support tls dir options properly

This commit is contained in:
Anthony Minessale 2013-02-26 11:49:41 -06:00
parent a4e0bae4c7
commit 68055eab2b
6 changed files with 79 additions and 23 deletions


@ -78,7 +78,7 @@
<!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
<param name="tls-sip-port" value="$${external_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
<param name="tls-cert-dir" value="$${external_ssl_dir}"/>
<!--<param name="tls-cert-dir" value=""/>-->
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
<param name="tls-passphrase" value=""/>
<!-- Verify the date on TLS certificates -->
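Review bot: The comment above `tls-cert-dir` still only says where agent.pem and cafile.pem live, but nothing tells the operator what an empty value means after this commit: the profile falls back to the core certs directory, a `tls.pem` bundle is used when agent.pem/cafile.pem are missing, and one is generated if none exist. Suggest extending the comment to `<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server). Leave empty to use the core certs directory; if no certificate is found there a self-signed tls.pem is generated -->`. Which of the two `tls-cert-dir` lines is the new side is not recoverable from this rendering, so the wording applies whichever survives. The same comment gap is in the internal profile section below.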


@ -188,7 +188,7 @@
<!-- Port to listen on for TLS requests. (5061 will be used if unspecified) -->
<param name="tls-sip-port" value="$${internal_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
<param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
<!--<param name="tls-cert-dir" value=""/>-->
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
<param name="tls-passphrase" value=""/>
<!-- Verify the date on TLS certificates -->


@ -257,12 +257,12 @@
<X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/>
<X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/>
<X-PRE-PROCESS cmd="set" data="internal_ssl_enable=false"/>
<X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
<!-- External SIP Profile -->
<X-PRE-PROCESS cmd="set" data="external_auth_calls=false"/>
<X-PRE-PROCESS cmd="set" data="external_sip_port=5080"/>
<X-PRE-PROCESS cmd="set" data="external_tls_port=5081"/>
<X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/>
<X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${base_dir}/conf/ssl"/>
</include>


@ -222,9 +222,13 @@ static int tport_tls_init_master(tport_primary_t *pri,
ti.configured = path != tbf;
ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
ti.key = su_sprintf(autohome, "%s/%s", path, "agent.pem");
if (access(ti.key, R_OK) != 0) ti.key = NULL;
if (!ti.key) ti.key = su_sprintf(autohome, "%s/%s", path, "tls.pem");
ti.passphrase = su_strdup(autohome, passphrase);
ti.cert = ti.key;
ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
if (access(ti.CAfile, R_OK) != 0) ti.CAfile = NULL;
if (!ti.CAfile) ti.CAfile = su_sprintf(autohome, "%s/%s", path, "tls.pem");
ti.version = tls_version;
ti.timeout = tls_timeout;
ti.CApath = su_strdup(autohome, path);
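Review bot: The probe `if (access(ti.key, R_OK) != 0) ti.key = NULL;` and its CAfile twin decide against the real rather than the effective UID and race with the later open, and the fallback silently substitutes tls.pem without reporting which file was chosen, so a mis-permissioned agent.pem is hidden instead of surfaced and the key-bearing tls.pem can end up as the CAfile. The fallback path itself is never checked, so an unreadable tls.pem is still handed to OpenSSL and only fails later with a less specific error. Suggest logging the resolved key/cert/CAfile paths at init and checking the fallback the same way, with a comment such as `/* agent.pem/cafile.pem preferred; tls.pem is a combined key+cert bundle and is only a last resort */`. tport_tls_init_master continues outside the hunk.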


@ -3643,6 +3643,7 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
profile->mflags = MFLAG_REFER | MFLAG_REGISTER;
profile->server_rport_level = 1;
profile->client_rport_level = 1;
profile->tls_cert_dir = SWITCH_GLOBAL_dirs.certs_dir;
sofia_set_pflag(profile, PFLAG_DISABLE_100REL);
profile->auto_restart = 1;
sofia_set_media_flag(profile, SCMF_AUTOFIX_TIMING);
@ -4503,13 +4504,13 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
} else {
profile->tls_sip_port = (switch_port_t) atoi(val);
}
} else if (!strcasecmp(var, "tls-cert-dir")) {
} else if (!strcasecmp(var, "tls-cert-dir") && !zstr(val)) {
profile->tls_cert_dir = switch_core_strdup(profile->pool, val);
} else if (!strcasecmp(var, "tls-passphrase")) {
} else if (!strcasecmp(var, "tls-passphrase") && !zstr(val)) {
profile->tls_passphrase = switch_core_strdup(profile->pool, val);
} else if (!strcasecmp(var, "tls-verify-in-subjects")) {
} else if (!strcasecmp(var, "tls-verify-in-subjects") && !zstr(val)) {
profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
} else if (!strcasecmp(var, "tls-version")) {
} else if (!strcasecmp(var, "tls-version") && !zstr(val)) {
if (!strcasecmp(val, "tlsv1")) {
profile->tls_version = 1;
@ -4671,10 +4672,33 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
config_sofia_profile_urls(profile);
if (!profile->tls_cert_dir) {
profile->tls_cert_dir = switch_core_sprintf(profile->pool, "%s/ssl", SWITCH_GLOBAL_dirs.conf_dir);
if (profile->tls_cert_dir) {
if (profile->wss_ip) {
char *key, *cert;
key = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.key");
if (switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS) key = NULL;
cert = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.crt");
if (switch_file_exists(cert, profile->pool) != SWITCH_STATUS_SUCCESS) cert = NULL;
if ( !key || !cert) {
key = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.pem");
if ( switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS ) {
switch_core_gen_certs(key);
}
}
}
if (sofia_test_pflag(profile, PFLAG_TLS)) {
char *key = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "agent.pem");
char *ca = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "cafile.pem");;
if (switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS) key = NULL;
if (switch_file_exists(ca, profile->pool) != SWITCH_STATUS_SUCCESS) ca = NULL;
if ( !key || !ca ) {
key = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "tls.pem");
if ( switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS ) {
switch_core_gen_certs(key);
}
}
}
}
}
if (profile) {
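Review bot: The return value of `switch_core_gen_certs(key)` is dropped at both call sites in the last hunk, so a failed generation (for example an unwritable cert dir) leaves PFLAG_TLS set and the profile pointing at a file that does not exist, with nothing logged; check it, e.g. `if (switch_core_gen_certs(key) != 0) { /* log at ERR and treat the profile's TLS setup as failed */ }`. A NOTICE-level log when a self-signed bundle is generated is also worth adding, since operators need to know the profile is serving an auto-generated certificate rather than the one they intended to deploy. In the second hunk the added `&& !zstr(val)` guards make an empty `tls-cert-dir`/`tls-passphrase` fall through to the rest of the chain; it is worth confirming the chain's final else does not report those as unknown parameters. Minor: the doubled `;;` on the `ca` declaration line. config_sofia starts and ends outside these hunks.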


@ -214,13 +214,32 @@ SWITCH_DECLARE(int) switch_core_gen_certs(const char *prefix)
EVP_PKEY *pkey = NULL;
char *rsa = NULL, *pvt = NULL;
FILE *fp;
char *pem = NULL;
if (switch_stristr(".pem", prefix)) {
if (switch_is_file_path(prefix)) {
pem = strdup(prefix);
} else {
pem = switch_mprintf("%s%s%s", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
}
if (switch_file_exists(pem, NULL) == SWITCH_STATUS_SUCCESS) {
goto end;
}
} else {
if (switch_is_file_path(prefix)) {
pvt = switch_mprintf("%s.key", prefix);
rsa = switch_mprintf("%s.crt", prefix);
} else {
pvt = switch_mprintf("%s%s%s.key", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
rsa = switch_mprintf("%s%s%s.crt", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
}
if (switch_file_exists(pvt, NULL) == SWITCH_STATUS_SUCCESS || switch_file_exists(rsa, NULL) == SWITCH_STATUS_SUCCESS) {
goto end;
}
}
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
@ -231,7 +250,14 @@ SWITCH_DECLARE(int) switch_core_gen_certs(const char *prefix)
//RSA_print_fp(stdout, pkey->pkey.rsa, 0);
//X509_print_fp(stdout, x509);
if (pem) {
if ((fp = fopen(pem, "w"))) {
PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
PEM_write_X509(fp, x509);
fclose(fp);
}
} else {
if ((fp = fopen(pvt, "w"))) {
PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
}
@ -243,6 +269,7 @@ SWITCH_DECLARE(int) switch_core_gen_certs(const char *prefix)
}
fclose(fp);
}
X509_free(x509);
EVP_PKEY_free(pkey);
@ -260,6 +287,7 @@ SWITCH_DECLARE(int) switch_core_gen_certs(const char *prefix)
switch_safe_free(pvt);
switch_safe_free(rsa);
switch_safe_free(pem);
return(0);
}
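Review bot: `fopen(pem, "w")` in the new pem branch creates a file holding the private key with whatever the process umask allows, so the combined key+cert bundle may be group- or world-readable; create it with a restrictive mode instead, e.g. `int fd = open(pem, O_WRONLY | O_CREAT | O_EXCL, 0600);` followed by `if (fd >= 0 && (fp = fdopen(fd, "w"))) {` (needs `<fcntl.h>`; the same applies to the pre-existing pvt branch, and the Windows build may need the `_open` spelling). O_EXCL also closes the gap between the `switch_file_exists(pem, NULL)` check and the write. The results of PEM_write_PrivateKey, PEM_write_X509 and fclose are unchecked, so a partial write still reaches `return(0)` and the caller believes a usable bundle exists. switch_core_gen_certs begins before the first hunk.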