<param name="tls-sip-port" value="$${external_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
<param name="tls-cert-dir" value="$${external_ssl_dir}"/>
+ <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
+ <param name="tls-passphrase" value=""/>
<!-- Don't verify the date on TLS certificates -->
<param name="tls-no-verify-date" value="false"/>
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
- <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections -->
+ <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'in_subjects', 'out_subjects' and 'all_subjects' for subject validation. Multiple policies can be split with a '|' pipe -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>
+ <!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
+ <param name="tls-verify-in-subjects" value=""/>
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/>
- <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
- <param name="tls-passphrase" value=""/>
</settings>
</profile>
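Review bot: The policy names given in the new comment on L10 (`'in_subjects', 'out_subjects' and 'all_subjects'`) are not the tokens the parser in sofia_glue_str2tls_verify_policy accepts, which are `subjects_in`, `subjects_out` and `subjects_all` (the L14 comment uses those), so an administrator who copies the L10 spelling gets a policy of none and no peer-certificate verification, with no error reported. The same mismatch is in the internal profile at L31. Suggested wording for both: `also 'subjects_in', 'subjects_out' and 'subjects_all' to additionally check the peer certificate subject against tls-verify-in-subjects. Multiple policies can be split with a '|' pipe`. It would also help to say on L14/L35 what form a subject entry takes, since the value is passed straight through to the TLS layer.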
<param name="tls-sip-port" value="$${internal_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
<param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
+ <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
+ <param name="tls-passphrase" value=""/>
<!-- Don't verify the date on TLS certificates -->
<param name="tls-no-verify-date" value="false"/>
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
- <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections -->
+ <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'in_subjects', 'out_subjects' and 'all_subjects' for subject validation. Multiple policies can be split with a '|' pipe -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>
+ <!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
+ <param name="tls-verify-in-subjects" value=""/>
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/>
- <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
- <param name="tls-passphrase" value=""/>
<!-- turn on auto-flush during bridge (skip timer sleep when the socket already has data)
(reduces delay on latent connections default true, must be disabled explicitly)-->
#include <sofia-sip/auth_module.h>
#include <sofia-sip/su_md5.h>
#include <sofia-sip/su_log.h>
+#include <sofia-sip/su_strlst.h>
#include <sofia-sip/nea.h>
#include <sofia-sip/msg_addr.h>
#include <sofia-sip/tport_tag.h>
enum tport_tls_verify_policy tls_verify_policy;
int tls_verify_depth;
char *tls_passphrase;
+ char *tls_verify_in_subjects_str;
+ su_strlst_t *tls_verify_in_subjects;
};
struct private_object {
}
}
+ /* We have to init the verify_subjects here as during config stage profile->home isn't setup, it should be freed when profile->home is freed */
+ if ( (profile->tls_verify_policy & TPTLS_VERIFY_SUBJECTS_IN) && profile->tls_verify_in_subjects_str && ! profile->tls_verify_in_subjects) {
+ profile->tls_verify_in_subjects = su_strlst_dup_split((su_home_t *)profile->nua, profile->tls_verify_in_subjects_str, "|");
+ }
+
profile->nua = nua_create(profile->s_root, /* Event loop */
sofia_event_callback, /* Callback for processing events */
profile, /* Additional data to pass to callback */
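Review bot: The subject list on L61 is allocated from `(su_home_t *)profile->nua`, but `profile->nua` is only assigned by `nua_create` on L64, after this call; on a first start that pointer is presumably still NULL, so the list ends up in a standalone home rather than one released together with the profile, which contradicts the comment on L59. If the profile is restarted and the previous nua was torn down in between, the `! profile->tls_verify_in_subjects` guard keeps the old list, which may then reference freed memory — worth confirming against the profile shutdown path, which is outside this hunk. Suggest allocating the list from a home the profile owns and frees explicitly (or passing NULL and destroying the list when the profile stops), and rewording the comment to state who frees it. The enclosing function starts and ends outside the hunk.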
TPTAG_TLS_VERIFY_DEPTH(profile->tls_verify_depth)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
TPTAG_TLS_VERIFY_DATE(! profile->tls_no_verify_date)),
+ TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_verify_in_subjects,
+ TPTAG_TLS_VERIFY_SUBJECTS(profile->tls_verify_in_subjects)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
TPTAG_TLS_VERSION(profile->tls_version)),
TAG_IF(!strchr(profile->sipip, ':'),
sofia_profile_start_failure(NULL, xprofilename);
goto done;
}
+ profile->tls_verify_policy = TPTLS_VERIFY_NONE;
+ /* lib default */
+ profile->tls_verify_depth = 2;
switch_mutex_init(&profile->gw_mutex, SWITCH_MUTEX_NESTED, pool);
profile->tls_cert_dir = switch_core_strdup(profile->pool, val);
} else if (!strcasecmp(var, "tls-passphrase")) {
profile->tls_passphrase = switch_core_strdup(profile->pool, val);
+ } else if (!strcasecmp(var, "tls-verify-in-subjects")) {
+ profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
} else if (!strcasecmp(var, "tls-version")) {
if (!strcasecmp(val, "tlsv1")) {
}
enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char * str){
- if (!strcasecmp(str, "in")) {
- return TPTLS_VERIFY_IN;
- } else if (!strcasecmp(str, "out")) {
- return TPTLS_VERIFY_OUT;
- } else if (!strcasecmp(str, "all")) {
- return TPTLS_VERIFY_ALL;
- } else if (!strcasecmp(str, "subjects_in")) {
- return TPTLS_VERIFY_SUBJECTS_IN;
- } else if (!strcasecmp(str, "subjects_out")) {
- return TPTLS_VERIFY_SUBJECTS_OUT;
- } else if (!strcasecmp(str, "subjects_all")) {
- return TPTLS_VERIFY_SUBJECTS_ALL;
- }
-
- return TPTLS_VERIFY_NONE;
+ char *ptr_next;
+ int len;
+ enum tport_tls_verify_policy ret;
+ char *ptr_cur = (char *) str;
+ ret = TPTLS_VERIFY_NONE;
+
+ while (ptr_cur) {
+ if ((ptr_next = strchr(ptr_cur, '|'))) {
+ len = ptr_next++ - ptr_cur;
+ } else {
+ len = strlen(ptr_cur);
+ }
+ if (!strncasecmp(ptr_cur, "in",len)) {
+ ret |= TPTLS_VERIFY_IN;
+ } else if (!strncasecmp(ptr_cur, "out",len)) {
+ ret |= TPTLS_VERIFY_OUT;
+ } else if (!strncasecmp(ptr_cur, "all",len)) {
+ ret |= TPTLS_VERIFY_ALL;
+ } else if (!strncasecmp(ptr_cur, "subjects_in",len)) {
+ ret |= TPTLS_VERIFY_SUBJECTS_IN;
+ } else if (!strncasecmp(ptr_cur, "subjects_out",len)) {
+ ret |= TPTLS_VERIFY_SUBJECTS_OUT;
+ } else if (!strncasecmp(ptr_cur, "subjects_all",len)) {
+ ret |= TPTLS_VERIFY_SUBJECTS_ALL;
+ }
+ ptr_cur = ptr_next;
+ }
+ return ret;
}
char *sofia_glue_find_parameter_value(switch_core_session_t *session, const char *str, const char *param)
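Review bot: The comparisons on L118-L128 use `strncasecmp(ptr_cur, name, len)` with `len` being the length of the current token, which is a prefix match rather than an exact one: `"i"` or `"subjects_al"` match `in`/`subjects_all`, and because a zero-length compare succeeds, an empty token (`""`, a leading, doubled or trailing `'|'`) always sets TPTLS_VERIFY_IN. Unknown tokens are dropped silently, so a typo leaves the policy weaker than configured with nothing in the log; an exact-length check plus a warning fixes both. `len` should also be `size_t`, since it receives a `strlen` result and a pointer difference. The rewritten comparison chain is below; the declarations and the `'|'` splitting loop are otherwise unchanged.
```c
	size_t len;
	/* … unchanged: ptr_next / ret / ptr_cur declarations and the '|' splitting loop head … */
		/* Exact-length match: with a bare strncasecmp(.., len) an empty token ("", "in|")
		 * or a keyword prefix ("i", "subjects_al") would also be accepted. */
#define TLS_POLICY_TOKEN_IS(s, l, lit) ((l) == sizeof(lit) - 1 && !strncasecmp((s), (lit), (l)))
		if (TLS_POLICY_TOKEN_IS(ptr_cur, len, "in")) {
			ret |= TPTLS_VERIFY_IN;
		} else if (TLS_POLICY_TOKEN_IS(ptr_cur, len, "out")) {
			ret |= TPTLS_VERIFY_OUT;
		} else if (TLS_POLICY_TOKEN_IS(ptr_cur, len, "all")) {
			ret |= TPTLS_VERIFY_ALL;
		} else if (TLS_POLICY_TOKEN_IS(ptr_cur, len, "subjects_in")) {
			ret |= TPTLS_VERIFY_SUBJECTS_IN;
		} else if (TLS_POLICY_TOKEN_IS(ptr_cur, len, "subjects_out")) {
			ret |= TPTLS_VERIFY_SUBJECTS_OUT;
		} else if (TLS_POLICY_TOKEN_IS(ptr_cur, len, "subjects_all")) {
			ret |= TPTLS_VERIFY_SUBJECTS_ALL;
		} else if (len) {
			/* Misspelled tokens must not silently weaken verification. */
			switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING,
							  "Ignoring unknown tls-verify-policy token '%.*s'\n", (int) len, ptr_cur);
		}
#undef TLS_POLICY_TOKEN_IS
		/* … unchanged: ptr_cur = ptr_next; and return ret; … */
```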