On Thu, Nov 1, 2012 at 6:22 PM, Kyle Haefner <[email protected]> wrote:
> Hi Mircea,
>
> This for example works:
>
> curl --digest -k -X GET -u 200:password http://example.sipx.org:6667/cdr/200?limit=5
>
> This does not:
>
> curl --digest -k -X GET -u 200:password https://example.sipx.org:6666/cdr/200?limit=5
>
> result....
>
> curl: (35) Unknown SSL protocol error in connection to example.sipx.org:6666
>
> Oddly, this also works.
>
> curl --digest -k -X GET -u 200:password http://example.sipx.org:6666/cdr/200?limit=5
>

Hi Kyle,

We removed SSL connectors from all our components (including sipXconfig: you can check sipxconfig-jetty.xml and there is no SSL connector anymore, and the old secured port 8443 is gone).

The reason behind this was that we wanted to use one single point for SSL, which is now apache (port 443), and our certificates sit in apache only. We had many problems (related to certificates and SSL handshake) in 4.4, where we used different SSL connectors and different certificates for sipxconfig (web cert) and for rest components (internal cert).

For reference please see: http://track.sipfoundry.org/browse/XX-10098, especially the comment:

-sipXcommons: added new package jetty that contains a jetty http socket factory and a security handler that makes sure that security checkings are done only for public port
-sipXivr: port 8085 default to public http port (instead of https)
  added new http listener: port 8086 default for internal ivr rest calls
  only calls to 8085 are authenticated using digest
  use config http:12000 instead of https
  sipXivr digest authenticator is a spring bean now
-sipXrest: removed basic or digest auth, only digest auth is used
  default port 6667 is used for internal communication, http, no authentication
  removed ssl listener from public port 6666, use http instead, and digest authentication
made changes across sipXivr, sipXrecording, sipXimbot, sipXrest, sipXopenfire to use http+internal port instead of https
fixed tests

So what we did is to have two ports (both http) for each component that exposes REST interfaces: one port which is internal and without authentication, used for internal REST calls (6667 in sipXrest, 8086 for sipXivr), and the other port which uses digest-only authentication and is meant to be public (6666 in sipXrest, 8085 in sipXivr).

Ideally we would need to use apache to proxy ports 6666 and 8085 and reuse the SSL layer that now is only on port 443 exposed in apache, but this is not achieved yet; we will address it in next releases.

Meanwhile we have a REST API in sipXconfig that proxies sipXrest and sipXivr (it is accessed through 443 SSL) and uses the sipXconfig authentication layer, which is the most complex and covers LDAP authentication as well.

The relative URL is: /my/redirect

Here you have to append the relative URL for your sipXrest or sipXivr service, for example: /cdr/200?limit=5

and it will be: /my/redirect/cdr/200?limit=5

Another example, to download a voicemail:

https://192.168.1.102/sipxconfig/rest/my/redirect/media/200/inbox/100000005

Hope this helps,
Mircea
_______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/
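
The two-port layout described in the message above can be checked from an administrator's side with a small classifier; this is an added example, not code from the thread or from the sipXecs project. The port roles come from the message; the function names and the sample response heads are constructed, and treating the internal ports as "must not answer to outside hosts" is an assumption drawn from the message calling them internal.

```python
# Port roles as stated in the message; everything else here is illustrative.
PUBLIC_DIGEST_PORTS = {6666, 8085}    # sipXrest, sipXivr: digest auth, meant to be public
INTERNAL_NOAUTH_PORTS = {6667, 8086}  # sipXrest, sipXivr: internal, no authentication

# Constructed response heads (not captured from a real server).
SAMPLE_DIGEST = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="constructed", nonce="0"\r\n\r\n'
SAMPLE_BASIC = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="constructed"\r\n\r\n'
SAMPLE_OPEN = 'HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n\r\n'


def parse_head(raw):
    """Return (status_code, {lowercased header name: [values]}) for a raw HTTP response head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit(port, raw_head, probed_from_outside):
    """Judge the answer to a request sent WITHOUT credentials against the port's role."""
    status, headers = parse_head(raw_head)
    schemes = {v.split(None, 1)[0].lower() for v in headers.get("www-authenticate", []) if v}
    if port in PUBLIC_DIGEST_PORTS:
        if status == 401 and schemes == {"digest"}:
            return "ok: digest challenge"
        if status == 401:
            offered = ",".join(sorted(schemes)) or "none"
            return "finding: challenge is not digest-only (" + offered + ")"
        return "finding: public port answered %d without a challenge" % status
    if port in INTERNAL_NOAUTH_PORTS:
        # Assumption: an unauthenticated port should only be reachable locally.
        if probed_from_outside:
            return "finding: unauthenticated internal port reachable from outside"
        return "ok: internal port, local access only"
    return "unknown port"


if __name__ == "__main__":
    for port, head, outside in [(6666, SAMPLE_DIGEST, True), (8085, SAMPLE_BASIC, True),
                                (6666, SAMPLE_OPEN, True), (6667, SAMPLE_OPEN, True)]:
        print(port, "->", audit(port, head, outside))
```

A response head for a real check can be captured with `curl -s -D - -o /dev/null <url>` sent without credentials, once from the server itself and once from a host outside it.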
