<html>

 <body>

  <div style="font-family: Verdana, Arial, Helvetica, Sans-Serif;">

   <table bgcolor="#f9f3c9" width="100%" cellpadding="8" style="border: 1px #c9c399 solid;">

    <tr>

     <td>

      This is an automatically generated e-mail. To reply, visit:

      <a href="https://reviewboard.asterisk.org/r/4441/">https://reviewboard.asterisk.org/r/4441/</a>

     </td>

    </tr>

   </table>

   <br />

<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">

 <p style="margin-top: 0;">On April 10th, 2015, 5:45 p.m. UTC, <b>rmudgett</b> wrote:</p>

 <blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">

<table width="100%" border="0" bgcolor="white" style="border: 1px solid #C0C0C0; border-collapse: collapse; margin: 2px padding: 2px;">

 <thead>

  <tr>

   <th colspan="4" bgcolor="#F0F0F0" style="border-bottom: 1px solid #C0C0C0; font-size: 9pt; padding: 4px 8px; text-align: left;">

    <a href="https://reviewboard.asterisk.org/r/4441/diff/2/?file=73366#file73366line841" style="color: black; font-weight: bold; text-decoration: underline;">trunk/main/tcptls.c</a>

    <span style="font-weight: normal;">

     (Diff revision 2)

    </span>

   </th>

  </tr>

 </thead>

 <tbody style="background-color: #e4d9cb; padding: 4px 8px; text-align: center;">

  <tr>

   <td colspan="4"><pre style="font-size: 8pt; line-height: 140%; margin: 0; ">static int __ssl_setup(struct ast_tls_config *cfg, int client)</pre></td>

  </tr>

 </tbody>

 <tbody>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">841</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="n">ecc_file</span> <span class="o">=</span> <span class="n">ast_strdupa</span><span class="p">(</span><span class="n">cfg</span><span class="o">-></span><span class="n">certfile</span><span class="p">);</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">842</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="n">memcpy</span><span class="p">(</span><span class="n">ecc_file</span> <span class="o">+</span> <span class="n">certfile_len</span> <span class="o">-</span> <span class="mi">8</span><span class="p">,</span> <span class="s">"_ecc."</span><span class="p">,</span> <span class="mi">5</span><span class="p">);</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">843</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="k">if</span> <span class="p">(</span><span class="n">access</span><span class="p">(</span><span class="n">ecc_file</span><span class="p">,</span> <span class="n">F_OK</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">844</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="k">if</span> <span class="p">(</span><span class="n">SSL_CTX_use_certificate_chain_file</span><span class="p">(</span><span class="n">cfg</span><span class="o">-></span><span class="n">ssl_ctx</span><span class="p">,</span> <span class="n">ecc_file</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">845</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="n">ast_log</span><span class="p">(</span><span class="n">LOG_ERROR</span><span class="p">,</span> <span class="s">"TLS/SSL error loading ECC cert file. <%s></span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">ecc_file</span><span class="p">);</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">846</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="p">}</span> <span class="k">else</span> <span class="p">{</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">847</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="n">SSL_CTX_use_PrivateKey_file</span><span class="p">(</span><span class="n">cfg</span><span class="o">-></span><span class="n">ssl_ctx</span><span class="p">,</span> <span class="n">ecc_file</span><span class="p">,</span> <span class="n">SSL_FILETYPE_PEM</span><span class="p">);</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">848</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="p">}</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">849</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="p">}</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">850</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="n">dsa_file</span> <span class="o">=</span> <span class="n">ast_strdupa</span><span class="p">(</span><span class="n">cfg</span><span class="o">-></span><span class="n">certfile</span><span class="p">);</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">851</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="n">memcpy</span><span class="p">(</span><span class="n">dsa_file</span> <span class="o">+</span> <span class="n">certfile_len</span> <span class="o">-</span> <span class="mi">8</span><span class="p">,</span> <span class="s">"_dsa."</span><span class="p">,</span> <span class="mi">5</span><span class="p">);</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">852</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="k">if</span> <span class="p">(</span><span class="n">access</span><span class="p">(</span><span class="n">dsa_file</span><span class="p">,</span> <span class="n">F_OK</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">853</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="k">if</span> <span class="p">(</span><span class="n">SSL_CTX_use_certificate_chain_file</span><span class="p">(</span><span class="n">cfg</span><span class="o">-></span><span class="n">ssl_ctx</span><span class="p">,</span> <span class="n">dsa_file</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">854</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="n">ast_log</span><span class="p">(</span><span class="n">LOG_ERROR</span><span class="p">,</span> <span class="s">"TLS/SSL error loading DSA cert file. <%s></span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">dsa_file</span><span class="p">);</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">855</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="p">}</span> <span class="k">else</span> <span class="p">{</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">856</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="n">SSL_CTX_use_PrivateKey_file</span><span class="p">(</span><span class="n">cfg</span><span class="o">-></span><span class="n">ssl_ctx</span><span class="p">,</span> <span class="n">dsa_file</span><span class="p">,</span> <span class="n">SSL_FILETYPE_PEM</span><span class="p">);</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">857</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="p">}</span></pre></td>

  </tr>

  <tr>

    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>

    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">858</font></th>

    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">   </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="tb">  </span><span class="p">}</span></pre></td>

  </tr>

 </tbody>

</table>

  <pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">This is effectively the same code duplicated for ecc and dsa.  Make a subroutine that takes the variants as parameters:

sub(cfg->certfile, certfile_len, "ecc", "ECC")

Also the code is always attempting to use both cert files even if ecc works.</pre>

 </blockquote>

</blockquote>

<pre style="margin-left: 1em; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">You can have up to three certificates as in Apache HTTP. For example, Symantec offers RSA+DSA+ECC via the product VeriSign Secure Site Pro. Some TLS implementations benefit even from DSA, for example SChannel on Windows XP requires DSA to use PFS. Therefore, the code attempts to load both: ECC and DSA.</pre>

<br />

<p>- Alexander</p>

<br />

<p>On April 13th, 2015, 1:28 p.m. UTC, Alexander Traud wrote:</p>

<table bgcolor="#fefadf" width="100%" cellspacing="0" cellpadding="8" style="background-image: url('https://reviewboard.asterisk.org/static/rb/images/review_request_box_top_bg.ab6f3b1072c9.png'); background-position: left top; background-repeat: repeat-x; border: 1px black solid;">

 <tr>

  <td>

<div>Review request for Asterisk Developers.</div>

<div>By Alexander Traud.</div>

<p style="color: grey;"><i>Updated April 13, 2015, 1:28 p.m.</i></p>

<div style="margin-top: 1.5em;">

 <b style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Bugs: </b>

 <a href="https://issues.asterisk.org/jira/browse/ASTERISK-24815">ASTERISK-24815</a>

</div>

<div style="margin-top: 1.5em;">

 <b style="color: #575012; font-size: 10pt;">Repository: </b>

Asterisk

</div>

<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Description </h1>

 <table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">

 <tr>

  <td>

   <pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">Already works for Asterisk as the client. Enables dual- (or triple-) certificates for Asterisk as the TLS server. When a client connects via SSL/TLS, the server uses a RSA key-pair usually. However, more such algorithms exist like DSA and ECDSA. If you go for one of those, you would loose compatibility to RSA-only clients. This patch allows you to provide up-to one RSA, ECDSA and DSA key each (= one key or two keys or three keys). Copied over from the Apache HTTP server project, added in version 2.4.8.

Usage:

tlscertfile=/etc/asterisk/example_rsa.pem

Then, the code of this patch picks that path, filename, and searches for files called example_ecc.pem and example_dsa.pem automatically.</pre>

  </td>

 </tr>

</table>

<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Testing </h1>

<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">

 <tr>

  <td>

   <pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">by developer, manually

This patch was tested in Ubuntu 14.04 LTS with a certificate from Comodo (ECC; chains-up to AddTrust and UTN) and RapidSSL (RSA; chains-up to GeoTrust and Equifax). TLS clients were CounterPath Bria (BlackBerry) and CSipSimple (Android). The test was done with OpenSSL 1.0.1 and OpenSSL 1.0.2. Both versions work as expected. However, if you use well-known (commercial) certificates, you might use different certificate chains. For this, you need at least OpenSSL 1.0.2. If you use your own certificate authority without a certificate chain, OpenSSL 1.0.1 is sufficient.

Because no new symbol of OpenSSL was used, I do not see a reason why this patch should not be compatible with older OpenSSL releases. Therefore, no if/def/version is introduced in this patch.</pre>

  </td>

 </tr>

</table>

<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Diffs</b> </h1>

<ul style="margin-left: 3em; padding-left: 0;">

 <li>trunk/main/tcptls.c <span style="color: grey">(434385)</span></li>

 <li>trunk/configs/samples/sip.conf.sample <span style="color: grey">(428526)</span></li>

</ul>

<p><a href="https://reviewboard.asterisk.org/r/4441/diff/" style="margin-left: 3em;">View Diff</a></p>

  </td>

 </tr>

</table>

  </div>

 </body>

</html>