pjsip: Clarify certificate configuration for Websocket.
authorJoshua Colp <jcolp@digium.com>
Mon, 2 Jul 2018 23:44:53 +0000 (20:44 -0300)
committerJoshua Colp <jcolp@digium.com>
Tue, 3 Jul 2018 12:56:45 +0000 (07:56 -0500)
The Websocket transport uses the built-in HTTP server. As a result
the TLS configuration is done in http.conf and not in pjsip.conf.

This change adds a warning if this is configured in pjsip.conf and
also clarifies in the sample configuration file.

Change-Id: I187d994d328c3ed274b6754fd4c2a4955bdc6dd9

configs/samples/pjsip.conf.sample
res/res_pjsip.c
res/res_pjsip/config_transport.c

index 9b64001..5ec7a63 100644 (file)
 ;==========================TRANSPORT SECTION OPTIONS=========================
 ;[transport]
 ;  SYNOPSIS: SIP Transport
+;
 ;async_operations=1     ; Number of simultaneous Asynchronous Operations
                         ; (default: "1")
 ;bind=  ; IP Address and optional port to bind to for this transport (default:
         ; "")
+; Note that for the Websocket transport the TLS configuration is configured
+; in http.conf and is applied for all HTTPS traffic.
 ;ca_list_file=  ; File containing a list of certificates to read TLS ONLY
                 ; (default: "")
 ;ca_list_path=  ; Path to directory containing certificates to read TLS ONLY.
                 ; different, at least OpenSSL 1.0.2 is required.
                 ; (default: "")
 ;cipher=        ; Preferred cryptography cipher names TLS ONLY (default: "")
+;method=        ; Method of SSL transport TLS ONLY (default: "")
+;priv_key_file= ; Private key file TLS ONLY (default: "")
+;verify_client= ; Require verification of client certificate TLS ONLY (default:
+                ; "")
+;verify_server= ; Require verification of server certificate TLS ONLY (default:
+                ; "")
+;require_client_cert=   ; Require client certificate TLS ONLY (default: "")
 ;domain=        ; Domain the transport comes from (default: "")
 ;external_media_address=        ; External IP address to use in RTP handling
                                 ; (default: "")
                                 ; "")
 ;external_signaling_port=0      ; External port for SIP signalling (default:
                                 ; "0")
-;method=        ; Method of SSL transport TLS ONLY (default: "")
 ;local_net=     ; Network to consider local used for NAT purposes (default: "")
 ;password=      ; Password required for transport (default: "")
-;priv_key_file= ; Private key file TLS ONLY (default: "")
 ;protocol=udp   ; Protocol to use for SIP traffic (default: "udp")
-;require_client_cert=   ; Require client certificate TLS ONLY (default: "")
 ;type=  ; Must be of type transport (default: "")
-;verify_client= ; Require verification of client certificate TLS ONLY (default:
-                ; "")
-;verify_server= ; Require verification of server certificate TLS ONLY (default:
-                ; "")
 ;tos=0  ; Enable TOS for the signalling sent over this transport (default: "0")
 ;cos=0  ; Enable COS for the signalling sent over this transport (default: "0")
 ;websocket_write_timeout=100    ; Default write timeout to set on websocket
index 9a6b310..300c0de 100644 (file)
                                        <synopsis>IP Address and optional port to bind to for this transport</synopsis>
                                </configOption>
                                <configOption name="ca_list_file">
-                                       <synopsis>File containing a list of certificates to read (TLS ONLY)</synopsis>
+                                       <synopsis>File containing a list of certificates to read (TLS ONLY, not WSS)</synopsis>
                                </configOption>
                                <configOption name="ca_list_path">
-                                       <synopsis>Path to directory containing a list of certificates to read (TLS ONLY)</synopsis>
+                                       <synopsis>Path to directory containing a list of certificates to read (TLS ONLY, not WSS)</synopsis>
                                </configOption>
                                <configOption name="cert_file">
-                                       <synopsis>Certificate file for endpoint (TLS ONLY)</synopsis>
+                                       <synopsis>Certificate file for endpoint (TLS ONLY, not WSS)</synopsis>
                                        <description><para>
                                                A path to a .crt or .pem file can be provided.  However, only
                                                the certificate is read from the file, not the private key.
                                        </para></description>
                                </configOption>
                                <configOption name="cipher">
-                                       <synopsis>Preferred cryptography cipher names (TLS ONLY)</synopsis>
+                                       <synopsis>Preferred cryptography cipher names (TLS ONLY, not WSS)</synopsis>
                                        <description>
                                        <para>Comma separated list of cipher names or numeric equivalents.
                                                Numeric equivalents can be either decimal or hexadecimal (0xX).
                                        <synopsis>External port for SIP signalling</synopsis>
                                </configOption>
                                <configOption name="method">
-                                       <synopsis>Method of SSL transport (TLS ONLY)</synopsis>
+                                       <synopsis>Method of SSL transport (TLS ONLY, not WSS)</synopsis>
                                        <description>
                                                <enumlist>
                                                        <enum name="default">
                                        <synopsis>Password required for transport</synopsis>
                                </configOption>
                                <configOption name="priv_key_file">
-                                       <synopsis>Private key file (TLS ONLY)</synopsis>
+                                       <synopsis>Private key file (TLS ONLY, not WSS)</synopsis>
                                </configOption>
                                <configOption name="protocol" default="udp">
                                        <synopsis>Protocol to use for SIP traffic</synopsis>
                                        </description>
                                </configOption>
                                <configOption name="require_client_cert" default="false">
-                                       <synopsis>Require client certificate (TLS ONLY)</synopsis>
+                                       <synopsis>Require client certificate (TLS ONLY, not WSS)</synopsis>
                                </configOption>
                                <configOption name="type">
                                        <synopsis>Must be of type 'transport'.</synopsis>
                                </configOption>
                                <configOption name="verify_client" default="false">
-                                       <synopsis>Require verification of client certificate (TLS ONLY)</synopsis>
+                                       <synopsis>Require verification of client certificate (TLS ONLY, not WSS)</synopsis>
                                </configOption>
                                <configOption name="verify_server" default="false">
-                                       <synopsis>Require verification of server certificate (TLS ONLY)</synopsis>
+                                       <synopsis>Require verification of server certificate (TLS ONLY, not WSS)</synopsis>
                                </configOption>
                                <configOption name="tos" default="false">
                                        <synopsis>Enable TOS for the signalling sent over this transport</synopsis>
index 20324ed..13a9ff8 100644 (file)
@@ -651,6 +651,9 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
        } else if ((transport->type == AST_TRANSPORT_WS) || (transport->type == AST_TRANSPORT_WSS)) {
                if (transport->cos || transport->tos) {
                        ast_log(LOG_WARNING, "TOS and COS values ignored for websocket transport\n");
+               } else if (!ast_strlen_zero(transport->ca_list_file) || !ast_strlen_zero(transport->ca_list_path) ||
+                       !ast_strlen_zero(transport->cert_file) || !ast_strlen_zero(transport->privkey_file)) {
+                       ast_log(LOG_WARNING, "TLS certificate values ignored for websocket transport as they are configured in http.conf\n");
                }
                res = PJ_SUCCESS;
        }