[asterisk-commits] tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA)... (asterisk[master])
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Fri May 15 09:38:57 CDT 2015
Joshua Colp has submitted this change and it was merged.
Change subject: tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA) for server socket.
......................................................................
tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA) for server socket.
When a client connects to a server via SSL/TLS, the server commonly utilizes an
RSA key-pair. However, other such algorithms exist (i.e. DSA and ECDSA), and if
the server socket is configured with a certificate for either one of those, it
would lose its compatibility with RSA-only clients.
Now, the server socket can be configured with up to one RSA, ECDSA and DSA key
each. For example, if a client is not compatible with SHA-2 hashed certificates
like Nokia mobile phones, the server socket still can use RSA/SHA-1 for legacy
clients and ECDSA/SHA-2 for everyone else.
ASTERISK-24815 #close
Reported by: Alexander Traud
patches:
tls_rsa_ecc_dsa.patch uploaded by Alexander Traud (License 6520)
Change-Id: Iada5e00d326db5ef86e0af7069b4dfa1b979da9a
---
M configs/samples/pjsip.conf.sample
M configs/samples/sip.conf.sample
M main/tcptls.c
3 files changed, 40 insertions(+), 2 deletions(-)
Approvals:
Richard Mudgett: Looks good to me, but someone else must approve
Joshua Colp: Looks good to me, approved; Verified
diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample
index 5e37571..276e214 100644
--- a/configs/samples/pjsip.conf.sample
+++ b/configs/samples/pjsip.conf.sample
@@ -765,7 +765,13 @@
; (default: "")
;cert_file= ; Certificate file for endpoint TLS ONLY
; Will read .crt or .pem file but only uses cert,
- ; a .key file must be specified via priv_key_file
+ ; a .key file must be specified via priv_key_file.
+ ; Since PJProject version 2.5: If the file name ends in _rsa,
+ ; for example "asterisk_rsa.pem", the files "asterisk_dsa.pem"
+ ; and/or "asterisk_ecc.pem" are loaded (certificate, inter-
+ ; mediates, private key), to support multiple algorithms for
+ ; server authentication (RSA, DSA, ECDSA). If the chains are
+ ; different, at least OpenSSL 1.0.2 is required.
; (default: "")
;cipher= ; Preferred cryptography cipher names TLS ONLY (default: "")
;domain= ; Domain the transport comes from (default: "")
diff --git a/configs/samples/sip.conf.sample b/configs/samples/sip.conf.sample
index e52fa6d..71e3fb7 100644
--- a/configs/samples/sip.conf.sample
+++ b/configs/samples/sip.conf.sample
@@ -561,7 +561,12 @@
;------------------------ TLS settings ------------------------------------------------------------
;tlscertfile=</path/to/certificate.pem> ; Certificate chain (*.pem format only) to use for TLS connections
; The certificates must be sorted starting with the subject's certificate
- ; and followed by intermediate CA certificates if applicable.
+ ; and followed by intermediate CA certificates if applicable. If the
+ ; file name ends in _rsa, for example "asterisk_rsa.pem", the files
+ ; "asterisk_dsa.pem" and/or "asterisk_ecc.pem" are loaded
+ ; (certificate, intermediates, private key), to support multiple
+ ; algorithms for server authentication (RSA, DSA, ECDSA). If the chains
+ ; are different, at least OpenSSL 1.0.2 is required.
; Default is to look for "asterisk.pem" in current directory
;tlsprivatekey=</path/to/private.pem> ; Private key file (*.pem format only) for TLS connections.
diff --git a/main/tcptls.c b/main/tcptls.c
index 0b06d22..8af8501 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -752,6 +752,22 @@
return NULL;
}
+static void __ssl_setup_certs(struct ast_tls_config *cfg, const size_t cert_file_len, const char *key_type_extension, const char *key_type)
+{
+ char *cert_file = ast_strdupa(cfg->certfile);
+
+ memcpy(cert_file + cert_file_len - 8, key_type_extension, 5);
+ if (access(cert_file, F_OK) == 0) {
+ if (SSL_CTX_use_certificate_chain_file(cfg->ssl_ctx, cert_file) == 0) {
+ ast_log(LOG_WARNING, "TLS/SSL error loading public %s key (certificate) from <%s>.\n", key_type, cert_file);
+ } else if (SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, cert_file, SSL_FILETYPE_PEM) == 0) {
+ ast_log(LOG_WARNING, "TLS/SSL error loading private %s key from <%s>.\n", key_type, cert_file);
+ } else if (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0) {
+ ast_log(LOG_WARNING, "TLS/SSL error matching private %s key and certificate in <%s>.\n", key_type, cert_file);
+ }
+ }
+}
+
static int __ssl_setup(struct ast_tls_config *cfg, int client)
{
#ifndef DO_SSL
@@ -839,6 +855,17 @@
return 0;
}
}
+ if (!client) {
+ size_t certfile_len = strlen(cfg->certfile);
+
+ /* expects a file name which contains _rsa. like asterisk_rsa.pem
+ * ignores any 3-character file-extension like .pem, .cer, .crt
+ */
+ if (certfile_len >= 8 && !strncmp(cfg->certfile + certfile_len - 8, "_rsa.", 5)) {
+ __ssl_setup_certs(cfg, certfile_len, "_ecc.", "ECC");
+ __ssl_setup_certs(cfg, certfile_len, "_dsa.", "DSA");
+ }
+ }
}
if (!ast_strlen_zero(cfg->cipher)) {
if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
--
To view, visit https://gerrit.asterisk.org/431
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Iada5e00d326db5ef86e0af7069b4dfa1b979da9a
Gerrit-PatchSet: 6
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: Ashley Sanders <asanders at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>
More information about the asterisk-commits
mailing list