[asterisk-commits] kmoore: branch certified-11.2 r383208 - in /certified/branches/11.2: ./ chann...

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Fri Mar 15 08:37:11 CDT 2013


Author: kmoore
Date: Fri Mar 15 08:37:07 2013
New Revision: 383208

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=383208
Log:
tcptls: Prevent unsupported options from being set

AMI, HTTP, and chan_sip all support TLS in some way, but none of them
support all the options that Asterisk's TLS core is capable of
interpreting. This prevents consumers of the TLS/SSL layer from setting
TLS/SSL options that they do not support.

This also gets tlsverifyclient closer to a working state by requesting
the client certificate when tlsverifyclient is set. Currently, there is
no consumer of main/tcptls.c in Asterisk that supports this feature and
so it cannot be properly tested.

Review: https://reviewboard.asterisk.org/r/2370/
Reported-by: John Bigelow
Patch-by: Kinsey Moore
(closes issue AST-1093)
........

Merged revisions 383165 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 383166 from http://svn.asterisk.org/svn/asterisk/branches/11

Modified:
    certified/branches/11.2/   (props changed)
    certified/branches/11.2/channels/chan_sip.c
    certified/branches/11.2/main/http.c
    certified/branches/11.2/main/manager.c
    certified/branches/11.2/main/tcptls.c

Propchange: certified/branches/11.2/
------------------------------------------------------------------------------
--- branch-11-merged (original)
+++ branch-11-merged Fri Mar 15 08:37:07 2013
@@ -1,1 +1,1 @@
-/branches/11:378038,378121,378287,378321,378409-378411,378459,378582,378687,378690,378984,379513,379790,380465,380698,380869,380892,380894,380974,381306,381594,381613,381702,381737,382385,382390,382573,382617
+/branches/11:378038,378121,378287,378321,378409-378411,378459,378582,378687,378690,378984,379513,379790,380465,380698,380869,380892,380894,380974,381306,381594,381613,381702,381737,382385,382390,382573,382617,383166

Modified: certified/branches/11.2/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/11.2/channels/chan_sip.c?view=diff&rev=383208&r1=383207&r2=383208
==============================================================================
--- certified/branches/11.2/channels/chan_sip.c (original)
+++ certified/branches/11.2/channels/chan_sip.c Fri Mar 15 08:37:07 2013
@@ -31217,8 +31217,11 @@
 			continue;
 		}
 
-		/* handle tls conf */
-		if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
+		/* handle tls conf, don't allow setting of tlsverifyclient as it isn't supported by chan_sip */
+		if (!strcasecmp(v->name, "tlsverifyclient")) {
+			ast_log(LOG_WARNING, "Ignoring unsupported option 'tlsverifyclient'\n");
+			continue;
+		} else if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
 			continue;
 		}
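Review bot: The `else` joining the two new checks is dead, since the first branch always ends in `continue`, so the hunk reads more clearly as two separate guards: `if (!strcasecmp(v->name, "tlsverifyclient")) { ast_log(LOG_WARNING, "Ignoring unsupported option 'tlsverifyclient'\n"); continue; }` followed by the original `if (!ast_tls_read_conf(...)) { continue; }`. Warning rather than silently accepting the option is the right call here — an operator who set it would otherwise assume client certificates are being verified on SIP-over-TLS — and naming the file in the message (`... 'tlsverifyclient' in sip.conf`, if that is where this section is read from) would make the warning actionable. The enclosing loop and function both start before the hunk.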
 

Modified: certified/branches/11.2/main/http.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/11.2/main/http.c?view=diff&rev=383208&r1=383207&r2=383208
==============================================================================
--- certified/branches/11.2/main/http.c (original)
+++ certified/branches/11.2/main/http.c Fri Mar 15 08:37:07 2013
@@ -1052,8 +1052,17 @@
 		v = ast_variable_browse(cfg, "general");
 		for (; v; v = v->next) {
 
-			/* handle tls conf */
-			if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+			/* read tls config options while preventing unsupported options from being set */
+			if (strcasecmp(v->name, "tlscafile")
+				&& strcasecmp(v->name, "tlscapath")
+				&& strcasecmp(v->name, "tlscadir")
+				&& strcasecmp(v->name, "tlsverifyclient")
+				&& strcasecmp(v->name, "tlsdontverifyserver")
+				&& strcasecmp(v->name, "tlsclientmethod")
+				&& strcasecmp(v->name, "sslclientmethod")
+				&& strcasecmp(v->name, "tlscipher")
+				&& strcasecmp(v->name, "sslcipher")
+				&& !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
 				continue;
 			}
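Review bot: A name in the excluded list (for example `tlsverifyclient=yes`) is dropped without any log output — the `strcasecmp` chain just makes the condition false and the line falls through to whatever handles the remaining options below the hunk — whereas the chan_sip change in this same commit warns. Unless that fall-through code warns on unrecognised names, an operator who enables client-certificate verification on the HTTPS listener gets no indication it is not in effect, which is the more dangerous failure mode for a verification option. Separating the two cases, with `ast_log(LOG_WARNING, "Ignoring unsupported TLS option '%s' for HTTPS\n", v->name);` and a `continue;` for the unsupported names and the plain `ast_tls_read_conf` call otherwise, would give the same feedback as chan_sip. The enclosing function starts before the hunk.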
 

Modified: certified/branches/11.2/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/11.2/main/manager.c?view=diff&rev=383208&r1=383207&r2=383208
==============================================================================
--- certified/branches/11.2/main/manager.c (original)
+++ certified/branches/11.2/main/manager.c Fri Mar 15 08:37:07 2013
@@ -7487,7 +7487,15 @@
 	for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
 		val = var->value;
 
-		if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
+		/* read tls config options while preventing unsupported options from being set */
+		if (strcasecmp(var->name, "tlscafile")
+			&& strcasecmp(var->name, "tlscapath")
+			&& strcasecmp(var->name, "tlscadir")
+			&& strcasecmp(var->name, "tlsverifyclient")
+			&& strcasecmp(var->name, "tlsdontverifyserver")
+			&& strcasecmp(var->name, "tlsclientmethod")
+			&& strcasecmp(var->name, "sslclientmethod")
+			&& !ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
 			continue;
 		}
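Review bot: The excluded-name chain is a near copy of the one added to http.c in this commit, differing only in that `tlscipher`/`sslcipher` remain settable for AMI; whether that difference is intentional cannot be told from the hunk, and two hand-maintained chains will drift the next time the TLS core gains an option. A NULL-terminated table of unsupported names checked in a loop keeps the policy in one place per consumer and makes the per-consumer difference explicit, and gives a natural spot for a warning so the ignored option is not silently dropped. The enclosing function starts before the hunk.

```c
/* TLS options parsed by main/tcptls.c that the AMI listener does not honour. */
static const char *const ami_unsupported_tls_opts[] = {
	"tlscafile", "tlscapath", "tlscadir", "tlsverifyclient",
	"tlsdontverifyserver", "tlsclientmethod", "sslclientmethod",
	NULL
};

/* … unchanged: loop header over the [general] section … */
		const char *const *opt;
		int unsupported = 0;

		for (opt = ami_unsupported_tls_opts; *opt; opt++) {
			if (!strcasecmp(var->name, *opt)) {
				unsupported = 1;
				break;
			}
		}
		if (unsupported) {
			ast_log(LOG_WARNING, "Ignoring unsupported TLS option '%s' for AMI\n", var->name);
			continue;
		}
		if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
			continue;
		}
```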
 

Modified: certified/branches/11.2/main/tcptls.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/11.2/main/tcptls.c?view=diff&rev=383208&r1=383207&r2=383208
==============================================================================
--- certified/branches/11.2/main/tcptls.c (original)
+++ certified/branches/11.2/main/tcptls.c Fri Mar 15 08:37:07 2013
@@ -373,6 +373,11 @@
 		cfg->enabled = 0;
 		return 0;
 	}
+
+	SSL_CTX_set_verify(cfg->ssl_ctx,
+		ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
+		NULL);
+
 	if (!ast_strlen_zero(cfg->certfile)) {
 		char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
 		if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
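Review bot: `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` is installed without checking that a CA store has been configured for this context, so with `tlsverifyclient=yes` and no `tlscafile`/`tlscapath` every presented client certificate would fail chain validation and every client would be rejected at handshake time rather than at configuration time; a check that the CA file/path members of `cfg` are non-empty when the flag is set, logging something like `"tlsverifyclient is set but no CA file or path is configured; all client certificates will be rejected\n"`, would surface that misconfiguration. Passing `NULL` as the callback is the right choice — OpenSSL's default verification applies instead of a custom callback that could accept anything — and that intent is worth a comment: `/* NULL verify callback: rely on OpenSSL's default chain validation rather than a callback that could accept any certificate */`. Whether this `SSL_CTX` is also used for outbound connections, where `SSL_VERIFY_NONE` would skip server-certificate checking unless it is done elsewhere (the `tlsdontverifyserver` option suggests it is), cannot be determined from the hunk. The enclosing function starts before the hunk and continues past it.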



