kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-06 12:36:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

sip_to_pjsip: Map the TLS method correctly.

Browse Source 
When using the migration script sip_to_pjsip.py and tlsclientmethod is not set
in sip.conf, the default value of chan_sip (sslv23) is copied to pjsip.conf, to
overwrite the default of the PJProject (tlsv1). This makes sure, res_pjsip is
offering/using not just TLSv1.0 but TLSv1.2 as well.

ASTERISK-22374

Change-Id: Ie530a3dae9926ae14f3920a21be1e2edb15bda4f
This commit is contained in:
Alexander Traud
2016-08-18 15:19:15 +02:00
parent b35779c6c6
commit e55d1e47aa
1 changed files with 18 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
contrib/scripts/sip_to_pjsip/sip_to_pjsip.py
View File

@@ -731,11 +731,6 @@ def set_tls_verifyserver(val, pjsip, nmapped):
'transport') 'transport')
def set_tls_method(val, pjsip, nmapped):
"""Sets method based on sip.conf tlsclientmethod or sslclientmethod"""
set_value('method', val, 'transport-tls', pjsip, nmapped, 'transport')
def create_tls(sip, pjsip, nmapped): def create_tls(sip, pjsip, nmapped):
""" """
Creates a 'transport-tls' section in pjsip.conf based on the following Creates a 'transport-tls' section in pjsip.conf based on the following
@@ -759,8 +754,7 @@ def create_tls(sip, pjsip, nmapped):
(['tlscipher', 'sslcipher'], set_tls_cipher), (['tlscipher', 'sslcipher'], set_tls_cipher),
(['tlscafile'], set_tls_cafile), (['tlscafile'], set_tls_cafile),
(['tlsverifyclient'], set_tls_verifyclient), (['tlsverifyclient'], set_tls_verifyclient),
(['tlsdontverifyserver'], set_tls_verifyserver), (['tlsdontverifyserver'], set_tls_verifyserver)
(['tlsclientmethod', 'sslclientmethod'], set_tls_method)
] ]
try: try:
@@ -780,6 +774,23 @@ def create_tls(sip, pjsip, nmapped):
except LookupError: except LookupError:
pass pass
try:
method = sip.multi_get('general', ['tlsclientmethod', 'sslclientmethod'])[0]
print 'In chan_sip, you specified the TLS version. With chan_sip, this was just for outbound client connections. In chan_pjsip, this value is for client and server. Instead, consider not to specify \'tlsclientmethod\' for chan_sip and \'method = sslv23\' for chan_pjsip.'
except LookupError:
"""
OpenSSL emerged during the 90s. SSLv2 and SSLv3 were the only
existing methods at that time. The OpenSSL project continued. And as
of today (OpenSSL 1.0.2) this does not start SSLv2 and SSLv3 anymore
but TLSv1.0 and v1.2. Or stated differently: This method should
have been called 'method = secure' or 'method = automatic' back in
the 90s. The PJProject did not realize this and uses 'tlsv1' as
default when unspecified, which disables TLSv1.2. chan_sip used
'sslv23' as default when unspecified, which gives TLSv1.0 and v1.2.
"""
method = 'sslv23'
set_value('method', val, 'transport-tls', pjsip, nmapped, 'transport')
set_transport_common('transport-tls', pjsip, nmapped) set_transport_common('transport-tls', pjsip, nmapped)
try: try:
extern_addr = sip.multi_get('general', ['externaddr', 'externip', extern_addr = sip.multi_get('general', ['externaddr', 'externip',