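/*
 * Initialize the TLS virtual domains.
 *
 * For every domain in the list: pick the method (falling back to the
 * global tls_method), create its SSL_CTX, apply the configured context
 * behaviour and load the certificate, CA file and CA directory, using
 * the global defaults (tls_cert_file, tls_ca_file, tls_ca_dir) when the
 * domain does not set its own.  Private keys are loaded in a second pass
 * over all domains so that a possible password prompt happens only after
 * every context has been created.
 *
 * @param d  head of the singly linked domain list; may be NULL
 * @return 0 on success, -1 on the first failure.  Contexts created before
 *         the failure are not released here; callers are expected to
 *         abort startup on a negative result.
 */
int init_tls_domains(struct tls_domain *d)
{
	struct tls_domain *head = d;

	for (; d; d = d->next) {
		if (d->name.len) {
			LM_INFO("Processing TLS domain '%.*s'\n",
				d->name.len, ZSW(d->name.s));
		} else {
			LM_INFO("Processing TLS domain [%s:%d]\n",
				ip_addr2a(&d->addr), d->port);
		}

		/* method: domains without an explicit one inherit the global setting */
		if (d->method == TLS_METHOD_UNSPEC) {
			LM_DBG("no method for tls[%s:%d], using default\n",
				ip_addr2a(&d->addr), d->port);
			d->method = tls_method;
		}

		/* context; ssl_methods[] is indexed by method - 1 (the method
		 * values are presumably 1-based after UNSPEC is resolved -- confirm
		 * that every configurable value stays inside the table) */
		d->ctx = SSL_CTX_new(ssl_methods[d->method - 1]);
		if (d->ctx == NULL) {
			LM_ERR("cannot create ssl context for "
				"tls[%s:%d]\n", ip_addr2a(&d->addr), d->port);
			return -1;
		}
		if (init_ssl_ctx_behavior( d ) < 0)
			return -1;

		/* certificate */
		if (!d->cert_file) {
			/* "%s" must never see a NULL pointer (undefined behaviour) */
			LM_NOTICE("no certificate for tls[%s:%d] defined, using default "
				"'%s'\n", ip_addr2a(&d->addr), d->port,
				tls_cert_file ? tls_cert_file : "(none)");
			d->cert_file = tls_cert_file;
		}
		if (load_certificate(d->ctx, d->cert_file) < 0)
			return -1;

		/* CA file; the global default may be unset, in which case no CA
		 * file is loaded for this domain either */
		if (!d->ca_file) {
			LM_NOTICE("no CA for tls[%s:%d] defined, "
				"using default '%s'\n", ip_addr2a(&d->addr), d->port,
				tls_ca_file ? tls_ca_file : "(none)");
			d->ca_file = tls_ca_file;
		}
		if (d->ca_file && load_ca(d->ctx, d->ca_file) < 0)
			return -1;

		/* CA directory; same optional handling as the CA file */
		if (!d->ca_directory) {
			LM_NOTICE("no CA directory for tls[%s:%d] defined, "
				"using default '%s'\n", ip_addr2a(&d->addr), d->port,
				tls_ca_dir ? tls_ca_dir : "(none)");
			d->ca_directory = tls_ca_dir;
		}
		if (d->ca_directory && load_ca_dir(d->ctx, d->ca_directory) < 0)
			return -1;
	}

	/* private keys last: loading one may prompt for a password */
	for (d = head; d; d = d->next) {
		if (!d->pkey_file) {
			LM_NOTICE("no private key for tls[%s:%d] defined, using default "
				"'%s'\n", ip_addr2a(&d->addr), d->port,
				tls_pkey_file ? tls_pkey_file : "(none)");
			d->pkey_file = tls_pkey_file;
		}
		if (load_private_key(d->ctx, d->pkey_file) < 0)
			return -1;
	}

	return 0;
}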
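/*
 * Called once from main.c (main process).
 *
 * Performs the global OpenSSL setup (custom memory functions, library
 * and error-string initialization, method table), creates the default
 * SSL_CTX from the global settings, then creates one SSL_CTX per TLS
 * virtual domain, applying the global defaults (tls_cert_file,
 * tls_ca_file, tls_pkey_file) for anything a domain does not set.
 * Private keys are loaded in a final pass because loading one may prompt
 * for a password.  No CA directory is loaded by this function.
 *
 * @return 0 on success, -1 on the first failure (already created
 *         contexts are not released; startup is expected to abort).
 */
int init_tls(void)
{
	struct tls_domain *d;

	DBG("init_tls: Entered\n");
#if OPENSSL_VERSION_NUMBER < 0x00907000L
	LOG(L_ERR, "WARNING! You are using an old version of OpenSSL (< 0.9.7). Upgrade!\n");
#endif
	LOG(L_ALERT, "WARNING! TLS is considered as an EXPERIMENTAL module\n" );

	/*
	 * this has to be called before any function calling CRYPTO_malloc,
	 * CRYPTO_malloc will set allow_customize in openssl to 0
	 */
	if (!CRYPTO_set_mem_functions(ser_malloc, ser_realloc, ser_free)) {
		LOG(L_ERR, "init_tls: Unable to set the memory allocation functions\n");
		return -1;
	}

	SSL_library_init();
	SSL_load_error_strings();
	init_ssl_methods();

	/* default context first (ssl_methods[] is indexed by method - 1) */
	default_ctx = SSL_CTX_new(ssl_methods[tls_method - 1]);
	if (default_ctx == NULL) {
		LOG(L_ERR, "init_tls: Cannot create default ssl context\n");
		return -1;
	}
	/* NOTE(review): the result of init_ssl_ctx_behavior() is ignored here
	 * and for every domain below.  If this is where verification settings
	 * are applied, a failure would leave the context on OpenSSL defaults;
	 * confirm its return convention and check it like the loaders are. */
	init_ssl_ctx_behavior( default_ctx );
	if (load_certificate(default_ctx, tls_cert_file) < 0)
		return -1;
	/* tls_ca_file is optional */
	if (tls_ca_file && load_ca(default_ctx, tls_ca_file) < 0)
		return -1;
	if (load_private_key(default_ctx, tls_pkey_file) < 0)
		return -1;

	/* one context per virtual domain */
	for (d = tls_domains; d; d = d->next) {
		DBG("init_tls: Processing TLS domain [%s:%d]\n",
			ip_addr2a(&d->addr), d->port);

		/* method: unset means "inherit the global one" */
		if (d->method == TLS_METHOD_UNSPEC) {
			DBG("init_tls: No method for tls[%s:%d], using default\n",
				ip_addr2a(&d->addr), d->port);
			d->method = tls_method;
		}
		d->ctx = SSL_CTX_new(ssl_methods[d->method - 1]);
		if (d->ctx == NULL) {
			LOG(L_ERR, "init_tls: Cannot create ssl context for tls[%s:%d]\n",
				ip_addr2a(&d->addr), d->port);
			return -1;
		}
		init_ssl_ctx_behavior( d->ctx );

		/* certificate; "%s" must never receive NULL (undefined behaviour) */
		if (!d->cert_file) {
			LOG(L_NOTICE, "init_tls: No certificate for tls[%s:%d] defined, using default '%s'\n",
				ip_addr2a(&d->addr), d->port,
				tls_cert_file ? tls_cert_file : "(none)");
			d->cert_file = tls_cert_file;
		}
		if (load_certificate(d->ctx, d->cert_file) < 0)
			return -1;

		/* CA file; the global default may be unset, then none is loaded */
		if (!d->ca_file) {
			LOG(L_NOTICE, "init_tls: No CA for tls[%s:%d] defined, using default '%s'\n",
				ip_addr2a(&d->addr), d->port,
				tls_ca_file ? tls_ca_file : "(none)");
			d->ca_file = tls_ca_file;
		}
		if (d->ca_file && load_ca(d->ctx, d->ca_file) < 0)
			return -1;
	}

	/* private keys last: loading one may prompt for a password */
	for (d = tls_domains; d; d = d->next) {
		if (!d->pkey_file) {
			LOG(L_NOTICE, "init_tls: No private key for tls[%s:%d] defined, using default '%s'\n",
				ip_addr2a(&d->addr), d->port,
				tls_pkey_file ? tls_pkey_file : "(none)");
			d->pkey_file = tls_pkey_file;
		}
		if (load_private_key(d->ctx, d->pkey_file) < 0)
			return -1;
	}

	/* we are all set */
	return 0;
}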