kenmirrors/freeswitch
1
0
Fork 0
mirror of https://github.com/signalwire/freeswitch.git synced 2025-03-13 12:40:17 +00:00
Code Issues Projects Releases Wiki Activity

Support setting TLS cipher suites in mod_sofia

Browse Source 
This adds a parameter tls-ciphers in which we can specify the TLS
cipher suite specification for OpenSSL.
This commit is contained in:
Travis Cross 2014-02-06 03:13:13 +00:00
parent c0101e2ce6
commit 57abca11a8
3 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
View File

@ -249,6 +249,8 @@
sets which subjects are allowed, multiple subjects can be split sets which subjects are allowed, multiple subjects can be split
with a '|' pipe --> with a '|' pipe -->
<param name="tls-verify-in-subjects" value=""/> <param name="tls-verify-in-subjects" value=""/>
<!-- Set the OpenSSL cipher suite list -->
<!-- <param name="tls-ciphers" value="!aNULL:!LOW:!EXP:!kECDH:!ECDSA:!DSS:!PSK:!SRP:ALL"/> -->
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not
work with TLSv1 --> work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/> <param name="tls-version" value="$${sip_tls_version}"/>

1
src/mod/endpoints/mod_sofia/mod_sofia.h
View File

@ -587,6 +587,7 @@ struct sofia_profile {
switch_port_t sip_port; switch_port_t sip_port;
switch_port_t extsipport; switch_port_t extsipport;
switch_port_t tls_sip_port; switch_port_t tls_sip_port;
char *tls_ciphers;
int tls_version; int tls_version;
unsigned int tls_timeout; unsigned int tls_timeout;
char *inbound_codec_string; char *inbound_codec_string;

5
src/mod/endpoints/mod_sofia/sofia.c
View File

@ -2535,6 +2535,8 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
TPTAG_TLS_VERIFY_DATE(profile->tls_verify_date)), TPTAG_TLS_VERIFY_DATE(profile->tls_verify_date)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_verify_in_subjects, TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_verify_in_subjects,
TPTAG_TLS_VERIFY_SUBJECTS(profile->tls_verify_in_subjects)), TPTAG_TLS_VERIFY_SUBJECTS(profile->tls_verify_in_subjects)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
TPTAG_TLS_CIPHERS(profile->tls_ciphers)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS), TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
TPTAG_TLS_VERSION(profile->tls_version)), TPTAG_TLS_VERSION(profile->tls_version)),
TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_timeout, TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_timeout,
@ -3764,6 +3766,7 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
profile->sip_force_expires = 0; profile->sip_force_expires = 0;
profile->sip_expires_max_deviation = 0; profile->sip_expires_max_deviation = 0;
profile->sip_subscription_max_deviation = 0; profile->sip_subscription_max_deviation = 0;
profile->tls_ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
profile->tls_version = SOFIA_TLS_VERSION_TLSv1; profile->tls_version = SOFIA_TLS_VERSION_TLSv1;
profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_1; profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_1;
profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_2; profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_2;
@ -4701,6 +4704,8 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
profile->tls_passphrase = switch_core_strdup(profile->pool, val); profile->tls_passphrase = switch_core_strdup(profile->pool, val);
} else if (!strcasecmp(var, "tls-verify-in-subjects") && !zstr(val)) { } else if (!strcasecmp(var, "tls-verify-in-subjects") && !zstr(val)) {
profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val); profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
} else if (!strcasecmp(var, "tls-ciphers") && !zstr(val)) {
profile->tls_ciphers = switch_core_strdup(profile->pool, val);
} else if (!strcasecmp(var, "tls-version") && !zstr(val)) { } else if (!strcasecmp(var, "tls-version") && !zstr(val)) {
char *ps = val, *pe; char *ps = val, *pe;
profile->tls_version = 0; profile->tls_version = 0;