Rightly the use of wildcards in certificates is disallowed in accordance
with RFC5922. However, RFC2818 does make some allowances with regards to
their use when using subject alt names with DNS name types.
As such this patch creates a new setting for TLS transports called
'allow_wildcard_certs', which when it and 'verify_server' are both enabled
allows DNS name types, as well as the common name that start with '*.'
to match as a wildcard.
For instance: *.example.com
will match for: foo.example.com
Partial matching is not allowed, e.g. f*.example.com, foo.*.com, etc...
And the starting wildcard only matches for a single level.
For instance: *.example.com
will NOT match for: foo.bar.example.com
The new setting is disabled by default.
ASTERISK-30072 #close
Change-Id: If0be3fdab2e09c2a66bb54824fca406ebaac3da4
Currently, PJSIP will randomly wait up to 10 seconds for each
outbound registration's initial attempt. The reason for this
is to avoid having all outbound registrations attempt to register
simultaneously.
This can create limitations with the test suite where we need to
be able to receive inbound calls potentially within 10 seconds of
starting up. For instance, we might register to another server
and then try to receive a call through the registration, but if
the registration hasn't happened yet, this will fail, and hence
this inconsistent behavior can cause tests to fail. Ultimately,
this requires a smaller random value because there may be no good
reason to wait for up to 10 seconds in these circumstances.
To address this, a new config option is introduced which makes this
maximum delay configurable. This allows, for instance, this to be
set to a very small value in test systems to ensure that registrations
happen immediately without an unnecessary delay, and can be used more
generally to control how "tight" the initial outbound registrations
are.
ASTERISK-29965 #close
Change-Id: Iab989a8e94323e645f3a21cbb6082287c7b2f3fd
Added the hear_own_join_sound option to the confbridge user profile to
control who hears the sound_join audio file. When set to 'yes' the user
entering the conference and the participants already in the conference
will hear the sound_join audio file. When set to 'no' the user entering
the conference will not hear the sound_join audio file, but the
participants already in the conference will hear the sound_join audio
file.
ASTERISK-29931
Added by Michael Cargile
Change-Id: I856bd66dc0dfa057323860a6418c1371d249abd2
Currently, if any custom ring cadences are specified, they are
appended to the array of cadences from wherever we left off
last time. This works properly the first time, but on subsequent
dahdi restarts, it means that the existing cadences are left
alone and (most likely) the same cadences are then re-added
afterwards. In short order, the cadence array gets maxed out
and the user begins seeing warnings that the array is full
and no more cadences may be added.
This buggy behavior persists until Asterisk is completely
restarted; however, if and when dahdi restart is run again,
then the same problem is reintroduced.
This fixes this behavior so that cadence parsing is more
idempotent, that is so running dahdi restart multiple times
starts adding cadences from the beginning, rather than from
wherever the last cadence was added.
As before, it is still not possible to revert to the default
cadences by simply removing all cadences in this manner, nor
is it possible to delete existing cadences. However, this
does make it possible to update existing cadences, which
was not possible before, and also ensures that the cadences
remain unchanged if the config remains unchanged.
ASTERISK-29990 #close
Change-Id: Ie32ea3e8a243b766756b1afce684d4a31ee7421d
Removes a couple sample config files for modules
which have since been removed from Asterisk.
ASTERISK-30008 #close
Change-Id: I6be89cafc6c575d98a5315e4912b61a833aacf52
added new global config option "allow_sending_180_after_183"
that if enabled will preserve 180 after a 183
ASTERISK-29842
Change-Id: I8a53f8c35595b6d16d8e86e241b5f110d92f3d18
Add framework to connect to, and read and write protocol based
messages from and to an external application using an Asterisk
External Application Protocol (AEAP). This has been divided into
several abstractions:
1. transport - base communication layer (currently websocket only)
2. message - AEAP description and data (currently JSON only)
3. transaction - links/binds requests and responses
4. aeap - transport, message, and transaction handler/manager
This patch also adds an AEAP implementation for speech to text.
Existing speech API callbacks for speech to text have been completed
making it possible for Asterisk to connect to a configured external
translator service and provide audio for STT. Results can also be
received from the external translator, and made available as speech
results in Asterisk.
Unit tests have also been created that test the AEAP framework, and
also the speech to text implementation.
ASTERISK-29726 #close
Change-Id: Iaa4b259f84aa63501e5fd2a6fb107f900b4d4ed2
The async_operations setting on a transport configures how
many simultaneous incoming packets the transport can handle
when multiple threads are polling and waiting on the transport.
As we only use a single thread this was needlessly creating
incoming packets when set to a non-default value, wasting memory.
ASTERISK-30006
Change-Id: I1915973ef352862dc2852a6ba4cfce2ed536e68f
Adds a new configuration option, stir_shaken_profile, in pjsip.conf that
can be specified on a per endpoint basis. This option will reference a
stir_shaken_profile that can be configured in stir_shaken.conf. The type
of this option must be 'profile'. The stir_shaken option can be
specified on this object with the same values as before (attest, verify,
on), but it cannot be off since having the profile itself implies wanting
STIR/SHAKEN support. You can also specify an ACL from acl.conf (along
with permit and deny lines in the object itself) that will be used to
limit what interfaces Asterisk will attempt to retrieve information from
when reading the Identity header.
ASTERISK-29476
Change-Id: I87fa61f78a9ea0cd42530691a30da3c781842406
Some databases depending on their configuration using backslashes
for escaping. When combined with the use of ' this can result in
a broken func_odbc query.
This change adds a SQL_ESC_BACKSLASHES dialplan function which can
be used to escape the backslashes.
This is done as a dialplan function instead of being always done
as some databases do not require this, and always doing it would
result in incorrect data being put into the database.
ASTERISK-29838
Change-Id: I152bf34899b96ddb09cca3e767254d8d78f0c83d
Adds the m option to the Queue application, which allows a
music on hold class to be specified at runtime which will
override the class configured in queues.conf.
This option functions like the m option to Dial.
ASTERISK-29876 #close
Change-Id: Ie25a48569cf8755c305c9438b1ed292c3adcf8d7
Removes some leftover build and config references to
modules that have since been removed from Asterisk.
ASTERISK-29935 #close
Change-Id: Iaefc73a23f4b2de3c6c14d928050135b6d0ef6af
pbx.digium.com no longer accepts IAX2 calls and
there are no plans for it to come back.
Accordingly, nonworking IAX2 URIs are removed from
both the LICENSE file and the sample config.
ASTERISK-29923 #close
Change-Id: I257c54d4d812ed6b4bd4cbec2cd7ebe2b87b5bad
Whereas BLFs allow to show a display name for each RLS entry,
the asterisk provides only the extension now.
This is not end user friendly.
This commit adds a new resource_list option, resource_display_name,
to indicate whether display name of resource or the resource name being
provided for RLS entries.
If this option is enabled, the Display Name will be provided.
This option is disabled by default to remain the previous behavior.
If the 'event' set to 'presence' or 'dialog' the non-empty HINT name
will be set as the Display Name.
The 'message-summary' is not supported yet.
ASTERISK-29891 #close
Change-Id: Ic5306bd5a7c73d03f5477fe235e9b0f41c69c681
The disabledevents setting has been added to the general section
in manager.conf, which allows users to specify events that
should be globally disabled and not sent to any AMI listeners.
This allows for processing of these AMI events to end sooner and,
for frequent AMI events such as Newexten which users may not have
any need for, allows them to not be processed. Additionally, it also
cleans up core debug as previously when debug was 3 or higher,
the debug was constantly spammed by "Analyzing AMI event" messages
along with a complete dump of the event contents (often for Newexten).
ASTERISK-29853 #close
Change-Id: Id42b9a3722a1f460d745cad1ebc47c537fd4f205
added res_pjsip_outbound_registration to .requires in AST_MODULE_INFO
which fixes issue with module crashes on load "FRACK!, Failed assertion"
ASTERISK-29871
Change-Id: Ia0f49d048427a40e1b763296b834a52a03610096
Adds a new option, defaultenabled, to the CDR core to
control whether or not CDR is enabled on a newly created
channel. This allows CDR to be disabled by default on
new channels and require the user to explicitly enable
CDR if desired. Existing behavior remains unchanged.
ASTERISK-29808 #close
Change-Id: Ibb78c11974bda229bbb7004b64761980e0b2c6d1
Fixes 12pm noon incorrectly returning 0/a.m.
Also fixes a misspelling typo in the config.
ASTERISK-29695 #close
Change-Id: Ie40f9618636eb4c483b449bd707a5dcffca5c406
Includes some minor updates to extensions.conf
and iax.conf. In particular, the demonstration
of macros in extensions.conf is removed, as
Macro is deprecated and will be removed soon.
These examples have been replaced with examples
demonstrating the usage of Gosub instead.
The older exten => ...,n syntax is also mostly
replaced with the same keyword to demonstrate the
newer, more concise way of defining extensions.
IAXTEL no longer exists, so this example is replaced
with something more generic.
Some documentation is also added to extensions.conf
and iax.conf to clarify some of the new expanded
encryption capabilities with IAX2.
ASTERISK-29758 #close
Change-Id: I04fba9671aa1ee9ba1bd5027061f80bbe38e7b46
Correct typos of the following word families:
password
excludes
undesirable
checksums
through
screening
interpreting
database
causes
initiation
member
busydetect
defined
severely
throughput
recognized
counter
require
indefinitely
accounts
ASTERISK-29714
Change-Id: Ie8f2a7b274a162dd627ee6a2165f5e8a3876527e
The search for a running asterisk when --running is used
has been greatly simplified and in the event it doesn't
work, you can now specify a pid to use on the command
line with --pid.
The search for asterisk modules when --tarball-coredumps
is used has been enhanced to have a better chance of finding
them and in the event it doesn't work, you can now specify
--libdir on the command line to indicate the library directory
where they were installed.
The DATEFORMAT variable was renamed to DATEOPTS and is now
passed to the 'date' utility rather than running DATEFORMAT
as a command.
The coredump and output files are now renamed with DATEOPTS.
This can be disabled by specifying --no-rename.
Several confusing and conflicting options were removed:
--append-coredumps
--conffile
--no-default-search
--tarball-uniqueid
The script was re-structured to make it easier for follow.
Change-Id: I674be64bdde3ef310b6a551d4911c3b600ffee59
In res_pjsip_sdp_rtp, the bind_rtp_to_media_address option and the
fallback use of the transport's bind address solve problems sending
media on systems that cannot send ipv4 packets on ipv6 sockets, and
certain other situations. This change extends both of these behaviors
to UDPTL sessions as well in res_pjsip_t38, to fix fax-specific
problems on these systems, introducing a new option
endpoint/t38_bind_udptl_to_media_address.
ASTERISK-29402
Change-Id: I87220c0e9cdd2fe9d156846cb906debe08c63557
The behavior of max_contacts and remove_existing are connected. If
remove_existing is enabled, the soonest expiring contacts are removed.
This may occur when there is an unavailable contact. Similarly,
when remove_existing is not enabled, registrations from good
endpoints are rejected in favor of retaining unavailable contacts.
This commit adds a new AOR option remove_unavailable, and the effect
of this setting will depend on remove_existing. If remove_existing
is set to no, we will still remove unavailable contacts when they
exceed max_contacts, if there are any. If remove_existing is set to
yes, we will prioritize the removal of unavailable contacts before
those that are expiring soonest.
ASTERISK-29525
Change-Id: Ia2711b08f2b4d1177411b1be23e970d7fdff5784
Adds the ability for users to log to custom log levels
by providing custom log level names in logger.conf. Also
adds a logger show levels CLI command.
ASTERISK-29529
Change-Id: If082703cf81a436ae5a565c75225fa8c0554b702
This allows the STUN server to change its IP address without having to
reload the res_rtp_asterisk module.
The refresh of the name resolution occurs first when the module is
loaded, then recurringly, slightly after the previous DNS answer TTL
expires.
ASTERISK-29508 #close
Change-Id: I7955a046293f913ba121bbd82153b04439e3465f
This changeset is intended to address compatibility issues encountered
when interfacing Asterisk to electromechanical telephone switches that
implement ANI-B, ANI-C, or ANI-D.
In particular the behaviours that this impacts include:
- FGC-CAMA did not work at all when using MF signaling. Modified the
switch case block to send calls to the correct part of the
signaling-handling state machine.
- For FGC-CAMA operation, the delay between called number ST and
second wink for ANI spill has been made configurable; previously
all calls were made to wait for one full second.
- After the ANI spill, previous behavior was to require a 'ST' tone
to advance the call. This has been changed to allow 'STP' 'ST2P'
or 'ST3P' as well, for compatibility with ANI-D.
- Store ANI2 (ANI INFO) digits in the CALLERID(ANI2) channel variable.
- For calls with an ANI failure, No. 1 Crossbar switches will send
forward a single-digit failure code, with no calling number digits
and no ST pulse to terminate the spill. I've made the ANI timeout
configurable so to reduce dead air time on calls with ANI fail.
- ANI info digits configurable. Modern digital switches will send 2
digits, but ANI-B sends only a single info digit. This caused the
ANI reported by Asterisk to be misaligned.
- Changed a confusing log message to be more informative.
ASTERISK-29518
Change-Id: Ib7e27d987aee4ed9bc3663c57ef413e21b404256
Allow mapping pjproject log messages to the Asterisk TRACE
log level. The defaults were also changes to log pjproject
levels 3,4 to DEBUG and 5,6 to TRACE. Previously 3,4,5,6
all went to DEBUG.
ASTERISK-29582
Change-Id: I859a37a8dec263ed68099709cfbd3e665324c72d
Meter types are not well supported,
lacking support in telegraf, datadog and the official statsd servers.
We deprecate meters and provide a compliant fallback for any existing usages.
A flag has been introduced to allow meters to fallback to counters.
ASTERISK-29513
Change-Id: I5fcb385983a1b88f03696ff30a26b55c546a1dd7
A new user option, answer_channel, adds the capability to
prevent answering the channel if it hasn't already been
answered yet.
ASTERISK-29440
Change-Id: I26642729d0345f178c7b8045506605c8402de54b
By default Asterisk reports the PJSIP version in a SOFTWARE attribute
of every STUN packet it sends. This may not be desired in a production
environment, and RFC5389 recommends making the use of the SOFTWARE
attribute a configurable option:
https://datatracker.ietf.org/doc/html/rfc5389#section-16.1.2
This patch adds a `stun_software_attribute` yes/no option to make it
possible to omit the SOFTWARE attribute from STUN packets.
ASTERISK-29434
Change-Id: Id3f2b1dd9584536ebb3a1d7e8395fd8b3e46860b
RFC7616 and RFC8760 allow more than one WWW-Authenticate or
Proxy-Authenticate header per realm, each with different digest
algorithms (including new ones like SHA-256 and SHA-512-256).
Thankfully however a UAS can NOT send back multiple Authenticate
headers for the same realm with the same digest algorithm. The
UAS is also supposed to send the headers in order of preference
with the first one being the most preferred. We're supposed to
send an Authorization header for the first one we encounter for a
realm that we can support.
The UAS can also send multiple realms, especially when it's a
proxy that has forked the request in which case the proxy will
aggregate all of the Authenticate headers and then send them all
back to the UAC.
It doesn't stop there though... Each realm can require a
different username from the others. There's also nothing
preventing each digest algorithm from having a unique password
although I'm not sure if that adds any benefit.
So now... For each Authenticate header we encounter, we have to
determine if we support the digest algorithm and, if not, just
skip the header. We then have to find an auth object that
matches the realm AND the digest algorithm or find a wildcard
object that matches the digest algorithm. If we find one, we add
it to the results vector and read the next Authenticate header.
If the next header is for the same realm AND we already added an
auth object for that realm, we skip the header. Otherwise we
repeat the process for the next header.
In the end, we'll have accumulated a list of credentials we can
pass to pjproject that it can use to add Authentication headers
to a request.
NOTE: Neither we nor pjproject can currently handle digest
algorithms other than MD5. We don't even have a place for it in
the ast_sip_auth object. For this reason, we just skip processing
any Authenticate header that's not MD5. When we support the
others, we'll move the check into the loop that searches the
objects.
Changes:
* Added a new API ast_sip_retrieve_auths_vector() that takes in
a vector of auth ids (usually supplied on a call to
ast_sip_create_request_with_auth()) and populates another
vector with the actual objects.
* Refactored res_pjsip_outbound_authenticator_digest to handle
multiple Authenticate headers and set the stage for handling
additional digest algorithms.
* Added a pjproject patch that allows them to ignore digest
algorithms they don't support. This patch has already been
merged upstream.
* Updated documentation for auth objects in the XML and
in pjsip.conf.sample.
* Although res_pjsip_authenticator_digest isn't affected
by this change, some debugging and a testsuite AMI event
was added to facilitate testing.
Discovered during OpenSIPit 2021.
ASTERISK-29397
Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281
Although Asterisk can receive and propogate flash events, it currently
provides no mechanism for doing anything with them itself.
This AMI event allows flash events to be processed by Asterisk.
Additionally, AST_CONTROL_FLASH is included in a switch statement
in channel.c to avoid throwing a warning when we shouldn't.
ASTERISK-29380
Change-Id: Ie17ffe65086e0282c88542e38eed6a461ec79e81
STIR/SHAKEN encodes using base64 URL format. Currently, we just use
base64. New functions have been added that convert to and from base64
encoding.
The origid field should also be an UUID. This means there's no reason to
have it as an option in stir_shaken.conf, as we can simply generate one
when creating the Identity header.
https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021
Change-Id: Icf094a2a54e87db91d6b12244c9f5ba4fc2e0b8c
During OpenSIPit, we found out that the public certificates must be of
type X.509. When reading in public keys, we use the corresponding X.509
functions now.
We also discovered that we needed a better naming scheme for the
certificates since certificates with the same name would cause issues
(overwriting certs, etc.). Now when we download a public certificate, we
get the serial number from it and use that as the name of the cached
certificate.
The configuration option public_key_url in stir_shaken.conf has also
been renamed to public_cert_url, which better describes what the option
is for.
https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021
Change-Id: Ia00b20835f5f976e3603797f2f2fb19672d8114d
Added support for a basic AEAP configuration read from aeap.conf.
Also added 2 CLI commands for showing individual configurations as
well as all of them: aeap show server <id> and aeap show servers.
Only one configuration option is required at the moment, and that one is
server_url. It must be a websocket URL. The other option, codecs, is
optional and will be used over the codecs specified on the endpoint if
provided.
https://wiki.asterisk.org/wiki/pages/viewpage.action?pageId=45482453
Change-Id: I567ac5148c92b98d29d2ad83421b416b75ffdaa3
Added .log extension to the sample logs in logger.conf.sample so that
they will be able to be opened in the browser when attached to JIRA
tickets. Because of this, asterisk.logrotate has also been updated to
look for .log extensions instead of no extension for log files such as
full and messages.
Change-Id: I5de743c03f08047d6c6cc80cac5019ae0c4c200f
Also removed the sample documentation, and some oddly-placed
documentation about the timeout argument to the Queue() application
itself. There is a large section on the timeout behavior below.
ASTERISK-26614 #close
Change-Id: I8f84e8304b50305b7c4cba2d9787a5d77c3a6217
