From d27cd90155a69186a27fcbb59131e18ce52c20bb Mon Sep 17 00:00:00 2001
From: figaro2015
Date: Sat, 13 Feb 2021 08:37:01 -0800
Subject: [PATCH] Verification of the wss.pem certificate in mod_sofia application code. Display correct reason why sofia profile failed to create (#1067)

[mod_sofia] Verification of the wss.pem certificate in mod_sofia application code. Display correct reason why sofia profile failed to create.
---
 src/mod/endpoints/mod_sofia/sofia.c | 62 ++++++++++++++++++++++++++---
 1 file changed, 57 insertions(+), 5 deletions(-)

diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c
index d439b7f72f..7d8b2fe6eb 100644
--- a/src/mod/endpoints/mod_sofia/sofia.c
+++ b/src/mod/endpoints/mod_sofia/sofia.c
@@ -40,7 +40,7 @@
 *
 */
 #include "mod_sofia.h"
-
+#include
 extern su_log_t tport_log[];
 extern su_log_t iptsec_log[];
@@ -3149,6 +3149,16 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 switch_status_t st;
 char qname [128] = "";
+#if defined(HAVE_OPENSSL)
+ char *key = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.pem");
+ char *cert = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.pem");
+ char *chain = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.pem");
+ SSL_CTX *ssl_ctx;
+ const SSL_METHOD *ssl_method = SSLv23_server_method();
+#endif
+
+ switch_bool_t ssl_error = SWITCH_FALSE;
+
 switch_mutex_lock(mod_sofia_globals.mutex);
 mod_sofia_globals.threads++;
 switch_mutex_unlock(mod_sofia_globals.mutex);
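Review bot: The added `#include` (its header name is lost in this rendering, presumably `<openssl/ssl.h>`) is unconditional, while every OpenSSL use this patch introduces (hunks at 3149 and 3195) sits under `#if defined(HAVE_OPENSSL)`; unless the build always defines that macro, a build without OpenSSL now fails at this line instead of compiling the module without the check. Guard it the same way: `#if defined(HAVE_OPENSSL)` / `#include <openssl/ssl.h>` / `#endif`. The removed line is a blank, so the header directly follows `#include "mod_sofia.h"`, which is fine as long as `mod_sofia.h` is what defines `HAVE_OPENSSL` for this translation unit.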
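Review bot: `key`, `cert` and `chain` are all built from the same `"%s/%s"` of `profile->tls_cert_dir` and `"wss.pem"`, so the three names suggest three files that are in fact one path, and three identical strings are allocated from the profile pool each time the thread starts. One `char *wss_pem = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.pem");` serves the chain, certificate and key calls in the 3195 hunk and makes the single-file assumption visible. `SSLv23_server_method()` is the deprecated spelling; on OpenSSL 1.1.0 and later `TLS_server_method()` is the supported one, and since `SSL_CTX_new` takes a `const SSL_METHOD *` the `(SSL_METHOD *)` cast applied to `ssl_method` in the later hunk is not needed either. `ssl_error` is correctly declared outside the `#if`, since the 3302 and 3313 hunks read it unconditionally.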
@@ -3185,6 +3195,42 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 profile->tls_verify_in_subjects = su_strlst_dup_split((su_home_t *)profile->nua, profile->tls_verify_in_subjects_str, "|");
 }
+#if defined(HAVE_OPENSSL)
+ ssl_ctx = SSL_CTX_new((SSL_METHOD *)ssl_method);
+ switch_assert(ssl_ctx);
+
+ /* Disable SSLv2 */
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
+ /* Disable SSLv3 */
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
+ /* Disable TLSv1 */
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
+ /* Disable Compression CRIME (Compression Ratio Info-leak Made Easy) */
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
+
+ if (!SSL_CTX_use_certificate_chain_file(ssl_ctx, chain)) {
+ ssl_error = SWITCH_TRUE;
+ }
+
+ if (!ssl_error && !SSL_CTX_use_certificate_file(ssl_ctx, cert, SSL_FILETYPE_PEM)) {
+ ssl_error = SWITCH_TRUE;
+ }
+
+ if (!ssl_error && !SSL_CTX_use_PrivateKey_file(ssl_ctx, key, SSL_FILETYPE_PEM)) {
+ ssl_error = SWITCH_TRUE;
+ }
+
+ if (!ssl_error && !SSL_CTX_check_private_key(ssl_ctx)) {
+ ssl_error = SWITCH_TRUE;
+ }
+
+ if (ssl_error) {
+ attempts = profile->bind_attempts;
+ }
+
+ SSL_CTX_free(ssl_ctx);
+#endif
+
 do {
 profile->nua = nua_create(profile->s_root, /* Event loop */
 sofia_event_callback, /* Callback for processing events */
@@ -3256,7 +3302,7 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 TPTAG_REUSE(0)),
 TAG_END()); /* Last tag should always finish the sequence */
- if (!profile->nua) {
+ if (!ssl_error && !profile->nua) {
 switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Error Creating SIP UA for profile: %s (%s) ATTEMPT %d (RETRY IN %d SEC)\n",
 profile->name, profile->bindurl, attempts + 1, profile->bind_attempt_interval);
 if (attempts < profile->bind_attempts) {
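Review bot: Each failed load in this hunk only sets `ssl_error = SWITCH_TRUE`; the OpenSSL error queue, which records which step failed and why (file not found, PEM parse error, key/certificate mismatch), is never read, so the operator learns nothing beyond "bad certificate" even though the commit's purpose is to show the real reason. Inside `if (ssl_error) {` read it before giving up, e.g. `char err[256] = ""; ERR_error_string_n(ERR_get_error(), err, sizeof err);` followed by `switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Profile %s: cannot load %s: %s\n", profile->name, cert, err);` (needs `<openssl/err.h>`), and call `ERR_clear_error();` before the first load so a stale queue entry from elsewhere is not reported. The four `SSL_CTX_set_options` calls configure a throwaway context that is freed at the end of the hunk and never serves a connection, so they do not harden the WSS listener; a comment saying the context exists only to validate the files, or dropping them, would stop a reader taking them for the listener's protocol policy. `switch_assert(ssl_ctx)` aborts the whole process if `SSL_CTX_new` fails, where `ssl_error = SWITCH_TRUE` would keep the failure local to this profile, and `SSL_CTX_use_certificate_chain_file` already loads the leaf certificate, so the `SSL_CTX_use_certificate_file` call on the same path is redundant.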
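Review bot: With `ssl_error` set, `nua_create` still runs, and a failure of its own (address already in use, non-local bind address) is now skipped by the added `!ssl_error &&` guard, never retried because the 3195 hunk set `attempts = profile->bind_attempts`, and finally reported by the 3313 hunk as a certificate problem, so two distinct faults collapse into one misleading message. Either skip the whole create loop when the certificate check failed (`if (!ssl_error) { do { … } while (…); }`), or leave this line as `if (!profile->nua) {` and let the message mention both causes. The do/while this condition belongs to begins and ends outside the hunk.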
@@ -3267,9 +3313,15 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 } while (!profile->nua && attempts++ < profile->bind_attempts);
 if (!profile->nua) {
- switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Error Creating SIP UA for profile: %s (%s)\n"
- "The likely causes for this are:\n" "1) Another application is already listening on the specified address.\n"
- "2) The IP the profile is attempting to bind to is not local to this system.\n", profile->name, profile->bindurl);
+ if (!ssl_error) {
+ switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Error Creating SIP UA for profile: %s (%s)\n"
+ "The likely causes for this are:\n" "1) Another application is already listening on the specified address.\n"
+ "2) The IP the profile is attempting to bind to is not local to this system.\n", profile->name, profile->bindurl);
+ } else {
+ switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR,
+ "Error Creating SIP UA for profile: %s (%s). Bad WSS.PEM certificate.\n", profile->name, profile->bindurl);
+ }
+
 sofia_profile_start_failure(profile, profile->name);
 sofia_glue_del_profile(profile);
 goto end;
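Review bot: The new else branch names the file but not the directory it was loaded from, so the operator still has to look up `profile->tls_cert_dir` to check the right file; `"Error Creating SIP UA for profile: %s (%s). Bad certificate %s/wss.pem.\n", profile->name, profile->bindurl, profile->tls_cert_dir` puts the full path in the message, matching how the 3149 hunk builds it. The first branch is the previous message moved one level deeper, unchanged. sofia_profile_thread_run continues past this hunk; the `end:` label the `goto` targets is outside it.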