author | David Troy <dave@popvox.com> | 2006-04-02 17:32:12 +0000 |
---|---|---|
committer | David Troy <dave@popvox.com> | 2006-04-02 17:32:12 +0000 |
commit | 273e500c262b84c8cd9a2249ba8955e6f3ff8c74 (patch) | |
tree | a8252f62c8e1934a1bb63295a20c82ea0d12b983 | |
parent | 08192d2b732eaaff203012c0acda210b40261885 (diff) | |
download | astmanproxy-273e500c262b84c8cd9a2249ba8955e6f3ff8c74.tar.gz astmanproxy-273e500c262b84c8cd9a2249ba8955e6f3ff8c74.tar.xz astmanproxy-273e500c262b84c8cd9a2249ba8955e6f3ff8c74.zip |
git-svn-id: http://svncommunity.digium.com/svn/astmanproxy/branches/1.20pre@59 f02b47b9-160a-0410-81a6-dc3441afb0ec
-rw-r--r-- | astmanproxy.conf | 3 | ||||
-rw-r--r-- | src/astmanproxy.c | 38 | ||||
-rw-r--r-- | src/common.c | 2 | ||||
-rw-r--r-- | src/config.c | 7 | ||||
-rw-r--r-- | src/include/astmanproxy.h | 9 | ||||
-rw-r--r-- | src/ssl.c | 2 | ||||
-rw-r--r-- | ssl.conf | 154 |
7 files changed, 204 insertions, 11 deletions
diff --git a/astmanproxy.conf b/astmanproxy.conf index b8ab5d3..95db4e6 100644 --- a/astmanproxy.conf +++ b/astmanproxy.conf @@ -36,6 +36,9 @@ asteriskwritetimeout=100 ; Amount of time to wait before timing out on writes to clients clientwritetimeout=200 +; Our server-side SSL certificate; what we use when answering clients +certfile = /var/lib/asterisk/certs/proxy.pem + ; Address for proxy to listen on, can be set to * or x.x.x.x format ; recommend that you listen only on 127.0.0.1 or on an interface that ; is otherwise locked down to a trusted host, since the proxy diff --git a/src/astmanproxy.c b/src/astmanproxy.c index 0a3a172..29259d3 100644 --- a/src/astmanproxy.c +++ b/src/astmanproxy.c @@ -78,7 +78,7 @@ void leave(int sig) { c->output->write(c, &cm); logmsg("Shutdown, closed client %s", ast_inet_ntoa(iabuf, sizeof(iabuf), c->sin.sin_addr)); } - close(c->fd); + close_sock(c->fd); /* close tcp & ssl socket */ pthread_mutex_destroy(&c->lock); free(c); } @@ -95,7 +95,7 @@ void leave(int sig) { if (debug) debugmsg("Closing listener socket"); - close(asock); + close_sock(asock); /* close tcp & ssl socket */ /* unload io handlers */ while (iohandlers) { @@ -154,7 +154,7 @@ void destroy_session(struct mansession *s) sessions = cur->next; debugmsg("Connection closed: %s", ast_inet_ntoa(iabuf, sizeof(iabuf), s->sin.sin_addr)); if (s->fd > -1) - close(s->fd); + close_sock(s->fd); /* close tcp & ssl socket */ pthread_mutex_destroy(&s->lock); free(s); } else @@ -183,7 +183,7 @@ int WriteClients(struct message *m) { } else c->output->write(c, m); if ( c->input->autodisconnect && c->input->autodisconnect() ) - close(c->fd); + close_sock(c->fd); /* close tcp & ssl socket */ } c = c->next; } @@ -517,6 +517,7 @@ static void *accept_thread() int flags; pthread_attr_t attr; char iabuf[INET_ADDRSTRLEN]; + int is_encrypted; pthread_attr_init(&attr); pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); 
@@ -534,6 +535,35 @@ static void *accept_thread() logmsg("Failed to set listener tcp connection to TCP_NODELAY mode: %s\n", strerror(errno)); } } + + /* SSL stuff below */ + is_encrypted = is_encrypt_request(pc.sslclhellotimeout, as); + if (is_encrypted > 0) { + if (!pc.acceptencryptedconnection) { + if( debug ) + debugmsg("Accepting encrypted connection disabled, closing the connection \n"); + close_sock(as); + continue; + } else { + if((as = saccept(as)) >= 0 ) { + if( debug ) + debugmsg("Can't accept the ssl connection, since SSL init has failed for certificate reason\n"); + close_sock(as); + continue; + } + } + } else if (is_encrypted == -1) { + logmsg("SSL version 2 is unsecure, we don't support it\n"); + close_sock(as); + continue; + } + if ( (! pc.acceptunencryptedconnection) && (as >= 0)) { + logmsg("Unencrypted connections are not accepted and we received an unencrypted connection request\n"); + close_sock(as); + continue; + } + /* SSL stuff end */ + s = malloc(sizeof(struct mansession)); if ( !s ) { logmsg("Failed to allocate listener session: %s\n", strerror(errno)); diff --git a/src/common.c b/src/common.c index b52ee59..8ec016d 100644 --- a/src/common.c +++ b/src/common.c @@ -143,7 +143,7 @@ done: fcntl(sockfd, F_SETFL, flags); /* restore file status flags */ if (error) { - /* close(sockfd); */ /* disable for now, we want to retry... */ + /* close(sockfd); */ /* we want to retry... */ errno = error; return(-1); } diff --git a/src/config.c b/src/config.c index 824043b..29213ad 100644 --- a/src/config.c +++ b/src/config.c @@ -105,6 +105,8 @@ void *processline(char *s) { pc.acceptencryptedconnection = strcmp(value,"yes") ? 0 : 1; else if (!strcmp(name,"acceptunencryptedconnection") ) pc.acceptunencryptedconnection = strcmp(value,"yes") ? 0 : 1; + else if (!strcmp(name,"certfile") ) + strcpy(pc.certfile, value); else if (!strcmp(name,"proxykey") ) strcpy(pc.key, value); else if (!strcmp(name,"proc_user") ) 
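Review bot: The saccept() check in the new SSL branch reads as inverted: `if((as = saccept(as)) >= 0 )` takes the failure path when a descriptor is returned, logs "SSL init has failed for certificate reason" and closes the just-negotiated connection, while a failing saccept() (negative return, unless it signals success differently) falls through with a negative `as` and the original descriptor is never closed. Keep the listener's accepted fd in its own variable and test the failure side, e.g. `int raw = as;` / `if ((as = saccept(raw)) < 0) {` with `close_sock(raw);` in the error branch, provided saccept() does not already close it on failure. Once that is fixed, the later guard `if ( (! pc.acceptunencryptedconnection) && (as >= 0))` rejects every successfully accepted TLS session too, because any valid descriptor is `>= 0`; the decision belongs to the negotiation result, `if (!pc.acceptunencryptedconnection && is_encrypted == 0) {`. accept_thread's body continues on both sides of this hunk.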
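Review bot: `strcpy(pc.certfile, value);` in processline copies an unbounded value from astmanproxy.conf into the 256-byte `certfile` field, so an over-long configuration line overruns the struct; the surrounding `strcpy(pc.key, value)` has the same shape, but the new field should not repeat it. A bounded copy keeps the same behaviour for normal paths: `snprintf(pc.certfile, sizeof pc.certfile, "%s", value);`. processline's body continues outside the hunk.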
@@ -217,7 +219,7 @@ int ReadConfig() { /* Set nonzero config defaults */ pc.asteriskwritetimeout = 100; pc.clientwritetimeout = 100; - pc.sslclhellotimeout = 200; + pc.sslclhellotimeout = 500; sprintf(cfn, "%s/%s", CDIR, CFILE); FP = fopen( cfn, "r" ); @@ -238,6 +240,9 @@ int ReadConfig() { fclose(FP); + /* initialize SSL layer with our server certfile */ + init_secure(pc.certfile); + return 0; } diff --git a/src/include/astmanproxy.h b/src/include/astmanproxy.h index fdd783d..6c4ef0b 100644 --- a/src/include/astmanproxy.h +++ b/src/include/astmanproxy.h @@ -63,16 +63,17 @@ struct proxyconfig { char outputformat[80]; int autofilter; char key[80]; - char proc_user[30]; - char proc_group[30]; - char logfile[80]; + char proc_user[40]; + char proc_group[40]; + char logfile[256]; int retryinterval; int maxretries; int asteriskwritetimeout; /* ms to wait when writing to asteriskfor ast_carefulwrite */ int clientwritetimeout; /* ms to wait when writing to client ast_carefulwrite */ int sslclhellotimeout; /* ssl client hello timeout -- how long to wait before assuming not ssl */ - int acceptencryptedconnection; /* accept encrypted connections? */ + int acceptencryptedconnection; /* accept encrypted connections? */ int acceptunencryptedconnection; /* accept unencrypted connections? */ + char certfile[256]; /* our SERVER-side SSL certificate file */ }; struct iohandler { @@ -215,7 +215,7 @@ int m_recv(int s, void *buf, size_t len, int flags) rec_bytes += ret; if (debug) - debugmsg("Received data from SSL socket - %d\n", ret); + debugmsg("Received data from SSL socket - %d", ret); return ret; } diff --git a/ssl.conf b/ssl.conf new file mode 100644 index 0000000..d10d9a1 --- /dev/null +++ b/ssl.conf 
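Review bot: `init_secure(pc.certfile);` at the end of ReadConfig runs unconditionally and, if it returns a status, that status is discarded, so a missing or unreadable certificate is only noticed when the first TLS client arrives (the accept path's "SSL init has failed for certificate reason" message suggests the failure is otherwise detected late). If init_secure reports failure, check it here and log it together with the configured path so the operator sees the problem at startup; it may also be reasonable to skip the call when `acceptencryptedconnection` is off and `certfile` is empty, which I cannot confirm from the hunk. The `sslclhellotimeout` default change from 200 to 500 in the hunk above has no matching note in astmanproxy.conf; a one-line comment there saying the default is 500 ms would keep the two in step. ReadConfig's body starts before this hunk.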
@@ -0,0 +1,154 @@
+# Asterisk SSL configuration
+#
+# OpenSSL configuration file for custom Certificate Authority. Use a
+# different openssl.cnf file to generate certificate signing requests;
+# this one is for use only in Certificate Authority operations (csr ->
+# cert, cert revocation, revocation list generation).
+#
+# Be sure to customize this file prior to use, e.g. the commonName and
+# other options under the root_ca_distinguished_name section.
+
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+[ ca ]
+default_ca = MyAsteriskCA
+
+[ MyAsteriskCA ]
+dir = .
+# unsed at present, and my limited certs can be kept in current dir
+#certs = $dir/certs
+new_certs_dir = $dir/newcerts
+crl_dir = $dir/crl
+database = $dir/index
+
+certificate = $dir/ca-cert.pem
+serial = $dir/serial
+crl = $dir/ca-crl.pem
+private_key = $dir/private/ca-key.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = usr_cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default
+cert_opt = ca_default
+
+default_crl_days= 30
+default_days = 7300
+# if need to be compatible with older software, use weaker md5
+default_md = sha1
+# MSIE may need following set to yes?
+preserve = no
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = US
+stateOrProvinceName = CA
+organizationName = XYZ
+organizationalUnitName = XYZ
+commonName = asterisk
+emailAddress = root@localhost
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = ./private/ca-key.pem
+default_md = sha1
+
+prompt = no
+distinguished_name = root_ca_distinguished_name
+
+x509_extensions = v3_ca
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req
+
+[ root_ca_distinguished_name ]
+commonName = NoSuchCA CA
+countryName = US
+stateOrProvinceName = California
+localityName = San Mateo
+0.organizationName = domain.net
+emailAddress = nobody@localhost
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+nsCaRevocationUrl = https://www.sial.org/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always |
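Review bot: The new ssl.conf still carries values copied from an unrelated example: `nsCaRevocationUrl = https://www.sial.org/ca-crl.pem` in `[ usr_cert ]` points at a third-party host, and `[ root_ca_distinguished_name ]` and `[ policy_match ]` are filled with placeholders (NoSuchCA CA, domain.net, XYZ). The header does tell operators to customize the file, but a shipped default that embeds someone else's revocation URL is better commented out like the neighbouring `#nsRevocationUrl` lines, e.g. `#nsCaRevocationUrl = https://<your-ca-host>/ca-crl.pem`. `default_md = sha1` in both `[ MyAsteriskCA ]` and `[ req ]` is a deliberate step up from md5 per the comment, but sha256 is the stronger choice where the installed OpenSSL supports it. `default_days = 7300` issues 20-year certificates against a `default_crl_days= 30` revocation window, which deserves a comment explaining the intended lifetime or a shorter default.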