[asterisk-dev] pjsip vs ca path

Mark Michelson mmichelson at digium.com
Mon Dec 1 12:47:47 CST 2014

On 12/01/2014 09:24 AM, Olle E. Johansson wrote:
> On 01 Dec 2014, at 16:21, Mark Michelson <mmichelson at digium.com> wrote:
>> On 11/25/2014 02:46 PM, James Cloos wrote:
>>> Now that 13 has hit sid, I've started converting to pjsip.
>>> Chan_sip supports one's preference of a ca path or ca file, but
>>> res_pjsip does not.  At least not on the 13 branch.
>>> Is that intentional, or an oversight?
>>> If not intentional, will a patch to fix be accepted for 13,
>>> only for trunk?
>>> -JimC
>> For res_pjsip, we're using the mechanisms that PJSIP exposes in its TLS transport. Since a CA path option is not exposed, the option to provide one in pjsip.conf does not exist. If you want to provide a patch, that's totally fine, but the patch would need to be made against PJProject instead of Asterisk.
>> Doing a quick search, it looks like the change to make would be in pjlib/src/pj/ssl_sock_ossl.c. The pj_ssl_cert_t would need to be modified to have a CA path. The functions used to get and set pj_ssl_cert_t would need to be modified to take a CA path into account. And finally, the create_ssl() function would need to pass the configured CA path into SSL_CTX_load_verify_locations().
> If you have no CA path - how does the CHAN_PJSIP verify TLS certificates?
> /O

PJProject requires you to specify a file that has all CA certificates 
listed in that one file. PJProject currently calls 
SSL_CTX_load_verify_locations() [1] with this file as the second 
parameter and a NULL third parameter. If PJProject exposed a method to 
specify a directory where individual CA certificates lived, then 
PJProject could pass that directory as the third parameter to the function.

[1] https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

More information about the asterisk-dev mailing list