URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=29b0138a... Author: Jan Janak jan@iptel.org Date: Thu Mar 26 14:49:36 2009 +0100
Replace TCP_BUF_SIZE with a cfg_get(..).
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f6eed414... Author: Jan Janak jan@iptel.org Date: Thu Mar 26 14:45:40 2009 +0100
Remove shm_str_dup function.
This function is not being used anywhere in TLS module and conflicts with a function in ../../ut.h
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=371cb375... Author: Jan Janak jan@iptel.org Date: Thu Mar 26 14:33:39 2009 +0100
Define SER_MOD_INTERFACE in Makefile.
This patch adds -DSER_MOD_INTERFACE to the modules Makefile, this is needed to make ser modules compile with the sip router core.
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=91e9758d... Merge: fc9cfc98af91092de9e12533c255778080b045dd 3018841f0fdc23caa5e8155a5b16bc1904616505 Author: Jan Janak jan@iptel.org Date: Thu Mar 26 14:23:27 2009 +0100
Merge ser tls module into the sip-router repository
* commit 'ser/modules/tls': (50 commits)
- a set of minimalistic config files for testing purposes
- tls module todo
- default key and certificate names changed to ser-selfsigned*
- updated to the latest changes in the cfg parser
- Use the new configuration file parser
- fixed includes (rm malloc.h) due to portability problems
- shm_str_dup and shm_asciiz_dup set the destination buffer to NULL if
- Convert all relative pathnames of files to absolute with
- modified function get_pathname to return path relative to the
- support for setting the source address in tcp_send() and tcpconn_get()
- updated all the child_init users to ignore or treat specially the
- added low_mem_threshold1 & low_mem_threshold2 (the amount of free memory
- tls: tls_update_fd improvement - use SSL_set_fd only when the connection is
- workaround for openssl bug #1491 (multiple problems on low memory): tls
- malloc debugging for openssl and random malloc null returns turned off
- added tls module documentation (not yet complete, still missing select, rpc and better tls.cfg description).
- make tar doesn't exclude tls*, but instead tls/*
- call tls_shutdown() only if tls_set_fd() was successful
- tls: openssl kerberos malloc bug (# 1467) fixed on cvs (0.9.8e-dev and 0.9.9-dev), so add extra checks for enabling the workaround (which disables kerberos) only when necessary: if openssl compiled with kerberos support, and openssl < 0.9.8e-beta1 or openssl between 0.9.9-dev and 0.9.9-beta1 apply workaround.
- tls-core.patch removed (no longer necessary)
...
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=3018841f... Author: Jan Janak jan@iptel.org Date: Thu Jun 26 15:43:26 2008 +0000
- a set of minimalistic config files for testing purposes
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=44fc09b8... Author: Jan Janak jan@iptel.org Date: Thu Jun 26 11:49:22 2008 +0000
- tls module todo
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=82b840c7... Author: Jan Janak jan@iptel.org Date: Mon Jun 23 17:48:40 2008 +0000
- default key and certificate names changed to ser-selfsigned*
- added ser_certs.sh
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=bb718b6a... Author: Jan Janak jan@iptel.org Date: Thu Jun 12 16:02:04 2008 +0000
- updated to the latest changes in the cfg parser
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=d037bb9d... Author: Jan Janak jan@iptel.org Date: Fri Jun 6 00:03:06 2008 +0000
- Use the new configuration file parser
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=87db4359... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Sun Mar 2 16:09:28 2008 +0000
- fixed includes (rm malloc.h) due to portability problems
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b717dfd1... Author: Jan Janak jan@iptel.org Date: Mon Feb 11 12:39:49 2008 +0000
- shm_str_dup and shm_asciiz_dup set the destination buffer to NULL if the source is NULL too
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=d128c59d... Author: Jan Janak jan@iptel.org Date: Fri Feb 8 05:38:39 2008 +0000
- Convert all relative pathnames of files to absolute with respect to the main SER configuration file (the external TLS config file and modparams) or the TLS config file (file included from there).
- Use get_abs_pathname from sip_router/ut.c instead of the local function get_pathname
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=aa4ac2d8... Author: Jan Janak jan@iptel.org Date: Tue Feb 5 08:27:42 2008 +0000
- modified function get_pathname to return path relative to the path of the main SER configuration file if it does not start with /, this is much more sensible than just pre-pending CFG_DIR, it is possible to write modparam("tls", "config", "tls.cfg") and still control the location of the configuration files using -f cmd line option
- the function now returns result allocated with malloc, not pkg_malloc
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=878bda92... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Aug 1 00:05:40 2007 +0000
- support for setting the source address in tcp_send() and tcpconn_get() (should allow for a better tcp force_send_socket() in the future)
- add multiple aliases for each connection, to cover all the search possibilities: (dst_ip, dst_port), (local_ip, dst_ip, dst_port), (local_ip, local_port, dst_ip, dst_port).
- improved connection hash function
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=30b49d17... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Thu Jun 7 21:46:56 2007 +0000
- updated all the child_init users to ignore or treat specially the PROC_INIT rank
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=66fff017... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 28 01:38:47 2007 +0000
- added low_mem_threshold1 & low_mem_threshold2 (the amount of free memory from which tls operations will start to fail preemptively is now configurable; by default the value depends on the number of processes)
- doc update
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=30e67c4f... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Mon Feb 26 23:32:29 2007 +0000
- tls: tls_update_fd improvement - use SSL_set_fd only when the connection is not fully init. and SSL_get_*bio/BIO_set_fd in the other cases (much faster and avoids SSL_mallocs).
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=433e6896... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Fri Feb 23 23:24:32 2007 +0000
- workaround for openssl bug #1491 (multiple problems on low memory): tls functions will preemptively fail if the available memory drops under a certain threshold (for now a very conservative value based on the maximum possible number of simultaneously executing connects/accepts - expect something >= 20MB, depending on the number of processes)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=3d980a8e... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 21 20:29:04 2007 +0000
- malloc debugging for openssl and random malloc null returns turned off (I've committed this yesterday by mistake)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=32e4977c... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 21 00:54:44 2007 +0000
- added tls module documentation (not yet complete, still missing select, rpc and better tls.cfg description).
Test case: try to read the generated README and see if it makes sense and you understand at least 88,73% from it. Prerequisites: well rested and a blood alcohol level within legal driving limits. WARNING: known to induce strong drowsiness.
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=0e4d732d... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Tue Feb 20 19:41:14 2007 +0000
- make tar doesn't exclude tls*, but instead tls/*
- don't append -tls to the version number unless CORE_TLS is used (there's enough information in the flags to see if support for the tls modules is enabled)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=5777d866... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Fri Feb 16 21:43:17 2007 +0000
- call tls_shutdown() only if tls_set_fd() was successful (fixes a tricky bug that can appear on low memory conditions)
- tls_dump_cert_info takes into account the possibility of a failing X509_NAME_oneline() (can happen on low memory)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=560a42b6... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Tue Feb 13 13:22:57 2007 +0000
- tls: openssl kerberos malloc bug (# 1467) fixed on cvs (0.9.8e-dev and 0.9.9-dev), so add extra checks for enabling the workaround (which disables kerberos) only when necessary: if openssl compiled with kerberos support, and openssl < 0.9.8e-beta1 or openssl between 0.9.9-dev and 0.9.9-beta1 apply workaround.
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c9557b13... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Sat Feb 10 19:02:56 2007 +0000
- tls-core.patch removed (no longer necessary)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=6a8994c4... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Sat Feb 10 19:02:04 2007 +0000
- use the new tls hooks api (the core patch is no longer necessary)
- renamed some of tls_.* functions to tls_h_.* to avoid name conflicts with the core
- fixed shutdown tls before tcp bug (if ser was stopped while tls connections were still active, the tls module was destroyed before tcp => crash when tcp tried to close the tls connections). Now all the destroy operations are moved into the new destroy_tls hook and the module destroy function is empty.
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=dd750880... Author: Jan Janak jan@iptel.org Date: Mon Feb 5 10:20:54 2007 +0000
- added missing header files to make tls module compile on FreeBSD reported by Atle Samuelsen
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c20ee398... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Fri Feb 2 15:17:52 2007 +0000
- fixed missing warning quotes (problem with older compilers)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=fc660aae... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Thu Feb 1 04:24:06 2007 +0000
- openssl compression bug detect/workaround enabled at runtime (if zlib compression is detected, we replace openssl version with ours). The previous version had this fix but it was enabled only at compile-time.
- SSL_OP_TLS_BLOCK_PADDING_BUG option disabled if 0.9.8 <= openssl < 0.9.8c and compression is used (check at runtime)
- more start-up sanity checks:
  - check if openssl used library version is close enough to the library with which the tls module was compiled (header files) For now it checks for the same major, minor and fix level (e.g. 0.9.8a && 0.9.8c are ok, 0.9.7b and 0.9.8a are not)
  - try to auto-detect (using the compile flags) if the used library was compiled with kerberos support and if the tls module was compiled with the same setting (or else we won't be able to enable the kerberos bug workaround).
- more verbose start-up messages and errors
- warning fixes
- 2 new module parameters:
  tls_disable_compression (default 0)
  tls_force_run (default 0) -- will ignore the start-up sanity checks and continue running even if the library version/options are different
References: openssl bugs #1468, #1467 & #1204 (http://rt.openssl.org)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=36cb8fa7... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Fri Jan 26 23:11:21 2007 +0000
- workaround for openssl kerberos malloc bug: openssl kerberos code in kssl.c uses libc malloc/free/calloc instead of the OPENSSL* versions (set using CRYPTO_set_mem_functions()). In ser ssl connections "move" between processes and so everything must be allocated in shared mem. If the wrong malloc functions are called ser will eventually crash. This workaround tries to disable kerberos support each time a new SSL structure is created. For this fix to work it is important to either use statically linked openssl or re-compile ser on the target machine (if openssl is linked dynamically then it must use the same compilation options as the machine on which ser is compiled). Bug reported by Atle Samuelsen clona@cyberhouse.no.
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=7f8edfa7... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Fri Jan 26 19:56:49 2007 +0000
- typo fix: don't attempt to apply the compression fix workaround if no zlib compression was found
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=a558c65e... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Jan 24 18:01:54 2007 +0000
- tls fix: set openssl locking functions (should be stable even under high load, lots of connections, and multi-cpu machines)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b2aa9fd7... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Jan 17 20:24:05 2007 +0000
- timeouts fixed (all the tcp timeouts use now ticks and not seconds)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=ba83663c... Author: Jan Janak jan@iptel.org Date: Wed Jan 17 10:39:09 2007 +0000
- The config file parser did not always return proper variable value
closes SER-206
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=2810f7a0... Author: Miklos Tirpak miklos@iptel.org Date: Mon Nov 27 13:55:51 2006 +0000
@tls.peer.verified did not set the result buffer
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c69b8d98... Author: Jan Janak jan@iptel.org Date: Fri Nov 24 07:37:28 2006 +0000
- fixed wrong comparison values, reported by Klaus Darilion
closes SER-108
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b5c9bd68... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Nov 15 19:55:13 2006 +0000
- tls init updated to the new get_max_procs() use (not allowed from mod_init())
- tls-core.patch updated to the latest tcp changes
- lots of warnings and/or small errors fixed
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=14b8a300... Author: Jan Halla hallik@iptel.org Date: Sat Nov 4 01:44:34 2006 +0000
tls-core.patch updated to be useable with current SER CVS HEAD
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=079850e2... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Tue Sep 19 16:13:27 2006 +0000
- applied patch from Dragos Vingarzan vingarzan@fokus.fraunhofer.de which moves all the forking part into 2 functions in pt.c (fork_process and fork_tcp_process).
- added PROC_NOCHLDINIT rank value for Dragos's fork_process (if this value is used as child_id/rank_value the mod_child functions will not be called)
- added register_procs(processes_no), used from mod_init when a module knows that it will fork some children (replaces the old process_count++ / the patch's estimated_process_count++)
- added get_max_procs(): returns the maximum (estimated) number of processes
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=e618d0ea... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 18:23:47 2006 +0000
- deallocate lock only if it was really allocated
- implemented tls.init (lists all existing TLS connections)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=31c1662e... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 15:52:11 2006 +0000
- fixed file comments
- added missing defines in header files
- added missing Id tags
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=742653f8... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 12:35:41 2006 +0000
- fixed get_ssl (TCP extra data contains pointer to a different structure)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=5303a643... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 12:26:07 2006 +0000
- make sure tls modparams do not overview defaults for the external configuration file
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c71c178e... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 12:23:44 2006 +0000
- a couple of typos fixed
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=331ddcfa... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 12:22:01 2006 +0000
- minor beautification
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c4417073... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 12:20:45 2006 +0000
- Example configuration file for tls module
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=38a66479... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 11:26:53 2006 +0000
- Support for external TLS configuration file
- support for relative path names (CFG_DIR will be added automatically)
- Support for run-time configuration re-load
- tls.reload management command implemented
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=88e8426e... Author: Jan Janak jan@iptel.org Date: Wed Feb 22 23:41:17 2006 +0000
- fixed wrong comment
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f1eadbe5... Author: Jan Janak jan@iptel.org Date: Wed Feb 22 23:37:19 2006 +0000
- TLS configuration file parser (not yet integrated with rest of tls module)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=ca552cbb... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 22 13:34:00 2006 +0000
- by default don't require a certificate
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f875827d... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 22 13:10:27 2006 +0000
- by default don't verify any certs (server or client)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=e6526a64... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 22 13:00:36 2006 +0000
- applied Klaus Darilion patches (closes SER-98):
- updated tls-core.patch
- allow configuration of the default TLS-client-domain
- more TLS logging during TLS initialisation and when TLS verification fails
- use TLSv1 as default method
- debian build: libradius-ng-dev as another alternative to the various libradius*
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=ddfc8f35... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Mon Feb 20 23:31:18 2006 +0000
- log message fix for tls_connect (s/dst/src)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b0eb2c7d... Author: Jan Janak jan@iptel.org Date: Mon Jan 30 16:05:39 2006 +0000
- fixed @tls.cipher.bits
- noisy error turned into debugging message
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=dd0647fb... Author: Jan Janak jan@iptel.org Date: Sat Jan 28 12:34:31 2006 +0000
Preliminary TLS module (requires core patch which is attached), the module contains:
- Many bugfixes and better implementation of tls_write and tls_read by Andrei
- openssl compression fix by Andrei
- extended tls multi-domain support (most parameters can be configured to different values in different domains)
- support for outgoing domains (not complete)
- support for certificate based authentication through selects ( if @tls.peer == "Bob") ...
- the tls code is merge of experimental/tls and Andrei's tls to get best of both
This is the TLS module from SER. I am going to merge a few things from the k. tlsops module and the tls implementation, and then this module can replace k. tlsops.
Jan.
On 26-03 14:51, Jan Janak wrote:
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=29b0138a... Author: Jan Janak jan@iptel.org Date: Thu Mar 26 14:49:36 2009 +0100
Replace TCP_BUF_SIZE with a cfg_get(..).
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f6eed414... Author: Jan Janak jan@iptel.org Date: Thu Mar 26 14:45:40 2009 +0100
Remove shm_str_dup function. This function is not being used anywhere in TLS module and conflicts with a function in ../../ut.h
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=371cb375... Author: Jan Janak jan@iptel.org Date: Thu Mar 26 14:33:39 2009 +0100
Define SER_MOD_INTERFACE in Makefile. This patch adds -DSER_MOD_INTERFACE to the modules Makefile, this is needed to make ser modules compile with the sip router core.
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=91e9758d... Merge: fc9cfc98af91092de9e12533c255778080b045dd 3018841f0fdc23caa5e8155a5b16bc1904616505 Author: Jan Janak jan@iptel.org Date: Thu Mar 26 14:23:27 2009 +0100
Merge ser tls module into the sip-router repository * commit 'ser/modules/tls': (50 commits) - a set of minimalistic config files for testing purposes - tls module todo - default key and certificate names changed to ser-selfsigned* - updated to the latest changes in the cfg parser - Use the new configuration file parser - fixed includes (rm malloc.h) due to portability problems - shm_str_dup and shm_asciiz_dup set the destination buffer to NULL if - Convert all relative pathnames of files to absolute with - modified function get_pathname to return path relative to the - support for setting the source address in tcp_send() and tcpconn_get() - updated all the child_init users to ignore or treat specially the - added low_mem_threshold1 & low_mem_threshold2 (the ammount of free memory - tls: tls_update_fd improvement - use SSL_set_fd only when the connection is - workaround for openssl bug #1491 (multiple problems on low memory): tls - malloc debugging for openssl and random malloc null returns turened off - added tls module documentation (not yet complete, still missing select, rpc and better tls.cfg description). - make tar doesn't exclude tls*, but instead tls/* - call tls_shutdown() only if tls_set_fd() was succesfull - tls: openssl kerberos malloc bug (# 1467) fixed on cvs (0.9.8e-dev and 0.9.9-dev), so add extra checks for enabling the workarround (which disables kerberos) only when necessary: if openssl compiled with kerberos support, and openssl < 0.9.8e-beta1 or openssl between 0.9.9-dev and 0.9.9-beta1 apply workarround. - tls-core.patch removed (no longer necessary) ...
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=3018841f... Author: Jan Janak jan@iptel.org Date: Thu Jun 26 15:43:26 2008 +0000
- a set of minimalistic config files for testing purposes
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=44fc09b8... Author: Jan Janak jan@iptel.org Date: Thu Jun 26 11:49:22 2008 +0000
- tls module todo
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=82b840c7... Author: Jan Janak jan@iptel.org Date: Mon Jun 23 17:48:40 2008 +0000
- default key and certificate names changed to ser-selfsigned* - added ser_certs.sh
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=bb718b6a... Author: Jan Janak jan@iptel.org Date: Thu Jun 12 16:02:04 2008 +0000
- updated to the latest changes in the cfg parser
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=d037bb9d... Author: Jan Janak jan@iptel.org Date: Fri Jun 6 00:03:06 2008 +0000
- Use the new configuration file parser
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=87db4359... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Sun Mar 2 16:09:28 2008 +0000
- fixed includes (rm malloc.h) due to portability problems
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b717dfd1... Author: Jan Janak jan@iptel.org Date: Mon Feb 11 12:39:49 2008 +0000
- shm_str_dup and shm_asciiz_dup set the destination buffer to NULL if the source is NULL too
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=d128c59d... Author: Jan Janak jan@iptel.org Date: Fri Feb 8 05:38:39 2008 +0000
- Convert all relative pathnames of files to absolute with respect to the main SER configuration file (the external TLS config file and modparams) or the TLS config file (file included from there). - Use get_abs_pathname from sip_router/ut.c instead of the local function get_pathname
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=aa4ac2d8... Author: Jan Janak jan@iptel.org Date: Tue Feb 5 08:27:42 2008 +0000
- modified function get_pathname to return path relative to the path of the main SER configuration file if it does not start with /, this is much more sensible then just pre-pending CFG_DIR, it is possible to write modparam("tls", "config", "tls.cfg") and still control the location of the configuration files using -f cmd line option - the function now returns result allocated with malloc, not pkg_malloc
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=878bda92... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Aug 1 00:05:40 2007 +0000
- support for setting the source address in tcp_send() and tcpconn_get() (should allow for a better tcp force_send_socket() in the future) - add multiple aliases for each connection, to cover all the search possiblities: (dst_ip, dst_port), (local_ip, dst_ip, dst_port), (local_ip, local_port, dst_ip, dst_port). - improved connection hash function
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=30b49d17... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Thu Jun 7 21:46:56 2007 +0000
- updated all the child_init users to ignore or treat specially the PROC_INIT rank
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=66fff017... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 28 01:38:47 2007 +0000
- added low_mem_threshold1 & low_mem_threshold2 (the ammount of free memory from which tls operations will start to fail preemptively is now configurable; by default the value depends on the number of processes) - doc update
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=30e67c4f... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Mon Feb 26 23:32:29 2007 +0000
- tls: tls_update_fd improvement - use SSL_set_fd only when the connection is not fully init. and SSL_get_*bio/BIO_set_fd in the other cases (much faster and avoids SSL_mallocs).
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=433e6896... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Fri Feb 23 23:24:32 2007 +0000
- workaround for openssl bug #1491 (multiple problems on low memory): tls functions will preemptively fail if the available memory drops under a certain treshold (for now a very conservative value based on the maximum possible number of simultaneously executing connects/accepts - expect something >= 20MB, depending on the number of processes)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=3d980a8e... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 21 20:29:04 2007 +0000
- malloc debugging for openssl and random malloc null returns turened off (I've commited this yesterday by mistake)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=32e4977c... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 21 00:54:44 2007 +0000
- added tls module documentation (not yet complete, still missing select, rpc and better tls.cfg description). Test case: try to read the generated README and see if it makes sense and you uderstand at least 88,73% from it. Prerequisites: well rested and a blood alcohol level within legal driving limits. WARNING: known to induce strong drowsiness.
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=0e4d732d... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Tue Feb 20 19:41:14 2007 +0000
- make tar doesn't exclude tls*, but instead tls/* - don't append -tls to the version number unless CORE_TLS is used (there's enough information in the flags to see if support for the tls modules is enabled)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=5777d866... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Fri Feb 16 21:43:17 2007 +0000
- call tls_shutdown() only if tls_set_fd() was succesfull (fixes a tricky bug that can appear on low memory conditions)A - tls_dump_cert_info takes into account the possibility of a failing X609_NAME_oneline() (can happen on low memory)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=560a42b6... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Tue Feb 13 13:22:57 2007 +0000
- tls: openssl kerberos malloc bug (# 1467) fixed on cvs (0.9.8e-dev and 0.9.9-dev), so add extra checks for enabling the workarround (which disables kerberos) only when necessary: if openssl compiled with kerberos support, and openssl < 0.9.8e-beta1 or openssl between 0.9.9-dev and 0.9.9-beta1 apply workarround.
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c9557b13... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Sat Feb 10 19:02:56 2007 +0000
- tls-core.patch removed (no longer necessary)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=6a8994c4... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Sat Feb 10 19:02:04 2007 +0000
- use the new tls hooks api (the core patch is no longer necessary) - renamed some of tls_.* functions to tls_h_.* to avoid name conflicts with the core - fixed shutdown tls before tcp bug (if ser was stopped while tls connections were still active, the tls module was destroyed before tcp => crash when tcp tried to close the tls connections). Now all the destroy operation are moved into the new destroy_tls hook and the module destroy function is empty.
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=dd750880... Author: Jan Janak jan@iptel.org Date: Mon Feb 5 10:20:54 2007 +0000
- added missing header files to make tls module compile on FreeBSD reported by Atle Samuelsen
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c20ee398... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Fri Feb 2 15:17:52 2007 +0000
- fixed missing warning quotes (problem with older compilers)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=fc660aae... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Thu Feb 1 04:24:06 2007 +0000
- openssl compression bug detect/workaround enabled at runtime (if zlib compression is detected, we replace openssl version with ours). The previous version had this fix but it was enabled only at compile-time. - SSL_OP_TLS_BLOCK_PADDING_BUG option disabled if 0.9.8 <= openssl < 0.9.8c and compresion is used (check at runtime) - more start-up sanity checks: - check if openssl used library version is close enough to the library with which the tls module was compiled (header files) For now it checks for the same major, minor and fix level (e.g. 0.9.8a && 0.9.8c are ok, 0.9.7b and 0.9.8a are not) - try to auto-detect (using the compile flags) if the used library was compiled with kerberos support and if the tls module was compiled with the same setting (or else we won't be able to enable the kerberos bug workarround). - more verbose start-up messages and errors - warning fixes - 2 new module parameters: tls_disable_compression (default 0) tls_force_run (default 0) -- will ignore the start-up sanity checks and continue running even if the library version/options are different References: openssl bugs #1468, #1467 & #1204 (http://rt.openssl.org)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=36cb8fa7... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Fri Jan 26 23:11:21 2007 +0000
- workaround for openssl kerberos malloc bug: openssl kerberos code in kssl.c uses libc malloc/free/calloc instead of the OPENSSL* versions (set using CRYPTO_set_mem_functions()). In ser ssl connections "move" between processes and so everything must be allocated in shared mem. If the wrong malloc functions are called ser will eventually crash. This workaround tries to disable kerberos support each time a new SSL structure is created. For this fix to work it is important to either use statically linked openssl or re-compile ser on the target machine (if openssl is linked dynamically then it must use the same compilation options as the machine on which ser is compiled). Bug reported by Atle Samuelsen <clona@cyberhouse.no>.
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=7f8edfa7... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Fri Jan 26 19:56:49 2007 +0000
- typo fix: don't attempt to apply the compression fix workaround if no zlib compression was found
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=a558c65e... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Jan 24 18:01:54 2007 +0000
- tls fix: set openssl locking functions (should be stable even under high load, lots of connections, and multi-cpu machines)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b2aa9fd7... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Jan 17 20:24:05 2007 +0000
- timeouts fixed (all the tcp timeouts use now ticks and not seconds)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=ba83663c... Author: Jan Janak jan@iptel.org Date: Wed Jan 17 10:39:09 2007 +0000
- The config file parser did not always return proper variable value
closes SER-206
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=2810f7a0... Author: Miklos Tirpak miklos@iptel.org Date: Mon Nov 27 13:55:51 2006 +0000
@tls.peer.verified did not set the result buffer
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c69b8d98... Author: Jan Janak jan@iptel.org Date: Fri Nov 24 07:37:28 2006 +0000
- fixed wrong comparison values, reported by Klaus Darilion
closes SER-108
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b5c9bd68... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Nov 15 19:55:13 2006 +0000
- tls init updated to the new get_max_procs() use (not allowed from mod_init())
- tls-core.patch updated to the latest tcp changes
- lots of warnings and/or small errors fixed
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=14b8a300... Author: Jan Halla hallik@iptel.org Date: Sat Nov 4 01:44:34 2006 +0000
tls-core.patch updated to be useable with current SER CVS HEAD
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=079850e2... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Tue Sep 19 16:13:27 2006 +0000
- applied patch from Dragos Vingarzan <vingarzan@fokus.fraunhofer.de> which moves all the forking part into 2 functions in pt.c (fork_process and fork_tcp_process).
- added PROC_NOCHLDINIT rank value for Dragos's fork_process (if this value is used as child_id/rank_value the mod_child functions will not be called)
- added register_procs(processes_no), used from mod_init when a module knows that it will fork some children (replaces the old process_count++ / the patch's estimated_process_count++)
- added get_max_procs(): returns the maximum (estimated) number of processes
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=e618d0ea... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 18:23:47 2006 +0000
- deallocate lock only if it was really allocated
- implemented tls.init (lists all existing TLS connections)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=31c1662e... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 15:52:11 2006 +0000
- fixed file comments
- added missing defines in header files
- added missing Id tags
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=742653f8... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 12:35:41 2006 +0000
- fixed get_ssl (TCP extra data contains pointer to a different structure)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=5303a643... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 12:26:07 2006 +0000
- make sure tls modparams do not overview defaults for the external configuration file
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c71c178e... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 12:23:44 2006 +0000
- a couple of typos fixed
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=331ddcfa... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 12:22:01 2006 +0000
- minor beautification
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c4417073... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 12:20:45 2006 +0000
- Example configuration file for tls module
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=38a66479... Author: Jan Janak jan@iptel.org Date: Fri Mar 3 11:26:53 2006 +0000
- Support for external TLS configuration file
- support for relative path names (CFG_DIR will be added automatically)
- Support for run-time configuration re-load
- tls.reload management command implemented
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=88e8426e... Author: Jan Janak jan@iptel.org Date: Wed Feb 22 23:41:17 2006 +0000
- fixed wrong comment
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f1eadbe5... Author: Jan Janak jan@iptel.org Date: Wed Feb 22 23:37:19 2006 +0000
- TLS configuration file parser (not yet integrated with rest of tls module)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=ca552cbb... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 22 13:34:00 2006 +0000
- by default don't require a certificate
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f875827d... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 22 13:10:27 2006 +0000
- by default don't verify any certs (server or client)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=e6526a64... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Feb 22 13:00:36 2006 +0000
- applied Klaus Darilion patches (closes SER-98):
  - updated tls-core.patch
  - allow configuration of the default TLS-client-domain
  - more TLS logging during TLS initialisation and when TLS verification fails
  - use TLSv1 as default method
- debian build: libradius-ng-dev as another alternative to the various libradius*
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=ddfc8f35... Author: Andrei Pelinescu-Onciul andrei@iptel.org Date: Mon Feb 20 23:31:18 2006 +0000
- log message fix for tls_connect (s/dst/src)
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b0eb2c7d... Author: Jan Janak jan@iptel.org Date: Mon Jan 30 16:05:39 2006 +0000
- fixed @tls.cipher.bits
- noisy error turned into debugging message
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=dd0647fb... Author: Jan Janak jan@iptel.org Date: Sat Jan 28 12:34:31 2006 +0000
Preliminary TLS module (requires core patch which is attached), the module contains:
- Many bugfixes and better implementation of tls_write and tls_read by Andrei
- openssl compression fix by Andrei
- extended tls multi-domain support (most parameters can be configured to different values in different domains)
- support for outgoing domains (not complete)
- support for certificate based authentication through selects ( if @tls.peer == "Bob") ...
- the tls code is merge of experimental/tls and Andrei's tls to get best of both
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev