On 01 Dec 2014, at 16:21, Mark Michelson <[email protected]> wrote:
> On 11/25/2014 02:46 PM, James Cloos wrote: >> Now that 13 has hit sid, I've started converting to pjsip. >> >> Chan_sip supports one's preference of a ca path or ca file, but >> res_pjsip does not. At least not on the 13 branch. >> >> Is that intentional, or an oversight? >> >> If not intentional, will a patch to fix be accepted for 13, >> only for trunk? >> >> -JimC > > For res_pjsip, we're using the mechanisms that PJSIP exposes in its TLS > transport. Since a CA path option is not exposed, the option to provide one > in pjsip.conf does not exist. If you want to provide a patch, that's totally > fine, but the patch would need to be made against PJProject instead of > Asterisk. > > Doing a quick search, it looks like the change to make would be in > pjlib/src/pj/ssl_sock_ossl.c. The pj_ssl_cert_t would need to be modified to > have a CA path. The functions used to get and set pj_ssl_cert_t would need to > be modified to take a CA path into account. And finally, the create_ssl() > function would need to pass the configured CA path into > SSL_CTX_load_verify_locations(). If you have no CA path - how does the CHAN_PJSIP verify TLS certificates? /O -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-dev mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-dev
