[asterisk-dev] pjsip vs ca path
Mark Michelson
mmichelson at digium.com
Mon Dec 1 09:21:27 CST 2014
On 11/25/2014 02:46 PM, James Cloos wrote:
> Now that 13 has hit sid, I've started converting to pjsip.
>
> Chan_sip supports one's preference of a ca path or ca file, but
> res_pjsip does not. At least not on the 13 branch.
>
> Is that intentional, or an oversight?
>
> If not intentional, will a patch to fix be accepted for 13,
> only for trunk?
>
> -JimC

For res_pjsip, we're using the mechanisms that PJSIP exposes in its TLS
transport. Since a CA path option is not exposed, the option to provide
one in pjsip.conf does not exist. If you want to provide a patch, that's
totally fine, but the patch would need to be made against PJProject
instead of Asterisk.

Doing a quick search, it looks like the change to make would be in
pjlib/src/pj/ssl_sock_ossl.c. The pj_ssl_cert_t would need to be
modified to have a CA path. The functions used to get and set
pj_ssl_cert_t would need to be modified to take a CA path into account.
And finally, the create_ssl() function would need to pass the configured
CA path into SSL_CTX_load_verify_locations().
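
An added example, not part of the original message and not code from PJProject or Asterisk: OpenSSL only finds trust anchors in a CA path whose files use the hashed-name layout written by `openssl rehash` (or `c_rehash`), so a check like this can run before a directory is handed to SSL_CTX_load_verify_locations(). It goes slightly beyond the thread by also recognising CRL names; the function names are hypothetical and the sample hash in the comments is constructed.

```c
/* Added example: pre-flight check for an OpenSSL CA path directory.
 * All names are hypothetical; none come from PJProject or Asterisk. */
#include <dirent.h>
#include <stddef.h>

static int is_lower_hex(char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f');
}

/* OpenSSL's directory lookup opens only files named
 * <8 lowercase hex digits>.<n> (certificates) or
 * <8 lowercase hex digits>.r<n> (CRLs), e.g. the constructed sample
 * "9d04f354.0". Returns 1 for a certificate name, 2 for a CRL name,
 * 0 for anything else (such as "ca.pem"). */
int ca_hashed_name_kind(const char *name)
{
    size_t i;
    int kind = 1;

    for (i = 0; i < 8; i++)
        if (!is_lower_hex(name[i]))     /* also stops at a short name */
            return 0;
    if (name[8] != '.')
        return 0;
    i = 9;
    if (name[i] == 'r') {
        kind = 2;
        i++;
    }
    if (name[i] == '\0')
        return 0;                       /* sequence number is required */
    for (; name[i] != '\0'; i++)
        if (name[i] < '0' || name[i] > '9')
            return 0;
    return kind;
}

/* Counts certificate entries the lookup could use in dir.
 * Returns -1 if the directory cannot be opened. A result of 0 means
 * the directory would contribute no trust anchors, even though
 * configuring it as a CA path does not fail by itself. */
int ca_path_usable_certs(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int n = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL)
        if (ca_hashed_name_kind(e->d_name) == 1)
            n++;
    closedir(d);
    return n;
}
```

The check looks at file names only; it does not parse the certificates or confirm that each name matches the subject hash of the file's contents.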