<!-- TLS: disabled by default, set to "true" to enable -->
<param name="tls" value="$${external_ssl_enable}"/>
+ <!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
+ <param name="tls-only" value="false"/>
<!-- additional bind parameters for TLS -->
<param name="tls-bind-params" value="transport=tls"/>
<!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
<param name="tls-sip-port" value="$${external_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
<param name="tls-cert-dir" value="$${external_ssl_dir}"/>
+ <!-- Don't verify the date on TLS certificates -->
+ <param name="tls-no-verify-date" value="false"/>
+ <!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
+ <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections -->
+ <param name="tls-verify-policy" value="none"/>
+ <!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
+ <param name="tls-verify-depth" value="2"/>
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/>
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
<!-- TLS: disabled by default, set to "true" to enable -->
<param name="tls" value="$${internal_ssl_enable}"/>
+ <!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
+ <param name="tls-only" value="false"/>
<!-- additional bind parameters for TLS -->
<param name="tls-bind-params" value="transport=tls"/>
<!-- Port to listen on for TLS requests. (5061 will be used if unspecified) -->
<param name="tls-sip-port" value="$${internal_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
<param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
+ <!-- Don't verify the date on TLS certificates -->
+ <param name="tls-no-verify-date" value="false"/>
+ <!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
+ <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections -->
+ <param name="tls-verify-policy" value="none"/>
+ <!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
+ <param name="tls-verify-depth" value="2"/>
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/>
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
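Review bot: The tls-verify-policy comment documents only 'in', 'out' and 'all', while the parser added by this commit (sofia_glue_str2tls_verify_policy, further down) also accepts 'subjects_in', 'subjects_out' and 'subjects_all', and the comment never says what the shipped default 'none' means. Because an unrecognised value is also mapped to 'none', the consequence should be spelled out, e.g. `<!-- 'none' (default) performs no peer certificate verification at all; an unrecognised value is treated as 'none' -->`, with the subjects_* variants listed next to the other values. The external profile hunk above carries the identical comment block and needs the same wording.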
if (profile->extsipip) {
stream->write_function(stream, "Ext-SIP-IP \t%s\n", profile->extsipip);
}
- stream->write_function(stream, "URL \t%s\n", switch_str_nil(profile->url));
- stream->write_function(stream, "BIND-URL \t%s\n", switch_str_nil(profile->bindurl));
+ if (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only) {
+ stream->write_function(stream, "URL \t%s\n", switch_str_nil(profile->url));
+ stream->write_function(stream, "BIND-URL \t%s\n", switch_str_nil(profile->bindurl));
+ }
if (sofia_test_pflag(profile, PFLAG_TLS)) {
stream->write_function(stream, "TLS-URL \t%s\n", switch_str_nil(profile->tls_url));
stream->write_function(stream, "TLS-BIND-URL \t%s\n", switch_str_nil(profile->tls_bindurl));
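Review bot: The guard `! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only` is spelled out by hand here and again in the two status hunks below, in the NAT-mapping hunk and in the nua_create TAG_IF, so a later change to what "TLS only" means has five places to miss. Define it once beside the other profile helpers, `static inline int sofia_profile_binds_plain(sofia_profile_t *profile) { return !sofia_test_pflag(profile, PFLAG_TLS) || !profile->tls_only; }`, and call that at each site; the `! x` spacing also differs from the `!x` form used elsewhere in these files. The enclosing function starts and ends outside this hunk.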
ac++;
stream->write_function(stream, "%25s\t%s\t %40s\t%s\n", vvar, " alias", profile->name, "ALIASED");
} else {
- stream->write_function(stream, "%25s\t%s\t %40s\t%s (%u)\n", profile->name, "profile", profile->url,
+ if (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only) {
+ stream->write_function(stream, "%25s\t%s\t %40s\t%s (%u)\n", profile->name, "profile", profile->url,
sofia_test_pflag(profile, PFLAG_RUNNING) ? "RUNNING" : "DOWN", profile->inuse);
+ }
if (sofia_test_pflag(profile, PFLAG_TLS)) {
stream->write_function(stream, "%25s\t%s\t %40s\t%s (%u) (TLS)\n", profile->name, "profile", profile->tls_url,
stream->write_function(stream, "<alias>\n<name>%s</name>\n<type>%s</type>\n<data>%s</data>\n<state>%s</state>\n</alias>\n", vvar, "alias",
profile->name, "ALIASED");
} else {
- stream->write_function(stream, "<profile>\n<name>%s</name>\n<type>%s</type>\n<data>%s</data>\n<state>%s (%u)</state>\n</profile>\n",
+ if (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only){
+ stream->write_function(stream, "<profile>\n<name>%s</name>\n<type>%s</type>\n<data>%s</data>\n<state>%s (%u)</state>\n</profile>\n",
profile->name, "profile", profile->url, sofia_test_pflag(profile, PFLAG_RUNNING) ? "RUNNING" : "DOWN",
profile->inuse);
+ }
if (sofia_test_pflag(profile, PFLAG_TLS)) {
stream->write_function(stream,
switch_mutex_t *gw_mutex;
uint32_t queued_events;
uint32_t cseq_base;
+ int tls_only;
+ int tls_no_verify_date;
+ enum tport_tls_verify_policy tls_verify_policy;
+ int tls_verify_depth;
char *tls_passphrase;
};
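Review bot: The four new profile fields carry no comments, so their meaning has to be reconstructed from the config parser and the nua_create tags in other files. Suggested comments: `int tls_only; /* bind only the TLS port, never the plain sip-port */`, `int tls_no_verify_date; /* skip the validity-date check on peer certificates */`, `enum tport_tls_verify_policy tls_verify_policy; /* which connection directions get their certificate verified; TPTLS_VERIFY_NONE unless configured */` and `int tls_verify_depth; /* max chain depth handed to TPTAG_TLS_VERIFY_DEPTH; defaults to 2 */`. The struct's opening is outside this hunk.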
sofia_transport_t sofia_glue_via2transport(const sip_via_t * via);
sofia_transport_t sofia_glue_url2transport(const url_t *url);
sofia_transport_t sofia_glue_str2transport(const char *str);
+enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char * str);
const char *sofia_glue_transport2str(const sofia_transport_t tp);
char *sofia_glue_find_parameter(const char *str, const char *param);
supported = switch_core_sprintf(profile->pool, "%s%s%sprecondition, path, replaces", use_100rel ? "100rel, " : "", use_timer ? "timer, " : "", use_rfc_5626 ? "outbound, " : "");
if (sofia_test_pflag(profile, PFLAG_AUTO_NAT) && switch_nat_get_type()) {
- if (switch_nat_add_mapping(profile->sip_port, SWITCH_NAT_UDP, NULL, SWITCH_FALSE) == SWITCH_STATUS_SUCCESS) {
+ if ( (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only) && switch_nat_add_mapping(profile->sip_port, SWITCH_NAT_UDP, NULL, SWITCH_FALSE) == SWITCH_STATUS_SUCCESS) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Created UDP nat mapping for %s port %d\n", profile->name, profile->sip_port);
}
if (switch_nat_add_mapping(profile->sip_port, SWITCH_NAT_TCP, NULL, SWITCH_FALSE) == SWITCH_STATUS_SUCCESS) {
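Review bot: The UDP NAT mapping is now skipped for a TLS-only profile, but the TCP mapping for the same sip_port on the unchanged line right after it is still created unconditionally, so a TLS-only profile still opens a TCP hole on a port it no longer listens on. Apply the same guard there, `if ((!sofia_test_pflag(profile, PFLAG_TLS) || !profile->tls_only) && switch_nat_add_mapping(profile->sip_port, SWITCH_NAT_TCP, NULL, SWITCH_FALSE) == SWITCH_STATUS_SUCCESS) {`, or hoist the condition into a local so both mappings share it. Presumably the TLS port gets its own mapping elsewhere; that is not visible here. The enclosing function continues outside the hunk.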
profile->nua = nua_create(profile->s_root, /* Event loop */
sofia_event_callback, /* Callback for processing events */
profile, /* Additional data to pass to callback */
- NUTAG_URL(profile->bindurl),
+ TAG_IF( ! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only, NUTAG_URL(profile->bindurl)),
NTATAG_USER_VIA(1),
TAG_IF(!strchr(profile->sipip, ':'),
SOATAG_AF(SOA_AF_IP4_ONLY)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_passphrase,
TPTAG_TLS_PASSPHRASE(profile->tls_passphrase)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
- TPTAG_TLS_VERIFY_POLICY(0)),
+ TPTAG_TLS_VERIFY_POLICY(profile->tls_verify_policy)),
+ TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
+ TPTAG_TLS_VERIFY_DEPTH(profile->tls_verify_depth)),
+ TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
+ TPTAG_TLS_VERIFY_DATE(! profile->tls_no_verify_date)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
TPTAG_TLS_VERSION(profile->tls_version)),
TAG_IF(!strchr(profile->sipip, ':'),
}
}
}
+ profile->tls_verify_policy = TPTLS_VERIFY_NONE;
+ /* lib default */
+ profile->tls_verify_depth = 2;
switch_event_destroy(&xml_params);
}
}
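Review bot: Only tls_verify_policy and tls_verify_depth receive explicit defaults; tls_only and tls_no_verify_date are left to whatever the profile allocation provides, which is correct only if the profile is zero-allocated, and that is not visible in this hunk. Either initialise them alongside, `profile->tls_only = 0; profile->tls_no_verify_date = 0;`, or state the assumption in the comment, which as written does not say what library the 2 comes from; `/* defaults: no peer verification, chain depth 2 (presumably sofia-sip's own default) */` would do. The enclosing function starts and ends outside the hunk.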
} else if (!strcasecmp(var, "tls-bind-params")) {
profile->tls_bind_params = switch_core_strdup(profile->pool, val);
+ } else if (!strcasecmp(var, "tls-only")) {
+ profile->tls_only = switch_true(val);
+ } else if (!strcasecmp(var, "tls-no-verify-date")) {
+ profile->tls_no_verify_date = switch_true(val);
+ } else if (!strcasecmp(var, "tls-verify-depth")) {
+ profile->tls_verify_depth = atoi(val);
+ } else if (!strcasecmp(var, "tls-verify-policy")) {
+ profile->tls_verify_policy = sofia_glue_str2tls_verify_policy(val);
} else if (!strcasecmp(var, "tls-sip-port")) {
if (!strcasecmp(val, "auto")) {
sofia_set_pflag(profile, PFLAG_AUTO_ASSIGN_TLS_PORT);
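Review bot: `profile->tls_verify_depth = atoi(val);` accepts any text without complaint: a typo such as "two" becomes 0 and a negative number goes straight into TPTAG_TLS_VERIFY_DEPTH, silently replacing the default of 2 set earlier in this file. Parse with strtol, reject anything that is not a non-negative integer, and keep the previous value with a warning so a bad config line is visible in the log rather than quietly weakening verification; val is presumably never NULL here, as the neighbouring branches pass it to strcasecmp unchecked. The enclosing function starts and ends outside the hunk.
```c
} else if (!strcasecmp(var, "tls-verify-depth")) {
	char *end = NULL;
	long depth = strtol(val, &end, 10);
	if (end == val || *end != '\0' || depth < 0 || depth > INT_MAX) {
		switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING,
						  "Invalid tls-verify-depth '%s', keeping %d\n", val, profile->tls_verify_depth);
	} else {
		profile->tls_verify_depth = (int) depth;
	}
/* … unchanged: tls-verify-policy and tls-sip-port branches … */
```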
return SOFIA_TRANSPORT_UNKNOWN;
}
+enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char * str){
+ if (!strcasecmp(str, "in")) {
+ return TPTLS_VERIFY_IN;
+ } else if (!strcasecmp(str, "out")) {
+ return TPTLS_VERIFY_OUT;
+ } else if (!strcasecmp(str, "all")) {
+ return TPTLS_VERIFY_ALL;
+ } else if (!strcasecmp(str, "subjects_in")) {
+ return TPTLS_VERIFY_SUBJECTS_IN;
+ } else if (!strcasecmp(str, "subjects_out")) {
+ return TPTLS_VERIFY_SUBJECTS_OUT;
+ } else if (!strcasecmp(str, "subjects_all")) {
+ return TPTLS_VERIFY_SUBJECTS_ALL;
+ }
+
+ return TPTLS_VERIFY_NONE;
+}
+
char *sofia_glue_find_parameter_value(switch_core_session_t *session, const char *str, const char *param)
{
const char *param_ptr;
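Review bot: Every string that is not one of the six recognised names, including a misspelling of "all" or a NULL (which strcasecmp would dereference), is returned as TPTLS_VERIFY_NONE without any diagnostic, so a config typo disables peer verification silently. A table-driven lookup that accepts an explicit "none", guards against an empty string and logs anything else makes the failure visible; the name-to-policy mapping itself is unchanged. Style-wise, `const char * str` and `){` in both this definition and the declaration in the header hunk above differ from the `const char *str` / `)` newline `{` form of the neighbouring prototypes.
```c
enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char *str)
{
	static const struct {
		const char *name;
		enum tport_tls_verify_policy policy;
	} map[] = {
		{ "in", TPTLS_VERIFY_IN },
		{ "out", TPTLS_VERIFY_OUT },
		{ "all", TPTLS_VERIFY_ALL },
		{ "subjects_in", TPTLS_VERIFY_SUBJECTS_IN },
		{ "subjects_out", TPTLS_VERIFY_SUBJECTS_OUT },
		{ "subjects_all", TPTLS_VERIFY_SUBJECTS_ALL },
		{ "none", TPTLS_VERIFY_NONE },
	};

	if (!zstr(str)) {
		for (size_t i = 0; i < sizeof map / sizeof map[0]; i++) {
			if (!strcasecmp(str, map[i].name)) {
				return map[i].policy;
			}
		}
		switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING,
						  "Unknown tls-verify-policy '%s', falling back to none (no certificate verification)\n", str);
	}

	return TPTLS_VERIFY_NONE;
}
```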