tcptls: Prevent unsupported options from being set
authorKinsey Moore <kmoore@digium.com>
Fri, 15 Mar 2013 13:37:07 +0000 (13:37 +0000)
committerKinsey Moore <kmoore@digium.com>
Fri, 15 Mar 2013 13:37:07 +0000 (13:37 +0000)
AMI, HTTP, and chan_sip all support TLS in some way, but none of them
support all the options that Asterisk's TLS core is capable of
interpreting. This prevents consumers of the TLS/SSL layer from setting
TLS/SSL options that they do not support.

This also gets tlsverifyclient closer to a working state by requesting
the client certificate when tlsverifyclient is set. Currently, there is
no consumer of main/tcptls.c in Asterisk that supports this feature, so
it cannot be properly tested.

Review: https://reviewboard.asterisk.org/r/2370/
Reported-by: John Bigelow
Patch-by: Kinsey Moore
(closes issue AST-1093)
........

Merged revisions 383165 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 383166 from http://svn.asterisk.org/svn/asterisk/branches/11

git-svn-id: https://origsvn.digium.com/svn/asterisk/certified/branches/11.2@383208 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/chan_sip.c
main/http.c
main/manager.c
main/tcptls.c

index 8dd7304a7491727d4742ff031b66a6c47f5abbf7..9654f536ef94787b755cfe26c8c11aeffcc26515 100644 (file)
@@ -31217,8 +31217,11 @@ static int reload_config(enum channelreloadreason reason)
                        continue;
                }
 
-               /* handle tls conf */
-               if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
+               /* handle tls conf, don't allow setting of tlsverifyclient as it isn't supported by chan_sip */
+               if (!strcasecmp(v->name, "tlsverifyclient")) {
+                       ast_log(LOG_WARNING, "Ignoring unsupported option 'tlsverifyclient'\n");
+                       continue;
+               } else if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
                        continue;
                }
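Review bot: The rejection at the new `strcasecmp(v->name, "tlsverifyclient")` check is a deny-list, so any option that ast_tls_read_conf() learns to parse in the future is accepted by chan_sip by default, and the same applies to the longer deny-lists in the main/http.c and main/manager.c hunks; each consumer would have to be updated by hand to keep the option sets in sync. An allow-list kept next to ast_tls_read_conf() (for example a per-consumer mask of supported options passed in, or a helper that takes the list of names a consumer supports) would keep the "unsupported options cannot be set" guarantee this commit introduces without three copies of the list. Until then a comment such as `/* NOTE: keep this list in sync with the option names handled by ast_tls_read_conf() in main/tcptls.c */` above the check would help maintainers. reload_config() starts and ends outside this hunk.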
 
index 0553e6b465f34703a6be29ccdcdc6b9c15071866..1fa919bfbe5f2c0669fe322e160d2e82c6f2404d 100644 (file)
@@ -1052,8 +1052,17 @@ static int __ast_http_load(int reload)
                v = ast_variable_browse(cfg, "general");
                for (; v; v = v->next) {
 
-                       /* handle tls conf */
-                       if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+                       /* read tls config options while preventing unsupported options from being set */
+                       if (strcasecmp(v->name, "tlscafile")
+                               && strcasecmp(v->name, "tlscapath")
+                               && strcasecmp(v->name, "tlscadir")
+                               && strcasecmp(v->name, "tlsverifyclient")
+                               && strcasecmp(v->name, "tlsdontverifyserver")
+                               && strcasecmp(v->name, "tlsclientmethod")
+                               && strcasecmp(v->name, "sslclientmethod")
+                               && strcasecmp(v->name, "tlscipher")
+                               && strcasecmp(v->name, "sslcipher")
+                               && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
                                continue;
                        }
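Review bot: When one of the listed unsupported names matches, the chain of `strcasecmp()` calls makes the whole condition false, so the option is neither passed to ast_tls_read_conf() nor reported; execution falls through to the rest of the loop body, which is outside the hunk, and whether that code warns about an unrecognised option cannot be seen here. This is inconsistent with the channels/chan_sip.c hunk, which logs a warning for the option it refuses, and the same pattern appears in the main/manager.c hunk. Splitting the rejection from the parse call makes the intent visible and gives the administrator a diagnostic; the manager.c hunk can be restructured the same way with its own list. __ast_http_load() starts and ends outside this hunk.
```c
/* … unchanged: loop header … */
/* options understood by the TLS core but not by the HTTP server */
if (!strcasecmp(v->name, "tlscafile")
	|| !strcasecmp(v->name, "tlscapath")
	|| !strcasecmp(v->name, "tlscadir")
	|| !strcasecmp(v->name, "tlsverifyclient")
	|| !strcasecmp(v->name, "tlsdontverifyserver")
	|| !strcasecmp(v->name, "tlsclientmethod")
	|| !strcasecmp(v->name, "sslclientmethod")
	|| !strcasecmp(v->name, "tlscipher")
	|| !strcasecmp(v->name, "sslcipher")) {
	ast_log(LOG_WARNING, "Ignoring unsupported option '%s'\n", v->name);
	continue;
}
if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
	continue;
}
/* … unchanged: remaining option handling … */
```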
 
index 9f20a904bf90b68a2074e7c9cfda019bf7dba342..08e1331c8166726ec093d49ece481798123032e8 100644 (file)
@@ -7487,7 +7487,15 @@ static int __init_manager(int reload, int by_external_config)
        for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
                val = var->value;
 
-               if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
+               /* read tls config options while preventing unsupported options from being set */
+               if (strcasecmp(var->name, "tlscafile")
+                       && strcasecmp(var->name, "tlscapath")
+                       && strcasecmp(var->name, "tlscadir")
+                       && strcasecmp(var->name, "tlsverifyclient")
+                       && strcasecmp(var->name, "tlsdontverifyserver")
+                       && strcasecmp(var->name, "tlsclientmethod")
+                       && strcasecmp(var->name, "sslclientmethod")
+                       && !ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
                        continue;
                }
 
index dffba1dcd3ad099348e8faa46ce5b331e23bbb6e..2b4842638583a951da25c522686ba979bd1bb4b4 100644 (file)
@@ -373,6 +373,11 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
                cfg->enabled = 0;
                return 0;
        }
+
+       SSL_CTX_set_verify(cfg->ssl_ctx,
+               ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
+               NULL);
+
        if (!ast_strlen_zero(cfg->certfile)) {
                char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
                if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
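Review bot: The new `SSL_CTX_set_verify()` call requests `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` whenever AST_SSL_VERIFY_CLIENT is set, which makes every handshake fail unless a CA that can validate the client certificate has been loaded into the context; nothing in the hunk checks that a CA file or path is configured, and the CA loading, if it happens later in __ssl_setup(), is outside the hunk. Since the commit message says no consumer can exercise this path yet, a misconfiguration here would surface only as opaque handshake failures; logging when the flag is set but no CA source is configured, e.g. `if (ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) && ast_strlen_zero(cfg->cafile) && ast_strlen_zero(cfg->capath)) { ast_log(LOG_WARNING, "tlsverifyclient is set but no CA file or path is configured; client connections will fail\n"); }` (assuming those fields exist on struct ast_tls_config as the certfile/pvtfile fields do), would make that diagnosable. The mode is also applied regardless of the `client` parameter; a short comment such as `/* server-side client-certificate check; client contexts keep SSL_VERIFY_NONE and verify the peer elsewhere */` would document that this is intended. __ssl_setup() starts and ends outside this hunk.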