From: Joshua Colp Date: Mon, 2 Jul 2018 23:44:53 +0000 (-0300) Subject: pjsip: Clarify certificate configuration for Websocket. X-Git-Tag: 15.5.0-rc1~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c333eef78e14e0525fadf06fe6612e713026898a;p=thirdparty%2Fasterisk.git pjsip: Clarify certificate configuration for Websocket. The Websocket transport uses the built-in HTTP server. As a result the TLS configuration is done in http.conf and not in pjsip.conf. This change adds a warning if this is configured in pjsip.conf and also clarifies in the sample configuration file. Change-Id: I187d994d328c3ed274b6754fd4c2a4955bdc6dd9 --- diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample index 9b64001663..5ec7a63270 100644 --- a/configs/samples/pjsip.conf.sample +++ b/configs/samples/pjsip.conf.sample @@ -862,10 +862,13 @@ ;==========================TRANSPORT SECTION OPTIONS========================= ;[transport] ; SYNOPSIS: SIP Transport +; ;async_operations=1 ; Number of simultaneous Asynchronous Operations ; (default: "1") ;bind= ; IP Address and optional port to bind to for this transport (default: ; "") +; Note that for the Websocket transport the TLS configuration is configured +; in http.conf and is applied for all HTTPS traffic. ;ca_list_file= ; File containing a list of certificates to read TLS ONLY ; (default: "") ;ca_list_path= ; Path to directory containing certificates to read TLS ONLY. 
@@ -883,6 +886,13 @@ ; different, at least OpenSSL 1.0.2 is required. ; (default: "") ;cipher= ; Preferred cryptography cipher names TLS ONLY (default: "") +;method= ; Method of SSL transport TLS ONLY (default: "") +;priv_key_file= ; Private key file TLS ONLY (default: "") +;verify_client= ; Require verification of client certificate TLS ONLY (default: + ; "") +;verify_server= ; Require verification of server certificate TLS ONLY (default: + ; "") +;require_client_cert= ; Require client certificate TLS ONLY (default: "") ;domain= ; Domain the transport comes from (default: "") ;external_media_address= ; External IP address to use in RTP handling ; (default: "") @@ -890,17 +900,10 @@ ; "") ;external_signaling_port=0 ; External port for SIP signalling (default: ; "0") -;method= ; Method of SSL transport TLS ONLY (default: "") ;local_net= ; Network to consider local used for NAT purposes (default: "") ;password= ; Password required for transport (default: "") -;priv_key_file= ; Private key file TLS ONLY (default: "") ;protocol=udp ; Protocol to use for SIP traffic (default: "udp") -;require_client_cert= ; Require client certificate TLS ONLY (default: "") ;type= ; Must be of type transport (default: "") -;verify_client= ; Require verification of client certificate TLS ONLY (default: - ; "") -;verify_server= ; Require verification of server certificate TLS ONLY (default: - ; "") ;tos=0 ; Enable TOS for the signalling sent over this transport (default: "0") ;cos=0 ; Enable COS for the signalling sent over this transport (default: "0") ;websocket_write_timeout=100 ; Default write timeout to set on websocket diff --git a/res/res_pjsip.c b/res/res_pjsip.c index 1f9e1269a4..14d1252cac 100644 --- a/res/res_pjsip.c +++ b/res/res_pjsip.c 
@@ -1211,13 +1211,13 @@ IP Address and optional port to bind to for this transport - File containing a list of certificates to read (TLS ONLY) + File containing a list of certificates to read (TLS ONLY, not WSS) - Path to directory containing a list of certificates to read (TLS ONLY) + Path to directory containing a list of certificates to read (TLS ONLY, not WSS) - Certificate file for endpoint (TLS ONLY) + Certificate file for endpoint (TLS ONLY, not WSS) A path to a .crt or .pem file can be provided. However, only the certificate is read from the file, not the private key. @@ -1226,7 +1226,7 @@ - Preferred cryptography cipher names (TLS ONLY) + Preferred cryptography cipher names (TLS ONLY, not WSS) Comma separated list of cipher names or numeric equivalents. Numeric equivalents can be either decimal or hexadecimal (0xX). @@ -1258,7 +1258,7 @@ External port for SIP signalling - Method of SSL transport (TLS ONLY) + Method of SSL transport (TLS ONLY, not WSS) @@ -1285,7 +1285,7 @@ Password required for transport - Private key file (TLS ONLY) + Private key file (TLS ONLY, not WSS) Protocol to use for SIP traffic @@ -1300,16 +1300,16 @@ - Require client certificate (TLS ONLY) + Require client certificate (TLS ONLY, not WSS) Must be of type 'transport'. - Require verification of client certificate (TLS ONLY) + Require verification of client certificate (TLS ONLY, not WSS) - Require verification of server certificate (TLS ONLY) + Require verification of server certificate (TLS ONLY, not WSS) Enable TOS for the signalling sent over this transport diff --git a/res/res_pjsip/config_transport.c b/res/res_pjsip/config_transport.c index 55ef3c5d89..3ad4dcc42a 100644 --- a/res/res_pjsip/config_transport.c +++ b/res/res_pjsip/config_transport.c 
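Review bot: The "(TLS ONLY, not WSS)" suffix added to each synopsis tells the reader which transport the option does not apply to, but unlike the sample-file note in the same commit it does not say where a WSS deployment configures TLS at all, so someone reading only the XML documentation is left to guess; one sentence on the first affected option (`ca_list_file`) would close that gap, e.g. `For WSS transports the TLS settings are taken from http.conf, since websocket traffic is served by the built-in HTTP server.`. The verification options (`verify_client`, `verify_server`, `require_client_cert`) are the ones most worth this pointer, because an operator who sets them on a wss transport expecting client-certificate enforcement otherwise has no hint that enforcement must be configured elsewhere. These hunks sit inside a multi-line XML documentation string whose beginning and end are outside the hunk.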
@@ -650,6 +650,9 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj) } else if ((transport->type == AST_TRANSPORT_WS) || (transport->type == AST_TRANSPORT_WSS)) { if (transport->cos || transport->tos) { ast_log(LOG_WARNING, "TOS and COS values ignored for websocket transport\n"); + } else if (!ast_strlen_zero(transport->ca_list_file) || !ast_strlen_zero(transport->ca_list_path) || + !ast_strlen_zero(transport->cert_file) || !ast_strlen_zero(transport->privkey_file)) { + ast_log(LOG_WARNING, "TLS certificate values ignored for websocket transport as they are configured in http.conf\n"); } res = PJ_SUCCESS; }
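Review bot: The new certificate warning is chained with `else if` to the TOS/COS check, so a websocket transport that sets `tos` or `cos` together with `cert_file`, `priv_key_file` or a CA list gets only the TOS/COS warning and the ignored TLS material goes unreported; the two conditions are independent and should be separate statements — close the TOS/COS branch with `}` and begin the next check with `if (!ast_strlen_zero(transport->ca_list_file) || !ast_strlen_zero(transport->ca_list_path) ||`. The condition also covers only the four file/path options, while the documentation hunk in this commit marks `method`, `cipher`, `verify_client`, `verify_server` and `require_client_cert` as "not WSS" as well; the verification flags are the security-relevant ones, since `require_client_cert=yes` on a wss transport is silently ignored with no warning at all (the struct fields for those options are not visible in this hunk, so extend the condition to whatever names the transport struct uses). transport_apply begins and ends outside the hunk.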