[svn-commits] mmichelson: branch 1.8 r353770 - in /branches/1.8: ./ configs/ include/asteri...

SVN commits to the Digium repositories svn-commits at lists.digium.com
Thu Feb 2 10:58:50 CST 2012 

Author: mmichelson
Date: Thu Feb  2 10:58:44 2012
New Revision: 353770

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=353770
Log:
Fix TLS port binding behavior as well as reload behavior:

* Removes references to tlsbindport from http.conf.sample and manager.conf.sample
* Properly bind to port specified in tlsbindaddr, using the default port if specified.
* On a reload, properly close socket if the service has been disabled.

A note has been added to UPGRADE.txt to indicate how ports must be set for TLS.

(closes issue ASTERISK-16959)
reported by Olaf Holthausen

(closes issue ASTERISK-19201)
reported by Chris Mylonas

(closes issue ASTERISK-19204)
reported by Chris Mylonas

Review: https://reviewboard.asterisk.org/r/1709


Modified:
    branches/1.8/UPGRADE.txt
    branches/1.8/configs/http.conf.sample
    branches/1.8/configs/manager.conf.sample
    branches/1.8/include/asterisk/manager.h
    branches/1.8/main/http.c
    branches/1.8/main/manager.c

Modified: branches/1.8/UPGRADE.txt
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/UPGRADE.txt?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/UPGRADE.txt (original)
+++ branches/1.8/UPGRADE.txt Thu Feb  2 10:58:44 2012
@@ -20,6 +20,12 @@
 
 From 1.6.2 to 1.8:
 
+* When using TLS with Manager and the HTTP server, the desired port
+  must be specified in the tlsbindaddr setting. If no port is specified,
+  then the default port will be used. See the sample config file to know
+  the default ports. Settings like "sslbindport" and "tlsbindport" have
+  no effect.
+
 * chan_sip no longer sets HASH(SIP_CAUSE,<chan name>) on channels by default.
   This must now be enabled by setting 'sipstorecause' to 'yes' in sip.conf.
   This carries a performance penalty.

Modified: branches/1.8/configs/http.conf.sample
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/configs/http.conf.sample?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/configs/http.conf.sample (original)
+++ branches/1.8/configs/http.conf.sample Thu Feb  2 10:58:44 2012
@@ -54,8 +54,7 @@
 ; explicitly enable tls, define the port to use,
 ; and have a certificate somewhere.
 ;tlsenable=yes          ; enable tls - default no.
-;tlsbindport=4433       ; port to use - default is 8089
-;tlsbindaddr=0.0.0.0    ; address to bind to - default is bindaddr.
+;tlsbindaddr=0.0.0.0:8089    ; address and port to bind to - default is bindaddr and port 8089.
 ;
 ;tlscertfile=</path/to/certificate.pem>  ; path to the certificate file (*.pem) only.
 ;tlsprivatekey=</path/to/private.pem>    ; path to private key file (*.pem) only.

Modified: branches/1.8/configs/manager.conf.sample
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/configs/manager.conf.sample?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/configs/manager.conf.sample (original)
+++ branches/1.8/configs/manager.conf.sample Thu Feb  2 10:58:44 2012
@@ -33,8 +33,7 @@
 ;	openssl s_client -connect my_host:5039
 ;
 ;tlsenable=no		; set to YES to enable it
-;tlsbindport=5039		; the port to bind to
-;tlsbindaddr=0.0.0.0		; address to bind to, default to bindaddr
+;tlsbindaddr=0.0.0.0:5039		; address and port to bind to, default to bindaddr and port 5039
 ;tlscertfile=/tmp/asterisk.pem	; path to the certificate.
 ;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
                                 ; if no tlsprivatekey is given, default is to search

Modified: branches/1.8/include/asterisk/manager.h
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/include/asterisk/manager.h?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/include/asterisk/manager.h (original)
+++ branches/1.8/include/asterisk/manager.h Thu Feb  2 10:58:44 2012
@@ -56,6 +56,7 @@
 
 #define AMI_VERSION                     "1.1"
 #define DEFAULT_MANAGER_PORT 5038	/* Default port for Asterisk management via TCP */
+#define DEFAULT_MANAGER_TLS_PORT 5039	/* Default port for Asterisk management via TCP */
 
 /*! \name Constant return values
  *\note Currently, returning anything other than zero causes the session to terminate.

Modified: branches/1.8/main/http.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/http.c?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/main/http.c (original)
+++ branches/1.8/main/http.c Thu Feb  2 10:58:44 2012
@@ -60,6 +60,9 @@
 
 #define MAX_PREFIX 80
 #define DEFAULT_SESSION_LIMIT 100
+
+#define DEFAULT_HTTP_PORT 8080
+#define DEFAULT_HTTPS_PORT 8089
 
 /* See http.h for more information about the SSL implementation */
 #if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE))
@@ -1022,20 +1025,18 @@
 	struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
 	struct sockaddr_in tmp = {0,};
 	struct sockaddr_in tmp2 = {0,};
+	int http_tls_was_enabled = 0;
 
 	cfg = ast_config_load2("http.conf", "http", config_flags);
 	if (cfg == CONFIG_STATUS_FILEMISSING || cfg == CONFIG_STATUS_FILEUNCHANGED || cfg == CONFIG_STATUS_FILEINVALID) {
 		return 0;
 	}
 
-	/* default values */
+	http_tls_was_enabled = (reload && http_tls_cfg.enabled);
+
 	tmp.sin_family = AF_INET;
-	tmp.sin_port = htons(8088);
+	tmp.sin_port = htons(DEFAULT_HTTP_PORT);
 	ast_sockaddr_from_sin(&http_desc.local_address, &tmp);
-
-	tmp2.sin_family = AF_INET;
-	tmp2.sin_port = htons(8089);
-	ast_sockaddr_from_sin(&https_desc.local_address, &tmp2);
 
 	http_tls_cfg.enabled = 0;
 	if (http_tls_cfg.certfile) {
@@ -1058,6 +1059,8 @@
 		ast_free(redirect);
 	}
 	AST_RWLIST_UNLOCK(&uri_redirects);
+
+	ast_sockaddr_setnull(&https_desc.local_address);
 
 	if (cfg) {
 		v = ast_variable_browse(cfg, "general");
@@ -1107,13 +1110,16 @@
 
 		ast_config_destroy(cfg);
 	}
-	/* if the https addres has not been set, default is the same as non secure http */
+	/* if the https address has not been set, default is the same as non secure http */
 	ast_sockaddr_to_sin(&http_desc.local_address, &tmp);
 	ast_sockaddr_to_sin(&https_desc.local_address, &tmp2);
 	if (!tmp2.sin_addr.s_addr) {
 		tmp2.sin_addr = tmp.sin_addr;
-		ast_sockaddr_from_sin(&https_desc.local_address, &tmp2);
-	}
+	}
+	if (!tmp2.sin_port) {
+		tmp2.sin_port = htons(DEFAULT_HTTPS_PORT);
+	}
+	ast_sockaddr_from_sin(&https_desc.local_address, &tmp2);
 	if (!enabled) {
 		ast_sockaddr_setnull(&http_desc.local_address);
 		ast_sockaddr_setnull(&https_desc.local_address);
@@ -1123,7 +1129,10 @@
 	}
 	enablestatic = newenablestatic;
 	ast_tcptls_server_start(&http_desc);
-	if (ast_ssl_setup(https_desc.tls_cfg)) {
+	/* If https was enabled previously but now is not, then stop the service */
+	if (http_tls_was_enabled && !http_tls_cfg.enabled) {
+		ast_tcptls_server_stop(&https_desc);
+	} else if (ast_ssl_setup(https_desc.tls_cfg)) {
 		ast_tcptls_server_start(&https_desc);
 	}
 

Modified: branches/1.8/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/manager.c?view=diff&rev=353770&r1=353769&r2=353770
==============================================================================
--- branches/1.8/main/manager.c (original)
+++ branches/1.8/main/manager.c Thu Feb  2 10:58:44 2012
@@ -6491,6 +6491,7 @@
 	char a1_hash[256];
 	struct sockaddr_in ami_desc_local_address_tmp = { 0, };
 	struct sockaddr_in amis_desc_local_address_tmp = { 0, };
+	int tls_was_enabled = 0;
 
 	if (!registered) {
 		/* Register default actions */
@@ -6556,10 +6557,15 @@
 
 	/* default values */
 	ast_copy_string(global_realm, S_OR(ast_config_AST_SYSTEM_NAME, DEFAULT_REALM), sizeof(global_realm));
-	memset(&ami_desc.local_address, 0, sizeof(struct sockaddr_in));
-	memset(&amis_desc.local_address, 0, sizeof(amis_desc.local_address));
-	amis_desc_local_address_tmp.sin_port = htons(5039);
+	ast_sockaddr_setnull(&ami_desc.local_address);
+	ast_sockaddr_setnull(&amis_desc.local_address);
+
+	ami_desc_local_address_tmp.sin_family = AF_INET;
+	amis_desc_local_address_tmp.sin_family = AF_INET;
+
 	ami_desc_local_address_tmp.sin_port = htons(DEFAULT_MANAGER_PORT);
+
+	tls_was_enabled = (reload && ami_tls_cfg.enabled);
 
 	ami_tls_cfg.enabled = 0;
 	if (ami_tls_cfg.certfile) {
@@ -6634,13 +6640,16 @@
 		}
 	}
 
-	ami_desc_local_address_tmp.sin_family = AF_INET;
-	amis_desc_local_address_tmp.sin_family = AF_INET;
+	ast_sockaddr_to_sin(&amis_desc.local_address, &amis_desc_local_address_tmp);
 
 	/* if the amis address has not been set, default is the same as non secure ami */
 	if (!amis_desc_local_address_tmp.sin_addr.s_addr) {
 		amis_desc_local_address_tmp.sin_addr =
 		    ami_desc_local_address_tmp.sin_addr;
+	}
+
+	if (!amis_desc_local_address_tmp.sin_port) {
+		amis_desc_local_address_tmp.sin_port = htons(DEFAULT_MANAGER_TLS_PORT);
 	}
 
 	if (manager_enabled) {
@@ -6897,7 +6906,9 @@
 	manager_event(EVENT_FLAG_SYSTEM, "Reload", "Module: Manager\r\nStatus: %s\r\nMessage: Manager reload Requested\r\n", manager_enabled ? "Enabled" : "Disabled");
 
 	ast_tcptls_server_start(&ami_desc);
-	if (ast_ssl_setup(amis_desc.tls_cfg)) {
+	if (tls_was_enabled && !ami_tls_cfg.enabled) {
+		ast_tcptls_server_stop(&amis_desc);
+	} else if (ast_ssl_setup(amis_desc.tls_cfg)) {
 		ast_tcptls_server_start(&amis_desc);
 	}
 	return 0;

More information about the svn-commits mailing list