author: russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> 2008-01-18 22:04:33 +0000
committer: russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> 2008-01-18 22:04:33 +0000
commit: d6e19bdc91b0c4c6b5a069e11898741ec082b289 (patch)
tree: d0cb360114e418a612eb2025d270801a1388cd7f /doc
parent: cc1fcc753900c912d856f3f0498a4f7bfd8344a6 (diff)
Merge changes from team/group/sip-tcptls
This set of changes introduces TCP and TLS support for chan_sip. There are various new options in configs/sip.conf.sample that are used to enable these features. Also, there is a document, doc/siptls.txt, that describes some things in more detail.

This code was implemented by Brett Bryant and James Golovich. It was reviewed by Joshua Colp and myself. A number of other people participated in the testing of this code, but since it was done outside of the bug tracker, I do not have their names. If you were one of them, thanks a lot for the help!

(closes issue #4903, but with completely different code than what exists there.)

git-svn-id: http://svn.digium.com/svn/asterisk/trunk@99085 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'doc')
-rw-r--r-- doc/siptls.txt | 94
1 files changed, 94 insertions, 0 deletions
diff --git a/doc/siptls.txt b/doc/siptls.txt
new file mode 100644
index 000000000..3a54bf095
--- /dev/null
+++ b/doc/siptls.txt
@@ -0,0 +1,94 @@
+Asterisk SIP/TLS Transport
+==========================
+
+When using TLS the client will typically check the validity of the
+certificate chain. So that means you either need a certificate that is
+signed by one of the larger CAs, or if you use a self signed certificate
+you must install a copy of your CA on the client.
+
+So far this code has been test with:
+Asterisk as client and server (TLS and TCP)
+Polycom Soundpoint IP Phones (TLS and TCP)
+ Polycom phones require that the host (ip or hostname) that is
+ configured match the 'common name' in the certificate
+Minisip Softphone (TLS and TCP)
+Cisco IOS Gateways (TCP only)
+SNOM 360 (TLS only)
+Zoiper Biz Softphone (TLS and TCP)
+
+
+sip.conf options
+----------------
+tlsenable=[yes|no]
+ Enable TLS server, default is no
+
+tlsbindaddr=<ip address>
+ Specify IP address to bind TLS server to, default is 0.0.0.0
+
+tlscertfile=</path/to/certificate>
+ The server's certificate file. Should include the key and
+ certificate. This is mandatory if your going to run a TLS server.
+
+tlscafile=</path/to/certificate>
+ If the server your connecting to uses a self signed certificate
+ you should have their certificate installed here so the code can
+ verify the authenticity of their certificate.
+
+tlscadir=</path/to/ca/dir>
+ A directory full of CA certificates. The files must be named with
+ the CA subject name hash value.
+ (see man SSL_CTX_load_verify_locations for more info)
+
+tlsdontverifyserver=[yes|no]
+ If set to yes, don't verify the servers certificate when acting as
+ a client. If you don't have the server's CA certificate you can
+ set this and it will connect without requiring tlscafile to be set.
+ Default is no.
+
+tlscipher=<SSL cipher string>
+ A string specifying which SSL ciphers to use or not use
+
+
+Sample config
+-------------
+
+Here are the relevant bits of config for setting up TLS between 2
+asterisk servers. With server_a registering to server_b
+
+On server_a:
+[general]
+tlsenable=yes
+tlscertfgile=/etc/asterisk/asterisk.pem
+tlscafile=/etc/ssl/ca.pem ; This is the CA file used to generate both certificates
+register => tls://100:test@192.168.0.100:5061
+
+[101]
+type=friend
+context=internal
+host=192.168.0.100 ; The host should be either IP or hostname and should
+ ; match the 'common name' field in the servers certificate
+secret=test
+dtmfmode=rfc2833
+disallow=all
+allow=ulaw
+transport=tls
+port=5061
+
+On server_b:
+[general]
+tlsenable=yes
+tlscertfgile=/etc/asterisk/asterisk.pem
+
+[100]
+type=friend
+context=internal
+host=dynamic
+secret=test
+dtmfmode=rfc2833
+disallow=all
+allow=ulaw
+;You can specify transport= and port=5061 for TLS, but its not necessary in
+;the server configuration, any type of SIP transport will work
+;transport=tls
+;port=5061
+
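Review bot: the sample config in both `[general]` sections misspells the certificate option as `tlscertfgile=/etc/asterisk/asterisk.pem`, while the option list above documents it as `tlscertfile=`; as written, anyone copying the sample will not have the server certificate configured, so please correct both occurrences to `tlscertfile=`. The `tlsdontverifyserver` entry should also state plainly that setting it to yes disables authentication of the remote server's certificate when Asterisk acts as a client, so the peer could be impersonated; the recommended path is to install the peer's CA via `tlscafile` or `tlscadir` and leave this at the default of no. Minor wording in the new file: "has been test with" should read "has been tested with", "your going to run" and "the server your connecting to" should use "you're", and "the servers certificate" should be "the server's certificate".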