* Removes references to tlsbindport from http.conf.sample and manager.conf.sample
* Properly bind to port specified in tlsbindaddr, using the default port if specified.
* On a reload, properly close socket if the service has been disabled.
A note has been added to UPGRADE.txt to indicate how ports must be set for TLS.
(closes issue ASTERISK-16959)
reported by Olaf Holthausen
(closes issue ASTERISK-19201)
reported by Chris Mylonas
(closes issue ASTERISK-19204)
reported by Chris Mylonas
Review: https://reviewboard.asterisk.org/r/1709
........
Merged revisions 353770 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 353820 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@353821
65c4cc65-6c06-0410-ace0-
fbb531ad65f3
; explicitly enable tls, define the port to use,
; and have a certificate somewhere.
;tlsenable=yes ; enable tls - default no.
; explicitly enable tls, define the port to use,
; and have a certificate somewhere.
;tlsenable=yes ; enable tls - default no.
-;tlsbindport=4433 ; port to use - default is 8089
-;tlsbindaddr=0.0.0.0 ; address to bind to - default is bindaddr.
+;tlsbindaddr=0.0.0.0:8089 ; address and port to bind to - default is bindaddr and port 8089.
;
;tlscertfile=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
;tlsprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
;
;tlscertfile=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
;tlsprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
; openssl s_client -connect my_host:5039
;
;tlsenable=no ; set to YES to enable it
; openssl s_client -connect my_host:5039
;
;tlsenable=no ; set to YES to enable it
-;tlsbindport=5039 ; the port to bind to
-;tlsbindaddr=0.0.0.0 ; address to bind to, default to bindaddr
+;tlsbindaddr=0.0.0.0:5039 ; address and port to bind to, default to bindaddr and port 5039
;tlscertfile=/tmp/asterisk.pem ; path to the certificate.
;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
; if no tlsprivatekey is given, default is to search
;tlscertfile=/tmp/asterisk.pem ; path to the certificate.
;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
; if no tlsprivatekey is given, default is to search
#define AMI_VERSION "1.2"
#define DEFAULT_MANAGER_PORT 5038 /* Default port for Asterisk management via TCP */
#define AMI_VERSION "1.2"
#define DEFAULT_MANAGER_PORT 5038 /* Default port for Asterisk management via TCP */
+#define DEFAULT_MANAGER_TLS_PORT 5039 /* Default port for Asterisk management via TCP */
/*! \name Constant return values
*\note Currently, returning anything other than zero causes the session to terminate.
/*! \name Constant return values
*\note Currently, returning anything other than zero causes the session to terminate.
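Review bot: The comment on the new `DEFAULT_MANAGER_TLS_PORT` define is copied from the line above and still reads "via TCP", so it no longer distinguishes the TLS listener's default from the plain one; suggest `#define DEFAULT_MANAGER_TLS_PORT 5039 /* Default port for Asterisk management via TLS */`. This header is where both defaults are declared, so the copied comment is what a reader looking up the TLS port will see first.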
uint32_t bindport = DEFAULT_PORT;
struct ast_sockaddr *addrs = NULL;
int num_addrs = 0;
uint32_t bindport = DEFAULT_PORT;
struct ast_sockaddr *addrs = NULL;
int num_addrs = 0;
+ int http_tls_was_enabled = 0;
cfg = ast_config_load2("http.conf", "http", config_flags);
if (cfg == CONFIG_STATUS_FILEMISSING || cfg == CONFIG_STATUS_FILEUNCHANGED || cfg == CONFIG_STATUS_FILEINVALID) {
return 0;
}
cfg = ast_config_load2("http.conf", "http", config_flags);
if (cfg == CONFIG_STATUS_FILEMISSING || cfg == CONFIG_STATUS_FILEUNCHANGED || cfg == CONFIG_STATUS_FILEINVALID) {
return 0;
}
+ http_tls_was_enabled = (reload && http_tls_cfg.enabled);
+
http_tls_cfg.enabled = 0;
if (http_tls_cfg.certfile) {
ast_free(http_tls_cfg.certfile);
http_tls_cfg.enabled = 0;
if (http_tls_cfg.certfile) {
ast_free(http_tls_cfg.certfile);
}
AST_RWLIST_UNLOCK(&uri_redirects);
}
AST_RWLIST_UNLOCK(&uri_redirects);
+ ast_sockaddr_setnull(&https_desc.local_address);
+
if (cfg) {
v = ast_variable_browse(cfg, "general");
for (; v; v = v->next) {
if (cfg) {
v = ast_variable_browse(cfg, "general");
for (; v; v = v->next) {
ast_sockaddr_set_port(&https_desc.local_address, DEFAULT_TLS_PORT);
}
}
ast_sockaddr_set_port(&https_desc.local_address, DEFAULT_TLS_PORT);
}
}
-
- if (enabled && !ast_sockaddr_isnull(&https_desc.local_address)) {
+ if (http_tls_was_enabled && !http_tls_cfg.enabled) {
+ ast_tcptls_server_stop(&https_desc);
+ } else if (http_tls_cfg.enabled && !ast_sockaddr_isnull(&https_desc.local_address)) {
/* We can get here either because a TLS-specific address was specified
* or because we copied the non-TLS address here. In the case where
* we read an explicit address from the config, there may have been
/* We can get here either because a TLS-specific address was specified
* or because we copied the non-TLS address here. In the case where
* we read an explicit address from the config, there may have been
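Review bot: The start condition on the new `else if` line gates the HTTPS listener on `http_tls_cfg.enabled` alone, whereas the removed line gated it on `enabled`; if `enabled` is still the general `enabled=` flag from http.conf (set earlier in this function, outside the hunk), a configuration with `enabled=no` and `tlsenable=yes` would now bring up a TLS listener that it previously did not. If that is intended it belongs in the UPGRADE.txt note next to the port change; otherwise keep both guards, `} else if (enabled && http_tls_cfg.enabled && !ast_sockaddr_isnull(&https_desc.local_address)) {`. The new stop branch only covers TLS going from enabled to disabled; whether the listener is also closed when the whole HTTP service is disabled on reload is not visible in this hunk. The enclosing function continues past both ends of the hunk.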
char a1_hash[256];
struct sockaddr_in ami_desc_local_address_tmp = { 0, };
struct sockaddr_in amis_desc_local_address_tmp = { 0, };
char a1_hash[256];
struct sockaddr_in ami_desc_local_address_tmp = { 0, };
struct sockaddr_in amis_desc_local_address_tmp = { 0, };
+ int tls_was_enabled = 0;
/* default values */
ast_copy_string(global_realm, S_OR(ast_config_AST_SYSTEM_NAME, DEFAULT_REALM), sizeof(global_realm));
/* default values */
ast_copy_string(global_realm, S_OR(ast_config_AST_SYSTEM_NAME, DEFAULT_REALM), sizeof(global_realm));
- memset(&ami_desc.local_address, 0, sizeof(struct sockaddr_in));
- memset(&amis_desc.local_address, 0, sizeof(amis_desc.local_address));
- amis_desc_local_address_tmp.sin_port = htons(5039);
+ ast_sockaddr_setnull(&ami_desc.local_address);
+ ast_sockaddr_setnull(&amis_desc.local_address);
+
+ ami_desc_local_address_tmp.sin_family = AF_INET;
+ amis_desc_local_address_tmp.sin_family = AF_INET;
+
ami_desc_local_address_tmp.sin_port = htons(DEFAULT_MANAGER_PORT);
ami_desc_local_address_tmp.sin_port = htons(DEFAULT_MANAGER_PORT);
+ tls_was_enabled = (reload && ami_tls_cfg.enabled);
+
ami_tls_cfg.enabled = 0;
if (ami_tls_cfg.certfile) {
ast_free(ami_tls_cfg.certfile);
ami_tls_cfg.enabled = 0;
if (ami_tls_cfg.certfile) {
ast_free(ami_tls_cfg.certfile);
- ami_desc_local_address_tmp.sin_family = AF_INET;
- amis_desc_local_address_tmp.sin_family = AF_INET;
+ ast_sockaddr_to_sin(&amis_desc.local_address, &amis_desc_local_address_tmp);
/* if the amis address has not been set, default is the same as non secure ami */
if (!amis_desc_local_address_tmp.sin_addr.s_addr) {
/* if the amis address has not been set, default is the same as non secure ami */
if (!amis_desc_local_address_tmp.sin_addr.s_addr) {
ami_desc_local_address_tmp.sin_addr;
}
ami_desc_local_address_tmp.sin_addr;
}
+ if (!amis_desc_local_address_tmp.sin_port) {
+ amis_desc_local_address_tmp.sin_port = htons(DEFAULT_MANAGER_TLS_PORT);
+ }
+
if (manager_enabled) {
ast_sockaddr_from_sin(&ami_desc.local_address, &ami_desc_local_address_tmp);
ast_sockaddr_from_sin(&amis_desc.local_address, &amis_desc_local_address_tmp);
if (manager_enabled) {
ast_sockaddr_from_sin(&ami_desc.local_address, &ami_desc_local_address_tmp);
ast_sockaddr_from_sin(&amis_desc.local_address, &amis_desc_local_address_tmp);
manager_event(EVENT_FLAG_SYSTEM, "Reload", "Module: Manager\r\nStatus: %s\r\nMessage: Manager reload Requested\r\n", manager_enabled ? "Enabled" : "Disabled");
ast_tcptls_server_start(&ami_desc);
manager_event(EVENT_FLAG_SYSTEM, "Reload", "Module: Manager\r\nStatus: %s\r\nMessage: Manager reload Requested\r\n", manager_enabled ? "Enabled" : "Disabled");
ast_tcptls_server_start(&ami_desc);
- if (ast_ssl_setup(amis_desc.tls_cfg)) {
+ if (tls_was_enabled && !ami_tls_cfg.enabled) {
+ ast_tcptls_server_stop(&amis_desc);
+ } else if (ast_ssl_setup(amis_desc.tls_cfg)) {
ast_tcptls_server_start(&amis_desc);
}
return 0;
ast_tcptls_server_start(&amis_desc);
}
return 0;
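Review bot: The added `ast_sockaddr_to_sin(&amis_desc.local_address, &amis_desc_local_address_tmp)` runs after `amis_desc.local_address` was nulled at the top of the block, so whenever `tlsbindaddr` is absent the copy is made from a null address; if `ast_sockaddr_to_sin` zeroes its destination in that case (as I recall it does), the `sin_family = AF_INET` assigned a few lines earlier is lost and the address/port fallbacks below leave `sin_family` as 0 for the later `ast_sockaddr_from_sin` and bind. Assigning the family after the copy rather than before would keep the default path robust: move `amis_desc_local_address_tmp.sin_family = AF_INET;` to just before the `if (!amis_desc_local_address_tmp.sin_addr.s_addr)` check. Separately, the new stop path only handles TLS going from enabled to disabled while `manager_enabled` stays set; if `manager_enabled` itself is turned off on reload, nothing in this hunk stops either listener, so that should be confirmed against the part of the function outside the hunk. The function begins before this hunk.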