[asterisk-commits] sip to pjsip: Map the TLS method correctly. (asterisk[14])

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Aug 18 11:47:18 CDT 2016


Joshua Colp has submitted this change and it was merged.

Change subject: sip_to_pjsip: Map the TLS method correctly.
......................................................................


sip_to_pjsip: Map the TLS method correctly.

When using the migration script sip_to_pjsip.py and tlsclientmethod is not set
in sip.conf, the default value of chan_sip (sslv23) is copied to pjsip.conf, to
overwrite the default of the PJProject (tlsv1). This makes sure that res_pjsip is
offering/using not just TLSv1.0 but TLSv1.2 as well.

ASTERISK-22374

Change-Id: Ie530a3dae9926ae14f3920a21be1e2edb15bda4f
---
M contrib/scripts/sip_to_pjsip/sip_to_pjsip.py
1 file changed, 18 insertions(+), 7 deletions(-)

Approvals:
  George Joseph: Looks good to me, but someone else must approve
  Joshua Colp: Looks good to me, approved; Verified



diff --git a/contrib/scripts/sip_to_pjsip/sip_to_pjsip.py b/contrib/scripts/sip_to_pjsip/sip_to_pjsip.py
index 8909216..a9bc78e 100755
--- a/contrib/scripts/sip_to_pjsip/sip_to_pjsip.py
+++ b/contrib/scripts/sip_to_pjsip/sip_to_pjsip.py
@@ -731,11 +731,6 @@
                   'transport')
 
 
-def set_tls_method(val, pjsip, nmapped):
-    """Sets method based on sip.conf tlsclientmethod or sslclientmethod"""
-    set_value('method', val, 'transport-tls', pjsip, nmapped, 'transport')
-
-
 def create_tls(sip, pjsip, nmapped):
     """
     Creates a 'transport-tls' section in pjsip.conf based on the following
@@ -759,8 +754,7 @@
         (['tlscipher', 'sslcipher'], set_tls_cipher),
         (['tlscafile'], set_tls_cafile),
         (['tlsverifyclient'], set_tls_verifyclient),
-        (['tlsdontverifyserver'], set_tls_verifyserver),
-        (['tlsclientmethod', 'sslclientmethod'], set_tls_method)
+        (['tlsdontverifyserver'], set_tls_verifyserver)
     ]
 
     try:
@@ -780,6 +774,23 @@
         except LookupError:
             pass
 
+    try:
+        method = sip.multi_get('general', ['tlsclientmethod', 'sslclientmethod'])[0]
+        print 'In chan_sip, you specified the TLS version. With chan_sip, this was just for outbound client connections. In chan_pjsip, this value is for client and server. Instead, consider not to specify \'tlsclientmethod\' for chan_sip and \'method = sslv23\' for chan_pjsip.'
+    except LookupError:
+        """
+        OpenSSL emerged during the 90s. SSLv2 and SSLv3 were the only
+        existing methods at that time. The OpenSSL project continued. And as
+        of today (OpenSSL 1.0.2) this does not start SSLv2 and SSLv3 anymore
+        but TLSv1.0 and v1.2. Or stated differently: This method should
+        have been called 'method = secure' or 'method = automatic' back in
+        the 90s. The PJProject did not realize this and uses 'tlsv1' as
+        default when unspecified, which disables TLSv1.2. chan_sip used
+        'sslv23' as default when unspecified, which gives TLSv1.0 and v1.2.
+        """
+        method = 'sslv23'
+    set_value('method', val, 'transport-tls', pjsip, nmapped, 'transport')
+
     set_transport_common('transport-tls', pjsip, nmapped)
     try:
         extern_addr = sip.multi_get('general', ['externaddr', 'externip',
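Review bot: the new `set_value('method', val, 'transport-tls', pjsip, nmapped, 'transport')` line at the end of this block references `val`, which no longer exists in `create_tls` now that `set_tls_method(val, ...)` has been removed in the first hunk; both the `try` and the `except LookupError` branch assign `method`, so this raises NameError on every run and neither the configured value nor the `sslv23` default ever reaches pjsip.conf. It should read `set_value('method', method, 'transport-tls', pjsip, nmapped, 'transport')`. Two style points: the triple-quoted text inside the `except LookupError:` branch is a bare string expression, not a comment, so prefix those lines with `#` (or move the rationale into a helper's docstring); and the one-line `print` message should be wrapped to the script's usual line length. Finally, the rationale ties the behaviour of `sslv23` to a specific release ("as of today (OpenSSL 1.0.2)"), so state explicitly that which protocol versions it negotiates depends on the OpenSSL build that res_pjsip is linked against, rather than leaving that dependency implicit.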

-- 
To view, visit https://gerrit.asterisk.org/3634
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ie530a3dae9926ae14f3920a21be1e2edb15bda4f
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: 14
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
