* Removes references to tlsbindport from http.conf.sample and manager.conf.sample
* Properly bind to port specified in tlsbindaddr, using the default port if specified.
* On a reload, properly close socket if the service has been disabled.
A note has been added to UPGRADE.txt to indicate how ports must be set for TLS.
(closes issue ASTERISK-16959)
reported by Olaf Holthausen
(closes issue ASTERISK-19201)
reported by Chris Mylonas
(closes issue ASTERISK-19204)
reported by Chris Mylonas
Review: https://reviewboard.asterisk.org/r/1709
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@353770
65c4cc65-6c06-0410-ace0-
fbb531ad65f3
From 1.6.2 to 1.8:
+* When using TLS with Manager and the HTTP server, the desired port
+ must be specified in the tlsbindaddr setting. If no port is specified,
+ then the default port will be used. See the sample config file to know
+ the default ports. Settings like "sslbindport" and "tlsbindport" have
+ no effect.
+
* chan_sip no longer sets HASH(SIP_CAUSE,<chan name>) on channels by default.
This must now be enabled by setting 'sipstorecause' to 'yes' in sip.conf.
This carries a performance penalty.
; explicitly enable tls, define the port to use,
; and have a certificate somewhere.
;tlsenable=yes ; enable tls - default no.
-;tlsbindport=4433 ; port to use - default is 8089
-;tlsbindaddr=0.0.0.0 ; address to bind to - default is bindaddr.
+;tlsbindaddr=0.0.0.0:8089 ; address and port to bind to - default is bindaddr and port 8089.
;
;tlscertfile=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
;tlsprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
; openssl s_client -connect my_host:5039
;
;tlsenable=no ; set to YES to enable it
-;tlsbindport=5039 ; the port to bind to
-;tlsbindaddr=0.0.0.0 ; address to bind to, default to bindaddr
+;tlsbindaddr=0.0.0.0:5039 ; address and port to bind to, default to bindaddr and port 5039
;tlscertfile=/tmp/asterisk.pem ; path to the certificate.
;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
; if no tlsprivatekey is given, default is to search
#define AMI_VERSION "1.1"
#define DEFAULT_MANAGER_PORT 5038 /* Default port for Asterisk management via TCP */
+#define DEFAULT_MANAGER_TLS_PORT 5039 /* Default port for Asterisk management via TCP */
/*! \name Constant return values
*\note Currently, returning anything other than zero causes the session to terminate.
#define MAX_PREFIX 80
#define DEFAULT_SESSION_LIMIT 100
+#define DEFAULT_HTTP_PORT 8080
+#define DEFAULT_HTTPS_PORT 8089
+
/* See http.h for more information about the SSL implementation */
#if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE))
#define DO_SSL /* comment in/out if you want to support ssl */
struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
struct sockaddr_in tmp = {0,};
struct sockaddr_in tmp2 = {0,};
+ int http_tls_was_enabled = 0;
cfg = ast_config_load2("http.conf", "http", config_flags);
if (cfg == CONFIG_STATUS_FILEMISSING || cfg == CONFIG_STATUS_FILEUNCHANGED || cfg == CONFIG_STATUS_FILEINVALID) {
return 0;
}
- /* default values */
+ http_tls_was_enabled = (reload && http_tls_cfg.enabled);
+
tmp.sin_family = AF_INET;
- tmp.sin_port = htons(8088);
+ tmp.sin_port = htons(DEFAULT_HTTP_PORT);
ast_sockaddr_from_sin(&http_desc.local_address, &tmp);
- tmp2.sin_family = AF_INET;
- tmp2.sin_port = htons(8089);
- ast_sockaddr_from_sin(&https_desc.local_address, &tmp2);
-
http_tls_cfg.enabled = 0;
if (http_tls_cfg.certfile) {
ast_free(http_tls_cfg.certfile);
}
AST_RWLIST_UNLOCK(&uri_redirects);
+ ast_sockaddr_setnull(&https_desc.local_address);
+
if (cfg) {
v = ast_variable_browse(cfg, "general");
for (; v; v = v->next) {
ast_config_destroy(cfg);
}
- /* if the https addres has not been set, default is the same as non secure http */
+ /* if the https address has not been set, default is the same as non secure http */
ast_sockaddr_to_sin(&http_desc.local_address, &tmp);
ast_sockaddr_to_sin(&https_desc.local_address, &tmp2);
if (!tmp2.sin_addr.s_addr) {
tmp2.sin_addr = tmp.sin_addr;
- ast_sockaddr_from_sin(&https_desc.local_address, &tmp2);
}
+ if (!tmp2.sin_port) {
+ tmp2.sin_port = htons(DEFAULT_HTTPS_PORT);
+ }
+ ast_sockaddr_from_sin(&https_desc.local_address, &tmp2);
if (!enabled) {
ast_sockaddr_setnull(&http_desc.local_address);
ast_sockaddr_setnull(&https_desc.local_address);
}
enablestatic = newenablestatic;
ast_tcptls_server_start(&http_desc);
- if (ast_ssl_setup(https_desc.tls_cfg)) {
+ /* If https was enabled previously but now is not, then stop the service */
+ if (http_tls_was_enabled && !http_tls_cfg.enabled) {
+ ast_tcptls_server_stop(&https_desc);
+ } else if (ast_ssl_setup(https_desc.tls_cfg)) {
ast_tcptls_server_start(&https_desc);
}
char a1_hash[256];
struct sockaddr_in ami_desc_local_address_tmp = { 0, };
struct sockaddr_in amis_desc_local_address_tmp = { 0, };
+ int tls_was_enabled = 0;
if (!registered) {
/* Register default actions */
/* default values */
ast_copy_string(global_realm, S_OR(ast_config_AST_SYSTEM_NAME, DEFAULT_REALM), sizeof(global_realm));
- memset(&ami_desc.local_address, 0, sizeof(struct sockaddr_in));
- memset(&amis_desc.local_address, 0, sizeof(amis_desc.local_address));
- amis_desc_local_address_tmp.sin_port = htons(5039);
+ ast_sockaddr_setnull(&ami_desc.local_address);
+ ast_sockaddr_setnull(&amis_desc.local_address);
+
+ ami_desc_local_address_tmp.sin_family = AF_INET;
+ amis_desc_local_address_tmp.sin_family = AF_INET;
+
ami_desc_local_address_tmp.sin_port = htons(DEFAULT_MANAGER_PORT);
+ tls_was_enabled = (reload && ami_tls_cfg.enabled);
+
ami_tls_cfg.enabled = 0;
if (ami_tls_cfg.certfile) {
ast_free(ami_tls_cfg.certfile);
}
}
- ami_desc_local_address_tmp.sin_family = AF_INET;
- amis_desc_local_address_tmp.sin_family = AF_INET;
+ ast_sockaddr_to_sin(&amis_desc.local_address, &amis_desc_local_address_tmp);
/* if the amis address has not been set, default is the same as non secure ami */
if (!amis_desc_local_address_tmp.sin_addr.s_addr) {
ami_desc_local_address_tmp.sin_addr;
}
+ if (!amis_desc_local_address_tmp.sin_port) {
+ amis_desc_local_address_tmp.sin_port = htons(DEFAULT_MANAGER_TLS_PORT);
+ }
+
if (manager_enabled) {
ast_sockaddr_from_sin(&ami_desc.local_address, &ami_desc_local_address_tmp);
ast_sockaddr_from_sin(&amis_desc.local_address, &amis_desc_local_address_tmp);
manager_event(EVENT_FLAG_SYSTEM, "Reload", "Module: Manager\r\nStatus: %s\r\nMessage: Manager reload Requested\r\n", manager_enabled ? "Enabled" : "Disabled");
ast_tcptls_server_start(&ami_desc);
- if (ast_ssl_setup(amis_desc.tls_cfg)) {
+ if (tls_was_enabled && !ami_tls_cfg.enabled) {
+ ast_tcptls_server_stop(&amis_desc);
+ } else if (ast_ssl_setup(amis_desc.tls_cfg)) {
ast_tcptls_server_start(&amis_desc);
}
return 0;
projects / thirdparty / asterisk.git / commitdiff
