Consistent SSL/TLS options across conf files
authorDavid Vossel <dvossel@digium.com>
Wed, 29 Apr 2009 14:39:48 +0000 (14:39 +0000)
committerDavid Vossel <dvossel@digium.com>
Wed, 29 Apr 2009 14:39:48 +0000 (14:39 +0000)
ast_tls_read_conf() is a new API call for handling SSL/TLS options across all conf files.  Before this change, SSL/TLS options were not consistent: http.conf and manager.conf required the 'ssl' prefix while sip.conf used options with the 'tls' prefix.  Although the options had different names in different conf files, they all did exactly the same thing.  Now, instead of mixing 'ssl' and 'tls' prefixes depending on which conf file you are in, all SSL/TLS options use the 'tls' prefix.  For example, 'sslenable' in http.conf and manager.conf is now 'tlsenable', which matches what already existed in sip.conf.  Since this has the potential to break backwards compatibility, the previous options with the 'ssl' prefix still work, but they are no longer documented in the sample .conf files.  The change is noted in the CHANGES file.

Review: http://reviewboard.digium.com/r/237/

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@191028 65c4cc65-6c06-0410-ace0-fbb531ad65f3

CHANGES
channels/chan_sip.c
configs/http.conf.sample
configs/manager.conf.sample
include/asterisk/tcptls.h
main/http.c
main/manager.c
main/tcptls.c

diff --git a/CHANGES b/CHANGES
index bb9239e..69debbd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -107,6 +107,12 @@ Asterisk Manager Interface
  * sslprivatekey option added to manager.conf and http.conf.  Adds the ability
    to specify a separate .pem file to hold a private key.  By default sslcert
    is used to hold both the public and private key.
+ * Options in manager.conf and http.conf with the 'ssl' prefix have been replaced
+   for options containing the 'tls' prefix.  For example, 'sslenable' is now
+   'tlsenable'.  This has been done in effort to keep ssl and tls options consistent
+   across all .conf files. All affected sample.conf files have been modified to
+   reflect this change.  Previous options such as 'sslenable' still work,
+   but options with the 'tls' prefix are preferred.
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 1.6.1 to Asterisk 1.6.2  -------------
 ------------------------------------------------------------------------------
index e904b27..d4aab4a 100644 (file)
@@ -23943,13 +23943,18 @@ static int reload_config(enum channelreloadreason reason)
                if (!ast_jb_read_conf(&global_jbconf, v->name, v->value))
                        continue;
 
+               /* handle tls conf */
+               if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
+                       continue;
+               }
+
                if (!strcasecmp(v->name, "context")) {
                        ast_copy_string(sip_cfg.default_context, v->value, sizeof(sip_cfg.default_context));
                } else if (!strcasecmp(v->name, "subscribecontext")) {
                        ast_copy_string(sip_cfg.default_subscribecontext, v->value, sizeof(sip_cfg.default_subscribecontext));
-               } else if (!strcasecmp(v->name, "callcounter")) {
+               } else if (!strcasecmp(v->name, "callcounter")) {
                        global_callcounter = ast_true(v->value) ? 1 : 0;
-               } else if (!strcasecmp(v->name, "allowguest")) {
+               } else if (!strcasecmp(v->name, "allowguest")) {
                        sip_cfg.allowguest = ast_true(v->value) ? 1 : 0;
                } else if (!strcasecmp(v->name, "realm")) {
                        ast_copy_string(sip_cfg.realm, v->value, sizeof(sip_cfg.realm));
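Review bot: The `ast_tls_read_conf()` call added on L44 loses the file/line context that the handler it replaces printed for a bad `tlsbindaddr` (`Invalid %s '%s' at line %d of %s` with `v->lineno` and `config`); the shared helper only receives the name and value and returns 0 even when its parse failed, so the caller cannot log it either. Consider extending the helper to take `v->lineno` and the config name (or a caller-supplied context string) so a mis-typed bind address in a large sip.conf stays easy to locate. Note too that the helper now accepts the `ssl*` spellings in sip.conf, where they were never valid before; harmless, but worth a word in CHANGES. reload_config's body continues outside this hunk.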
@@ -23967,7 +23972,7 @@ static int reload_config(enum channelreloadreason reason)
                } else if (!strcasecmp(v->name, "allowtransfer")) {
                        sip_cfg.allowtransfer = ast_true(v->value) ? TRANSFER_OPENFORALL : TRANSFER_CLOSED;
                } else if (!strcasecmp(v->name, "rtcachefriends")) {
-                       ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);  
+                       ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);
                } else if (!strcasecmp(v->name, "rtsavesysname")) {
                        sip_cfg.rtsave_sysname = ast_true(v->value);
                } else if (!strcasecmp(v->name, "rtupdate")) {
@@ -23990,7 +23995,7 @@ static int reload_config(enum channelreloadreason reason)
                        while ((trans = strsep(&val, ","))) {
                                trans = ast_skip_blanks(trans);
 
-                               if (!strncasecmp(trans, "udp", 3)) 
+                               if (!strncasecmp(trans, "udp", 3))
                                        default_transports |= SIP_TRANSPORT_UDP;
                                else if (!strncasecmp(trans, "tcp", 3))
                                        default_transports |= SIP_TRANSPORT_TCP;
@@ -24011,31 +24016,6 @@ static int reload_config(enum channelreloadreason reason)
                                ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
                        sip_tcp_desc.local_address.sin_family = family;
                        ast_debug(2, "Setting TCP socket address to %s\n", v->value);
-               } else if (!strcasecmp(v->name, "tlsenable")) {
-                       default_tls_cfg.enabled = ast_true(v->value) ? TRUE : FALSE;
-                       sip_tls_desc.local_address.sin_family = AF_INET;
-               } else if (!strcasecmp(v->name, "tlscertfile")) {
-                       ast_free(default_tls_cfg.certfile);
-                       default_tls_cfg.certfile = ast_strdup(v->value);
-               } else if (!strcasecmp(v->name, "tlsprivatekey")) {
-                       ast_free(default_tls_cfg.pvtfile);
-                       default_tls_cfg.pvtfile = ast_strdup(v->value);
-               } else if (!strcasecmp(v->name, "tlscipher")) {
-                       ast_free(default_tls_cfg.cipher);
-                       default_tls_cfg.cipher = ast_strdup(v->value);
-               } else if (!strcasecmp(v->name, "tlscafile")) {
-                       ast_free(default_tls_cfg.cafile);
-                       default_tls_cfg.cafile = ast_strdup(v->value);
-               } else if (!strcasecmp(v->name, "tlscapath")) {
-                       ast_free(default_tls_cfg.capath);
-                       default_tls_cfg.capath = ast_strdup(v->value);
-               } else if (!strcasecmp(v->name, "tlsverifyclient")) {
-                       ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_VERIFY_CLIENT);       
-               } else if (!strcasecmp(v->name, "tlsdontverifyserver")) {
-                       ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_DONT_VERIFY_SERVER);  
-               } else if (!strcasecmp(v->name, "tlsbindaddr")) {
-                       if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.local_address))
-                               ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
                } else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) {
                        global_dynamic_exclude_static = ast_true(v->value);
                } else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
@@ -24052,7 +24032,7 @@ static int reload_config(enum channelreloadreason reason)
                                i = 0;
                        ast_set2_flag(&global_flags[1], i || ast_true(v->value), SIP_PAGE2_RTAUTOCLEAR);
                } else if (!strcasecmp(v->name, "usereqphone")) {
-                       ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);   
+                       ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);
                } else if (!strcasecmp(v->name, "relaxdtmf")) {
                        global_relaxdtmf = ast_true(v->value);
                } else if (!strcasecmp(v->name, "vmexten")) {
index 9d37697..a47a2d6 100644 (file)
@@ -46,17 +46,16 @@ bindaddr=127.0.0.1
 ;redirect = / /static/config/cfgbasic.html
 ;
 ; HTTPS support. In addition to enabled=yes, you need to
-; explicitly enable ssl, define the port to use,
+; explicitly enable tls, define the port to use,
 ; and have a certificate somewhere.
-; sslenable=yes                ; enable ssl - default no.
-; sslbindport=4433     ; port to use - default is 8089
-; sslbindaddr=0.0.0.0  ; address to bind to - default is bindaddr.
-;
-;
-; sslcert=</path/to/certificate.pem>   ; path to the certificate file (*.pem) only.
-; sslprivatekey=</path/to/private.pem>    ; path to private key file (*.pem) only.
-; If no path is given for sslcert or sslprivatekey, default is to look in current
-; directory. If no sslprivatekey is given, default is to search sslcert for private key.
+;tlsenable=yes          ; enable tls - default no.
+;tlsbindport=4433       ; port to use - default is 8089
+;tlsbindaddr=0.0.0.0    ; address to bind to - default is bindaddr.
+;
+;tlscertfile=</path/to/certificate.pem>  ; path to the certificate file (*.pem) only.
+;tlsprivatekey=</path/to/private.pem>    ; path to private key file (*.pem) only.
+; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
+; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
 ;
 ; To produce a certificate you can e.g. use openssl. This places both the cert and
 ; private in same .pem file.
index 39585c1..425ce4c 100644 (file)
@@ -39,15 +39,14 @@ bindaddr = 0.0.0.0
 ;
 ;      openssl s_client -connect my_host:5039
 ;
-;   sslenable=no               ; set to YES to enable it
-;   sslbindport=5039           ; the port to bind to
-;   sslbindaddr=0.0.0.0                ; address to bind to, default to bindaddr
-;   sslcert=/tmp/asterisk.pem  ; path to the certificate.
-;   sslprivatekey=/tmp/private.pem ; path to the private key, if no private given,
-                                   ; if no sslprivatekey is given, default is to search
-                                                                  ; sslcert for private key.
-;   sslcipher=<cipher string>   ; string specifying which SSL ciphers to use or not use
-
+;tlsenable=no          ; set to YES to enable it
+;tlsbindport=5039              ; the port to bind to
+;tlsbindaddr=0.0.0.0           ; address to bind to, default to bindaddr
+;tlscertfile=/tmp/asterisk.pem ; path to the certificate.
+;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
+                                ; if no tlsprivatekey is given, default is to search
+                                                               ; tlscertfile for private key.
+;tlscipher=<cipher string>      ; string specifying which SSL ciphers to use or not use
 ;
 ;allowmultiplelogin = yes              ; IF set to no, rejects manager logins that are already in use.
 ;                               ; The default is yes.
index e811ab2..9496d97 100644 (file)
@@ -174,6 +174,11 @@ void ast_tcptls_server_start(struct ast_tcptls_session_args *desc);
 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc);
 int ast_ssl_setup(struct ast_tls_config *cfg);
 
+/*!
+ * \brief Used to parse conf files containing tls/ssl options.
+ */
+int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value);
+
 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, const void *buf, size_t count);
 
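Review bot: The new prototype's `\brief` on L178 does not state the return contract, which is the one thing every caller in this commit depends on (`if (!ast_tls_read_conf(...)) continue;`). I would expand the Doxygen block to say that it returns 0 when `varname` is a recognised TLS option and has been applied to `tls_cfg` or `tls_desc` — including when the value was invalid and only a warning was logged — and -1 when `varname` is not a TLS option and the caller must handle it; add `\param` lines noting that `tls_desc` receives the bind address/port (and has `sin_family` set to AF_INET when `tlsenable`/`sslenable` is seen), and that the legacy `ssl*` spellings are accepted as aliases.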
index 595d6cb..f99c03e 100644 (file)
@@ -983,7 +983,6 @@ static int __ast_http_load(int reload)
        struct hostent *hp;
        struct ast_hostent ahp;
        char newprefix[MAX_PREFIX] = "";
-       int have_sslbindaddr = 0;
        struct http_uri_redirect *redirect;
        struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
 
@@ -1024,32 +1023,18 @@ static int __ast_http_load(int reload)
        if (cfg) {
                v = ast_variable_browse(cfg, "general");
                for (; v; v = v->next) {
+
+                       /* handle tls conf */
+                       if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+                               continue;
+                       }
+
                        if (!strcasecmp(v->name, "enabled")) {
                                enabled = ast_true(v->value);
-                       } else if (!strcasecmp(v->name, "sslenable")) {
-                               http_tls_cfg.enabled = ast_true(v->value);
-                       } else if (!strcasecmp(v->name, "sslbindport")) {
-                               https_desc.local_address.sin_port = htons(atoi(v->value));
-                       } else if (!strcasecmp(v->name, "sslcert")) {
-                               ast_free(http_tls_cfg.certfile);
-                               http_tls_cfg.certfile = ast_strdup(v->value);
-                       } else if (!strcasecmp(v->name, "sslprivatekey")) {
-                               ast_free(http_tls_cfg.pvtfile);
-                               http_tls_cfg.pvtfile = ast_strdup(v->value);
-                       } else if (!strcasecmp(v->name, "sslcipher")) {
-                               ast_free(http_tls_cfg.cipher);
-                               http_tls_cfg.cipher = ast_strdup(v->value);
                        } else if (!strcasecmp(v->name, "enablestatic")) {
                                newenablestatic = ast_true(v->value);
                        } else if (!strcasecmp(v->name, "bindport")) {
                                http_desc.local_address.sin_port = htons(atoi(v->value));
-                       } else if (!strcasecmp(v->name, "sslbindaddr")) {
-                               if ((hp = ast_gethostbyname(v->value, &ahp))) {
-                                       memcpy(&https_desc.local_address.sin_addr, hp->h_addr, sizeof(https_desc.local_address.sin_addr));
-                                       have_sslbindaddr = 1;
-                               } else {
-                                       ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
-                               }
                        } else if (!strcasecmp(v->name, "bindaddr")) {
                                if ((hp = ast_gethostbyname(v->value, &ahp))) {
                                        memcpy(&http_desc.local_address.sin_addr, hp->h_addr, sizeof(http_desc.local_address.sin_addr));
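Review bot: The removed `sslbindaddr` branch resolved its value through `ast_gethostbyname()`, whereas the helper now invoked on L200 parses `tlsbindaddr`/`sslbindaddr` with `ast_parse_arg(..., PARSE_INADDR, ...)`; whether that mode also resolves hostnames, and whether it honours a trailing `:port` that would overwrite `sin_port` regardless of `tlsbindport` order, is not visible in this diff. If the accepted syntax differs, an existing `sslbindaddr=<hostname>` configuration will start failing on upgrade despite the CHANGES note that old options "still work", so please confirm and, if needed, document the difference next to that note. `hp`/`ahp` remain in use for the plain `bindaddr` branch, so they are correctly kept. __ast_http_load's body continues beyond this hunk.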
@@ -1072,8 +1057,8 @@ static int __ast_http_load(int reload)
 
                ast_config_destroy(cfg);
        }
-
-       if (!have_sslbindaddr) {
+       /* if the https addres has not been set, default is the same as non secure http */
+       if (!https_desc.local_address.sin_addr.s_addr) {
                https_desc.local_address.sin_addr = http_desc.local_address.sin_addr;
        }
        if (enabled) {
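Review bot: The fallback on L240 tests `sin_addr.s_addr == 0`, which cannot distinguish "tlsbindaddr not set" from an explicit `tlsbindaddr=0.0.0.0` — the very value the accompanying http.conf.sample shows beneath its `bindaddr=127.0.0.1` default — so an administrator asking for HTTPS on all interfaces silently gets it on loopback, while the reverse (`bindaddr=0.0.0.0`, `tlsbindaddr=127.0.0.1`) works. Because `https_desc` is static, an address set on an earlier load also survives a reload that removes the option, unless `https_desc.local_address` is zeroed earlier in `__ast_http_load` (not visible here). The `have_sslbindaddr` flag this replaces covered both cases; the cheapest restoration is a local `have_tlsbindaddr` set in the parse loop when `ast_tls_read_conf()` returns 0 and `v->name` is `tlsbindaddr`/`sslbindaddr`, with `if (!have_tlsbindaddr)` here. __ast_http_load continues past this hunk.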
index a43f551..97d573c 100644 (file)
@@ -4719,9 +4719,6 @@ static int __init_manager(int reload)
        const char *val;
        char *cat = NULL;
        int newhttptimeout = 60;
-       int have_sslbindaddr = 0;
-       struct hostent *hp;
-       struct ast_hostent ahp;
        struct ast_manager_user *user = NULL;
        struct ast_variable *var;
        struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@@ -4804,27 +4801,12 @@ static int __init_manager(int reload)
 
        for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
                val = var->value;
-               if (!strcasecmp(var->name, "sslenable")) {
-                       ami_tls_cfg.enabled = ast_true(val);
-               } else if (!strcasecmp(var->name, "sslbindport")) {
-                       amis_desc.local_address.sin_port = htons(atoi(val));
-               } else if (!strcasecmp(var->name, "sslbindaddr")) {
-                       if ((hp = ast_gethostbyname(val, &ahp))) {
-                               memcpy(&amis_desc.local_address.sin_addr, hp->h_addr, sizeof(amis_desc.local_address.sin_addr));
-                               have_sslbindaddr = 1;
-                       } else {
-                               ast_log(LOG_WARNING, "Invalid bind address '%s'\n", val);
-                       }
-               } else if (!strcasecmp(var->name, "sslcert")) {
-                       ast_free(ami_tls_cfg.certfile);
-                       ami_tls_cfg.certfile = ast_strdup(val);
-               } else if (!strcasecmp(var->name, "sslprivatekey")) {
-                       ast_free(ami_tls_cfg.pvtfile);
-                       ami_tls_cfg.pvtfile = ast_strdup(val);
-               } else if (!strcasecmp(var->name, "sslcipher")) {
-                       ast_free(ami_tls_cfg.cipher);
-                       ami_tls_cfg.cipher = ast_strdup(val);
-               } else if (!strcasecmp(var->name, "enabled")) {
+
+               if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
+                       continue;
+               }
+
+               if (!strcasecmp(var->name, "enabled")) {
                        manager_enabled = ast_true(val);
                } else if (!strcasecmp(var->name, "block-sockets")) {
                        block_sockets = ast_true(val);
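Review bot: Routing manager.conf through the helper on L281 means AMI now silently accepts `tlscafile`, `tlscapath`, `tlsverifyclient` and `tlsdontverifyserver`, none of which the removed code recognised and none of which the updated manager.conf.sample mentions. `tlsverifyclient=yes` only sets `AST_SSL_VERIFY_CLIENT` in `ami_tls_cfg.flags`; whether the AMI accept path actually enforces client-certificate verification is outside this diff, and an administrator who reads the shared option list could mistake it for an access control. Either document that these options are honoured for AMI/HTTP, or have the callers reject them, so the accepted-but-ignored case cannot arise. __init_manager continues beyond this hunk.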
@@ -4856,7 +4838,8 @@ static int __init_manager(int reload)
        if (manager_enabled) {
                ami_desc.local_address.sin_family = AF_INET;
        }
-       if (!have_sslbindaddr) {
+       /* if the amis address has not been set, default is the same as non secure ami */
+       if (!amis_desc.local_address.sin_addr.s_addr) {
                amis_desc.local_address.sin_addr = ami_desc.local_address.sin_addr;
        }
        if (ami_tls_cfg.enabled) {
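Review bot: The check on L295 conflates "no `tlsbindaddr` given" with an explicit `tlsbindaddr=0.0.0.0`, so with e.g. `bindaddr = 127.0.0.1` an admin who wants the TLS AMI on all interfaces gets it on loopback instead. `amis_desc` is also static, so a previously configured address is kept across a reload that drops the option unless `amis_desc.local_address` is cleared earlier in `__init_manager` (not shown). Keep a local flag set in the parse loop when `ast_tls_read_conf()` consumes `tlsbindaddr`/`sslbindaddr` and test that flag here, as the removed `have_sslbindaddr` did. __init_manager continues past this hunk.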
index 5837668..4609438 100644 (file)
@@ -488,3 +488,39 @@ void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
        desc->accept_fd = -1;
        ast_debug(2, "Stopped server :: %s\n", desc->name);
 }
+
+int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
+{
+       if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
+               tls_cfg->enabled = ast_true(value) ? 1 : 0;
+               tls_desc->local_address.sin_family = AF_INET;
+       } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert")) {
+               ast_free(tls_cfg->certfile);
+               tls_cfg->certfile = ast_strdup(value);
+       } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
+               ast_free(tls_cfg->pvtfile);
+               tls_cfg->pvtfile = ast_strdup(value);
+       } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
+               ast_free(tls_cfg->cipher);
+               tls_cfg->cipher = ast_strdup(value);
+       } else if (!strcasecmp(varname, "tlscafile")) {
+               ast_free(tls_cfg->cafile);
+               tls_cfg->cafile = ast_strdup(value);
+       } else if (!strcasecmp(varname, "tlscapath")) {
+               ast_free(tls_cfg->capath);
+               tls_cfg->capath = ast_strdup(value);
+       } else if (!strcasecmp(varname, "tlsverifyclient")) {
+               ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
+       } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
+               ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
+       } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
+               if (ast_parse_arg(value, PARSE_INADDR, &tls_desc->local_address))
+                       ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
+       } else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
+               tls_desc->local_address.sin_port = htons(atoi(value));
+       } else {
+               return -1;
+       }
+
+       return 0;
+}
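Review bot: `tlsbindport`/`sslbindport` on L332-L333 pass the value through `atoi()` with no validation, so a typo (`tlsbindport=5O61`), an empty value, or an out-of-range number silently becomes port 0 (a kernel-chosen ephemeral port) or a wrapped 16-bit value, and the TLS listener comes up somewhere the administrator did not intend with no warning — the address branch directly above already warns on bad input, the port branch should too. The fix below rejects anything that is not a complete number in 1..65535; if `ast_parse_arg` has an integer/range mode in this tree (I believe it does, but it is not visible here) that would be the more consistent choice. Separately, the header comment should say which spellings are aliases: the `ssl*` names cover only the options that previously existed under that prefix, while `tlscafile`, `tlscapath`, `tlsverifyclient` and `tlsdontverifyserver` are now parsed for every caller, including http.conf and manager.conf, where they were never accepted before.
```c
	/* … unchanged: tlsenable through tlsbindaddr branches … */
	} else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
		char *end = NULL;
		long port = strtol(value, &end, 10);

		/* Refuse anything that is not a complete, in-range port number rather than
		 * letting atoi() silently turn it into port 0 or a wrapped 16-bit value. */
		if (end == value || *end != '\0' || port < 1 || port > 65535) {
			ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
		} else {
			tls_desc->local_address.sin_port = htons((unsigned short) port);
		}
	} else {
		return -1;
	}
	/* … unchanged: return 0 … */
```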