[svn-commits] mmichelson: branch 1.8 r353770 - in /branches/1.8: ./ configs/ include/asteri...
SVN commits to the Digium repositories
svn-commits at lists.digium.com
Thu Feb 2 10:58:50 CST 2012
Author: mmichelson
Date: Thu Feb 2 10:58:44 2012
New Revision: 353770
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=353770
Log:
Fix TLS port binding behavior as well as reload behavior:
* Removes references to tlsbindport from http.conf.sample and manager.conf.sample
* Properly bind to port specified in tlsbindaddr, using the default port if specified.
* On a reload, properly close socket if the service has been disabled.
A note has been added to UPGRADE.txt to indicate how ports must be set for TLS.
(closes issue ASTERISK-16959)
reported by Olaf Holthausen
(closes issue ASTERISK-19201)
reported by Chris Mylonas
(closes issue ASTERISK-19204)
reported by Chris Mylonas
Review: https://reviewboard.asterisk.org/r/1709
Modified:
branches/1.8/UPGRADE.txt
branches/1.8/configs/http.conf.sample
branches/1.8/configs/manager.conf.sample
branches/1.8/include/asterisk/manager.h
branches/1.8/main/http.c
branches/1.8/main/manager.c
Modified: branches/1.8/UPGRADE.txt
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/UPGRADE.txt?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/UPGRADE.txt (original)
+++ branches/1.8/UPGRADE.txt Thu Feb 2 10:58:44 2012
@@ -20,6 +20,12 @@
From 1.6.2 to 1.8:
+* When using TLS with Manager and the HTTP server, the desired port
+ must be specified in the tlsbindaddr setting. If no port is specified,
+ then the default port will be used. See the sample config file to know
+ the default ports. Settings like "sslbindport" and "tlsbindport" have
+ no effect.
+
* chan_sip no longer sets HASH(SIP_CAUSE,<chan name>) on channels by default.
This must now be enabled by setting 'sipstorecause' to 'yes' in sip.conf.
This carries a performance penalty.
Modified: branches/1.8/configs/http.conf.sample
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/configs/http.conf.sample?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/configs/http.conf.sample (original)
+++ branches/1.8/configs/http.conf.sample Thu Feb 2 10:58:44 2012
@@ -54,8 +54,7 @@
; explicitly enable tls, define the port to use,
; and have a certificate somewhere.
;tlsenable=yes ; enable tls - default no.
-;tlsbindport=4433 ; port to use - default is 8089
-;tlsbindaddr=0.0.0.0 ; address to bind to - default is bindaddr.
+;tlsbindaddr=0.0.0.0:8089 ; address and port to bind to - default is bindaddr and port 8089.
;
;tlscertfile=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
;tlsprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
Modified: branches/1.8/configs/manager.conf.sample
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/configs/manager.conf.sample?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/configs/manager.conf.sample (original)
+++ branches/1.8/configs/manager.conf.sample Thu Feb 2 10:58:44 2012
@@ -33,8 +33,7 @@
; openssl s_client -connect my_host:5039
;
;tlsenable=no ; set to YES to enable it
-;tlsbindport=5039 ; the port to bind to
-;tlsbindaddr=0.0.0.0 ; address to bind to, default to bindaddr
+;tlsbindaddr=0.0.0.0:5039 ; address and port to bind to, default to bindaddr and port 5039
;tlscertfile=/tmp/asterisk.pem ; path to the certificate.
;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
; if no tlsprivatekey is given, default is to search
Modified: branches/1.8/include/asterisk/manager.h
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/include/asterisk/manager.h?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/include/asterisk/manager.h (original)
+++ branches/1.8/include/asterisk/manager.h Thu Feb 2 10:58:44 2012
@@ -56,6 +56,7 @@
#define AMI_VERSION "1.1"
#define DEFAULT_MANAGER_PORT 5038 /* Default port for Asterisk management via TCP */
+#define DEFAULT_MANAGER_TLS_PORT 5039 /* Default port for Asterisk management via TCP */
/*! \name Constant return values
*\note Currently, returning anything other than zero causes the session to terminate.
Modified: branches/1.8/main/http.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/http.c?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/main/http.c (original)
+++ branches/1.8/main/http.c Thu Feb 2 10:58:44 2012
@@ -60,6 +60,9 @@
#define MAX_PREFIX 80
#define DEFAULT_SESSION_LIMIT 100
+
+#define DEFAULT_HTTP_PORT 8080
+#define DEFAULT_HTTPS_PORT 8089
/* See http.h for more information about the SSL implementation */
#if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE))
@@ -1022,20 +1025,18 @@
struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
struct sockaddr_in tmp = {0,};
struct sockaddr_in tmp2 = {0,};
+ int http_tls_was_enabled = 0;
cfg = ast_config_load2("http.conf", "http", config_flags);
if (cfg == CONFIG_STATUS_FILEMISSING || cfg == CONFIG_STATUS_FILEUNCHANGED || cfg == CONFIG_STATUS_FILEINVALID) {
return 0;
}
- /* default values */
+ http_tls_was_enabled = (reload && http_tls_cfg.enabled);
+
tmp.sin_family = AF_INET;
- tmp.sin_port = htons(8088);
+ tmp.sin_port = htons(DEFAULT_HTTP_PORT);
ast_sockaddr_from_sin(&http_desc.local_address, &tmp);
-
- tmp2.sin_family = AF_INET;
- tmp2.sin_port = htons(8089);
- ast_sockaddr_from_sin(&https_desc.local_address, &tmp2);
http_tls_cfg.enabled = 0;
if (http_tls_cfg.certfile) {
@@ -1058,6 +1059,8 @@
ast_free(redirect);
}
AST_RWLIST_UNLOCK(&uri_redirects);
+
+ ast_sockaddr_setnull(&https_desc.local_address);
if (cfg) {
v = ast_variable_browse(cfg, "general");
@@ -1107,13 +1110,16 @@
ast_config_destroy(cfg);
}
- /* if the https addres has not been set, default is the same as non secure http */
+ /* if the https address has not been set, default is the same as non secure http */
ast_sockaddr_to_sin(&http_desc.local_address, &tmp);
ast_sockaddr_to_sin(&https_desc.local_address, &tmp2);
if (!tmp2.sin_addr.s_addr) {
tmp2.sin_addr = tmp.sin_addr;
- ast_sockaddr_from_sin(&https_desc.local_address, &tmp2);
- }
+ }
+ if (!tmp2.sin_port) {
+ tmp2.sin_port = htons(DEFAULT_HTTPS_PORT);
+ }
+ ast_sockaddr_from_sin(&https_desc.local_address, &tmp2);
if (!enabled) {
ast_sockaddr_setnull(&http_desc.local_address);
ast_sockaddr_setnull(&https_desc.local_address);
@@ -1123,7 +1129,10 @@
}
enablestatic = newenablestatic;
ast_tcptls_server_start(&http_desc);
- if (ast_ssl_setup(https_desc.tls_cfg)) {
+ /* If https was enabled previously but now is not, then stop the service */
+ if (http_tls_was_enabled && !http_tls_cfg.enabled) {
+ ast_tcptls_server_stop(&https_desc);
+ } else if (ast_ssl_setup(https_desc.tls_cfg)) {
ast_tcptls_server_start(&https_desc);
}
Modified: branches/1.8/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/manager.c?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/main/manager.c (original)
+++ branches/1.8/main/manager.c Thu Feb 2 10:58:44 2012
@@ -6491,6 +6491,7 @@
char a1_hash[256];
struct sockaddr_in ami_desc_local_address_tmp = { 0, };
struct sockaddr_in amis_desc_local_address_tmp = { 0, };
+ int tls_was_enabled = 0;
if (!registered) {
/* Register default actions */
@@ -6556,10 +6557,15 @@
/* default values */
ast_copy_string(global_realm, S_OR(ast_config_AST_SYSTEM_NAME, DEFAULT_REALM), sizeof(global_realm));
- memset(&ami_desc.local_address, 0, sizeof(struct sockaddr_in));
- memset(&amis_desc.local_address, 0, sizeof(amis_desc.local_address));
- amis_desc_local_address_tmp.sin_port = htons(5039);
+ ast_sockaddr_setnull(&ami_desc.local_address);
+ ast_sockaddr_setnull(&amis_desc.local_address);
+
+ ami_desc_local_address_tmp.sin_family = AF_INET;
+ amis_desc_local_address_tmp.sin_family = AF_INET;
+
ami_desc_local_address_tmp.sin_port = htons(DEFAULT_MANAGER_PORT);
+
+ tls_was_enabled = (reload && ami_tls_cfg.enabled);
ami_tls_cfg.enabled = 0;
if (ami_tls_cfg.certfile) {
@@ -6634,13 +6640,16 @@
}
}
- ami_desc_local_address_tmp.sin_family = AF_INET;
- amis_desc_local_address_tmp.sin_family = AF_INET;
+ ast_sockaddr_to_sin(&amis_desc.local_address, &amis_desc_local_address_tmp);
/* if the amis address has not been set, default is the same as non secure ami */
if (!amis_desc_local_address_tmp.sin_addr.s_addr) {
amis_desc_local_address_tmp.sin_addr =
ami_desc_local_address_tmp.sin_addr;
+ }
+
+ if (!amis_desc_local_address_tmp.sin_port) {
+ amis_desc_local_address_tmp.sin_port = htons(DEFAULT_MANAGER_TLS_PORT);
}
if (manager_enabled) {
@@ -6897,7 +6906,9 @@
manager_event(EVENT_FLAG_SYSTEM, "Reload", "Module: Manager\r\nStatus: %s\r\nMessage: Manager reload Requested\r\n", manager_enabled ? "Enabled" : "Disabled");
ast_tcptls_server_start(&ami_desc);
- if (ast_ssl_setup(amis_desc.tls_cfg)) {
+ if (tls_was_enabled && !ami_tls_cfg.enabled) {
+ ast_tcptls_server_stop(&amis_desc);
+ } else if (ast_ssl_setup(amis_desc.tls_cfg)) {
ast_tcptls_server_start(&amis_desc);
}
return 0;
More information about the svn-commits
mailing list