kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-06 12:36:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge "sip_to_pjsip: Map the TLS method correctly."

Browse Source
This commit is contained in:
Joshua Colp
2016-08-18 11:47:29 -05:00
committed by Gerrit Code Review
parent 0a09ab5b1c e55d1e47aa
commit 14284aee45
1 changed files with 18 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
contrib/scripts/sip_to_pjsip/sip_to_pjsip.py
View File

@@ -734,11 +734,6 @@ def set_tls_verifyserver(val, pjsip, nmapped):
'transport') 'transport')
def set_tls_method(val, pjsip, nmapped):
"""Sets method based on sip.conf tlsclientmethod or sslclientmethod"""
set_value('method', val, 'transport-tls', pjsip, nmapped, 'transport')
def create_tls(sip, pjsip, nmapped): def create_tls(sip, pjsip, nmapped):
""" """
Creates a 'transport-tls' section in pjsip.conf based on the following Creates a 'transport-tls' section in pjsip.conf based on the following
@@ -762,8 +757,7 @@ def create_tls(sip, pjsip, nmapped):
(['tlscipher', 'sslcipher'], set_tls_cipher), (['tlscipher', 'sslcipher'], set_tls_cipher),
(['tlscafile'], set_tls_cafile), (['tlscafile'], set_tls_cafile),
(['tlsverifyclient'], set_tls_verifyclient), (['tlsverifyclient'], set_tls_verifyclient),
(['tlsdontverifyserver'], set_tls_verifyserver), (['tlsdontverifyserver'], set_tls_verifyserver)
(['tlsclientmethod', 'sslclientmethod'], set_tls_method)
] ]
try: try:
@@ -783,6 +777,23 @@ def create_tls(sip, pjsip, nmapped):
except LookupError: except LookupError:
pass pass
try:
method = sip.multi_get('general', ['tlsclientmethod', 'sslclientmethod'])[0]
print 'In chan_sip, you specified the TLS version. With chan_sip, this was just for outbound client connections. In chan_pjsip, this value is for client and server. Instead, consider not to specify \'tlsclientmethod\' for chan_sip and \'method = sslv23\' for chan_pjsip.'
except LookupError:
"""
OpenSSL emerged during the 90s. SSLv2 and SSLv3 were the only
existing methods at that time. The OpenSSL project continued. And as
of today (OpenSSL 1.0.2) this does not start SSLv2 and SSLv3 anymore
but TLSv1.0 and v1.2. Or stated differently: This method should
have been called 'method = secure' or 'method = automatic' back in
the 90s. The PJProject did not realize this and uses 'tlsv1' as
default when unspecified, which disables TLSv1.2. chan_sip used
'sslv23' as default when unspecified, which gives TLSv1.0 and v1.2.
"""
method = 'sslv23'
set_value('method', val, 'transport-tls', pjsip, nmapped, 'transport')
set_transport_common('transport-tls', pjsip, nmapped) set_transport_common('transport-tls', pjsip, nmapped)
try: try:
extern_addr = sip.multi_get('general', ['externaddr', 'externip', extern_addr = sip.multi_get('general', ['externaddr', 'externip',