[asterisk-dev] pjsip vs ca path
Olle E. Johansson
oej at edvina.net
Mon Dec 1 09:24:24 CST 2014
On 01 Dec 2014, at 16:21, Mark Michelson <mmichelson at digium.com> wrote:
> On 11/25/2014 02:46 PM, James Cloos wrote:
>> Now that 13 has hit sid, I've started converting to pjsip.
>> Chan_sip supports one's preference of a ca path or ca file, but
>> res_pjsip does not. At least not on the 13 branch.
>> Is that intentional, or an oversight?
>> If not intentional, will a patch to fix be accepted for 13,
>> only for trunk?
> For res_pjsip, we're using the mechanisms that PJSIP exposes in its TLS transport. Since a CA path option is not exposed, the option to provide one in pjsip.conf does not exist. If you want to provide a patch, that's totally fine, but the patch would need to be made against PJProject instead of Asterisk.
> Doing a quick search, it looks like the change to make would be in pjlib/src/pj/ssl_sock_ossl.c. The pj_ssl_cert_t would need to be modified to have a CA path. The functions used to get and set pj_ssl_cert_t would need to be modified to take a CA path into account. And finally, the create_ssl() function would need to pass the configured CA path into SSL_CTX_load_verify_locations().
If you have no CA path - how does the CHAN_PJSIP verify TLS certificates?
More information about the asterisk-dev