Add mechanism to set OpenSSL session timeout
authorTravis Cross <tc@traviscross.com>
Fri, 8 Jun 2012 22:06:55 +0000 (22:06 +0000)
committerTravis Cross <tc@traviscross.com>
Mon, 11 Jun 2012 21:46:05 +0000 (21:46 +0000)
In a sofia profile, you can now set the parameter tls-timeout to a
positive integer value which represents the maximum time in seconds
that OpenSSL will keep a TLS session (and its ephemeral keys) alive.

This value is passed to OpenSSL's SSL_CTX_set_timeout(3).

OpenSSL's default value is 300 seconds, but the relevant standard
(RFC 2246) allows much longer session lifetimes (it recommends an
upper limit of 24 hours).

Longer values can be useful for extending battery life on mobile
devices.

Signed-off-by: Travis Cross <tc@traviscross.com>
libs/sofia-sip/.update
libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
src/mod/endpoints/mod_sofia/mod_sofia.h
src/mod/endpoints/mod_sofia/sofia.c

index ade22984f2f44009e6a7bd305092cacb9a2eb6f7..cfded9d9e28e192072c0bb420dc30b8ddc04087c 100644 (file)
@@ -1 +1 @@
-Thu May  3 16:30:20 CDT 2012
+Sat Jun  9 03:24:47 UTC 2012
index 6745cff1afcd41aa39d1d20b64f844822b103e06..3abbbcbac4c759cc5fc3bb1d727d30c928c3b449 100644 (file)
@@ -198,6 +198,12 @@ enum tport_tls_verify_policy {
   TPTLS_VERIFY_SUBJECTS_ALL = 0xF,
 };
 
+TPORT_DLL extern tag_typedef_t tptag_tls_timeout;
+#define TPTAG_TLS_TIMEOUT(x) tptag_tls_timeout, tag_uint_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_timeout_ref;
+#define TPTAG_TLS_TIMEOUT_REF(x) tptag_tls_timeout_ref, tag_uint_vr(&(x))
+
 TPORT_DLL extern tag_typedef_t tptag_tls_passphrase;
 #define TPTAG_TLS_PASSPHRASE(x)  tptag_tls_passphrase, tag_str_v(x)
 
index c10958a41f8d6a593a143e0b4a346b544c15c8bd..495eaaf997ed5d5e5dfff71b6409a60b018a5187 100644 (file)
@@ -280,6 +280,19 @@ tag_typedef_t tptag_compartment = PTRTAG_TYPEDEF(compartment);
  */
 tag_typedef_t tptag_tls_version = UINTTAG_TYPEDEF(tls_version);
 
+/**@def TPTAG_TLS_TIMEOUT(x)
+ *
+ * Sets the maximum TLS session lifetime in seconds.
+ *
+ * The default value is 300 seconds.
+ *
+ * Use with tport_tbind(), nua_create(), nta_agent_create(),
+ * nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
+ *
+ * @NEW_UNRELEASED.
+ */
+tag_typedef_t tptag_tls_timeout = UINTTAG_TYPEDEF(tls_timeout);
+
 /**@def TPTAG_TLS_VERIFY_PEER(x)
  * @par Depreciated:
  *    Alias for TPTAG_TLS_VERIFY_POLICY(TPTLS_VERIFY_IN|TPTLS_VERIFY_OUT)
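Review bot: The new Doxygen block for TPTAG_TLS_TIMEOUT states the default (300 seconds) but not what the value actually controls, so a caller cannot tell it from a handshake or idle timeout; the tport_tls.c hunk shows it is handed straight to SSL_CTX_set_timeout(), i.e. it bounds how long a session stays in OpenSSL's cache and remains resumable. I would change the first sentence to `* Sets the maximum TLS session lifetime in seconds (passed to OpenSSL's SSL_CTX_set_timeout(3); bounds how long a session stays cached and resumable).` and keep the rest as is.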
index 2fffbde1104ada6455d6d389ef3d8a577d44d0c9..2facb30d0df526887091eaa9c1d111ce9e77993f 100644 (file)
@@ -311,6 +311,8 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
     return -1;
   }
 
+  SSL_CTX_set_timeout(tls->ctx, ti->timeout);
+
   /* Set callback if we have a passphrase */
   if (ti->passphrase != NULL) {
     SSL_CTX_set_default_passwd_cb(tls->ctx, passwd_cb);
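Review bot: `SSL_CTX_set_timeout(tls->ctx, ti->timeout);` passes the field through unchecked, and a zero from a caller that never fills `ti->timeout` (only tport_tls_init_master is shown doing so) is not "no limit" but, as far as OpenSSL's session code is documented, a fallback to OpenSSL's own default; nothing here says so. The value is also a security trade-off the commit does not mention: a cached session keeps its master secret in server memory until it expires, so a larger tls-timeout widens the window in which a compromised process exposes sessions that can still be resumed, which is the forward-secrecy cost of the battery-life gain. I would add above the call `/* Session cache lifetime in seconds. Cached sessions hold their master secret until expiry, so larger values weaken forward secrecy; 0 leaves OpenSSL's default in place. */`. tls_init_context starts before this hunk.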
index dbf6517196f0f811c8546d269f189145a682290c..702dcc90400c189406f21e98c941d150aab6411c 100644 (file)
@@ -65,6 +65,7 @@ typedef struct tls_issues_s {
                          */
   int   version;       /* For tls1, version is 1. When ssl3/ssl2 is
                         * used, it is 0. */
+  unsigned timeout;    /* Maximum session lifetime in seconds */
 } tls_issues_t;
 
 typedef struct tport_tls_s {
index 24f5d1b0fb01f0f0616b57f336958c96e9b626e4..cd2ac9a9b6e8e63f5bfdeca275a0454d0966b47d 100644 (file)
@@ -181,6 +181,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   char *tbf = NULL;
   char const *path = NULL;
   unsigned tls_version = 1;
+  unsigned tls_timeout = 300;
   unsigned tls_verify = 0;
   char const *passphrase = NULL;
   unsigned tls_policy = TPTLS_VERIFY_NONE;
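Review bot: `unsigned tls_timeout = 300;` hard-codes the same default that also appears in the TPTAG_TLS_TIMEOUT Doxygen comment and twice in mod_sofia's sofia.c, so the four copies can drift apart silently; a single named constant next to the `timeout` field in tport_tls.h, e.g. `#define TPORT_TLS_TIMEOUT_DEFAULT 300`, used here and referenced from the comment, would keep them in step. tport_tls_init_master begins before this hunk.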
@@ -198,6 +199,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   tl_gets(tags,
          TPTAG_CERTIFICATE_REF(path),
          TPTAG_TLS_VERSION_REF(tls_version),
+         TPTAG_TLS_TIMEOUT_REF(tls_timeout),
          TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
          TPTAG_TLS_PASSPHRASE_REF(passphrase),
          TPTAG_TLS_VERIFY_POLICY_REF(tls_policy),
@@ -224,6 +226,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
     ti.cert = ti.key;
     ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
     ti.version = tls_version;
+    ti.timeout = tls_timeout;
     ti.CApath = su_strdup(autohome, path);
 
     SU_DEBUG_9(("%s(%p): tls key = %s\n", __func__, (void *)pri, ti.key));
index 2e66602f1b8dd854f51f859a3a9764a98f1e7552..39c53d56d442a8b7c5c8f5880b593a2eab983e9f 100644 (file)
         <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not
              work with TLSv1 -->
         <param name="tls-version" value="$${sip_tls_version}"/>
+        <!-- TLS maximum session lifetime -->
+        <!-- <param name="tls-timeout" value="300"/> -->
 
         <!-- turn on auto-flush during bridge (skip timer sleep when the socket
              already has data) (reduces delay on latent connections default
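Review bot: The new comment `<!-- TLS maximum session lifetime -->` gives neither units nor the default, so an operator reading the sample cannot tell whether `300` is seconds or milliseconds or what they get by leaving the parameter out; the sibling tls-version comment at least documents its default. I would write `<!-- TLS maximum session lifetime in seconds (OpenSSL session cache timeout); default 300 -->`.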
index 8379c4bf93871e33d7f0911fa9acb0bde9790c19..6345e354c5cd16bdcdbcfcc8057d07ae46f2c8d7 100644 (file)
@@ -596,6 +596,7 @@ struct sofia_profile {
        switch_port_t sip_port;
        switch_port_t tls_sip_port;
        int tls_version;
+       unsigned int tls_timeout;
        char *inbound_codec_string;
        char *outbound_codec_string;
        int running;
index 13e632af9f6128f7d35508aeea54458f2cf65768..799e6ed21e3003ffec3ac1c022aaf16533bbb79f 100644 (file)
@@ -2071,6 +2071,8 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
                                                                          TPTAG_TLS_VERIFY_SUBJECTS(profile->tls_verify_in_subjects)),
                                                          TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
                                                                         TPTAG_TLS_VERSION(profile->tls_version)),
+                                                         TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_timeout,
+                                                                        TPTAG_TLS_TIMEOUT(profile->tls_timeout)),
                                                          TAG_IF(!strchr(profile->sipip, ':'),
                                                                         NTATAG_UDP_MTU(65535)),
                                                          TAG_IF(sofia_test_pflag(profile, PFLAG_DISABLE_SRV),
@@ -3934,6 +3936,7 @@ switch_status_t config_sofia(int reload, char *profile_name)
                                profile->sip_force_expires = 0;
                                profile->sip_expires_max_deviation = 0;
                                profile->tls_version = 0;
+                               profile->tls_timeout = 300;
                                profile->mflags = MFLAG_REFER | MFLAG_REGISTER;
                                profile->server_rport_level = 1;
                                profile->client_rport_level = 1;
@@ -4754,6 +4757,9 @@ switch_status_t config_sofia(int reload, char *profile_name)
                                                } else {
                                                        profile->tls_version = 0;
                                                }
+                                       } else if (!strcasecmp(var, "tls-timeout")) {
+                                               int v = atoi(val);
+                                               profile->tls_timeout = v > 0 ? (unsigned int)v : 300;
                                        } else if (!strcasecmp(var, "timer-T1")) {
                                                int v = atoi(val);
                                                if (v > 0) {
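Review bot: `profile->tls_timeout = v > 0 ? (unsigned int)v : 300;` silently substitutes 300 for any invalid or non-positive `tls-timeout` and never tells the operator, so a typo such as `value="3O0"` (atoi yields 0) or a negative value goes unnoticed while the profile runs with a setting the operator did not choose. atoi also accepts trailing garbage and cannot report overflow, so `strtol` with an end-pointer check is the safer parser here. There is also no upper bound even though the commit message cites RFC 2246's 24-hour recommendation, so a misconfigured value of, say, 31536000 is accepted and keeps session secrets cached for a year. The enclosing config_sofia body continues past this hunk, and the logging call is left as a placeholder since none is visible in the hunk.
```c
} else if (!strcasecmp(var, "tls-timeout")) {
	char *end = NULL;
	long v = strtol(val, &end, 10);
	/* whole-string positive integer, capped at the 24h upper bound RFC 2246 suggests */
	if (end && *end == '\0' && v > 0 && v <= 86400) {
		profile->tls_timeout = (unsigned int)v;
	} else {
		/* … log a warning naming the rejected value with the file's usual logging call … */
		profile->tls_timeout = 300;
	}
```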