[asterisk-dev] pjsip vs ca path

Mark Michelson mmichelson at digium.com
Mon Dec 1 09:21:27 CST 2014

On 11/25/2014 02:46 PM, James Cloos wrote:
> Now that 13 has hit sid, I've started converting to pjsip.
> Chan_sip supports one's preference of a ca path or ca file, but
> res_pjsip does not.  At least not on the 13 branch.
> Is that intentional, or an oversight?
> If not intentional, will a patch to fix be accepted for 13,
> only for trunk?
> -JimC

For res_pjsip, we're using the mechanisms that PJSIP exposes in its TLS 
transport. Since a CA path option is not exposed, the option to provide 
one in pjsip.conf does not exist. If you want to provide a patch, that's 
totally fine, but the patch would need to be made against PJProject 
instead of Asterisk.

Doing a quick search, it looks like the change to make would be in 
pjlib/src/pj/ssl_sock_ossl.c. The pj_ssl_cert_t would need to be 
modified to have a CA path. The functions used to get and set 
pj_ssl_cert_t would need to be modified to take a CA path into account. 
And finally, the create_ssl() function would need to pass the configured 
CA path into SSL_CTX_load_verify_locations().

More information about the asterisk-dev mailing list