp(v->name, "tlscipher")) {
 			ast_free(default_tls_cfg.cipher);
 			default_tls_cfg.cipher = ast_strdup(v->value);
@@ -25367,6 +25370,8 @@
 
 	if (default_tls_cfg.certfile)
 		ast_free(default_tls_cfg.certfile);
+	if (default_tls_cfg.pvtfile)
+		ast_free(default_tls_cfg.pvtfile);
 	if (default_tls_cfg.cipher)
 		ast_free(default_tls_cfg.cipher);
 	if (default_tls_cfg.cafile)
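Review bot: The unload path guards the new free with `if (default_tls_cfg.pvtfile)` while the reload path in the earlier hunk of this file calls `ast_free(default_tls_cfg.pvtfile);` unguarded, so the two new sites treat the same field differently; if ast_free keeps free()'s tolerance of NULL (as the unguarded reload line already assumes) the guard here is redundant and the unguarded form is the one to keep. The same guarded pattern is repeated in the new http.c and manager.c default-reset hunks. Each new line mirrors its certfile neighbour, so dropping the guards is best done for the whole group rather than for pvtfile alone. The enclosing function starts and ends outside this hunk.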

Modified: trunk/configs/http.conf.sample
URL: http://svn.digium.com/svn-view/asterisk/trunk/configs/http.conf.sample?view=diff&rev=190545&r1=190544&r2=190545
==============================================================================
--- trunk/configs/http.conf.sample (original)
+++ trunk/configs/http.conf.sample Fri Apr 24 16:22:31 2009
@@ -52,12 +52,16 @@
 ; sslbindport=4433	; port to use - default is 8089
 ; sslbindaddr=0.0.0.0	; address to bind to - default is bindaddr.
 ;
-; sslcert=/tmp/foo.pem	; path to the certificate
 ;
-; To produce a certificate you can e.g. use openssl
-;	openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
+; sslcert=</path/to/certificate.pem>   ; path to the certificate file (*.pem) only.
+; sslprivatekey=</path/to/private.pem>    ; path to private key file (*.pem) only.
+; If no path is given for sslcert or sslprivatekey, default is to look in current
+; directory. If no sslprivatekey is given, default is to search sslcert for private key.
 ;
-
+; To produce a certificate you can e.g. use openssl. This places both the cert and
+; private in same .pem file.
+; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
+;
 ; The post_mappings section maps URLs to real paths on the filesystem.  If a
 ; POST is done from within an authenticated manager session to one of the
 ; configured POST mappings, then any files in the POST will be placed in the
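Review bot: The added sentence `; private in same .pem file.` is missing a word; it should read `; private key in the same .pem file.`. Since the sample now documents a standalone private key file, a line saying that this file should be readable only by the user Asterisk runs as would save operators from leaving the key world-readable alongside the public certificate.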

Modified: trunk/configs/manager.conf.sample
URL: http://svn.digium.com/svn-view/asterisk/trunk/configs/manager.conf.sample?view=diff&rev=190545&r1=190544&r2=190545
==============================================================================
--- trunk/configs/manager.conf.sample (original)
+++ trunk/configs/manager.conf.sample Fri Apr 24 16:22:31 2009
@@ -43,8 +43,10 @@
 ;   sslbindport=5039		; the port to bind to
 ;   sslbindaddr=0.0.0.0		; address to bind to, default to bindaddr
 ;   sslcert=/tmp/asterisk.pem	; path to the certificate.
+;   sslprivatekey=/tmp/private.pem ; path to the private key, if no private given,
+                                   ; if no sslprivatekey is given, default is to search
+								   ; sslcert for private key.
 ;   sslcipher=<cipher string>   ; string specifying which SSL ciphers to use or not use
-
 
 ;
 ;allowmultiplelogin = yes		; IF set to no, rejects manager logins that are already in use.
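Review bot: The new sslprivatekey comment says `if no private given,` and then repeats the clause as `if no sslprivatekey is given` on the next line, and the third continuation line is indented with tabs where the second uses spaces, so the alignment of the `;` column depends on the reader's tab width. Suggest two space-indented lines: `;   sslprivatekey=/tmp/private.pem ; path to the private key. If no sslprivatekey` followed by `;                                  ; is given, default is to search sslcert for the private key.`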

Modified: trunk/configs/sip.conf.sample
URL: http://svn.digium.com/svn-view/asterisk/trunk/configs/sip.conf.sample?view=diff&rev=190545&r1=190544&r2=190545
==============================================================================
--- trunk/configs/sip.conf.sample (original)
+++ trunk/configs/sip.conf.sample Fri Apr 24 16:22:31 2009
@@ -117,12 +117,16 @@
                                 ; Remember that the IP address must match the common name (hostname) in the
                                 ; certificate, so you don't want to bind a TLS socket to multiple IP addresses.
 
-;tlscertfile=asterisk.pem       ; Certificate file (*.pem only) to use for TLS connections 
-                                ; default is to look for "asterisk.pem" in current directory
+;tlscertfile=</path/to/certificate.pem> ; Certificate file (*.pem only) to use for TLS connections
+                                        ; default is to look for "asterisk.pem" in current directory
+
+;tlsprivatekey=</path/to/private.pem> ; Private key file (*.pem only) for TLS connections.
+                                      ; If no tlsprivatekey is specified, tlscertfile is searched for
+                                      ; for both public and private key.
 
 ;tlscafile=</path/to/certificate>
 ;        If the server your connecting to uses a self signed certificate
-;        you should have their certificate installed here so the code can 
+;        you should have their certificate installed here so the code can
 ;        verify the authenticity of their certificate.
 
 ;tlscadir=</path/to/ca/dir>
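Review bot: The tlsprivatekey comment repeats `for` across the line break (`tlscertfile is searched for` / `for both public and private key`); drop the trailing `for` on the first line so it reads `; If no tlsprivatekey is specified, tlscertfile is searched` / `; for both the public and private key.`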

Modified: trunk/include/asterisk/tcptls.h
URL: http://svn.digium.com/svn-view/asterisk/trunk/include/asterisk/tcptls.h?view=diff&rev=190545&r1=190544&r2=190545
==============================================================================
--- trunk/include/asterisk/tcptls.h (original)
+++ trunk/include/asterisk/tcptls.h Fri Apr 24 16:22:31 2009
@@ -78,6 +78,7 @@
 struct ast_tls_config {
 	int enabled;
 	char *certfile;
+	char *pvtfile;
 	char *cipher;
 	char *cafile;
 	char *capath;
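Review bot: The new `pvtfile` member carries no comment, and the fallback it implies (an empty value makes the key loader fall back to `certfile`, as the tmpprivate selection in main/tcptls.c does) is only discoverable by reading that file; add `char *pvtfile;	/* private key file; when empty, certfile is searched for the key as well */` so readers of the header get the contract. The struct definition begins in this hunk but its end lies outside it.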

Modified: trunk/main/http.c
URL: http://svn.digium.com/svn-view/asterisk/trunk/main/http.c?view=diff&rev=190545&r1=190544&r2=190545
==============================================================================
--- trunk/main/http.c (original)
+++ trunk/main/http.c Fri Apr 24 16:22:31 2009
@@ -1004,6 +1004,12 @@
 		ast_free(http_tls_cfg.certfile);
 	}
 	http_tls_cfg.certfile = ast_strdup(AST_CERTFILE);
+
+	if (http_tls_cfg.pvtfile) {
+		ast_free(http_tls_cfg.pvtfile);
+	}
+	http_tls_cfg.pvtfile = ast_strdup("");
+
 	if (http_tls_cfg.cipher) {
 		ast_free(http_tls_cfg.cipher);
 	}
@@ -1027,6 +1033,9 @@
 			} else if (!strcasecmp(v->name, "sslcert")) {
 				ast_free(http_tls_cfg.certfile);
 				http_tls_cfg.certfile = ast_strdup(v->value);
+			} else if (!strcasecmp(v->name, "sslprivatekey")) {
+				ast_free(http_tls_cfg.pvtfile);
+				http_tls_cfg.pvtfile = ast_strdup(v->value);
 			} else if (!strcasecmp(v->name, "sslcipher")) {
 				ast_free(http_tls_cfg.cipher);
 				http_tls_cfg.cipher = ast_strdup(v->value);

Modified: trunk/main/manager.c
URL: http://svn.digium.com/svn-view/asterisk/trunk/main/manager.c?view=diff&rev=190545&r1=190544&r2=190545
==============================================================================
--- trunk/main/manager.c (original)
+++ trunk/main/manager.c Fri Apr 24 16:22:31 2009
@@ -4791,6 +4791,10 @@
 		ast_free(ami_tls_cfg.certfile);
 	}
 	ami_tls_cfg.certfile = ast_strdup(AST_CERTFILE);
+	if (ami_tls_cfg.pvtfile) {
+		ast_free(ami_tls_cfg.pvtfile);
+	}
+	ami_tls_cfg.pvtfile = ast_strdup("");
 	if (ami_tls_cfg.cipher) {
 		ast_free(ami_tls_cfg.cipher);
 	}
@@ -4812,6 +4816,9 @@
 		} else if (!strcasecmp(var->name, "sslcert")) {
 			ast_free(ami_tls_cfg.certfile);
 			ami_tls_cfg.certfile = ast_strdup(val);
+		} else if (!strcasecmp(var->name, "sslprivatekey")) {
+			ast_free(ami_tls_cfg.pvtfile);
+			ami_tls_cfg.pvtfile = ast_strdup(val);
 		} else if (!strcasecmp(var->name, "sslcipher")) {
 			ast_free(ami_tls_cfg.cipher);
 			ami_tls_cfg.cipher = ast_strdup(val);

Modified: trunk/main/tcptls.c
URL: http://svn.digium.com/svn-view/asterisk/trunk/main/tcptls.c?view=diff&rev=190545&r1=190544&r2=190545
==============================================================================
--- trunk/main/tcptls.c (original)
+++ trunk/main/tcptls.c Fri Apr 24 16:22:31 2009
@@ -289,12 +289,20 @@
 		return 0;
 	}
 	if (!ast_strlen_zero(cfg->certfile)) {
-		if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0 ||
-		    SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0 ||
-		    SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 ) {
+		char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
+		if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
 			if (!client) {
 				/* Clients don't need a certificate, but if its setup we can use it */
-				ast_verb(0, "SSL cert error <%s>", cfg->certfile);
+				ast_verb(0, "SSL error loading cert file. <%s>", cfg->certfile);
+				sleep(2);
+				cfg->enabled = 0;
+				return 0;
+			}
+		}
+		if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
+			if (!client) {
+				/* Clients don't need a private key, but if its setup we can use it */
+				ast_verb(0, "SSL error loading private key file. <%s>", tmpprivate);
 				sleep(2);
 				cfg->enabled = 0;
 				return 0;
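Review bot: The combined condition on the SSL_CTX_use_PrivateKey_file line reports both failure modes with the same "error loading private key file" message, so a key that reads fine but does not match the certificate (SSL_CTX_check_private_key returning 0) is reported as a file problem and sends the operator to the wrong file. Either split the two calls into separate branches with their own messages, or at least name both causes: `ast_verb(0, "SSL error loading private key file <%s> or key does not match certificate <%s>\n", tmpprivate, cfg->certfile);` (the trailing newline follows the convention the ast_debug call in the chan_sip.c hunk shows). Note also that the key is only loaded inside the `if (!ast_strlen_zero(cfg->certfile))` branch, so a configured pvtfile with an empty certfile is silently ignored; a warning in that case would make the misconfiguration visible. The enclosing function starts before this hunk and continues past it.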



