[Asterisk-code-review] tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA)... (asterisk[master])

Alexander Traud asteriskteam at digium.com
Sun May 10 10:10:00 CDT 2015 

Alexander Traud has uploaded a new change for review.

  https://gerrit.asterisk.org/431

Change subject: tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA) for server socket.
......................................................................

tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA) for server socket.

When a client connects via SSL/TLS, the server uses a RSA key-pair usually.
However, more such algorithms exist like DSA and ECDSA, and if the server socket
setups a certificate for either one of those, it would loose compatibility to
RSA-only clients. Now, the server socket can be configured with up to one RSA,
ECDSA and DSA key each. For example, if a client is not compatible with SHA-2
hashed certificates like Nokia mobile phones, the server socket still can use
RSA/SHA-1 for legacy clients and ECDSA/SHA-2 for everyone else.

ASTERISK-24815 #close
Reported by: Alexander Traud
patches:
  tls_rsa_ecc_dsa.patch uploaded by Alexander Traud (License 6520)

Change-Id: Iada5e00d326db5ef86e0af7069b4dfa1b979da9a
---
M configs/samples/pjsip.conf.sample
M configs/samples/sip.conf.sample
M main/tcptls.c
3 files changed, 38 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/31/431/2

diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample
index 5e37571..905824d 100644
--- a/configs/samples/pjsip.conf.sample
+++ b/configs/samples/pjsip.conf.sample
@@ -765,7 +765,13 @@
                 ; (default: "")
 ;cert_file=     ; Certificate file for endpoint TLS ONLY
                 ; Will read .crt or .pem file but only uses cert,
-                ; a .key file must be specified via priv_key_file
+                ; a .key file must be specified via priv_key_file. Since
+                ; PJProject version 2.5: If the file name ends in _rsa, for
+                ; example "asterisk_rsa.pem", the files "asterisk_dsa.pem"
+                ; and/or "asterisk_ecc.pem" are looked-up (certificate, inter-
+                ; mediates, private key), to support multiple algorithms for 
+                ; server authentication (RSA, DSA, ECDSA). If the chains are 
+                ; different, at least OpenSSL 1.0.2 is required.
                 ; (default: "")
 ;cipher=        ; Preferred cryptography cipher names TLS ONLY (default: "")
 ;domain=        ; Domain the transport comes from (default: "")
diff --git a/configs/samples/sip.conf.sample b/configs/samples/sip.conf.sample
index e52fa6d..8f55974 100644
--- a/configs/samples/sip.conf.sample
+++ b/configs/samples/sip.conf.sample
@@ -561,7 +561,12 @@
 ;------------------------ TLS settings ------------------------------------------------------------
 ;tlscertfile=</path/to/certificate.pem> ; Certificate chain (*.pem format only) to use for TLS connections
                                         ; The certificates must be sorted starting with the subject's certificate
-                                        ; and followed by intermediate CA certificates if applicable.
+                                        ; and followed by intermediate CA certificates if applicable. If the
+                                        ; file name ends in _rsa, for example "asterisk_rsa.pem", the files
+                                        ; "asterisk_dsa.pem" and/or "asterisk_ecc.pem" are looked-up
+                                        ; (certificate, intermediates, private key), to support multiple
+                                        ; algorithms for server authentication (RSA, DSA, ECDSA). If the chains
+                                        ; are different, at least OpenSSL 1.0.2 is required.
                                         ; Default is to look for "asterisk.pem" in current directory
 
 ;tlsprivatekey=</path/to/private.pem> ; Private key file (*.pem format only) for TLS connections.
diff --git a/main/tcptls.c b/main/tcptls.c
index 0b06d22..63340a5 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -752,6 +752,20 @@
 	return NULL;
 }
 
+static void __ssl_setup_certs(struct ast_tls_config *cfg, const size_t cert_file_len, const char *key_type_extension, const char *key_type)
+{
+	char *cert_file = ast_strdupa(cfg->certfile);
+
+	memcpy(cert_file + cert_file_len - 8, key_type_extension, 5);
+	if (access(cert_file, F_OK) == 0) {
+		if (SSL_CTX_use_certificate_chain_file(cfg->ssl_ctx, cert_file) == 0) {
+			ast_log(LOG_ERROR, "TLS/SSL error loading %s cert file. <%s>\n", key_type, cert_file);
+		} else {
+			SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, cert_file, SSL_FILETYPE_PEM);
+		}
+	}
+}
+
 static int __ssl_setup(struct ast_tls_config *cfg, int client)
 {
 #ifndef DO_SSL
@@ -839,6 +853,17 @@
 				return 0;
 			}
 		}
+		if (!client) {
+			size_t certfile_len = strlen(cfg->certfile);
+
+			/* expects a file name which contains _rsa. like asterisk_rsa.pem
+			 * ignores any 3-character file-extension like .pem, .cer, .crt
+			 */
+			if (certfile_len >= 8 && !strncmp(cfg->certfile + certfile_len - 8, "_rsa.", 5)) {
+				__ssl_setup_certs(cfg, certfile_len, "_ecc.", "ECC");
+				__ssl_setup_certs(cfg, certfile_len, "_dsa.", "DSA");
+			}
+		}
 	}
 	if (!ast_strlen_zero(cfg->cipher)) {
 		if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {

-- 
To view, visit https://gerrit.asterisk.org/431
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iada5e00d326db5ef86e0af7069b4dfa1b979da9a
Gerrit-PatchSet: 2
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>

More information about the asterisk-code-review mailing list