From 0f4489dc0f76b92d95592cc0b726cb98f781881e Mon Sep 17 00:00:00 2001
From: Mark Michelson
Date: Thu, 2 Feb 2012 18:55:05 +0000
Subject: [PATCH] Fix TLS port binding behavior as well as reload behavior:

* Removes references to tlsbindport from http.conf.sample and manager.conf.sample
* Properly bind to port specified in tlsbindaddr, using the default port if specified.
* On a reload, properly close socket if the service has been disabled.

A note has been added to UPGRADE.txt to indicate how ports must be set for TLS.

(closes issue ASTERISK-16959)
reported by Olaf Holthausen

(closes issue ASTERISK-19201)
reported by Chris Mylonas

(closes issue ASTERISK-19204)
reported by Chris Mylonas

Review: https://reviewboard.asterisk.org/r/1709
........

Merged revisions 353770 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 353820 from http://svn.asterisk.org/svn/asterisk/branches/10

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@353821 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 configs/http.conf.sample | 3 +--
 configs/manager.conf.sample | 3 +--
 include/asterisk/manager.h | 1 +
 main/http.c | 11 ++++++++---
 main/manager.c | 23 +++++++++++++++++------
 5 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/configs/http.conf.sample b/configs/http.conf.sample
index 8a63148..5b9c9a7 100644
--- a/configs/http.conf.sample
+++ b/configs/http.conf.sample
@@ -56,8 +56,7 @@ bindaddr=127.0.0.1
 ; explicitly enable tls, define the port to use,
 ; and have a certificate somewhere.
 ;tlsenable=yes ; enable tls - default no.
-;tlsbindport=4433 ; port to use - default is 8089
-;tlsbindaddr=0.0.0.0 ; address to bind to - default is bindaddr.
+;tlsbindaddr=0.0.0.0:8089 ; address and port to bind to - default is bindaddr and port 8089.
 ;
 ;tlscertfile= ; path to the certificate file (*.pem) only.
 ;tlsprivatekey= ; path to private key file (*.pem) only.
diff --git a/configs/manager.conf.sample b/configs/manager.conf.sample
index 2d43360..fb44e74 100644
--- a/configs/manager.conf.sample
+++ b/configs/manager.conf.sample
@@ -33,8 +33,7 @@ bindaddr = 0.0.0.0
 ; openssl s_client -connect my_host:5039
 ;
 ;tlsenable=no ; set to YES to enable it
-;tlsbindport=5039 ; the port to bind to
-;tlsbindaddr=0.0.0.0 ; address to bind to, default to bindaddr
+;tlsbindaddr=0.0.0.0:5039 ; address and port to bind to, default to bindaddr and port 5039
 ;tlscertfile=/tmp/asterisk.pem ; path to the certificate.
 ;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
 ; if no tlsprivatekey is given, default is to search
diff --git a/include/asterisk/manager.h b/include/asterisk/manager.h
index eaf48ce..534e43f 100644
--- a/include/asterisk/manager.h
+++ b/include/asterisk/manager.h
@@ -56,6 +56,7 @@
 #define AMI_VERSION "1.2"
 #define DEFAULT_MANAGER_PORT 5038 /* Default port for Asterisk management via TCP */
+#define DEFAULT_MANAGER_TLS_PORT 5039 /* Default port for Asterisk management via TCP */
 /*! \name Constant return values
 *\note Currently, returning anything other than zero causes the session to terminate.
diff --git a/main/http.c b/main/http.c
index 724a58f..c7e3ceb 100644
--- a/main/http.c
+++ b/main/http.c
@@ -1005,13 +1005,15 @@ static int __ast_http_load(int reload)
 uint32_t bindport = DEFAULT_PORT;
 struct ast_sockaddr *addrs = NULL;
 int num_addrs = 0;
+ int http_tls_was_enabled = 0;
 cfg = ast_config_load2("http.conf", "http", config_flags);
 if (cfg == CONFIG_STATUS_FILEMISSING || cfg == CONFIG_STATUS_FILEUNCHANGED || cfg == CONFIG_STATUS_FILEINVALID) {
 return 0;
 }
- /* default values */
+ http_tls_was_enabled = (reload && http_tls_cfg.enabled);
+ http_tls_cfg.enabled = 0;
 if (http_tls_cfg.certfile) {
 ast_free(http_tls_cfg.certfile);
@@ -1034,6 +1036,8 @@ static int __ast_http_load(int reload)
 }
 AST_RWLIST_UNLOCK(&uri_redirects);
+ ast_sockaddr_setnull(&https_desc.local_address);
+
 if (cfg) {
 v = ast_variable_browse(cfg, "general");
 for (; v; v = v->next) {
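Review bot: The comment on the new `DEFAULT_MANAGER_TLS_PORT` define in include/asterisk/manager.h is a verbatim copy of the one on `DEFAULT_MANAGER_PORT` and still describes the port as management `via TCP`, so the two defines read as identical. Change it to `/* Default port for Asterisk management via TLS */`. The name also follows a different convention from the HTTP counterpart referenced in main/http.c (`DEFAULT_TLS_PORT`); that only matters if the two are meant to be aligned.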
@@ -1113,8 +1117,9 @@ static int __ast_http_load(int reload)
 ast_sockaddr_set_port(&https_desc.local_address, DEFAULT_TLS_PORT);
 }
 }
-
- if (enabled && !ast_sockaddr_isnull(&https_desc.local_address)) {
+ if (http_tls_was_enabled && !http_tls_cfg.enabled) {
+ ast_tcptls_server_stop(&https_desc);
+ } else if (http_tls_cfg.enabled && !ast_sockaddr_isnull(&https_desc.local_address)) {
 /* We can get here either because a TLS-specific address was specified
 * or because we copied the non-TLS address here. In the case where
 * we read an explicit address from the config, there may have been
diff --git a/main/manager.c b/main/manager.c
index 727df26..3558697 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -6645,6 +6645,7 @@ static int __init_manager(int reload)
 char a1_hash[256];
 struct sockaddr_in ami_desc_local_address_tmp = { 0, };
 struct sockaddr_in amis_desc_local_address_tmp = { 0, };
+ int tls_was_enabled = 0;
 manager_enabled = 0;
@@ -6708,11 +6709,16 @@ static int __init_manager(int reload)
 /* default values */
 ast_copy_string(global_realm, S_OR(ast_config_AST_SYSTEM_NAME, DEFAULT_REALM), sizeof(global_realm));
- memset(&ami_desc.local_address, 0, sizeof(struct sockaddr_in));
- memset(&amis_desc.local_address, 0, sizeof(amis_desc.local_address));
- amis_desc_local_address_tmp.sin_port = htons(5039);
+ ast_sockaddr_setnull(&ami_desc.local_address);
+ ast_sockaddr_setnull(&amis_desc.local_address);
+
+ ami_desc_local_address_tmp.sin_family = AF_INET;
+ amis_desc_local_address_tmp.sin_family = AF_INET;
+ ami_desc_local_address_tmp.sin_port = htons(DEFAULT_MANAGER_PORT);
+ tls_was_enabled = (reload && ami_tls_cfg.enabled);
+ ami_tls_cfg.enabled = 0;
 if (ami_tls_cfg.certfile) {
 ast_free(ami_tls_cfg.certfile);
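Review bot: The new `if`/`else if` in the `@@ -1113` hunk of main/http.c covers "was enabled, now disabled", but when TLS was running and is still enabled while `https_desc.local_address` is null, neither branch executes, so the previous listener silently keeps its old binding and nothing is logged. Whether a null address can reach this point depends on the bindaddr/tlsbindaddr handling above the hunk, which I cannot see; if it can, a trailing `else if (http_tls_was_enabled) { ast_tcptls_server_stop(&https_desc); }` or a warning would make the outcome explicit. Separately, the removed condition also required `enabled` (apparently the plain-HTTP flag), so a TLS listener can now be started with HTTP itself disabled; that is presumably intended but is not called out in the commit message. `__ast_http_load` starts and ends outside the hunk.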
@@ -6786,8 +6792,7 @@ static int __init_manager(int reload)
 }
 }
- ami_desc_local_address_tmp.sin_family = AF_INET;
- amis_desc_local_address_tmp.sin_family = AF_INET;
+ ast_sockaddr_to_sin(&amis_desc.local_address, &amis_desc_local_address_tmp);
 /* if the amis address has not been set, default is the same as non secure ami */
 if (!amis_desc_local_address_tmp.sin_addr.s_addr) {
@@ -6795,6 +6800,10 @@ static int __init_manager(int reload)
 ami_desc_local_address_tmp.sin_addr;
 }
+ if (!amis_desc_local_address_tmp.sin_port) {
+ amis_desc_local_address_tmp.sin_port = htons(DEFAULT_MANAGER_TLS_PORT);
+ }
+
 if (manager_enabled) {
 ast_sockaddr_from_sin(&ami_desc.local_address, &ami_desc_local_address_tmp);
 ast_sockaddr_from_sin(&amis_desc.local_address, &amis_desc_local_address_tmp);
@@ -7031,7 +7040,9 @@ static int __init_manager(int reload)
 manager_event(EVENT_FLAG_SYSTEM, "Reload", "Module: Manager\r\nStatus: %s\r\nMessage: Manager reload Requested\r\n", manager_enabled ? "Enabled" : "Disabled");
 ast_tcptls_server_start(&ami_desc);
- if (ast_ssl_setup(amis_desc.tls_cfg)) {
+ if (tls_was_enabled && !ami_tls_cfg.enabled) {
+ ast_tcptls_server_stop(&amis_desc);
+ } else if (ast_ssl_setup(amis_desc.tls_cfg)) {
 ast_tcptls_server_start(&amis_desc);
 }
 return 0;
-- 
1.7.9.5
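Review bot: The return value of the new `ast_sockaddr_to_sin(&amis_desc.local_address, &amis_desc_local_address_tmp)` call in the `@@ -6786` hunk of main/manager.c is ignored, so a tlsbindaddr that is not an IPv4 address would fail the conversion silently and the TLS listener would be bound to whatever the temporary struct held before. I cannot see the helper's contract from here, but if it also rewrites the whole `sockaddr_in` for a null address (the default when tlsbindaddr is absent), the `sin_family = AF_INET` assigned earlier in the function is lost, and the fallback that follows copies only `sin_addr`, not the family. Checking the result, e.g. `if (!ast_sockaddr_to_sin(&amis_desc.local_address, &amis_desc_local_address_tmp)) { ast_log(LOG_WARNING, "tlsbindaddr is not an IPv4 address; TLS manager will not be started\n"); }`, and setting `sin_family` after this call rather than before would close both gaps. `__init_manager` starts and ends outside the hunk.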
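Review bot: The reload decision added in the `@@ -7031` hunk of main/manager.c mirrors the one added to `__ast_http_load` in main/http.c but uses a different second condition: http.c starts only when `http_tls_cfg.enabled && !ast_sockaddr_isnull(...)`, while this site goes straight to `ast_ssl_setup(amis_desc.tls_cfg)` and relies on it returning zero when `ami_tls_cfg.enabled` is 0. A shared helper in tcptls taking the descriptor and the previous enabled flag would keep the two modules from drifting; short of that, a comment such as `/* ast_ssl_setup() returns 0 for a disabled tls_cfg, so a never-enabled TLS listener is not started */` documents the assumption this branch depends on. `__init_manager` starts outside the hunk.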