Consistent SSL/TLS options across conf files
authorDavid Vossel <dvossel@digium.com>
Wed, 29 Apr 2009 14:39:48 +0000 (14:39 +0000)
committerDavid Vossel <dvossel@digium.com>
Wed, 29 Apr 2009 14:39:48 +0000 (14:39 +0000)
ast_tls_read_conf() is a new api call for handling SSL/TLS options across all conf files.  Before this change, SSL/TLS options were not consistent.  http.conf and manager.conf required the 'ssl' prefix while sip.conf used options with the 'tls' prefix.  While the options had different names in different conf files, they all did the exact same thing.  Now, instead of mixing 'ssl' or 'tls' prefixes to do the same thing depending on what conf file you're in, all SSL/TLS options use the 'tls' prefix.  For example, 'sslenable' in http.conf and manager.conf is now 'tlsenable' which matches what already existed in sip.conf. Since this has the potential to break backwards compatibility, previous options containing the 'ssl' prefix still work, but they are no longer documented in the sample.conf files.  The change is noted in the CHANGES file though.

Review: http://reviewboard.digium.com/r/237/

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@191028 65c4cc65-6c06-0410-ace0-fbb531ad65f3

CHANGES
channels/chan_sip.c
configs/http.conf.sample
configs/manager.conf.sample
include/asterisk/tcptls.h
main/http.c
main/manager.c
main/tcptls.c

diff --git a/CHANGES b/CHANGES
index bb9239e8b5606ab8556d7d1ee6da1e03a65aa32b..69debbd7ce03c6341046cd25b0cd4efd620b8cd5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -107,6 +107,12 @@ Asterisk Manager Interface
  * sslprivatekey option added to manager.conf and http.conf.  Adds the ability
    to specify a separate .pem file to hold a private key.  By default sslcert
    is used to hold both the public and private key.
+ * Options in manager.conf and http.conf with the 'ssl' prefix have been replaced
+   for options containing the 'tls' prefix.  For example, 'sslenable' is now
+   'tlsenable'.  This has been done in effort to keep ssl and tls options consistent
+   across all .conf files. All affected sample.conf files have been modified to
+   reflect this change.  Previous options such as 'sslenable' still work,
+   but options with the 'tls' prefix are preferred.
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 1.6.1 to Asterisk 1.6.2  -------------
 ------------------------------------------------------------------------------
index e904b27cb8f4386a06e53f90306ee8fc9ff017f0..d4aab4a8aaa045ba569dd0e393cd1d98231b85c2 100644 (file)
@@ -23943,13 +23943,18 @@ static int reload_config(enum channelreloadreason reason)
                if (!ast_jb_read_conf(&global_jbconf, v->name, v->value))
                        continue;
 
+               /* handle tls conf */
+               if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
+                       continue;
+               }
+
                if (!strcasecmp(v->name, "context")) {
                        ast_copy_string(sip_cfg.default_context, v->value, sizeof(sip_cfg.default_context));
                } else if (!strcasecmp(v->name, "subscribecontext")) {
                        ast_copy_string(sip_cfg.default_subscribecontext, v->value, sizeof(sip_cfg.default_subscribecontext));
-               } else if (!strcasecmp(v->name, "callcounter")) {
+               } else if (!strcasecmp(v->name, "callcounter")) {
                        global_callcounter = ast_true(v->value) ? 1 : 0;
-               } else if (!strcasecmp(v->name, "allowguest")) {
+               } else if (!strcasecmp(v->name, "allowguest")) {
                        sip_cfg.allowguest = ast_true(v->value) ? 1 : 0;
                } else if (!strcasecmp(v->name, "realm")) {
                        ast_copy_string(sip_cfg.realm, v->value, sizeof(sip_cfg.realm));
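Review bot: The new `/* handle tls conf */` comment does not say what the `continue` relies on: per the main/tcptls.c hunk, ast_tls_read_conf() returns 0 when varname is one of the tls*/ssl* options it consumed and -1 otherwise, and it also writes sip_tls_desc.local_address (family, address, port) as a side effect, so a tls*/ssl* key never reaches the strcasecmp chain below. A comment that carries that contract would be `/* ast_tls_read_conf() consumes tls*/ssl* options (returns 0) and updates sip_tls_desc.local_address; anything else falls through to the chain below */`. The same bare comment is used in the main/http.c hunk, and the main/manager.c hunk has no comment on its call at all. reload_config() starts and ends outside this hunk.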
@@ -23967,7 +23972,7 @@ static int reload_config(enum channelreloadreason reason)
                } else if (!strcasecmp(v->name, "allowtransfer")) {
                        sip_cfg.allowtransfer = ast_true(v->value) ? TRANSFER_OPENFORALL : TRANSFER_CLOSED;
                } else if (!strcasecmp(v->name, "rtcachefriends")) {
-                       ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);  
+                       ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);
                } else if (!strcasecmp(v->name, "rtsavesysname")) {
                        sip_cfg.rtsave_sysname = ast_true(v->value);
                } else if (!strcasecmp(v->name, "rtupdate")) {
@@ -23990,7 +23995,7 @@ static int reload_config(enum channelreloadreason reason)
                        while ((trans = strsep(&val, ","))) {
                                trans = ast_skip_blanks(trans);
 
-                               if (!strncasecmp(trans, "udp", 3)) 
+                               if (!strncasecmp(trans, "udp", 3))
                                        default_transports |= SIP_TRANSPORT_UDP;
                                else if (!strncasecmp(trans, "tcp", 3))
                                        default_transports |= SIP_TRANSPORT_TCP;
@@ -24011,31 +24016,6 @@ static int reload_config(enum channelreloadreason reason)
                                ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
                        sip_tcp_desc.local_address.sin_family = family;
                        ast_debug(2, "Setting TCP socket address to %s\n", v->value);
-               } else if (!strcasecmp(v->name, "tlsenable")) {
-                       default_tls_cfg.enabled = ast_true(v->value) ? TRUE : FALSE;
-                       sip_tls_desc.local_address.sin_family = AF_INET;
-               } else if (!strcasecmp(v->name, "tlscertfile")) {
-                       ast_free(default_tls_cfg.certfile);
-                       default_tls_cfg.certfile = ast_strdup(v->value);
-               } else if (!strcasecmp(v->name, "tlsprivatekey")) {
-                       ast_free(default_tls_cfg.pvtfile);
-                       default_tls_cfg.pvtfile = ast_strdup(v->value);
-               } else if (!strcasecmp(v->name, "tlscipher")) {
-                       ast_free(default_tls_cfg.cipher);
-                       default_tls_cfg.cipher = ast_strdup(v->value);
-               } else if (!strcasecmp(v->name, "tlscafile")) {
-                       ast_free(default_tls_cfg.cafile);
-                       default_tls_cfg.cafile = ast_strdup(v->value);
-               } else if (!strcasecmp(v->name, "tlscapath")) {
-                       ast_free(default_tls_cfg.capath);
-                       default_tls_cfg.capath = ast_strdup(v->value);
-               } else if (!strcasecmp(v->name, "tlsverifyclient")) {
-                       ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_VERIFY_CLIENT);       
-               } else if (!strcasecmp(v->name, "tlsdontverifyserver")) {
-                       ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_DONT_VERIFY_SERVER);  
-               } else if (!strcasecmp(v->name, "tlsbindaddr")) {
-                       if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.local_address))
-                               ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
                } else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) {
                        global_dynamic_exclude_static = ast_true(v->value);
                } else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
@@ -24052,7 +24032,7 @@ static int reload_config(enum channelreloadreason reason)
                                i = 0;
                        ast_set2_flag(&global_flags[1], i || ast_true(v->value), SIP_PAGE2_RTAUTOCLEAR);
                } else if (!strcasecmp(v->name, "usereqphone")) {
-                       ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);   
+                       ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);
                } else if (!strcasecmp(v->name, "relaxdtmf")) {
                        global_relaxdtmf = ast_true(v->value);
                } else if (!strcasecmp(v->name, "vmexten")) {
index 9d3769712e536f7ab99191b602f9743f76179396..a47a2d65346eca68ef6ad91809f91da8eb3d457e 100644 (file)
@@ -46,17 +46,16 @@ bindaddr=127.0.0.1
 ;redirect = / /static/config/cfgbasic.html
 ;
 ; HTTPS support. In addition to enabled=yes, you need to
-; explicitly enable ssl, define the port to use,
+; explicitly enable tls, define the port to use,
 ; and have a certificate somewhere.
-; sslenable=yes                ; enable ssl - default no.
-; sslbindport=4433     ; port to use - default is 8089
-; sslbindaddr=0.0.0.0  ; address to bind to - default is bindaddr.
-;
-;
-; sslcert=</path/to/certificate.pem>   ; path to the certificate file (*.pem) only.
-; sslprivatekey=</path/to/private.pem>    ; path to private key file (*.pem) only.
-; If no path is given for sslcert or sslprivatekey, default is to look in current
-; directory. If no sslprivatekey is given, default is to search sslcert for private key.
+;tlsenable=yes          ; enable tls - default no.
+;tlsbindport=4433       ; port to use - default is 8089
+;tlsbindaddr=0.0.0.0    ; address to bind to - default is bindaddr.
+;
+;tlscertfile=</path/to/certificate.pem>  ; path to the certificate file (*.pem) only.
+;tlsprivatekey=</path/to/private.pem>    ; path to private key file (*.pem) only.
+; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
+; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
 ;
 ; To produce a certificate you can e.g. use openssl. This places both the cert and
 ; private in same .pem file.
index 39585c1de7114c00bd883316f5d0d617aa0b5567..425ce4ca268a2a9c4e6086e6a245af5d5fbe269c 100644 (file)
@@ -39,15 +39,14 @@ bindaddr = 0.0.0.0
 ;
 ;      openssl s_client -connect my_host:5039
 ;
-;   sslenable=no               ; set to YES to enable it
-;   sslbindport=5039           ; the port to bind to
-;   sslbindaddr=0.0.0.0                ; address to bind to, default to bindaddr
-;   sslcert=/tmp/asterisk.pem  ; path to the certificate.
-;   sslprivatekey=/tmp/private.pem ; path to the private key, if no private given,
-                                   ; if no sslprivatekey is given, default is to search
-                                                                  ; sslcert for private key.
-;   sslcipher=<cipher string>   ; string specifying which SSL ciphers to use or not use
-
+;tlsenable=no          ; set to YES to enable it
+;tlsbindport=5039              ; the port to bind to
+;tlsbindaddr=0.0.0.0           ; address to bind to, default to bindaddr
+;tlscertfile=/tmp/asterisk.pem ; path to the certificate.
+;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
+                                ; if no tlsprivatekey is given, default is to search
+                                                               ; tlscertfile for private key.
+;tlscipher=<cipher string>      ; string specifying which SSL ciphers to use or not use
 ;
 ;allowmultiplelogin = yes              ; IF set to no, rejects manager logins that are already in use.
 ;                               ; The default is yes.
index e811ab290c86da2e34b983c811c9b6ae4b598322..9496d9772c0dd0e557df48255644f0b88632dcd5 100644 (file)
@@ -174,6 +174,11 @@ void ast_tcptls_server_start(struct ast_tcptls_session_args *desc);
 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc);
 int ast_ssl_setup(struct ast_tls_config *cfg);
 
+/*!
+ * \brief Used to parse conf files containing tls/ssl options.
+ */
+int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value);
+
 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, const void *buf, size_t count);
 
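Review bot: The new \brief on ast_tls_read_conf() documents neither the return contract every caller now depends on nor that the function mutates tls_desc. From main/tcptls.c it returns 0 when varname is a tls*/ssl* option (applied to tls_cfg, or to tls_desc->local_address for tlsenable/tlsbindaddr/tlsbindport) and -1 when varname is not a TLS option, which chan_sip.c, http.c and manager.c all turn into `continue` on 0. Add `\param tls_desc session args whose local_address family/address/port are updated as a side effect`, `\retval 0 varname was a TLS/SSL option and has been applied` and `\retval -1 varname is not a TLS/SSL option; the caller must handle it`. It is also worth stating here that the legacy ssl* names are still accepted for compatibility, since the sample files no longer list them.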
index 595d6cbab18ac5f48640538b3e690e3f15fee8c8..f99c03e910b72992b87635d4e6c7d60de2568911 100644 (file)
@@ -983,7 +983,6 @@ static int __ast_http_load(int reload)
        struct hostent *hp;
        struct ast_hostent ahp;
        char newprefix[MAX_PREFIX] = "";
-       int have_sslbindaddr = 0;
        struct http_uri_redirect *redirect;
        struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
 
@@ -1024,32 +1023,18 @@ static int __ast_http_load(int reload)
        if (cfg) {
                v = ast_variable_browse(cfg, "general");
                for (; v; v = v->next) {
+
+                       /* handle tls conf */
+                       if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+                               continue;
+                       }
+
                        if (!strcasecmp(v->name, "enabled")) {
                                enabled = ast_true(v->value);
-                       } else if (!strcasecmp(v->name, "sslenable")) {
-                               http_tls_cfg.enabled = ast_true(v->value);
-                       } else if (!strcasecmp(v->name, "sslbindport")) {
-                               https_desc.local_address.sin_port = htons(atoi(v->value));
-                       } else if (!strcasecmp(v->name, "sslcert")) {
-                               ast_free(http_tls_cfg.certfile);
-                               http_tls_cfg.certfile = ast_strdup(v->value);
-                       } else if (!strcasecmp(v->name, "sslprivatekey")) {
-                               ast_free(http_tls_cfg.pvtfile);
-                               http_tls_cfg.pvtfile = ast_strdup(v->value);
-                       } else if (!strcasecmp(v->name, "sslcipher")) {
-                               ast_free(http_tls_cfg.cipher);
-                               http_tls_cfg.cipher = ast_strdup(v->value);
                        } else if (!strcasecmp(v->name, "enablestatic")) {
                                newenablestatic = ast_true(v->value);
                        } else if (!strcasecmp(v->name, "bindport")) {
                                http_desc.local_address.sin_port = htons(atoi(v->value));
-                       } else if (!strcasecmp(v->name, "sslbindaddr")) {
-                               if ((hp = ast_gethostbyname(v->value, &ahp))) {
-                                       memcpy(&https_desc.local_address.sin_addr, hp->h_addr, sizeof(https_desc.local_address.sin_addr));
-                                       have_sslbindaddr = 1;
-                               } else {
-                                       ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
-                               }
                        } else if (!strcasecmp(v->name, "bindaddr")) {
                                if ((hp = ast_gethostbyname(v->value, &ahp))) {
                                        memcpy(&http_desc.local_address.sin_addr, hp->h_addr, sizeof(http_desc.local_address.sin_addr));
@@ -1072,8 +1057,8 @@ static int __ast_http_load(int reload)
 
                ast_config_destroy(cfg);
        }
-
-       if (!have_sslbindaddr) {
+       /* if the https addres has not been set, default is the same as non secure http */
+       if (!https_desc.local_address.sin_addr.s_addr) {
                https_desc.local_address.sin_addr = http_desc.local_address.sin_addr;
        }
        if (enabled) {
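Review bot: Replacing the have_sslbindaddr flag with `if (!https_desc.local_address.sin_addr.s_addr)` treats an explicitly configured `tlsbindaddr=0.0.0.0` — the example configs/http.conf.sample now documents — as "not set", so the HTTPS listener is silently rebound to the plain-HTTP bindaddr (127.0.0.1 in that sample) instead of INADDR_ANY, whereas before this change have_sslbindaddr=1 preserved the administrator's choice. The same regression is in the main/manager.c hunk at `if (!amis_desc.local_address.sin_addr.s_addr)`. Because ast_tls_read_conf() cannot set the flag, the simplest fix is to keep a local flag and set it when `!strcasecmp(v->name, "tlsbindaddr") || !strcasecmp(v->name, "sslbindaddr")` before the call, or to let ast_tls_read_conf() report which option it handled. If https_desc persists across reloads (its definition is outside the hunk), the s_addr test also cannot tell that a previously configured address was removed from the file. The new comment misspells "address" (`addres`).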
index a43f5518b019c9b79b575627e443865c3ea4ad10..97d573c078ea086b0d1b2f5b263524c4c6966671 100644 (file)
@@ -4719,9 +4719,6 @@ static int __init_manager(int reload)
        const char *val;
        char *cat = NULL;
        int newhttptimeout = 60;
-       int have_sslbindaddr = 0;
-       struct hostent *hp;
-       struct ast_hostent ahp;
        struct ast_manager_user *user = NULL;
        struct ast_variable *var;
        struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@@ -4804,27 +4801,12 @@ static int __init_manager(int reload)
 
        for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
                val = var->value;
-               if (!strcasecmp(var->name, "sslenable")) {
-                       ami_tls_cfg.enabled = ast_true(val);
-               } else if (!strcasecmp(var->name, "sslbindport")) {
-                       amis_desc.local_address.sin_port = htons(atoi(val));
-               } else if (!strcasecmp(var->name, "sslbindaddr")) {
-                       if ((hp = ast_gethostbyname(val, &ahp))) {
-                               memcpy(&amis_desc.local_address.sin_addr, hp->h_addr, sizeof(amis_desc.local_address.sin_addr));
-                               have_sslbindaddr = 1;
-                       } else {
-                               ast_log(LOG_WARNING, "Invalid bind address '%s'\n", val);
-                       }
-               } else if (!strcasecmp(var->name, "sslcert")) {
-                       ast_free(ami_tls_cfg.certfile);
-                       ami_tls_cfg.certfile = ast_strdup(val);
-               } else if (!strcasecmp(var->name, "sslprivatekey")) {
-                       ast_free(ami_tls_cfg.pvtfile);
-                       ami_tls_cfg.pvtfile = ast_strdup(val);
-               } else if (!strcasecmp(var->name, "sslcipher")) {
-                       ast_free(ami_tls_cfg.cipher);
-                       ami_tls_cfg.cipher = ast_strdup(val);
-               } else if (!strcasecmp(var->name, "enabled")) {
+
+               if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
+                       continue;
+               }
+
+               if (!strcasecmp(var->name, "enabled")) {
                        manager_enabled = ast_true(val);
                } else if (!strcasecmp(var->name, "block-sockets")) {
                        block_sockets = ast_true(val);
@@ -4856,7 +4838,8 @@ static int __init_manager(int reload)
        if (manager_enabled) {
                ami_desc.local_address.sin_family = AF_INET;
        }
-       if (!have_sslbindaddr) {
+       /* if the amis address has not been set, default is the same as non secure ami */
+       if (!amis_desc.local_address.sin_addr.s_addr) {
                amis_desc.local_address.sin_addr = ami_desc.local_address.sin_addr;
        }
        if (ami_tls_cfg.enabled) {
index 5837668de04e844f09d194a6f4c7527ab8bc9a23..4609438f5065c4726051d2e7b1734dabea24306e 100644 (file)
@@ -488,3 +488,39 @@ void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
        desc->accept_fd = -1;
        ast_debug(2, "Stopped server :: %s\n", desc->name);
 }
+
+int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
+{
+       if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
+               tls_cfg->enabled = ast_true(value) ? 1 : 0;
+               tls_desc->local_address.sin_family = AF_INET;
+       } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert")) {
+               ast_free(tls_cfg->certfile);
+               tls_cfg->certfile = ast_strdup(value);
+       } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
+               ast_free(tls_cfg->pvtfile);
+               tls_cfg->pvtfile = ast_strdup(value);
+       } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
+               ast_free(tls_cfg->cipher);
+               tls_cfg->cipher = ast_strdup(value);
+       } else if (!strcasecmp(varname, "tlscafile")) {
+               ast_free(tls_cfg->cafile);
+               tls_cfg->cafile = ast_strdup(value);
+       } else if (!strcasecmp(varname, "tlscapath")) {
+               ast_free(tls_cfg->capath);
+               tls_cfg->capath = ast_strdup(value);
+       } else if (!strcasecmp(varname, "tlsverifyclient")) {
+               ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
+       } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
+               ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
+       } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
+               if (ast_parse_arg(value, PARSE_INADDR, &tls_desc->local_address))
+                       ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
+       } else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
+               tls_desc->local_address.sin_port = htons(atoi(value));
+       } else {
+               return -1;
+       }
+
+       return 0;
+}
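Review bot: The tlsbindport/sslbindport branch uses `atoi(value)`, so a non-numeric or out-of-range value (`tlsbindport=abc`, `tlsbindport=70000`) silently becomes port 0 or a truncated 16-bit value through htons, while the adjacent tlsbindaddr branch does warn on bad input; since this function is now the single parser for HTTP, AMI and SIP it is the right place to validate the port once. Separately, the `Invalid %s '%s'` warning drops the line number and file name that the removed chan_sip.c branch reported via `v->lineno` and `config`, so a bad tlsbindaddr is now harder to locate across three config files; either accept a lineno/filename pair or let callers log on -1. The stricter port branch below assumes <stdlib.h> is already included, which the existing atoi() call requires.
```c
	/* … unchanged: tlsenable … tlsbindaddr branches … */
	} else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
		char *end = NULL;
		long port = strtol(value, &end, 10);
		/* reject non-numeric, trailing-garbage and out-of-range values instead of
		 * silently binding to port 0 (atoi) or a truncated 16-bit value (htons) */
		if (end == value || *end != '\0' || port < 1 || port > 65535) {
			ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
		} else {
			tls_desc->local_address.sin_port = htons((unsigned short) port);
		}
	} else {
	/* … unchanged: return -1 for non-TLS options, return 0 … */
```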