* Added SIP_CODEC_OUTBOUND dialplan variable which can be used to set the codec
to be used for the outgoing call. It must be one of the codecs configured
for the device.
+ * Added tlsprivatekey option to sip.conf. This allows a separate .pem file
+ to be used for holding a private key. If tlsprivatekey is not specified,
+ tlscertfile is searched for both public and private key.
Applications
------------
--------------------------
* The Hangup action now accepts a Cause header which may be used to
set the channel's hangup cause.
-
+ * sslprivatekey option added to manager.conf and http.conf. Adds the ability
+ to specify a separate .pem file to hold a private key. By default sslcert
+ is used to hold both the public and private key.
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 1.6.1 to Asterisk 1.6.2 -------------
------------------------------------------------------------------------------
/* iterator->call = sip_destroy(iterator->call); */
}
ASTOBJ_UNLOCK(iterator);
-
} while(0));
/* Then, actually destroy users and registry */
ast_debug(4, "--------------- Done destroying registry list\n");
ao2_t_callback(peers, OBJ_NODATA, peer_markall_func, NULL, "callback to mark all peers");
}
-
+
/* Reset certificate handling for TLS sessions */
if (reason != CHANNEL_MODULE_LOAD) {
ast_free(default_tls_cfg.certfile);
+ ast_free(default_tls_cfg.pvtfile);
ast_free(default_tls_cfg.cipher);
ast_free(default_tls_cfg.cafile);
ast_free(default_tls_cfg.capath);
}
default_tls_cfg.certfile = ast_strdup(AST_CERTFILE); /*XXX Not sure if this is useful */
+ default_tls_cfg.pvtfile = ast_strdup("");
default_tls_cfg.cipher = ast_strdup("");
default_tls_cfg.cafile = ast_strdup("");
default_tls_cfg.capath = ast_strdup("");
-
/* Initialize copy of current global_regcontext for later use in removing stale contexts */
ast_copy_string(oldcontexts, global_regcontext, sizeof(oldcontexts));
oldregcontext = oldcontexts;
} else if (!strcasecmp(v->name, "tlscertfile")) {
ast_free(default_tls_cfg.certfile);
default_tls_cfg.certfile = ast_strdup(v->value);
+ } else if (!strcasecmp(v->name, "tlsprivatekey")) {
+ ast_free(default_tls_cfg.pvtfile);
+ default_tls_cfg.pvtfile = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "tlscipher")) {
ast_free(default_tls_cfg.cipher);
default_tls_cfg.cipher = ast_strdup(v->value);
if (default_tls_cfg.certfile)
ast_free(default_tls_cfg.certfile);
+ if (default_tls_cfg.pvtfile)
+ ast_free(default_tls_cfg.pvtfile);
if (default_tls_cfg.cipher)
ast_free(default_tls_cfg.cipher);
if (default_tls_cfg.cafile)
; sslbindport=4433 ; port to use - default is 8089
; sslbindaddr=0.0.0.0 ; address to bind to - default is bindaddr.
;
-; sslcert=/tmp/foo.pem ; path to the certificate
;
-; To produce a certificate you can e.g. use openssl
-; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
+; sslcert=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
+; sslprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
+; If no path is given for sslcert or sslprivatekey, default is to look in current
+; directory. If no sslprivatekey is given, default is to search sslcert for private key.
+;
+; To produce a certificate you can e.g. use openssl. This places both the cert and
+; private in same .pem file.
+; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
;
-
; The post_mappings section maps URLs to real paths on the filesystem. If a
; POST is done from within an authenticated manager session to one of the
; configured POST mappings, then any files in the POST will be placed in the
; sslbindport=5039 ; the port to bind to
; sslbindaddr=0.0.0.0 ; address to bind to, default to bindaddr
; sslcert=/tmp/asterisk.pem ; path to the certificate.
+; sslprivatekey=/tmp/private.pem ; path to the private key, if no private given,
+ ; if no sslprivatekey is given, default is to search
+ ; sslcert for private key.
; sslcipher=<cipher string> ; string specifying which SSL ciphers to use or not use
-
;
;allowmultiplelogin = yes ; IF set to no, rejects manager logins that are already in use.
; ; The default is yes.
; Remember that the IP address must match the common name (hostname) in the
; certificate, so you don't want to bind a TLS socket to multiple IP addresses.
-;tlscertfile=asterisk.pem ; Certificate file (*.pem only) to use for TLS connections
- ; default is to look for "asterisk.pem" in current directory
+;tlscertfile=</path/to/certificate.pem> ; Certificate file (*.pem only) to use for TLS connections
+ ; default is to look for "asterisk.pem" in current directory
+
+;tlsprivatekey=</path/to/private.pem> ; Private key file (*.pem only) for TLS connections.
+ ; If no tlsprivatekey is specified, tlscertfile is searched for
+ ; for both public and private key.
;tlscafile=</path/to/certificate>
; If the server your connecting to uses a self signed certificate
-; you should have their certificate installed here so the code can
+; you should have their certificate installed here so the code can
; verify the authenticity of their certificate.
;tlscadir=</path/to/ca/dir>
struct ast_tls_config {
int enabled;
char *certfile;
+ char *pvtfile;
char *cipher;
char *cafile;
char *capath;
ast_free(http_tls_cfg.certfile);
}
http_tls_cfg.certfile = ast_strdup(AST_CERTFILE);
+
+ if (http_tls_cfg.pvtfile) {
+ ast_free(http_tls_cfg.pvtfile);
+ }
+ http_tls_cfg.pvtfile = ast_strdup("");
+
if (http_tls_cfg.cipher) {
ast_free(http_tls_cfg.cipher);
}
} else if (!strcasecmp(v->name, "sslcert")) {
ast_free(http_tls_cfg.certfile);
http_tls_cfg.certfile = ast_strdup(v->value);
+ } else if (!strcasecmp(v->name, "sslprivatekey")) {
+ ast_free(http_tls_cfg.pvtfile);
+ http_tls_cfg.pvtfile = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "sslcipher")) {
ast_free(http_tls_cfg.cipher);
http_tls_cfg.cipher = ast_strdup(v->value);
ast_free(ami_tls_cfg.certfile);
}
ami_tls_cfg.certfile = ast_strdup(AST_CERTFILE);
+ if (ami_tls_cfg.pvtfile) {
+ ast_free(ami_tls_cfg.pvtfile);
+ }
+ ami_tls_cfg.pvtfile = ast_strdup("");
if (ami_tls_cfg.cipher) {
ast_free(ami_tls_cfg.cipher);
}
} else if (!strcasecmp(var->name, "sslcert")) {
ast_free(ami_tls_cfg.certfile);
ami_tls_cfg.certfile = ast_strdup(val);
+ } else if (!strcasecmp(var->name, "sslprivatekey")) {
+ ast_free(ami_tls_cfg.pvtfile);
+ ami_tls_cfg.pvtfile = ast_strdup(val);
} else if (!strcasecmp(var->name, "sslcipher")) {
ast_free(ami_tls_cfg.cipher);
ami_tls_cfg.cipher = ast_strdup(val);
return 0;
}
if (!ast_strlen_zero(cfg->certfile)) {
- if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0 ||
- SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0 ||
- SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 ) {
+ char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
+ if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
if (!client) {
/* Clients don't need a certificate, but if its setup we can use it */
- ast_verb(0, "SSL cert error <%s>", cfg->certfile);
+ ast_verb(0, "SSL error loading cert file. <%s>", cfg->certfile);
+ sleep(2);
+ cfg->enabled = 0;
+ return 0;
+ }
+ }
+ if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
+ if (!client) {
+ /* Clients don't need a private key, but if its setup we can use it */
+ ast_verb(0, "SSL error loading private key file. <%s>", tmpprivate);
sleep(2);
cfg->enabled = 0;
return 0;
projects / thirdparty / asterisk.git / commitdiff
