On 12/01/2014 09:24 AM, Olle E. Johansson wrote:
On 01 Dec 2014, at 16:21, Mark Michelson <mmichel...@digium.com> wrote:
On 11/25/2014 02:46 PM, James Cloos wrote:
Now that 13 has hit sid, I've started converting to pjsip.
Chan_sip supports one's preference of a ca path or ca file, but
res_pjsip does not. At least not on the 13 branch.
Is that intentional, or an oversight?
If not intentional, will a patch to fix be accepted for 13,
only for trunk?
-JimC
For res_pjsip, we're using the mechanisms that PJSIP exposes in its TLS
transport. Since a CA path option is not exposed, the option to provide one in
pjsip.conf does not exist. If you want to provide a patch, that's totally fine,
but the patch would need to be made against PJProject instead of Asterisk.
Doing a quick search, it looks like the change to make would be in
pjlib/src/pj/ssl_sock_ossl.c. The pj_ssl_cert_t would need to be modified to
have a CA path. The functions used to get and set pj_ssl_cert_t would need to
be modified to take a CA path into account. And finally, the create_ssl()
function would need to pass the configured CA path into
SSL_CTX_load_verify_locations().
If you have no CA path - how does the CHAN_PJSIP verify TLS certificates?
/O
PJProject requires you to specify a file that has all CA certificates
listed in that one file. PJProject currently calls
SSL_CTX_load_verify_locations() [1] with this file as the second
parameter and a NULL third parameter. If PJProject exposed a method to
specify a directory where individual CA certificates lived, then
PJProject could pass that directory as the third parameter to the function.
[1] https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-dev
