sip_to_pjsip: Map the TLS method correctly.

When using the migration script sip_to_pjsip.py and tlsclientmethod is not set in sip.conf, the default value of chan_sip (sslv23) is copied to pjsip.conf, to overwrite the default of the PJProject (tlsv1). This makes sure, res_pjsip is offering/using not just TLSv1.0 but TLSv1.2 as well. ASTERISK-22374 Change-Id: Ie530a3dae9926ae14f3920a21be1e2edb15bda4f
9 years ago · e55d1e47aa
parent b35779c6c6
commit e55d1e47aa
1 changed files with 18 additions and 7 deletions
--- a/contrib/scripts/sip_to_pjsip/sip_to_pjsip.py
+++ b/contrib/scripts/sip_to_pjsip/sip_to_pjsip.py
@ -731,11 +731,6 @@ def set_tls_verifyserver(val, pjsip, nmapped):
                  'transport')


-def set_tls_method(val, pjsip, nmapped):
-    """Sets method based on sip.conf tlsclientmethod or sslclientmethod"""
-    set_value('method', val, 'transport-tls', pjsip, nmapped, 'transport')
-
-
 def create_tls(sip, pjsip, nmapped):
    """
    Creates a 'transport-tls' section in pjsip.conf based on the following
@ -759,8 +754,7 @@ def create_tls(sip, pjsip, nmapped):
        (['tlscipher', 'sslcipher'], set_tls_cipher),
        (['tlscafile'], set_tls_cafile),
        (['tlsverifyclient'], set_tls_verifyclient),
-        (['tlsdontverifyserver'], set_tls_verifyserver),
-        (['tlsclientmethod', 'sslclientmethod'], set_tls_method)
+        (['tlsdontverifyserver'], set_tls_verifyserver)
    ]

    try:
@ -780,6 +774,23 @@ def create_tls(sip, pjsip, nmapped):
        except LookupError:
            pass

+    try:
+        method = sip.multi_get('general', ['tlsclientmethod', 'sslclientmethod'])[0]
+        print 'In chan_sip, you specified the TLS version. With chan_sip, this was just for outbound client connections. In chan_pjsip, this value is for client and server. Instead, consider not to specify \'tlsclientmethod\' for chan_sip and \'method = sslv23\' for chan_pjsip.'
+    except LookupError:
+        """
+        OpenSSL emerged during the 90s. SSLv2 and SSLv3 were the only
+        existing methods at that time. The OpenSSL project continued. And as
+        of today (OpenSSL 1.0.2) this does not start SSLv2 and SSLv3 anymore
+        but TLSv1.0 and v1.2. Or stated differently: This method should
+        have been called 'method = secure' or 'method = automatic' back in
+        the 90s. The PJProject did not realize this and uses 'tlsv1' as
+        default when unspecified, which disables TLSv1.2. chan_sip used
+        'sslv23' as default when unspecified, which gives TLSv1.0 and v1.2.
+        """
+        method = 'sslv23'
+    set_value('method', val, 'transport-tls', pjsip, nmapped, 'transport')
+
    set_transport_common('transport-tls', pjsip, nmapped)
    try:
        extern_addr = sip.multi_get('general', ['externaddr', 'externip',