[asterisk-commits] kmoore: branch 1.8 r383165 - in /branches/1.8: channels/ main/
Author: kmoore
Date: Fri Mar 15 07:49:59 2013
New Revision: 383165
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=383165
Log:
tcptls: Prevent unsupported options from being set
AMI, HTTP, and chan_sip all support TLS in some way, but none of them
support all the options that Asterisk's TLS core is capable of
interpreting. This prevents consumers of the TLS/SSL layer from setting
TLS/SSL options that they do not support.
This also gets tlsverifyclient closer to a working state by requesting
the client certificate when tlsverifyclient is set. Currently, there is
no consumer of main/tcptls.c in Asterisk that supports this feature and
so it cannot be properly tested.
Review: https://reviewboard.asterisk.org/r/2370/
Reported-by: John Bigelow
Patch-by: Kinsey Moore
(closes issue AST-1093)
Modified:
branches/1.8/channels/chan_sip.c
branches/1.8/main/http.c
branches/1.8/main/manager.c
branches/1.8/main/tcptls.c
Modified: branches/1.8/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/channels/chan_sip.c?view=diff&rev=383165&r1=383164&r2=383165
==============================================================================
--- branches/1.8/channels/chan_sip.c (original)
+++ branches/1.8/channels/chan_sip.c Fri Mar 15 07:49:59 2013
@@ -28882,8 +28882,11 @@
if (!ast_jb_read_conf(&global_jbconf, v->name, v->value))
continue;
- /* handle tls conf */
- if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
+ /* handle tls conf, don't allow setting of tlsverifyclient as it isn't supported by chan_sip */
+ if (!strcasecmp(v->name, "tlsverifyclient")) {
+ ast_log(LOG_WARNING, "Ignoring unsupported option 'tlsverifyclient'\n");
+ continue;
+ } else if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
continue;
}
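Review bot: The warning on L40 tells the operator that `tlsverifyclient` is dropped but not what that means for the listener: the option exists to demand a client certificate, so the security-relevant consequence is that chan_sip accepts any TLS client, and the log line should say so, e.g. `ast_log(LOG_WARNING, "Ignoring unsupported option 'tlsverifyclient'; chan_sip will not verify client certificates\n");`. The `else` on L42 is redundant after `continue` and can be dropped so the line matches the surrounding `if (...) { continue; }` shape. The enclosing config-loading function starts and ends outside the hunk.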
Modified: branches/1.8/main/http.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/http.c?view=diff&rev=383165&r1=383164&r2=383165
==============================================================================
--- branches/1.8/main/http.c (original)
+++ branches/1.8/main/http.c Fri Mar 15 07:49:59 2013
@@ -1076,8 +1076,17 @@
v = ast_variable_browse(cfg, "general");
for (; v; v = v->next) {
- /* handle tls conf */
- if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+ /* read tls config options while preventing unsupported options from being set */
+ if (strcasecmp(v->name, "tlscafile")
+ && strcasecmp(v->name, "tlscapath")
+ && strcasecmp(v->name, "tlscadir")
+ && strcasecmp(v->name, "tlsverifyclient")
+ && strcasecmp(v->name, "tlsdontverifyserver")
+ && strcasecmp(v->name, "tlsclientmethod")
+ && strcasecmp(v->name, "sslclientmethod")
+ && strcasecmp(v->name, "tlscipher")
+ && strcasecmp(v->name, "sslcipher")
+ && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
continue;
}
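Review bot: The nine-way `strcasecmp` chain on L56-L64 is a second copy of the list manager.c carries, and the two already differ (`tlscipher`/`sslcipher` are rejected here but not there), so the lists will drift as tcptls.c grows options. A file-scope table plus a small predicate keeps the loop readable and makes the unsupported set reviewable in one place. Note also that when a rejected name appears the condition simply falls through to whatever option handling follows (outside the hunk), so unlike chan_sip the operator gets no warning that e.g. `tlsverifyclient=yes` in http.conf does nothing; at minimum the comment on L55 should say the options are dropped silently. The enclosing function starts and ends outside the hunk.
```c
/* TLS options the TLS core understands but the HTTP server does not support.
 * They are never passed to ast_tls_read_conf(), so they cannot reach http_tls_cfg. */
static const char * const http_unsupported_tls_opts[] = {
	"tlscafile", "tlscapath", "tlscadir", "tlsverifyclient",
	"tlsdontverifyserver", "tlsclientmethod", "sslclientmethod",
	"tlscipher", "sslcipher",
};

/* Return non-zero if NAME is a TLS option the HTTP server may apply. */
static int http_tls_option_supported(const char *name)
{
	size_t i;
	for (i = 0; i < sizeof(http_unsupported_tls_opts) / sizeof(http_unsupported_tls_opts[0]); i++) {
		if (!strcasecmp(name, http_unsupported_tls_opts[i])) {
			return 0;
		}
	}
	return 1;
}

/* … unchanged: start of the config-loading function … */
	for (; v; v = v->next) {
		/* unsupported TLS options are skipped and left to the generic handling below */
		if (http_tls_option_supported(v->name)
			&& !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
			continue;
		}
		/* … unchanged: remaining option handling … */
```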
Modified: branches/1.8/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/manager.c?view=diff&rev=383165&r1=383164&r2=383165
==============================================================================
--- branches/1.8/main/manager.c (original)
+++ branches/1.8/main/manager.c Fri Mar 15 07:49:59 2013
@@ -6893,7 +6893,15 @@
for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
val = var->value;
- if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
+ /* read tls config options while preventing unsupported options from being set */
+ if (strcasecmp(var->name, "tlscafile")
+ && strcasecmp(var->name, "tlscapath")
+ && strcasecmp(var->name, "tlscadir")
+ && strcasecmp(var->name, "tlsverifyclient")
+ && strcasecmp(var->name, "tlsdontverifyserver")
+ && strcasecmp(var->name, "tlsclientmethod")
+ && strcasecmp(var->name, "sslclientmethod")
+ && !ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
continue;
}
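Review bot: An operator who sets `tlsverifyclient=yes` in manager.conf gets no indication that AMI will not demand a client certificate: the chain on L78-L84 skips `ast_tls_read_conf()` and falls through to the remaining option handling (outside the hunk), whereas chan_sip logs a warning for the same case in this commit. The rejected set here also omits `tlscipher`/`sslcipher`, which http.c rejects; if AMI genuinely honours `tlscipher` that deserves a one-line comment, otherwise it is an inconsistency between the two lists. Rejecting the names explicitly with a warning makes the gap visible in the log (if the later handling already warns about unknown options, only the wording changes). The enclosing function starts and ends outside the hunk.
```c
	for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
		val = var->value;
		/* TLS options the TLS core understands but AMI does not support */
		if (!strcasecmp(var->name, "tlscafile")
			|| !strcasecmp(var->name, "tlscapath")
			|| !strcasecmp(var->name, "tlscadir")
			|| !strcasecmp(var->name, "tlsverifyclient")
			|| !strcasecmp(var->name, "tlsdontverifyserver")
			|| !strcasecmp(var->name, "tlsclientmethod")
			|| !strcasecmp(var->name, "sslclientmethod")) {
			ast_log(LOG_WARNING, "Ignoring unsupported TLS option '%s' in manager.conf\n", var->name);
			continue;
		}
		if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
			continue;
		}
		/* … unchanged: remaining option handling … */
```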
Modified: branches/1.8/main/tcptls.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/tcptls.c?view=diff&rev=383165&r1=383164&r2=383165
==============================================================================
--- branches/1.8/main/tcptls.c (original)
+++ branches/1.8/main/tcptls.c Fri Mar 15 07:49:59 2013
@@ -364,6 +364,11 @@
cfg->enabled = 0;
return 0;
}
+
+ SSL_CTX_set_verify(cfg->ssl_ctx,
+ ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
+ NULL);
+
if (!ast_strlen_zero(cfg->certfile)) {
char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
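Review bot: The verify mode set on L98-L100 has no comment saying which side of the connection it governs or what it fails on, and the hunk does not show whether this setup path also builds client contexts; on a client context `SSL_VERIFY_PEER` would make the handshake verify the server rather than a client, so the option's meaning depends on that and should be stated. With `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` a peer that presents no certificate, or one that does not chain to whatever CA is loaded into this context (the CA loading is not visible in the hunk), is rejected during the handshake — fail-closed, which is the right default for a path the log message says cannot be tested yet, and worth recording so nobody later "fixes" it by dropping the `FAIL_IF_NO_PEER_CERT` bit. Suggested comment above L98: `/* tlsverifyclient: require a client certificate and fail the handshake if none is presented or it does not verify against the configured CA; SSL_VERIFY_NONE otherwise. */` The enclosing function starts and ends outside the hunk.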