Changeset 2094

Timestamp:

Jul 1, 2008 3:31:59 PM (16 years ago)

Author:

bennylp

Message:

Ticket #552: Added TLS server name extension to support connecting to multi-hosted SIP TLS server (thanks Klaus Darilion for the suggestion)

Location:

pjproject/trunk

Files:

• pjsip-apps/src/pjsua/pjsua_app.c (modified) (5 diffs)
• pjsip/include/pjsip/sip_transport_tls.h (modified) (1 diff)
• pjsip/src/pjsip/sip_transport_tls_ossl.c (modified) (3 diffs)

pjproject/trunk/pjsip-apps/src/pjsua/pjsua_app.c

@@ -207 +207 @@
     puts  ("  --tls-verify-client Verify client's certificate (default=no)");
     puts  ("  --tls-neg-timeout   Specify TLS negotiation timeout (default=no)");
+    puts  ("  --tls-srv-name      Specify TLS server name for multi-hosting server (optional)");
 
     puts  ("");
@@ -461 +462 @@
            OPT_USE_TLS, OPT_TLS_CA_FILE, OPT_TLS_CERT_FILE, OPT_TLS_PRIV_FILE,
            OPT_TLS_PASSWORD, OPT_TLS_VERIFY_SERVER, OPT_TLS_VERIFY_CLIENT,
-           OPT_TLS_NEG_TIMEOUT,
+           OPT_TLS_NEG_TIMEOUT, OPT_TLS_SRV_NAME,
            OPT_CAPTURE_DEV, OPT_PLAYBACK_DEV,
            OPT_CAPTURE_LAT, OPT_PLAYBACK_LAT, OPT_NO_TONES,
@@ -552 +553 @@
         { "tls-verify-client", 0, 0, OPT_TLS_VERIFY_CLIENT},
         { "tls-neg-timeout", 1, 0, OPT_TLS_NEG_TIMEOUT},
+        { "tls-srv-name", 1, 0, OPT_TLS_SRV_NAME},
         { "capture-dev",    1, 0, OPT_CAPTURE_DEV},
         { "playback-dev",   1, 0, OPT_PLAYBACK_DEV},
@@ -1137 +1139 @@
             break;
 
+        case OPT_TLS_SRV_NAME:
+            cfg->udp_cfg.tls_setting.server_name = pj_str(pj_optarg);
+            break;
+
         case OPT_CAPTURE_DEV:
             cfg->capture_dev = atoi(pj_optarg);
@@ -1469 +1475 @@
                         (int)config->udp_cfg.tls_setting.password.slen, 
                         config->udp_cfg.tls_setting.password.ptr);
+        pj_strcat2(&cfg, line);
+    }
+
+    if (config->udp_cfg.tls_setting.server_name.slen) {
+        pj_ansi_sprintf(line, "--tls-srv-name %.*s\n",
+                        (int)config->udp_cfg.tls_setting.server_name.slen, 
+                        config->udp_cfg.tls_setting.server_name.ptr);
         pj_strcat2(&cfg, line);
     }

pjproject/trunk/pjsip/include/pjsip/sip_transport_tls.h

@@ -108 +108 @@
      */
     pj_str_t    ciphers;
+
+    /**
+     * Optionally specify the server name instance to be contacted when
+     * making outgoing TLS connection. This setting is useful when the
+     * server is hosting multiple domains for the same TLS listening
+     * socket.
+     *
+     * Default: empty.
+     */
+    pj_str_t    server_name;
 
     /**

pjproject/trunk/pjsip/src/pjsip/sip_transport_tls_ossl.c

@@ -165 +165 @@
     /* TLS settings, copied from listener */
     struct {
+        pj_str_t             server_name;
         pj_time_val          timeout;
     } setting;
@@ -513 +514 @@
     if (!SSL_in_connect_init(ssl))
         SSL_set_connect_state(ssl);
+
+#ifdef SSL_set_tlsext_host_name
+    if (tls->setting.server_name.slen) {
+        char server_name[PJ_MAX_HOSTNAME];
+
+        if (tls->setting.server_name.slen >= PJ_MAX_HOSTNAME)
+            return PJ_ENAMETOOLONG;
+
+        pj_memcpy(server_name, tls->setting.server_name.ptr, 
+                  tls->setting.server_name.slen);
+        server_name[tls->setting.server_name.slen] = '\0';
+
+        if (!SSL_set_tlsext_host_name(ssl, server_name)) {
+            PJ_LOG(4,(tls->base.obj_name, 
+                      "SSL_set_tlsext_host_name() failed"));
+        }
+    }
+#endif
 
     PJ_LOG(5,(tls->base.obj_name, "Starting SSL_connect() negotiation"));
@@ -1232 +1251 @@
     tls->base.pool = pool;
     tls->setting.timeout = listener->setting.timeout;
+    pj_strdup(pool, &tls->setting.server_name, 
+              &listener->setting.server_name);
 
     pj_ansi_snprintf(tls->base.obj_name, PJ_MAX_OBJ_NAME,