From 62859ad52684ec17d01225f6cd2f2fbfdc6d53c6 Mon Sep 17 00:00:00 2001
From: Joshua Colp
Date: Mon, 2 Jul 2018 20:44:53 -0300
Subject: [PATCH] pjsip: Clarify certificate configuration for Websocket.

The Websocket transport uses the built-in HTTP server. As a result the TLS configuration is done in http.conf and not in pjsip.conf. This change adds a warning if this is configured in pjsip.conf and also clarifies in the sample configuration file.

Change-Id: I187d994d328c3ed274b6754fd4c2a4955bdc6dd9
---
 configs/samples/pjsip.conf.sample | 17 ++++++++++-------
 res/res_pjsip.c | 18 +++++++++---------
 res/res_pjsip/config_transport.c | 3 +++
 3 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample
index 69576c19d5..a603a3ee43 100644
--- a/configs/samples/pjsip.conf.sample
+++ b/configs/samples/pjsip.conf.sample
@@ -842,10 +842,13 @@
 ;==========================TRANSPORT SECTION OPTIONS=========================
 ;[transport]
 ; SYNOPSIS: SIP Transport
+;
 ;async_operations=1 ; Number of simultaneous Asynchronous Operations
 ; (default: "1")
 ;bind= ; IP Address and optional port to bind to for this transport (default:
 ; "")
+; Note that for the Websocket transport the TLS configuration is configured
+; in http.conf and is applied for all HTTPS traffic.
 ;ca_list_file= ; File containing a list of certificates to read TLS ONLY
 ; (default: "")
 ;ca_list_path= ; Path to directory containing certificates to read TLS ONLY.
@@ -857,6 +860,13 @@
 ; a .key file must be specified via priv_key_file
 ; (default: "")
 ;cipher= ; Preferred cryptography cipher names TLS ONLY (default: "")
+;method= ; Method of SSL transport TLS ONLY (default: "")
+;priv_key_file= ; Private key file TLS ONLY (default: "")
+;verify_client= ; Require verification of client certificate TLS ONLY (default:
+ ; "")
+;verify_server= ; Require verification of server certificate TLS ONLY (default:
+ ; "")
+;require_client_cert= ; Require client certificate TLS ONLY (default: "")
 ;domain= ; Domain the transport comes from (default: "")
 ;external_media_address= ; External IP address to use in RTP handling
 ; (default: "")
@@ -864,17 +874,10 @@
 ; "")
 ;external_signaling_port=0 ; External port for SIP signalling (default:
 ; "0")
-;method= ; Method of SSL transport TLS ONLY (default: "")
 ;local_net= ; Network to consider local used for NAT purposes (default: "")
 ;password= ; Password required for transport (default: "")
-;priv_key_file= ; Private key file TLS ONLY (default: "")
 ;protocol=udp ; Protocol to use for SIP traffic (default: "udp")
-;require_client_cert= ; Require client certificate TLS ONLY (default: "")
 ;type= ; Must be of type transport (default: "")
-;verify_client= ; Require verification of client certificate TLS ONLY (default:
- ; "")
-;verify_server= ; Require verification of server certificate TLS ONLY (default:
- ; "")
 ;tos=0 ; Enable TOS for the signalling sent over this transport (default: "0")
 ;cos=0 ; Enable COS for the signalling sent over this transport (default: "0")
 ;websocket_write_timeout=100 ; Default write timeout to set on websocket
diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index a82af0eeab..99abfb0cc2 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -1158,13 +1158,13 @@ IP Address and optional port to bind to for this transport - File containing a list of certificates to read (TLS ONLY) + File containing a list of certificates to read (TLS ONLY, not WSS) - Path to directory containing a list of certificates to read (TLS ONLY) + Path to directory containing a list of certificates to read (TLS ONLY, not WSS) - Certificate file for endpoint (TLS ONLY) + Certificate file for endpoint (TLS ONLY, not WSS) A path to a .crt or .pem file can be provided. However, only the certificate is read from the file, not the private key. @@ -1173,7 +1173,7 @@ - Preferred cryptography cipher names (TLS ONLY) + Preferred cryptography cipher names (TLS ONLY, not WSS) Comma separated list of cipher names or numeric equivalents. Numeric equivalents can be either decimal or hexadecimal (0xX). @@ -1205,7 +1205,7 @@ External port for SIP signalling - Method of SSL transport (TLS ONLY) + Method of SSL transport (TLS ONLY, not WSS) @@ -1232,7 +1232,7 @@ Password required for transport - Private key file (TLS ONLY) + Private key file (TLS ONLY, not WSS) Protocol to use for SIP traffic @@ -1247,16 +1247,16 @@ - Require client certificate (TLS ONLY) + Require client certificate (TLS ONLY, not WSS) Must be of type 'transport'. - Require verification of client certificate (TLS ONLY) + Require verification of client certificate (TLS ONLY, not WSS) - Require verification of server certificate (TLS ONLY) + Require verification of server certificate (TLS ONLY, not WSS) Enable TOS for the signalling sent over this transport diff --git a/res/res_pjsip/config_transport.c b/res/res_pjsip/config_transport.c index 55ef3c5d89..3ad4dcc42a 100644 --- a/res/res_pjsip/config_transport.c +++ b/res/res_pjsip/config_transport.c 
@@ -650,6 +650,9 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
 } else if ((transport->type == AST_TRANSPORT_WS) || (transport->type == AST_TRANSPORT_WSS)) {
 if (transport->cos || transport->tos) {
 ast_log(LOG_WARNING, "TOS and COS values ignored for websocket transport\n");
+} else if (!ast_strlen_zero(transport->ca_list_file) || !ast_strlen_zero(transport->ca_list_path) ||
+!ast_strlen_zero(transport->cert_file) || !ast_strlen_zero(transport->privkey_file)) {
+ast_log(LOG_WARNING, "TLS certificate values ignored for websocket transport as they are configured in http.conf\n");
 }
 res = PJ_SUCCESS;
 }
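Review bot: The new certificate check is attached as an `else if` to the TOS/COS test, so a websocket transport that sets `tos` or `cos` together with `ca_list_file`, `ca_list_path`, `cert_file` or `priv_key_file` only gets the TOS/COS warning and is never told that its TLS settings are ignored — an operator who believes a CA list is being applied to WSS clients then gets no signal that it is not. The two conditions are independent, so close the first branch and make the certificate test its own statement: `}` followed by `if (!ast_strlen_zero(transport->ca_list_file) || !ast_strlen_zero(transport->ca_list_path) ||`, keeping the rest of the condition and the warning as written. The warning also does not cover the other TLS-only options that the res_pjsip.c hunk labels "not WSS" (method, cipher, verify_client, verify_server, require_client_cert); silently dropping verify_client/require_client_cert is the case most likely to leave a false sense of enforcement, but the transport fields holding those values are not visible in this hunk, so the exact expressions need confirming against the struct. transport_apply begins and ends outside this hunk.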