<!-- Kamailio Pull Request Template -->
<!-- IMPORTANT: - for detailed contributing guidelines, read: https://github.com/kamailio/kamailio/blob/master/.github/CONTRIBUTING.md - pull requests must be done to master branch, unless they are backports of fixes from master branch to a stable branch - backports to stable branches must be done with 'git cherry-pick -x ...' - code is contributed under BSD for core and main components (tm, sl, auth, tls) - code is contributed GPLv2 or a compatible license for the other components - GPL code is contributed with OpenSSL licensing exception -->
#### Pre-Submission Checklist <!-- Go over all points below, and after creating the PR, tick all the checkboxes that apply --> <!-- All points should be verified, otherwise, read the CONTRIBUTING guidelines from above--> <!-- If you're unsure about any of these, don't hesitate to ask on sr-dev mailing list --> - [x] Commit message has the format required by CONTRIBUTING guide - [x] Commits are split per component (core, individual modules, libs, utils, ...) - [x] Each component has a single commit (if not, squash them into one commit) - [x] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated)
#### Type Of Change - [ ] Small bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds new functionality) - [ ] Breaking change (fix or feature that would change existing functionality)
#### Checklist: <!-- Go over all points below, and after creating the PR, tick the checkboxes that apply --> - [x] PR should be backported to stable branches - [ ] Tested changes locally - [ ] Related to issue #XXXX (replace XXXX with an open issue number)
#### Description <!-- Describe your changes in detail --> Adding TLS capability to connections between Kamailio and configured peers. Configuration done via kamailio.cfg.
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/3548
-- Commit Summary --
* cdp: adding TLS capability to peer connections * cdp: documenting TLS capability related parameters
-- File Changes --
M src/modules/cdp/Makefile (2) M src/modules/cdp/cdp_mod.c (27) A src/modules/cdp/cdp_tls.c (196) A src/modules/cdp/cdp_tls.h (51) M src/modules/cdp/doc/cdp_admin.xml (97) M src/modules/cdp/receiver.c (73) M src/modules/cdp/receiver.h (3)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/3548.patch https://github.com/kamailio/kamailio/pull/3548.diff
@oej commented on this pull request.
@@ -0,0 +1,196 @@
+#include "cdp_tls.h" + +cfg_option_t methods[] = { + {"TLSv1", .val = TLS_USE_TLSv1}, + {"TLSv1.0", .val = TLS_USE_TLSv1}, + {"TLSv1+", .val = TLS_USE_TLSv1_PLUS}, + {"TLSv1.0+", .val = TLS_USE_TLSv1_PLUS}, + {"TLSv1.1", .val = TLS_USE_TLSv1_1}, + {"TLSv1.1+", .val = TLS_USE_TLSv1_1_PLUS}, + {"TLSv1.2", .val = TLS_USE_TLSv1_2}, + {"TLSv1.2+", .val = TLS_USE_TLSv1_2_PLUS},
TLS 1.3 should be possible
@oej commented on this pull request.
- }
+ return 0; +} + +SSL* init_ssl_conn(int client_fd, SSL_CTX *ctx) +{ + /* Create an SSL object */ + SSL *ssl = SSL_new(ctx); + if (!ssl) { + LM_ERR("init_ssl_conn(): Failed to create SSL object."); + SSL_CTX_free(ctx); + return NULL; + } + /* Set up the TLS connection */ + if (SSL_set_fd(ssl, client_fd) != 1) { + LM_ERR("init_ssl_conn(): Failed to set up TLS connection.");
Can you divulge any more about why it failed? Does the error code hint a reason?
@oej commented on this pull request.
+int to_ssl(SSL_CTX** tls_ctx_p, SSL** tls_conn_p, int tcp_sock, int method)
+{ + *tls_ctx_p = init_ssl_ctx(method); + if (!(*tls_ctx_p)) { + LM_ERR("to_ssl(): Error on initialising ssl context\n"); + return -1; + } + if (certificate.s && private_key.s) { + if (load_certificates(*tls_ctx_p, &certificate, &private_key) < 0) { + LM_ERR("to_ssl(): Error on loading certificates\n"); + return -1; + } + } + *tls_conn_p = init_ssl_conn(tcp_sock, *tls_ctx_p); + if (!(*tls_conn_p)) { + LM_ERR("to_ssl(): Error on negociating ssl connection\n");
TLS connection
@oej commented on this pull request.
- }
+ return ssl; +} + +void cleanup_ssl(SSL_CTX* tls_ctx, SSL* tls_conn) +{ + SSL_shutdown(tls_conn); + SSL_free(tls_conn); + SSL_CTX_free(tls_ctx); +} + +int to_ssl(SSL_CTX** tls_ctx_p, SSL** tls_conn_p, int tcp_sock, int method) +{ + *tls_ctx_p = init_ssl_ctx(method); + if (!(*tls_ctx_p)) { + LM_ERR("to_ssl(): Error on initialising ssl context\n");
TLS context or "openssl context"
@oej commented on this pull request.
</itemizedlist>
+ <para><emphasis> Default value is <quote>TLSv1.2</quote>. </emphasis></para> + + <example> + <title>Set <varname>tls_method</varname> parameter</title> + + <programlisting format="linespecific">... +modparam("tls", "tls_method", "TLSv1") +... + </programlisting> + </example> + </section> + <section> + <title>private_key (string)</title> + + <para>Sets the private key file name.</para>
Do you support both der and pem encoding? Please specify format.
@oej commented on this pull request.
+ <para>Sets the private key file name.</para> + + <example> + <title>Set <varname>private_key</varname> parameter</title> + + <programlisting format="linespecific">... +modparam("cdp", "private_key", "/usr/local/etc/kamailio/my_pkey.pem") +... + </programlisting> + </example> + </section> + <section> + <title>certificate (string)</title> + + <para>Sets the certificate file name.</para>
What type of cert? Signed by whom?
Just for brainstorming: My general feeling is that a lot of this code - the parsing of the TLS variant, the default settings - should be general for all kamailio modules using TLS. If we decide to deprecate a version of TLS or add a new version, it would be simpler to have it in one place, not spread out over the code base.
Core Kamailio now has two TLS stacks supported. I have no clue, but would it be possible to use those as an interface to get the same multi-stack support here.
Thank you for your contribution!
Thanks also from my side. One additional note, please execute "clang-format" on the file, as the syntax check is currently failing. Just do a force push after you changed it to update the PR commit.
Thank you for the comments, I will make changes accordingly. Will look into the multi-stack issue as well.
I think the TLS implementation for SIP can't be used in this module, because the cdp module has its own internal design with dedicated transport workers. Reusing some common functions could be eventually done, but I am not sure how much code is shared in the current approach. The tls config parser is anyhow the ini-parser from core, it is not inside the tls module. At this moment I don't see a straightforward way that having/adding support for a TLS version (say TLS 1.3) in one module becomes available in the other one.
For the moment, the current implementation might have to be merged as it is, future reworking might do a better code sharing.
As a generic note, the name of the function does not have to be explicitly added to the log messages, it is done automatically for all log messages -- it might be that CDP module was not updated to remove function names from old log messages, but the new ones should avoid having function names, they will appear twice.
Thanks @miconda for the response. I understand.
@lbalaceanu pushed 2 commits.
9c3d2117168dc3c992df5d18ff18385508082f29 cdp: fixing formatting 9bdbe7250d892cb2d871f7e283217f0af2274ea9 cdp: logging reworking
More changes to follow in subsequent commits. In the end I will squash commits in the PR.
@lbalaceanu pushed 2 commits.
d0a81b44f6cc3a058fd5771d7080c4e5d052ac7d cdp: adding ca_list param 35a08f96a3919a58d53ca5ce25d74134de978e8d cdp: updated with ca_list param and clarifications
@lbalaceanu pushed 1 commit.
8ad748a420162625e653f5f7759a85f66174c083 cdp: adding more in-depth openssl logging
@lbalaceanu pushed 1 commit.
085bf21505a67e1404118d79f7e3288bdd2e4e51 cdp: adding TLSv1.3 configuration
@lbalaceanu pushed 1 commit.
60af9df0a5683c57472244fcf666ea3f07d78c62 cdp: updating docu for TLSv1.3 configuration addition
@lbalaceanu pushed 2 commits.
e3dea073f93bccdc9353d2f1ab9fa0a29fca0030 cdp: adding TLS capability to peer connections a1e6bed57a1e84b4837cfc9a6d961b3c262155ee cdp: documenting TLS capability related parameters
@lbalaceanu pushed 2 commits.
ff9adaf928a4932894f8e628a48bfb7fdac684db cdp: adding TLS capability to peer connections 0a2a63a606a883ecc4720d90ca8745a3db50b0e1 cdp: documenting TLS capability related parameters
Hi. Hope I took care of the punctual requests made by @oej and @henningw. Please comment. However, starting tomorrow I will not have access to my laptop for a week. Have a nice day!
Hello @oej @henningw @miconda do you think this commit can be merged?
I haven't looked much at the changes, but I am not much using these modules, so I guess the PR can be merged and adjustments can be done down the road as needed.
I did a review - looks good to me, I will merge the PR.
Merged #3548 into master.
Thank you all for your help.
@lbalaceanu this code is breaking nightly-builds I commented at https://github.com/kamailio/kamailio/commit/defae2551f8839c5397523f135293fb2... with the compile errors https://kamailio.sipwise.com/job/kamailiodev-nightly-binaries/2489/console
-
carstenbock -
Daniel-Constantin Mierla
-
Henning Westerholt
-
Lucian Balaceanu
-
Olle E. Johansson
-
Victor Seva