FS-3071 Added the tls extra options patch

947096c6 · Marc Olivier Chouinard · 235ef72f · 947096c6 · 947096c6 · 947096c6
--- a/conf/sip_profiles/external.xml
+++ b/conf/sip_profiles/external.xml
@@ -69,12 +69,21 @@
    <!-- TLS: disabled by default, set to "true" to enable -->
    <param name="tls" value="$${external_ssl_enable}"/>
+    <!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
+    <param name="tls-only" value="false"/>
    <!-- additional bind parameters for TLS -->
    <param name="tls-bind-params" value="transport=tls"/>
    <!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
    <param name="tls-sip-port" value="$${external_tls_port}"/>
    <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
    <param name="tls-cert-dir" value="$${external_ssl_dir}"/>
+    <!-- Don't verify the date on TLS certificates -->
+    <param name="tls-no-verify-date" value="false"/>
+    <!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
+    <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections -->
+    <param name="tls-verify-policy" value="none"/>
+    <!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
+    <param name="tls-verify-depth" value="2"/>
    <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
    <param name="tls-version" value="$${sip_tls_version}"/>
    <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->

--- a/conf/sip_profiles/internal.xml
+++ b/conf/sip_profiles/internal.xml
@@ -176,12 +176,21 @@
    <!-- TLS: disabled by default, set to "true" to enable -->
    <param name="tls" value="$${internal_ssl_enable}"/>
+    <!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
+    <param name="tls-only" value="false"/>
    <!-- additional bind parameters for TLS -->
    <param name="tls-bind-params" value="transport=tls"/>
    <!-- Port to listen on for TLS requests. (5061 will be used if unspecified) -->
    <param name="tls-sip-port" value="$${internal_tls_port}"/>
    <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
    <param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
+    <!-- Don't verify the date on TLS certificates -->
+    <param name="tls-no-verify-date" value="false"/>
+    <!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
+    <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections -->
+    <param name="tls-verify-policy" value="none"/>
+    <!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
+    <param name="tls-verify-depth" value="2"/>
    <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
    <param name="tls-version" value="$${sip_tls_version}"/>
    <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->

--- a/src/mod/endpoints/mod_sofia/mod_sofia.c
+++ b/src/mod/endpoints/mod_sofia/mod_sofia.c
@@ -2930,8 +2930,10 @@ static switch_status_t cmd_status(char **argv, int argc, switch_stream_handle_t
 					if (profile->extsipip) {
 						stream->write_function(stream, "Ext-SIP-IP       \t%s\n", profile->extsipip);
 					}
-					stream->write_function(stream, "URL              \t%s\n", switch_str_nil(profile->url));
+					if (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only) {
-					stream->write_function(stream, "BIND-URL         \t%s\n", switch_str_nil(profile->bindurl));
+						stream->write_function(stream, "URL              \t%s\n", switch_str_nil(profile->url));
+						stream->write_function(stream, "BIND-URL         \t%s\n", switch_str_nil(profile->bindurl));
+					}
 					if (sofia_test_pflag(profile, PFLAG_TLS)) {
 						stream->write_function(stream, "TLS-URL          \t%s\n", switch_str_nil(profile->tls_url));
 						stream->write_function(stream, "TLS-BIND-URL     \t%s\n", switch_str_nil(profile->tls_bindurl));
@@ -3056,8 +3058,10 @@ static switch_status_t cmd_status(char **argv, int argc, switch_stream_handle_t
 				ac++;
 				stream->write_function(stream, "%25s\t%s\t  %40s\t%s\n", vvar, "  alias", profile->name, "ALIASED");
 			} else {
-				stream->write_function(stream, "%25s\t%s\t  %40s\t%s (%u)\n", profile->name, "profile", profile->url,
+				if (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only) {
+					stream->write_function(stream, "%25s\t%s\t  %40s\t%s (%u)\n", profile->name, "profile", profile->url,
 									   sofia_test_pflag(profile, PFLAG_RUNNING) ? "RUNNING" : "DOWN", profile->inuse);
+				}
 				if (sofia_test_pflag(profile, PFLAG_TLS)) {
 					stream->write_function(stream, "%25s\t%s\t  %40s\t%s (%u) (TLS)\n", profile->name, "profile", profile->tls_url,
@@ -3331,9 +3335,11 @@ static switch_status_t cmd_xml_status(char **argv, int argc, switch_stream_handl
 				stream->write_function(stream, "<alias>\n<name>%s</name>\n<type>%s</type>\n<data>%s</data>\n<state>%s</state>\n</alias>\n", vvar, "alias",
 									   profile->name, "ALIASED");
 			} else {
-				stream->write_function(stream, "<profile>\n<name>%s</name>\n<type>%s</type>\n<data>%s</data>\n<state>%s (%u)</state>\n</profile>\n",
+				if (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only){
+					stream->write_function(stream, "<profile>\n<name>%s</name>\n<type>%s</type>\n<data>%s</data>\n<state>%s (%u)</state>\n</profile>\n",
 									   profile->name, "profile", profile->url, sofia_test_pflag(profile, PFLAG_RUNNING) ? "RUNNING" : "DOWN",
 									   profile->inuse);
+				}
 				if (sofia_test_pflag(profile, PFLAG_TLS)) {
 					stream->write_function(stream,

--- a/src/mod/endpoints/mod_sofia/mod_sofia.h
+++ b/src/mod/endpoints/mod_sofia/mod_sofia.h
@@ -639,6 +639,10 @@ struct sofia_profile {
 	switch_mutex_t *gw_mutex;
 	uint32_t queued_events;
 	uint32_t cseq_base;
+	int tls_only;
+	int tls_no_verify_date;
+	enum tport_tls_verify_policy tls_verify_policy;
+	int tls_verify_depth;
 	char *tls_passphrase;
 };
@@ -1039,6 +1043,7 @@ void sofia_reg_release_gateway__(const char *file, const char *func, int line, s
 sofia_transport_t sofia_glue_via2transport(const sip_via_t * via);
 sofia_transport_t sofia_glue_url2transport(const url_t *url);
 sofia_transport_t sofia_glue_str2transport(const char *str);
+enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char * str);
 const char *sofia_glue_transport2str(const sofia_transport_t tp);
 char *sofia_glue_find_parameter(const char *str, const char *param);

--- a/src/mod/endpoints/mod_sofia/sofia.c
+++ b/src/mod/endpoints/mod_sofia/sofia.c
@@ -1845,7 +1845,7 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 	supported = switch_core_sprintf(profile->pool, "%s%s%sprecondition, path, replaces", use_100rel ? "100rel, " : "", use_timer ? "timer, " : "", use_rfc_5626 ? "outbound, " : "");
 	if (sofia_test_pflag(profile, PFLAG_AUTO_NAT) && switch_nat_get_type()) {
-		if (switch_nat_add_mapping(profile->sip_port, SWITCH_NAT_UDP, NULL, SWITCH_FALSE) == SWITCH_STATUS_SUCCESS) {
+		if ( (! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only) && switch_nat_add_mapping(profile->sip_port, SWITCH_NAT_UDP, NULL, SWITCH_FALSE) == SWITCH_STATUS_SUCCESS) {
 			switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Created UDP nat mapping for %s port %d\n", profile->name, profile->sip_port);
 		}
 		if (switch_nat_add_mapping(profile->sip_port, SWITCH_NAT_TCP, NULL, SWITCH_FALSE) == SWITCH_STATUS_SUCCESS) {
@@ -1860,7 +1860,7 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 	profile->nua = nua_create(profile->s_root,	/* Event loop */
 							  sofia_event_callback,	/* Callback for processing events */
 							  profile,	/* Additional data to pass to callback */
-							  NUTAG_URL(profile->bindurl),
+							  TAG_IF( ! sofia_test_pflag(profile, PFLAG_TLS) || ! profile->tls_only, NUTAG_URL(profile->bindurl)),
 							  NTATAG_USER_VIA(1),
 							  TAG_IF(!strchr(profile->sipip, ':'),
 									 SOATAG_AF(SOA_AF_IP4_ONLY)),
@@ -1873,7 +1873,11 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 							  TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_passphrase,
 									TPTAG_TLS_PASSPHRASE(profile->tls_passphrase)),
 							  TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
-									 TPTAG_TLS_VERIFY_POLICY(0)),
+									 TPTAG_TLS_VERIFY_POLICY(profile->tls_verify_policy)),
+							  TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
+									 TPTAG_TLS_VERIFY_DEPTH(profile->tls_verify_depth)),
+							  TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
+									 TPTAG_TLS_VERIFY_DATE(! profile->tls_no_verify_date)),
 							  TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
 									 TPTAG_TLS_VERSION(profile->tls_version)),
 							  TAG_IF(!strchr(profile->sipip, ':'),
@@ -3467,6 +3471,9 @@ switch_status_t reconfig_sofia(sofia_profile_t *profile)
 						}
 					}
 				}
+				profile->tls_verify_policy = TPTLS_VERIFY_NONE;
+				/* lib default */
+				profile->tls_verify_depth = 2;
 				switch_event_destroy(&xml_params);
 			}
@@ -4403,6 +4410,14 @@ switch_status_t config_sofia(int reload, char *profile_name)
 						}
 					} else if (!strcasecmp(var, "tls-bind-params")) {
 						profile->tls_bind_params = switch_core_strdup(profile->pool, val);
+					} else if (!strcasecmp(var, "tls-only")) {
+						profile->tls_only = switch_true(val);
+					} else if (!strcasecmp(var, "tls-no-verify-date")) {
+						profile->tls_no_verify_date = switch_true(val);
+					} else if (!strcasecmp(var, "tls-verify-depth")) {
+						profile->tls_verify_depth = atoi(val);
+					} else if (!strcasecmp(var, "tls-verify-policy")) {
+						profile->tls_verify_policy = sofia_glue_str2tls_verify_policy(val);
 					} else if (!strcasecmp(var, "tls-sip-port")) {
 						if (!strcasecmp(val, "auto")) {
 							sofia_set_pflag(profile, PFLAG_AUTO_ASSIGN_TLS_PORT);

--- a/src/mod/endpoints/mod_sofia/sofia_glue.c
+++ b/src/mod/endpoints/mod_sofia/sofia_glue.c
@@ -1142,6 +1142,24 @@ sofia_transport_t sofia_glue_str2transport(const char *str)
 	return SOFIA_TRANSPORT_UNKNOWN;
 }
+enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char * str){
+	if (!strcasecmp(str, "in")) {
+		return TPTLS_VERIFY_IN;
+	} else if (!strcasecmp(str, "out")) {
+		return TPTLS_VERIFY_OUT;
+	} else if (!strcasecmp(str, "all")) {
+		return TPTLS_VERIFY_ALL;
+	} else if (!strcasecmp(str, "subjects_in")) {
+		return TPTLS_VERIFY_SUBJECTS_IN;
+	} else if (!strcasecmp(str, "subjects_out")) {
+		return TPTLS_VERIFY_SUBJECTS_OUT;
+	} else if (!strcasecmp(str, "subjects_all")) {
+		return TPTLS_VERIFY_SUBJECTS_ALL;
+	}
+	return TPTLS_VERIFY_NONE;
+}
 char *sofia_glue_find_parameter_value(switch_core_session_t *session, const char *str, const char *param)
 {
 	const char *param_ptr;