Travis Cross
6a3dcc9e0f
Drop null-auth suites from our default TLS cipher list
Previously we disallowed anonymous Diffie-Hellman, but there are other
kinds of null-authentication TLS suites. In particular, disallowing
AECDH is important now that we support elliptic-curve Diffie-Hellman.
2014-03-05 21:37:30 +00:00
Travis Cross
c0101e2ce6
Allow setting TLS cipher suites through Sofia-SIP API
Previously there was no way to override the hard-coded cipher suite
specification of "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
This commit does leave in place the hardcoded cipher spec for WebRTC
of "HIGH:!DSS:!aNULL@STRENGTH".
2014-02-06 06:04:02 +00:00
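The two entries above quote the cipher specs without showing what they admit. The block below is an added example, not FreeSWITCH or sofia-sip code: it resolves each spec through the OpenSSL build behind Python's ssl module and flags suites whose description carries "Au=None", the marker `openssl ciphers -v` prints for anonymous (ADH and AECDH) key exchange. The first two specs are the ones quoted in the commit messages; the third, `ASSUMED_FIXED`, is an assumption about the corrected form, widening `!ADH` to the `!aNULL` alias so that AECDH is excluded as well.

```python
"""Audit OpenSSL cipher-suite specs for null-authentication suites.

Added example, not FreeSWITCH or sofia-sip code. Resolves each spec with
the OpenSSL build behind Python's ssl module and flags suites whose
description reads "Au=None", which is how `openssl ciphers -v` marks
anonymous (ADH / AECDH) key exchange.
"""
import ssl

OLD_DEFAULT = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"      # quoted in commit c0101e2ce6
WEBRTC = "HIGH:!DSS:!aNULL@STRENGTH"                   # quoted in commit c0101e2ce6
ASSUMED_FIXED = "ALL:!aNULL:!LOW:!EXP:!MD5:@STRENGTH"  # assumption: !ADH widened to !aNULL


def enumerate_suites(spec):
    """Cipher dicts OpenSSL resolves `spec` to.

    Raises ssl.SSLError if the spec is unparsable or matches nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def is_anonymous(cipher):
    """True for suites that authenticate nobody (ADH, AECDH)."""
    return "Au=None" in cipher["description"]


def audit(spec):
    """Summarise a spec: total suite count and the names of any anonymous ones."""
    try:
        suites = enumerate_suites(spec)
    except ssl.SSLError as exc:
        return {"spec": spec, "error": str(exc)}
    return {
        "spec": spec,
        "total": len(suites),
        "anonymous": [c["name"] for c in suites if is_anonymous(c)],
    }


def only_in_first(spec_a, spec_b):
    """Suite names spec_a admits that spec_b rejects."""
    names_b = {c["name"] for c in enumerate_suites(spec_b)}
    return [c["name"] for c in enumerate_suites(spec_a) if c["name"] not in names_b]


if __name__ == "__main__":
    for spec in (OLD_DEFAULT, WEBRTC, ASSUMED_FIXED):
        print(audit(spec))
    # Exactly the AECDH suites: excluded by !aNULL, missed by !ADH.
    print("admitted by !ADH but not by !aNULL:", only_in_first(OLD_DEFAULT, ASSUMED_FIXED))
```

Whatever `!ADH` leaves behind under `OLD_DEFAULT` can only be AECDH suites, because the `ADH` alias covers finite-field anonymous DH only; `aNULL` covers both, which is the point of the "Drop null-auth suites" change. On an OpenSSL build that ships without anonymous suites both lists are simply empty.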
Anthony Minessale
668f4a6207
working mo better
2013-03-31 21:27:20 -05:00
Travis Cross
c85c8d7bbd
Add mechanism to set OpenSSL session timeout
In a sofia profile, you can now set the parameter tls-timeout to a
positive integer value which represents the maximum time in seconds
that OpenSSL will keep a TLS session (and its ephemeral keys) alive.
This value is passed to OpenSSL's SSL_CTX_set_timeout(3).
OpenSSL's default value is 300 seconds, but the relevant standard
(RFC 2246) suggests that much longer session lifetimes are
acceptable (it recommends values less than 24 hours).
Longer values can be useful for extending battery life on mobile
devices.
Signed-off-by: Travis Cross <tc@traviscross.com>
2012-06-11 21:46:05 +00:00
Marc Olivier Chouinard
f97a3266df
FS-3071 I've committed the upstream passphrase backport
2011-12-18 11:04:59 -05:00
Michael Jerris
38dabb3635
Thu Jan 15 09:50:45 CST 2009 Jarod Neuner <janeuner@networkharbor.com>
* TLS Subject Checking in tport
sofia-sip/tport.h:
* tport_delivered_from_subjects() returns type (su_strlst_t const *)
* Export tport_subject_search()
sofia-sip/tport_tag.h + tport_tag.c:
* Remove TPTAG_TLS_VERIFY_PEER()
- Deprecated. Use TPTAG_TLS_VERIFY_POLICY instead.
- Binary Compatibility is preserved.
* Add TPTAG_TLS_VERIFY_POLICY()
- tport can verify incoming and/or outgoing connections, using:
1) Certificate Signatures only - or -
2) Certificate Signatures and Certificate Subjects
* Add TPTAG_TLS_VERIFY_DEPTH()
- Restrict certificate chain verification to a set length.
* Add TPTAG_TLS_VERIFY_DATE()
- Disable notBefore/notAfter checking (application: embedded devices)
* Add TPTAG_TLS_VERIFY_SUBJECTS()
- Incoming connections must present client certificates with subjects
that match an item in this list.
- Intended Use: Proxy Authentication
* Replaced TPTAG_TRUSTED() with TPTAG_X509_SUBJECT()
- Commented out for future use.
- Intended Use: SIP User Identities in Server Certificates.
* Add appropriate doxygen documentation.
tport.c
* Add tport_subject_search()
- Subject can be a hostname, IP Address, or a URI.
- Valid subject examples include:
example.com
alice@example.com
sip:alice@example.com
sips:alice@example.com
* tport_by_addrinfo() matches tpn_canon against the subject list
of reusable TLS connections.
tport_tls.h:
* Add tls_init_secondary()
* Remove tls_init_slave() & tls_init_client()
tport_tls.c:
* tls_verify_cb() supports TPTAG_TLS_VERIFY_DATE()
* tls_post_connection_check() verifies certificate subjects.
* tls_init_secondary()
- Replaces tls_init_slave(), tls_init_client(), and tls_clone().
tport_type_tls.c:
* Removed erroneous reference to tport_tls_deliver()
* Fix a memory leak caused by duplicate calls to tls_clone().
* Populate the (tport_t *)->tp_subjects field with peer certificate data for
new secondary connections.
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@11830 d0543943-73ff-0310-b7d9-9358b9ac24b2
2009-02-11 17:03:59 +00:00
Michael Jerris
52fa079b2b
Tue Dec 16 16:19:37 CST 2008 Jarod Neuner <janeuner@networkharbor.com>
* Early TLS Handshake and Verification
tport_type_tls.c:
* tport_tls_accept():
- Replaces tport_accept for incoming TLS connections.
* tport_tls_connect():
- Replaces tport_base_connect() for outgoing TLS connections.
tport_tls.c:
* tls_t now use a memory home instead of malloc.
* removed tls_check_hosts()
* tls_connect():
- Replaces tport_base_connect for TLS connection setup.
- Completes TLS handshake and verifies peer certificates.
- Destroys suspect TLS connections before sending/receiving payload.
- Populates a su_strlst_t with subjects from the peer certificate.
tport.c:
* tport_is_verified()
- true if peer certificate validated successfully
* tport_delivered_from_subjects()
- Certificate subjects listed in the peer certificate.
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@11769 d0543943-73ff-0310-b7d9-9358b9ac24b2
2009-02-11 16:11:33 +00:00
Michael Jerris
253c81bb45
Wed Nov 26 12:42:31 CST 2008 Paulo Pizarro <paulo DOT pizarro AT gmail DOT com>
* tport: new tag TPTAG_TLS_VERIFY_PEER
With this tag, the verification of certificates can be controlled:
0: no verify certificates.
1: on server mode, the certificate returned by client is checked and
if fail the TLS/SSL handshake is immediately terminated.
1: on client mode, the server certificate is verified and
if fail the TLS/SSL handshake is immediately terminated.
I added this tag because I'd like my application not to connect to a
server with an untrusted certificate.
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@10824 d0543943-73ff-0310-b7d9-9358b9ac24b2
2008-12-16 20:26:19 +00:00
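The three TLS-verification entries above (TPTAG_TLS_VERIFY_PEER, the early handshake and verification work, and the TPTAG_TLS_VERIFY_POLICY family that replaced the 0/1 tag) describe a policy but do not show the decision it produces. The block below is an added example, not sofia-sip or FreeSWITCH code: a self-contained Python model of that decision. The flag names and bit values are this example's own (assumed analogues of the TPTLS_VERIFY_* policy, not copied from tport_tag.h), `Peer` is a constructed stand-in for what tls_post_connection_check() learns from the handshake, and the subject comparison is an exact case-insensitive match, which is an assumption about how tport_subject_search() treats the hostname, IP and URI forms listed above.

```python
"""Decision model for tport-style TLS peer verification.

Added example, not sofia-sip or FreeSWITCH code. Models verifying incoming
and/or outgoing connections by chain signature, optionally also by
certificate subject, with a maximum chain depth and a switch for
notBefore/notAfter checking. Flag layout, Peer record and the exact
subject match are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Policy bits (assumed layout; combine with |).
VERIFY_NONE = 0x0
VERIFY_IN = 0x1       # verify client certificates on connections we accept
VERIFY_OUT = 0x2      # verify server certificates on connections we open
SUBJECTS_IN = 0x4     # ...and require a subject from the configured list
SUBJECTS_OUT = 0x8    # ...and require the name we dialled to appear
VERIFY_ALL = VERIFY_IN | VERIFY_OUT
VERIFY_SUBJECTS_ALL = VERIFY_ALL | SUBJECTS_IN | SUBJECTS_OUT


@dataclass
class Policy:
    flags: int = VERIFY_NONE
    depth: int = 2                  # analogue of TPTAG_TLS_VERIFY_DEPTH
    check_dates: bool = True        # analogue of TPTAG_TLS_VERIFY_DATE
    subjects: List[str] = field(default_factory=list)  # analogue of TPTAG_TLS_VERIFY_SUBJECTS


@dataclass
class Peer:
    """Constructed summary of the far end; not parsed from real X.509."""
    signature_ok: bool      # chain validated against the trust store
    dates_ok: bool          # every certificate inside its validity window
    chain_depth: int        # number of CA certificates above the leaf
    subjects: List[str]     # CN plus DNS/IP/URI names, like tport's tp_subjects list


@dataclass
class Verdict:
    accepted: bool
    verified: bool          # what tport_is_verified() would report
    reason: str


def subject_matches(wanted: str, offered: List[str]) -> bool:
    """Exact, case-insensitive match (assumption): 'example.com',
    'alice@example.com' and 'sip:alice@example.com' are distinct subjects."""
    w = wanted.strip().lower()
    return any(w == s.strip().lower() for s in offered)


def verify_connection(policy: Policy, direction: str, peer: Peer,
                      dialled: Optional[str] = None) -> Verdict:
    """direction is 'in' for accepted connections, 'out' for ones we opened.
    Rejection happens before any payload is exchanged."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    verify_bit = VERIFY_IN if direction == "in" else VERIFY_OUT
    subject_bit = SUBJECTS_IN if direction == "in" else SUBJECTS_OUT

    if not policy.flags & verify_bit:
        # Policy is silent on this direction: the connection proceeds unverified.
        return Verdict(True, False, "no verification required for %s" % direction)
    if peer.chain_depth > policy.depth:
        return Verdict(False, False, "chain depth %d exceeds limit %d" % (peer.chain_depth, policy.depth))
    if not peer.signature_ok:
        return Verdict(False, False, "certificate chain did not validate")
    if policy.check_dates and not peer.dates_ok:
        return Verdict(False, False, "certificate outside notBefore/notAfter window")
    if policy.flags & subject_bit:
        if direction == "in":
            if not any(subject_matches(s, peer.subjects) for s in policy.subjects):
                return Verdict(False, False, "no configured subject in peer certificate")
        elif dialled is None or not subject_matches(dialled, peer.subjects):
            return Verdict(False, False, "peer certificate does not name %r" % dialled)
    return Verdict(True, True, "verified")


if __name__ == "__main__":
    # Proxy authentication: only a trunk presenting one of these subjects gets in.
    proxy = Policy(flags=VERIFY_IN | SUBJECTS_IN, subjects=["sip:trunk@example.com", "192.0.2.10"])
    trunk = Peer(True, True, 1, ["sbc1.example.com", "sip:trunk@example.com"])
    print(verify_connection(proxy, "in", trunk))
    print(verify_connection(proxy, "in", Peer(True, True, 1, ["example.com"])))
```

Two consequences worth noticing in the model: a connection in a direction the policy does not cover is accepted but reported as unverified, so callers must consult the verified flag rather than assume acceptance implies identity; and the date switch only relaxes the validity-window check, never the signature or subject checks, which is the embedded-device trade-off the TPTAG_TLS_VERIFY_DATE entry describes.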
Michael Jerris
d8c4d22d40
merge whitespace fixes from sofia-sip tree
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@10802 d0543943-73ff-0310-b7d9-9358b9ac24b2
2008-12-16 18:05:22 +00:00
Michael Jerris
5e81b98eba
Sync to current darcs tree:
Mon Sep 17 14:50:04 EDT 2007 Pekka.Pessi@nokia.com
* sofia-sip/sip_util.h: updated documentation
Mon Sep 17 14:50:18 EDT 2007 Pekka.Pessi@nokia.com
* sofia-sip/tport_tag.h: updated documentation
Mon Sep 17 14:50:28 EDT 2007 Pekka.Pessi@nokia.com
* soa_tag.c: updated documentation
Wed Sep 19 12:50:01 EDT 2007 Pekka.Pessi@nokia.com
* msg: updated documentation
Wed Sep 19 13:29:50 EDT 2007 Pekka.Pessi@nokia.com
* url: updated documentation
Wed Sep 19 13:32:14 EDT 2007 Pekka.Pessi@nokia.com
* nth: updated documentation
Wed Sep 19 13:32:27 EDT 2007 Pekka.Pessi@nokia.com
* nea: updated documentation
Wed Sep 19 13:33:36 EDT 2007 Pekka.Pessi@nokia.com
* http: updated documentation
Wed Sep 19 13:36:58 EDT 2007 Pekka.Pessi@nokia.com
* bnf: updated documentation
Wed Sep 19 13:38:58 EDT 2007 Pekka.Pessi@nokia.com
* nua: updated nua_stack_init_handle() prototype
Wed Sep 19 18:45:56 EDT 2007 Pekka.Pessi@nokia.com
* sip: added sip_name_addr_xtra(), sip_name_addr_dup()
Wed Sep 19 19:00:19 EDT 2007 Pekka.Pessi@nokia.com
* sip_basic.c: cleaned old crud
Thu Sep 20 13:34:04 EDT 2007 Pekka.Pessi@nokia.com
* iptsec: updated documentation
Thu Sep 20 13:36:22 EDT 2007 Pekka.Pessi@nokia.com
* tport: updated documentation
Thu Sep 20 13:36:56 EDT 2007 Pekka.Pessi@nokia.com
* su: updated documentation
Removed internal files from doxygen-generated documentation.
Thu Sep 20 13:38:29 EDT 2007 Pekka.Pessi@nokia.com
* soa: fixed documentation
Thu Sep 20 13:39:56 EDT 2007 Pekka.Pessi@nokia.com
* sdp: updated documentation
Thu Sep 20 13:40:16 EDT 2007 Pekka.Pessi@nokia.com
* ipt: updated documentation
Thu Sep 20 14:24:20 EDT 2007 Pekka.Pessi@nokia.com
* nta: updated documentation
Thu Sep 20 14:41:04 EDT 2007 Pekka.Pessi@nokia.com
* nua: updated documentation
Updated tag documentation.
Moved doxygen doc entries from sofia-sip/nua_tag.h to nua_tag.c.
Removed internal datatypes and files from the generated documents.
Wed Sep 19 13:34:20 EDT 2007 Pekka.Pessi@nokia.com
* docs: updated the generation of documentation. Updated links to header files.
Thu Sep 20 08:45:32 EDT 2007 Pekka.Pessi@nokia.com
* sip/Makefile.am: added tags to <sofia-sip/sip_extra.h>
Added check for extra tags in torture_sip.c.
Thu Sep 20 14:45:22 EDT 2007 Pekka.Pessi@nokia.com
* stun: updated documentation
Wed Jul 4 18:55:20 EDT 2007 Pekka.Pessi@nokia.com
* torture_heap.c: added tests for ##sort() and su_smoothsort()
Wed Jul 4 18:56:59 EDT 2007 Pekka.Pessi@nokia.com
* Makefile.am: added smoothsort.c
Fri Jul 13 12:38:44 EDT 2007 Pekka.Pessi@nokia.com
* sofia-sip/heap.h: heap_remove() now set()s index to 0 on removed item
Mon Jul 23 11:14:22 EDT 2007 Pekka.Pessi@nokia.com
* sofia-sip/heap.h: fixed bug in heap##remove()
If left kid was in heap but right was not, left kid was ignored.
Wed Jul 4 18:51:08 EDT 2007 Pekka.Pessi@nokia.com
* smoothsort.c: added
Wed Jul 4 18:51:34 EDT 2007 Pekka.Pessi@nokia.com
* heap.h: using su_smoothsort()
Fri Jul 6 10:20:27 EDT 2007 Pekka.Pessi@nokia.com
* smoothsort.c: added
Wed Sep 19 17:40:30 EDT 2007 Pekka.Pessi@nokia.com
* msg_parser.awk: generate two parser tables, default and extended
Wed Sep 19 18:39:45 EDT 2007 Pekka.Pessi@nokia.com
* msg_parser.awk: just generate list of extra headers
Allocate extended parser dynamically.
Wed Sep 19 18:59:59 EDT 2007 Pekka.Pessi@nokia.com
* sip: added Remote-Party-ID, P-Asserted-Identity, P-Preferred-Identity
Added functions sip_update_default_mclass() and sip_extend_mclass()
for handling the extended parser. Note that Reply-To and Alert-Info are only
available with the extended parser.
Wed Sep 19 19:05:44 EDT 2007 Pekka.Pessi@nokia.com
* RELEASE: updated
Thu Sep 20 13:38:59 EDT 2007 Pekka.Pessi@nokia.com
* sip: updated documentation
Thu Sep 20 14:17:28 EDT 2007 Pekka.Pessi@nokia.com
* docs/conformance.docs: updated
Mon Oct 1 10:11:14 EDT 2007 Pekka.Pessi@nokia.com
* tport_tag.c: re-enabled tptag_trusted
Thu Oct 4 09:21:07 EDT 2007 Pekka.Pessi@nokia.com
* su_osx_runloop.c: moved virtual function table after struct definition
Preparing for su_port_vtable_t refactoring.
Thu Oct 4 10:22:03 EDT 2007 Pekka.Pessi@nokia.com
* su_source.c: refactored initialization/deinitialization
Fri Oct 5 04:58:18 EDT 2007 Pekka Pessi <Pekka.Pessi@nokia.com>
* sip_extra.c: fixed prototypes with isize_t
Fri Oct 5 04:58:45 EDT 2007 Pekka Pessi <Pekka.Pessi@nokia.com>
* test_nta_api.c: removed warnings about signedness
Fri Oct 5 04:59:02 EDT 2007 Pekka Pessi <Pekka.Pessi@nokia.com>
* test_nua_params.c: removed warnings about constness
Fri Oct 5 07:20:26 EDT 2007 Pekka Pessi <first.lastname@nokia.com>
* su_port.h, su_root.c: cleaned argument checking
The su_root_*() and su_port_*() functions now check their arguments once
and do not assert() with NULL arguments. The sur_task->sut_port should
always be valid while su_root_t is alive.
Fri Oct 5 07:22:09 EDT 2007 Pekka Pessi <first.lastname@nokia.com>
* su: added su_root_obtain(), su_root_release() and su_root_has_thread()
When root is created with su_root_create() or cloned with su_clone_start(),
the resulting root is obtained by the calling or created thread,
respectively.
The root can be released with su_root_release() and another thread can
obtain it.
The function su_root_has_thread() can be used to check if a thread has
obtained or released the root.
Implementation upgraded the su_port_own_thread() method as su_port_thread().
Fri Oct 5 07:28:10 EDT 2007 Pekka Pessi <first.lastname@nokia.com>
* su_port.h: removed su_port_threadsafe() and su_port_yield() methods
su_port_wait_events() replaces su_port_yield().
Fri Oct 5 13:26:04 EDT 2007 Pekka Pessi <Pekka.Pessi@nokia.com>
* msg_parser.awk: not extending header structure unless needed.
Removed gawk-ish /* comments */.
Fri Oct 5 14:32:25 EDT 2007 Pekka Pessi <Pekka.Pessi@nokia.com>
* run_test_su: removed GNUisms
Fri Oct 5 14:32:47 EDT 2007 Pekka Pessi <Pekka.Pessi@nokia.com>
* Makefile.am: removed implicit check target test_urlmap
Fri Oct 5 14:22:32 EDT 2007 Pekka Pessi <first.lastname@nokia.com>
* torture_sresolv.c: use CLOCK_REALTIME if no CLOCK_PROCESS_CPUTIME_ID available
Casting timespec tv_sec to unsigned long.
Fri Oct * nua_s added handling nua_prack()
Thanks to Fabio Margarido for the patch.
Mon Oct 8 10:24:35 EDT 2007 Pekka.Pessi@nokia.com
* test_nua: added test for sf.net bug #1803686
Mon Oct 8 08:15:23 EDT 2007 Pekka.Pessi@nokia.com
* RELEASE: updated.
Mon Oct 8 09:30:36 EDT 2007 Pekka.Pessi@nokia.com
* nua_stack: added handling nua_prack()
Thanks to Fabio Margarido for the patch.
Mon Oct 8 10:24:35 EDT 2007 Pekka.Pessi@nokia.com
* test_nua: added test for sf.net bug #1803686
Mon Oct 8 10:26:31 EDT 2007 Pekka.Pessi@nokia.com
* nua: added test for nua_prack() (sf.net bug #1804248 )
Avoid sending nua_i_state after nua_prack() if no SDP O/A is happening, too.
Mon Oct 8 10:32:04 EDT 2007 Mikhail Zabaluev <mikhail.zabaluev@nokia.com>
* su_source.c: don't leak the wait arrays
Mon Oct 8 10:37:11 EDT 2007 Pekka.Pessi@nokia.com
* RELEASE: updated
Wed Oct 10 11:55:21 EDT 2007 Pekka.Pessi@nokia.com
* sip_parser.c: silenced warning about extra const in sip_extend_mclass()
Wed Oct 10 11:57:08 EDT 2007 Pekka.Pessi@nokia.com
* nta_tag.c: updated tag documentation
Wed Oct 10 13:16:40 EDT 2007 Pekka.Pessi@nokia.com
* nua: fix logging crash if outbound used with application contact
Silenced warnings.
Wed Oct 10 13:30:45 EDT 2007 Pekka.Pessi@nokia.com
* msg_parser.awk: removed extra "const"
Wed Oct 10 13:31:45 EDT 2007 Pekka.Pessi@nokia.com
* Makefile.am's: fixed distclean of documentation
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@5840 d0543943-73ff-0310-b7d9-9358b9ac24b2
2007-10-11 14:16:59 +00:00
Michael Jerris
2ecac238f3
add sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in-tree libs
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2
2006-12-21 06:30:28 +00:00