Author: mmichelson
Date: Fri Jan 16 11:45:44 2015
New Revision: 430709

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=430709
Log:
Add support for the ca_list_path option for PJSIP transports.

This allows for a path to be specified that has a collection of CA
certificates in it.

ASTERISK-24575 #close
Reported by cloos
Patches:
        pj-ca-path-trunk.diff uploaded by cloos (License #5956)

Review: https://reviewboard.asterisk.org/r/4344


Modified:
    branches/13/CHANGES
    branches/13/configs/samples/pjsip.conf.sample
    branches/13/configure
    branches/13/configure.ac
    branches/13/include/asterisk/autoconfig.h.in
    branches/13/include/asterisk/res_pjsip.h
    branches/13/res/res_pjsip.c
    branches/13/res/res_pjsip/config_transport.c

Modified: branches/13/CHANGES
URL: 
http://svnview.digium.com/svn/asterisk/branches/13/CHANGES?view=diff&rev=430709&r1=430708&r2=430709
==============================================================================
--- branches/13/CHANGES (original)
+++ branches/13/CHANGES Fri Jan 16 11:45:44 2015
@@ -45,6 +45,12 @@
    and is now configurable via the 't38timeout' configuration option in
    res_fax.conf and via the fax options dialplan function 'FAXOPT(t38timeout)'.
    The default remains at 5000 milliseconds.
+
+PJSIP Transports
+----------
+ * The ca_list_path transport parameter has been added for TLS transports. This
+   option behaves similarly to the old sip.conf option "tlscapath". In order to
+   use this, you must be using PJProject version ?.? or higher.
 
 ARI
 ------------------

Modified: branches/13/configs/samples/pjsip.conf.sample
URL: 
http://svnview.digium.com/svn/asterisk/branches/13/configs/samples/pjsip.conf.sample?view=diff&rev=430709&r1=430708&r2=430709
==============================================================================
--- branches/13/configs/samples/pjsip.conf.sample (original)
+++ branches/13/configs/samples/pjsip.conf.sample Fri Jan 16 11:45:44 2015
@@ -749,6 +749,10 @@
         ; "")
 ;ca_list_file=  ; File containing a list of certificates to read TLS ONLY
                 ; (default: "")
+;ca_list_path=  ; Path to directory containing certificates to read TLS ONLY.
+                ; PJProject version 2.4 or higher is required for this option 
to
+                               ; be used.
+                ; (default: "")
 ;cert_file=     ; Certificate file for endpoint TLS ONLY
                 ; Will read .crt or .pem file but only uses cert,
                 ; a .key file must be specified via priv_key_file

Modified: branches/13/configure.ac
URL: 
http://svnview.digium.com/svn/asterisk/branches/13/configure.ac?view=diff&rev=430709&r1=430708&r2=430709
==============================================================================
--- branches/13/configure.ac (original)
+++ branches/13/configure.ac Fri Jan 16 11:45:44 2015
@@ -457,6 +457,7 @@
 AST_EXT_LIB_SETUP_OPTIONAL([PJ_TRANSACTION_GRP_LOCK], [PJSIP Transaction Group 
Lock Support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_REPLACE_MEDIA_STREAM], [PJSIP Media Stream 
Replacement Support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_GET_DEST_INFO], [pjsip_get_dest_info 
support], [PJPROJECT], [pjsip])
+AST_EXT_LIB_SETUP_OPTIONAL([PJ_SSL_CERT_LOAD_FROM_FILES2], 
[pj_ssl_cert_load_from_files2 support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP([PORTAUDIO], [PortAudio], [portaudio])
 AST_EXT_LIB_SETUP([PRI], [ISDN PRI], [pri])
 AST_EXT_LIB_SETUP_OPTIONAL([PRI_SETUP_ACK_INBAND], [ISDN PRI progress inband 
ie in SETUP ACK], [PRI], [pri])
@@ -2076,6 +2077,7 @@
 CPPFLAGS="${saved_cppflags}"
 
 AST_EXT_LIB_CHECK([PJSIP_GET_DEST_INFO], [pjsip], [pjsip_get_dest_info], 
[pjsip.h], [$PJPROJECT_LIBS], [$PJPROJECT_CFLAGS])
+AST_EXT_LIB_CHECK([PJ_SSL_CERT_LOAD_FROM_FILES2], [pj], 
[pj_ssl_cert_load_from_files2], [pjlib.h], [$PJPROJECT_LIBS], 
[$PJPROJECT_CFLAGS])
 
 AST_EXT_LIB_CHECK([POPT], [popt], [poptStrerror], [popt.h])
 

Modified: branches/13/include/asterisk/autoconfig.h.in
URL: 
http://svnview.digium.com/svn/asterisk/branches/13/include/asterisk/autoconfig.h.in?view=diff&rev=430709&r1=430708&r2=430709
==============================================================================
--- branches/13/include/asterisk/autoconfig.h.in (original)
+++ branches/13/include/asterisk/autoconfig.h.in Fri Jan 16 11:45:44 2015
@@ -583,6 +583,10 @@
 
 /* Define if your system has the PJSIP_REPLACE_MEDIA_STREAM headers. */
 #undef HAVE_PJSIP_REPLACE_MEDIA_STREAM
+
+/* Define to 1 if PJPROJECT has the pj_ssl_cert_load_from_files2 support
+   feature. */
+#undef HAVE_PJ_SSL_CERT_LOAD_FROM_FILES2
 
 /* Define to 1 if PJPROJECT has the PJSIP Transaction Group Lock Support
    feature. */
@@ -1295,11 +1299,6 @@
 /* Define to 1 if running on Darwin. */
 #undef _DARWIN_UNLIMITED_SELECT
 
-/* Enable large inode numbers on Mac OS X 10.5.  */
-#ifndef _DARWIN_USE_64_BIT_INODE
-# define _DARWIN_USE_64_BIT_INODE 1
-#endif
-
 /* Number of bits in a file offset, on hosts where this is settable. */
 #undef _FILE_OFFSET_BITS
 

Modified: branches/13/include/asterisk/res_pjsip.h
URL: 
http://svnview.digium.com/svn/asterisk/branches/13/include/asterisk/res_pjsip.h?view=diff&rev=430709&r1=430708&r2=430709
==============================================================================
--- branches/13/include/asterisk/res_pjsip.h (original)
+++ branches/13/include/asterisk/res_pjsip.h Fri Jan 16 11:45:44 2015
@@ -91,6 +91,8 @@
        AST_DECLARE_STRING_FIELDS(
                /*! Certificate of authority list file */
                AST_STRING_FIELD(ca_list_file);
+               /*! Certificate of authority list path */
+               AST_STRING_FIELD(ca_list_path);
                /*! Public certificate file */
                AST_STRING_FIELD(cert_file);
                /*! Optional private key of the certificate file */

Modified: branches/13/res/res_pjsip.c
URL: 
http://svnview.digium.com/svn/asterisk/branches/13/res/res_pjsip.c?view=diff&rev=430709&r1=430708&r2=430709
==============================================================================
--- branches/13/res/res_pjsip.c (original)
+++ branches/13/res/res_pjsip.c Fri Jan 16 11:45:44 2015
@@ -829,6 +829,9 @@
                                <configOption name="ca_list_file">
                                        <synopsis>File containing a list of 
certificates to read (TLS ONLY)</synopsis>
                                </configOption>
+                               <configOption name="ca_list_path">
+                                       <synopsis>Path to directory containing 
a list of certificates to read (TLS ONLY)</synopsis>
+                               </configOption>
                                <configOption name="cert_file">
                                        <synopsis>Certificate file for endpoint 
(TLS ONLY)</synopsis>
                                        <description><para>
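Review bot: The new `ca_list_path` configOption carries only a synopsis, so the generated documentation never says that the option needs pjproject 2.4 or later and is otherwise ignored with a warning (see the `#else` branch in config_transport.c). I would add a `<description>` stating that requirement; note that the CHANGES entry in this commit still reads `?.?` where the sample config and the log message say 2.4. The description should also say that every certificate in the directory becomes a trust anchor for the transport, so the directory should be writable only by the Asterisk administrator. If pjproject passes the path to OpenSSL as a CA directory, which this diff does not show, the files also need OpenSSL's hashed-name layout, and that deserves a sentence too. The same caveats apply to the comment added in pjsip.conf.sample.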
@@ -1336,6 +1339,9 @@
                                </parameter>
                                <parameter name="CaListFile">
                                        <para><xi:include 
xpointer="xpointer(/docs/configInfo[@name='res_pjsip']/configFile[@name='pjsip.conf']/configObject[@name='transport']/configOption[@name='ca_list_file']/synopsis/node())"/></para>
+                               </parameter>
+                               <parameter name="CaListPath">
+                                       <para><xi:include 
xpointer="xpointer(/docs/configInfo[@name='res_pjsip']/configFile[@name='pjsip.conf']/configObject[@name='transport']/configOption[@name='ca_list_path']/synopsis/node())"/></para>
                                </parameter>
                                <parameter name="CertFile">
                                        <para><xi:include 
xpointer="xpointer(/docs/configInfo[@name='res_pjsip']/configFile[@name='pjsip.conf']/configObject[@name='transport']/configOption[@name='cert_file']/synopsis/node())"/></para>

Modified: branches/13/res/res_pjsip/config_transport.c
URL: 
http://svnview.digium.com/svn/asterisk/branches/13/res/res_pjsip/config_transport.c?view=diff&rev=430709&r1=430708&r2=430709
==============================================================================
--- branches/13/res/res_pjsip/config_transport.c (original)
+++ branches/13/res/res_pjsip/config_transport.c Fri Jan 16 11:45:44 2015
@@ -217,6 +217,14 @@
                res = pjsip_tcp_transport_start3(ast_sip_get_pjsip_endpoint(), 
&cfg, &transport->state->factory);
        } else if (transport->type == AST_TRANSPORT_TLS) {
                transport->tls.ca_list_file = 
pj_str((char*)transport->ca_list_file);
+#ifdef HAVE_PJ_SSL_CERT_LOAD_FROM_FILES2
+               transport->tls.ca_list_path = 
pj_str((char*)transport->ca_list_path);
+#else
+               if (!ast_strlen_zero(transport->ca_list_path)) {
+                       ast_log(LOG_WARNING, "Asterisk has been built against a 
version of pjproject that does not "
+                                       "support the 'ca_list_path' option. 
Please upgrade to version 2.4 or later.\n");
+               }
+#endif
                transport->tls.cert_file = pj_str((char*)transport->cert_file);
                transport->tls.privkey_file = 
pj_str((char*)transport->privkey_file);
                transport->tls.password = pj_str((char*)transport->password);
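Review bot: In the `#else` branch a non-empty `ca_list_path` is dropped after a `LOG_WARNING`, and nothing in the hunk stops the TLS transport from being started, so it can come up with a trust store other than the one configured. When `ca_list_file` is empty too, the transport has no CA list at all, and what that means for peer verification depends on settings outside this hunk. I would treat this as a configuration error instead: log at `LOG_ERROR` and, if the enclosing function can report failure (its start and end are outside the hunk), fail the apply, e.g. `return -1;` after the `ast_log` call. Failing closed makes the mismatch visible at load time rather than at the first handshake.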
@@ -743,6 +751,7 @@
        ast_sorcery_object_field_register_custom(sorcery, "transport", "bind", 
"", transport_bind_handler, transport_bind_to_str, NULL, 0, 0);
        ast_sorcery_object_field_register(sorcery, "transport", 
"async_operations", "1", OPT_UINT_T, 0, FLDSET(struct ast_sip_transport, 
async_operations));
        ast_sorcery_object_field_register(sorcery, "transport", "ca_list_file", 
"", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, ca_list_file));
+       ast_sorcery_object_field_register(sorcery, "transport", "ca_list_path", 
"", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, ca_list_path));
        ast_sorcery_object_field_register(sorcery, "transport", "cert_file", 
"", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, cert_file));
        ast_sorcery_object_field_register(sorcery, "transport", 
"priv_key_file", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, 
privkey_file));
        ast_sorcery_object_field_register(sorcery, "transport", "password", "", 
OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, password));

