From: Kinsey Moore Date: Fri, 15 Mar 2013 13:37:07 +0000 (+0000) Subject: tcptls: Prevent unsupported options from being set X-Git-Tag: certified/11.2-cert1-rc2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=269c40f002a936f9a3f6b03d247cbbaae6d6db6b;p=thirdparty%2Fasterisk.git tcptls: Prevent unsupported options from being set AMI, HTTP, and chan_sip all support TLS in some way, but none of them support all the options that Asterisk's TLS core is capable of interpreting. This prevents consumers of the TLS/SSL layer from setting TLS/SSL options that they do not support. This also gets tlsverifyclient closer to a working state by requesting the client certificate when tlsverifyclient is set. Currently, there is no consumer of main/tcptls.c in Asterisk that supports this feature and so it can not be properly tested. Review: https://reviewboard.asterisk.org/r/2370/ Reported-by: John Bigelow Patch-by: Kinsey Moore (closes issue AST-1093) ........ Merged revisions 383165 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 383166 from http://svn.asterisk.org/svn/asterisk/branches/11 git-svn-id: https://origsvn.digium.com/svn/asterisk/certified/branches/11.2@383208 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 8dd7304a74..9654f536ef 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -31217,8 +31217,11 @@ static int reload_config(enum channelreloadreason reason)
 continue;
 }
- /* handle tls conf */
- if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
+ /* handle tls conf, don't allow setting of tlsverifyclient as it isn't supported by chan_sip */
+ if (!strcasecmp(v->name, "tlsverifyclient")) {
+ ast_log(LOG_WARNING, "Ignoring unsupported option 'tlsverifyclient'\n");
+ continue;
+ } else if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
 continue;
 }
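Review bot: The `else if` that follows the new `tlsverifyclient` branch is only reached when that branch did not `continue`, so the chain reads more plainly as two independent guards: keep the new `if (!strcasecmp(v->name, "tlsverifyclient")) { ... continue; }` and leave the original `if (!ast_tls_read_conf(...)) { continue; }` as a separate statement after it. That warning is also the only signal an operator gets that chan_sip will not verify client certificates even though the option was set, so it is worth pointing at the offending config line, e.g. `ast_log(LOG_WARNING, "Ignoring unsupported option 'tlsverifyclient' at line %d of %s\n", v->lineno, v->file);`, assuming the ast_variable location fields are used the same way elsewhere in reload_config. reload_config starts and ends outside the hunk.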
diff --git a/main/http.c b/main/http.c
index 0553e6b465..1fa919bfbe 100644
--- a/main/http.c
+++ b/main/http.c
@@ -1052,8 +1052,17 @@ static int __ast_http_load(int reload)
 v = ast_variable_browse(cfg, "general");
 for (; v; v = v->next) {
- /* handle tls conf */
- if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+ /* read tls config options while preventing unsupported options from being set */
+ if (strcasecmp(v->name, "tlscafile")
+ && strcasecmp(v->name, "tlscapath")
+ && strcasecmp(v->name, "tlscadir")
+ && strcasecmp(v->name, "tlsverifyclient")
+ && strcasecmp(v->name, "tlsdontverifyserver")
+ && strcasecmp(v->name, "tlsclientmethod")
+ && strcasecmp(v->name, "sslclientmethod")
+ && strcasecmp(v->name, "tlscipher")
+ && strcasecmp(v->name, "sslcipher")
+ && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
 continue;
 }
diff --git a/main/manager.c b/main/manager.c
index 9f20a904bf..08e1331c81 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -7487,7 +7487,15 @@ static int __init_manager(int reload, int by_external_config)
 for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
 val = var->value;
- if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
+ /* read tls config options while preventing unsupported options from being set */
+ if (strcasecmp(var->name, "tlscafile")
+ && strcasecmp(var->name, "tlscapath")
+ && strcasecmp(var->name, "tlscadir")
+ && strcasecmp(var->name, "tlsverifyclient")
+ && strcasecmp(var->name, "tlsdontverifyserver")
+ && strcasecmp(var->name, "tlsclientmethod")
+ && strcasecmp(var->name, "sslclientmethod")
+ && !ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
 continue;
 }
diff --git a/main/tcptls.c b/main/tcptls.c
index dffba1dcd3..2b48426385 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
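Review bot: The nine-term `strcasecmp` chain makes a matched name fall through to the option parsing after the hunk instead of being consumed, so whether an operator who sets `tlsverifyclient` or `tlscipher` for the HTTP listener gets any warning depends on code outside this hunk; the chan_sip hunk in this commit warns explicitly, and the same applies to the manager.c hunk, whose list differs only by omitting `tlscipher`/`sslcipher`. Silent acceptance is the risky case, because an administrator may believe client certificates are being verified or the cipher list restricted when neither is in effect. A table of unsupported names with an explicit warning keeps the intent readable and the feedback independent of the later chain; the helper below would sit outside the hunk, and `__ast_http_load` starts and ends outside it.
```c
/* TLS/SSL keys the HTTP listener does not honour; they are reported and skipped. */
static const char *const http_unsupported_tls_opts[] = {
	"tlscafile", "tlscapath", "tlscadir", "tlsverifyclient",
	"tlsdontverifyserver", "tlsclientmethod", "sslclientmethod",
	"tlscipher", "sslcipher", NULL,
};

/* Returns non-zero when name is one of the keys in http_unsupported_tls_opts. */
static int http_tls_opt_unsupported(const char *name)
{
	const char *const *opt;
	for (opt = http_unsupported_tls_opts; *opt; opt++) {
		if (!strcasecmp(name, *opt)) {
			return 1;
		}
	}
	return 0;
}

/* … unchanged: __ast_http_load up to the "general" loop … */
	for (; v; v = v->next) {
		if (http_tls_opt_unsupported(v->name)) {
			ast_log(LOG_WARNING, "Ignoring unsupported option '%s'\n", v->name);
			continue;
		}
		if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
			continue;
		}
/* … unchanged: remaining option handling … */
```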
@@ -373,6 +373,11 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 cfg->enabled = 0;
 return 0;
 }
+
+ SSL_CTX_set_verify(cfg->ssl_ctx,
+ ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
+ NULL);
+
 if (!ast_strlen_zero(cfg->certfile)) {
 char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
 if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
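Review bot: `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` makes OpenSSL reject any client whose certificate cannot be chained to a trusted CA, so if `AST_SSL_VERIFY_CLIENT` is set without CA material loaded into the context (the cafile/capath handling appears to come later in `__ssl_setup`, outside the hunk), every client handshake fails rather than verification being skipped; a check that logs and refuses to enable the listener when the flag is set but no CA location is configured would make that failure diagnosable. In the `client` case the flag is never relevant and the call settles on `SSL_VERIFY_NONE`, meaning the library performs no chain validation for outbound connections and any server-certificate check relies on code elsewhere in tcptls.c, which is worth stating in a comment here. The long conditional would also read better hoisted into a local, e.g. `int verify_mode = ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE;` followed by `SSL_CTX_set_verify(cfg->ssl_ctx, verify_mode, NULL);`, with a comment noting that no current consumer sets the flag so this path is untested (per the commit message). `__ssl_setup` starts and ends outside the hunk.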