> On June 19, 2014, 9:13 a.m., Matt Jordan wrote:
> > branches/12/main/tcptls.c, lines 435-447
> > <https://reviewboard.asterisk.org/r/3647/diff/1/?file=59799#file59799line435>
> >
> > Given how tricky it is to set up TLS support, I'd go ahead and add an
> > off nominal handler for BIO_new_file here. Something like:
> >
> > if (bio != NULL) {
> > ...
> > } else {
> > ast_log(LOG_WARNING, "Failed to open private key file %s:
> > %s(%d)\n", cfg->pvtfile, strerror(errno), errno);
> > }
>
> Alexander Traud wrote:
> The private file was already opened (and used) some lines above. I am
> just re-using the reference.
> The idea of this patch is to fail silently, when there are no DH
> parameters because those affect performance. Or stated differently, DH
> parameters are optional. Only administrators (who care) should enable it (and
> see success). Furthermore in Asterisk 12 chan_sip, the private file itself is
> optional. This is a bit different to pjsip were the TLS private file is
> mandatory.
Looking at where we use cfg->pvtfile above:
char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ?
cfg->certfile : cfg->pvtfile;
if (SSL_CTX_use_certificate_chain_file(cfg->ssl_ctx,
cfg->certfile) == 0) {
if (!client) {
/* Clients don't need a certificate, but if its
setup we can use it */
ast_verb(0, "SSL error loading cert file.
<%s>\n", cfg->certfile);
cfg->enabled = 0;
SSL_CTX_free(cfg->ssl_ctx);
cfg->ssl_ctx = NULL;
return 0;
}
}
So yes, if this is a TLS server and if cfg->pvtfile is specified, we will emit
an error.
However, if this is a client, we won't emit any error if the pvtfile is
specified but cannot be opened. Since in your case a client could specify a
pvtfile and the open could fail (again) when BIO_new_file is called, a warning
message at least is appropriate. The user configured Asterisk to use a private
key file and we failed to access it. Telling them that they have a
configuration error is a nice thing to do, as opposed to silently moving on.
- Matt
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/3647/#review12192
-----------------------------------------------------------
On June 19, 2014, 9:34 a.m., Alexander Traud wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/3647/
> -----------------------------------------------------------
>
> (Updated June 19, 2014, 9:34 a.m.)
>
>
> Review request for Asterisk Developers.
>
>
> Bugs: ASTERISK-23905
> https://issues.asterisk.org/jira/browse/ASTERISK-23905
>
>
> Repository: Asterisk
>
>
> Description
> -------
>
> see Bugs
>
>
> Diffs
> -----
>
> trunk/main/tcptls.c 416071
>
> Diff: https://reviewboard.asterisk.org/r/3647/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Alexander Traud
>
>
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-dev
