diff --git a/MANIFEST.in b/MANIFEST.in
index c9bfea3..5f5f31b 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,9 +1,10 @@
 recursive-include debian changelog compat control copyright rules
 recursive-include debian pycompat pyversions
 recursive-include debian *.init *.dirs *.default
 recursive-include debian/source format
 recursive-include resources/sounds *.wav
 recursive-include resources/sounds/moh *.wav
+recursive-include tls *.crt
 prune debian/tmp
 prune debian/sylkserver-*
 include INSTALL LICENSE MANIFEST.in *.ini.sample
diff --git a/config.ini.sample b/config.ini.sample
index 05fb392..0fdb63f 100644
--- a/config.ini.sample
+++ b/config.ini.sample
@@ -1,80 +1,80 @@
 ; SylkServer configuration file
 [Server]
 ; The following settings are the default used by the software, uncomment
 ; them only if you want to make changes
 ; default_application = conference
 ; Map user part of the Request URI to a specific application
 ; application_map = 123:conference,test:irc-conference
 ; trace_dir = /var/log/sylkserver
 ; trace_sip = False
 ; trace_msrp = False
 ; trace_notifications = False
 ; TLS can be used for encryption of SIP signaling and MSRP media. TLS is
 ; disabled by default. To enable TLS, you must have a valid X.509
 ; certificate and configure it below, then set the local_tls_port in the SIP
 ; section and use_tls in MSRP section
 ; The X.509 Certificate Authorities file
 ; ca_file = /etc/sylkserver/tls/ca.crt
-; The file containing X.509 certificate and private key in unencrypted format
-; certificate = /etc/sylkserver/tls/sylkserver.crt
+; The file containing X.509 certificate and private key in unencrypted format
+; certificate = /etc/sylkserver/tls/default.crt
 ; verify_server = False
 [SIP]
 ; SIP transport settings
 ; IP address used for SIP signaling; empty string or any means listen on interface used
 ; by the default route
 ; local_ip =
 ; Ports used for SIP transports, if not set to any value the transport will be disabled
 ; local_udp_port = 5060
 ; local_tcp_port = 5060
 ; local_tls_port =
 ; If set all outbound SIP requests will be sent through this SIP proxy
 ; outbound_proxy =
 ; A comma-separated list of hosts or networks to trust.
 ; The elements can be an IP address in CIDR format, a
 ; hostname or an IP address (in the latter 2 a mask of 32
 ; is assumed), or the special keywords 'any' and 'none'
 ; (being equivalent to 0.0.0.0/0 and 0.0.0.0/32
 ; respectively). It defaults to 'any'.
 ; trusted_peers =
 [MSRP]
 ; MSRP transport settings
-; By default MSRP media is using TCP, to enable TLS you must configure a
-; X.509 certificate in the server section and enable it here
-; use_tls = False
+; A valid X.509 certificate is required for MSRP to work over TLS.
+; TLS is enabled by default, a default TLS certificate is provided with SylkServer.
+; use_tls = True
 [RTP]
 ; RTP transport settings
 ; Allowed codec list, valid values: G722, speex, PCMU, PCMA, iLBC, GSM
 ; audio_codecs = G722,speex,PCMU,PCMA
 ; Port range used for RTP
 ; port_range = 50000:50500
 ; SRTP valid values: disabled, mandatory, optional
 ; srtp_encryption = optional
 ; RTP stream timeout, session will be disconnected after this value
 ; timeout = 30
diff --git a/debian/rules b/debian/rules
index f1e68bc..357f5fc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,20 +1,21 @@
 #!/usr/bin/make -f
 #export DH_VERBOSE=1
 %:
 	dh $@ --with python2
 override_dh_clean:
 	dh_clean
 	rm -rf build dist MANIFEST
 override_dh_install:
 	install -m 0644 config.ini.sample debian/sylkserver/etc/sylkserver/config.ini
 	install -m 0644 conference.ini.sample debian/sylkserver/etc/sylkserver/conference.ini
+	install -m 0600 tls/default.crt debian/sylkserver/etc/sylkserver/tls/default.crt
 	dh_install
 override_dh_installinit:
 	dh_installinit --no-start
 .PHONY: override_dh_clean override_dh_install override_dh_installinit
diff --git a/sylk/configuration/__init__.py b/sylk/configuration/__init__.py
index be92048..ea60954 100644
--- a/sylk/configuration/__init__.py
+++ b/sylk/configuration/__init__.py
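Review bot: Enabling `use_tls = True` by default while `certificate` defaults to the bundled `/etc/sylkserver/tls/default.crt` means every default deployment presents a private key that this same commit publishes in the repository (tls/default.crt), so the TLS it turns on authenticates nothing, and anyone holding that key can impersonate the server to its MSRP peers; the same defaults are set in sylk/configuration/__init__.py and the file is installed by debian/rules. The Server-section sentence `TLS is disabled by default` a few lines above is also left contradicting the new MSRP text `TLS is enabled by default`. Suggest the MSRP comment say plainly what the bundled file is, e.g. `; The bundled default.crt is a public, shared test certificate; generate a site-specific one before relying on TLS`, and that the Server-section sentence be updated to match.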
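Review bot: The added `install -m 0600 tls/default.crt debian/sylkserver/etc/sylkserver/tls/default.crt` will fail if `debian/sylkserver/etc/sylkserver/tls` does not already exist, because install(1) only creates leading directories when given `-D`; nothing in this diff creates that directory, though a debian/*.dirs entry outside the diff may. Suggest `install -D -m 0600 tls/default.crt debian/sylkserver/etc/sylkserver/tls/default.crt`. Note also that 0600 owned by root makes the key readable by root only, so if the service drops to an unprivileged user (not visible here) it would be unable to open the file.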
@@ -1,69 +1,69 @@
 # Copyright (C) 2010-2011 AG Projects. See LICENSE for details.
 #
 from application.configuration import ConfigSection, ConfigSetting
 from application.configuration.datatypes import NetworkRangeList, StringList
 from application.system import host
 from sipsimple.configuration.datatypes import NonNegativeInteger, SRTPEncryption
 from sylk import configuration_filename
 from sylk.configuration.datatypes import AudioCodecs, IPAddress, NillablePath, Path, Port, PortRange, SIPProxyAddress
 from sylk.tls import Certificate, PrivateKey
 class ServerConfig(ConfigSection):
     __cfgfile__ = configuration_filename
     __section__ = 'Server'
     ca_file = ConfigSetting(type=NillablePath, value=NillablePath('/etc/sylkserver/tls/ca.crt'))
-    certificate = ConfigSetting(type=NillablePath, value=NillablePath('/etc/sylkserver/tls/sylkserver.crt'))
+    certificate = ConfigSetting(type=NillablePath, value=NillablePath('/etc/sylkserver/tls/default.crt'))
     verify_server = False
     default_application = 'conference'
     application_map = ConfigSetting(type=StringList, value='')
     trace_dir = ConfigSetting(type=Path, value=Path('/var/log/sylkserver'))
     trace_sip = False
     trace_msrp = False
     trace_notifications = False
 class SIPConfig(ConfigSection):
     __cfgfile__ = configuration_filename
     __section__ = 'SIP'
     local_ip = ConfigSetting(type=IPAddress, value=host.default_ip)
     local_udp_port = ConfigSetting(type=Port, value=5060)
     local_tcp_port = ConfigSetting(type=Port, value=5060)
     local_tls_port = ConfigSetting(type=Port, value=None)
     outbound_proxy = ConfigSetting(type=SIPProxyAddress, value=None)
     trusted_peers = ConfigSetting(type=NetworkRangeList, value=NetworkRangeList('any'))
 class MSRPConfig(ConfigSection):
     __cfgfile__ = configuration_filename
     __section__ = 'MSRP'
-    use_tls = False
+    use_tls = True
 class RTPConfig(ConfigSection):
     __cfgfile__ = configuration_filename
     __section__ = 'RTP'
     audio_codecs = ConfigSetting(type=AudioCodecs, value=None)
     port_range = ConfigSetting(type=PortRange, value=PortRange('50000:50500'))
     srtp_encryption = ConfigSetting(type=SRTPEncryption, value='optional')
     timeout = ConfigSetting(type=NonNegativeInteger, value=30)
 class ThorNodeConfig(ConfigSection):
     __cfgfile__ = configuration_filename
     __section__ = 'ThorNetwork'
     enabled = False
     domain = "sipthor.net"
     multiply = 1000
     certificate = ConfigSetting(type=Certificate, value=None)
     private_key = ConfigSetting(type=PrivateKey, value=None)
     ca = ConfigSetting(type=Certificate, value=None)
diff --git a/tls/default.crt b/tls/default.crt
new file mode 100644
index 0000000..fad3a4e
--- /dev/null
+++ b/tls/default.crt
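Review bot: `use_tls = True` in MSRPConfig now makes MSRP transport depend on ServerConfig.certificate pointing at a readable certificate-plus-key file, but nothing in this module ties the two settings together or documents the dependency; on a source checkout, where /etc/sylkserver/tls/default.crt is not installed, the failure presumably surfaces in whatever consumes these settings rather than at configuration time. Suggest a comment on the changed line, `use_tls = True  # requires ServerConfig.certificate to point at a readable cert+key file (see config.ini.sample)`, so the next maintainer who flips one default knows to check the other.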
@@ -0,0 +1,83 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJJwIBAAKCAgEAs2FpmmunJwhE7ViR9cI9ESN3tVDoMf4J2PW87cEHUcMdrCkx +vv7NcD57fG9ev1UI6MwN0ThcAPUoLec/iqQqHrKnB7ES79yBrXKe8wEJLYjf4sNB +L+tEzuo1UkBszFh2hteDPSHjJEYyBbQf07jtNSgt3O5vWBCFZ7H9Pk6S/vjwH9yi +Wly/BVFrD6j0MYV+w1CR1UaqoWOyL/IMsCWwQ4vAn6VAud2WcpQNFbue9w32m4pF +KISupBLH2kpSTJPHmcp0Wr369LElKy732jSzoQXsJG7eKs5VV3eL4XhTqeky9LY/ +RSsY8KRMHqO8tG11q/aFOhSwEhuCsAVOJeEW7DAQsA5/kZZgqoPZNeIrZRupfsor +ZtG2wMpfOaapvppwWL65I/GSe/WupaGZgzXPA1zS5HBzT0LX3Da58MWNf09POatL +DaXKbaG4Ip1XqFl72eqnicF/DdZNGI/dMUQZE6zgOr9wKlsjwOeX7PwakrMFM0Gr +PMzFejFgiURVjczEvkZsIe5e7WqAcolnW09I2paGSyduzl4uXsJdLURTMuexW2Pt +/Mh4hRKvkNllech+0yrjdjfpW2fEgvurhp3lqX9MerRvgr+A+8LokMhNypzgzhDb +BIn/lK0B8CC22k1K01u6fh/prfXXrOKPzQ8+iZGhrMtF2SNoXfWcoPUcKhMCAwEA +AQKCAgByQGNQtaybUcsFGVquG29l0R9X3xZlcRa4l5wkGsQcsZfepcZHjmcvTLy+ +PvksCG9KR12tmqYO/hb/VcDE/1bMgqGcZo5XNC1sWgsfX9OGqx1eg1qruL/0wnv/ +zYT+ioHD1NSERWc1HXiS5W04HxsGtnavtzY38x3lNBrGaql5uPjIcnD9+QC51GfK +a6RNPmfE4zZfj0jyzlsZ6qNmNjsUapjflhOpzpcal23WH9BaLwyZePIfopLRchzU +zm2o1J9XNvnxKfwDiijQXnQDCXo331vOwMbEoPL+aOgxTcCMAjowXzvhRFf4Pc01 +3rg8e1NtmfC1U6PphJgyoM5rlfhQmdXr689kxh2MjGChTtp2QjkPyUMLoUjf3Yje +lS3eK3uihUMG+vSBK/dS1nb4qe9ZtAp3YSiifGzjdU/8Onvta9fi1a9szu7tQm/W +xrSeXfWhRhy/p57RLjDrKbZIYS3Q99Qy4hh6Hc7APG6aoqol/vnK4/EaYq0aYoP2 +HdK5yTFuy3Rowyiwr0B1YPFxuhMovLNgsTRaBBgxT/glexsNemjeE8GR+W7O3lyN +DciKaYLEQNSJymRzYcHIKssNWNWWXAJ1tUoxP/7gsvpEE6/XYf7XHaykgo9L+FTA +pFA5iPsexzkLR9rkjFIUV2G/FA875n3KaXuWtlJLIle68zFlsQKCAQEA4g672yrd +DBJboGqU+d06BB/yu6lHTdEC6qf+BWv/ZBO0TCyvB9tUIVGoBokQQl9uJzxkvtV1 +6hbRbAahJ7Mi4xF+1FBaIFh6X3hOxP5THtc9hQv3b+RPSaT2d61iUv3wEAzb8neU +Hmjnfhs6dZsU19UIx4tIV1unSjuCmKjhgiWBBM9O2abNhE6Uk5Fr7+An+M2m/IcR +zHhYeIRocCb5sU9gW/7+US26PgwymuEwTZW6AJPsVB/VueoGkEvYO9pApWA+11sn +8u6JxHk7csZTpMYGIZvAQQJ0j2oeJ0kVCePNT5N2iNvL6FRNZpc7flY2jr0KSVTc +mdtLjKLMLTmtHwKCAQEAyyPuheiaWxF3McEkhdx7WvRVUxf7QWOYISMcMTb0pXE/ +ui8QL6Vk1jykB5sO5J5hEjALwnH58VhBhUqjJNynwssEBTIBPD6LANESbAh+nERH 
+pELqZbrTqj3HunFFP72yeY3kb1y5R2h4wytuA1KO0B0INT1woH58OQEuczKOj0Qw +rarIHjEadz5QHzpQfxYO0bP/CqCfx0+4Dlk7caNbm+3rGyslsr1j2hNSZ9fBOAFp +HctxtUk19lZb6VYWpKeO9rGBvleLJltqoqGtlkTH+UGYc01uwRjOYOEBIUAnpv81 +CSX/CQb2bl9eZVotXiMp5d/CfTHJHplj4DHEhd4wjQKCAQA/9elDLtKSatNQBTgX +pneW2S9F17ScGOpZWKTwBcmiGE0oTHBNqcoZD1CaYMef7/5rzZO3xw/w5vnkNc/9 +OptBYh7flciaZE5jmte2tzrve/klHuio2RFyBeHSpNUwJDd7YxgMd7cKD6aIMM4O +no18MAOm6grS5NTllQbziL0dpNznbnyh6qc1q0IwqrG+kk7c/9siklj/4IEvwE8I +hI6bk5jxDqoIcAbFLZBX8CVJnnadWT1B5CwFyWiIBV2uOaeW4y+EoX8hJksGs0KV +y/W4pmrvsXDpM/ek6GKVvQDd5n2d6Vxdhssf9lJcF6g2q9AN/QDfFMrCIaEzrpBU +r4ADAoIBAFJBPW8ZjY78loAeDhTp/0UIFJit6D5E/q/EUMEY2J05Ky3PqsUwOpGJ +Qn4V6kTmYLYFoG1ey29PZlB7tW3Sr1dv7zPPWLK1PIHbJpN6KRJLj5rSwajpqpWP +qJU1Em5J+L/BldMF/7wLcILOziAoSM26Q72TIEzMiq5mbRGWUiVu3iskMR4Qkf/g +yn6qlTewjdWaBdaezbPd8tBUj35nQEv2XbHFmeEzUQBXvJFxyrpLz+2RmHxopaIW +u+bSxh5r/rajj76sIhso/xfVUb28IiEqz3k4zHUB/2c5FMUK/kNfqXEH4qocGKL+ +mPF/P0mUAX4kSdN52k86mzeHz2TJYG0CggEALpLGQz37voXzMuFguQ1eao8GdHFD +yjlY6dbYtA58ZE8IK7JRPt9NZ7twn30GzfwcQG0knz2VtfIA74cdC+EaRO2hrXOv +b/lDCg3hYTiszu55xzQOtaw7589gLYLJgnm+p6Vj8Ne4KpCQoQXhkiff4PqHuFzi +CAAz9+3Mrdq5zfp4TBg37WwCJHsGiPGjo1OzrzQk4Nw5puaVrun6C7KM5TaHD/Fb +yFCvARVV/7Bqs6jTmglP6mMbl1wK1lUTOOcblGI8u1wFWm4s0pQLi7GnKptx+zRF +cgaVlnIJeo/UN9MhCm32VXhl/VJ5SEQmBbLVB6uvpvz9t4onGBVY8GNNpg== +-----END RSA PRIVATE KEY----- + +-----BEGIN CERTIFICATE----- +MIIFSzCCBLSgAwIBAgIBCzANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCTkwx +FjAUBgNVBAgTDU5vb3JkLUhvbGxhbmQxEDAOBgNVBAcTB0hhYXJsZW0xFDASBgNV +BAoTC0FHLVByb2plY3RzMRcwFQYDVQQDEw5BRy1Qcm9qZWN0cyBDQTEmMCQGCSqG +SIb3DQEJARYXc3VwcG9ydEBhZy1wcm9qZXRjcy5jb20wHhcNMTEwNjE1MDgyMTE1 +WhcNMTIwNjE0MDgyMTE1WjBpMQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQt +SG9sbGFuZDEQMA4GA1UEBxMHSGFhcmxlbTEUMBIGA1UEChMLQUctUHJvamVjdHMx +GjAYBgNVBAMTEWJsaW5rLmV4YW1wbGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOC +Ag8AMIICCgKCAgEAs2FpmmunJwhE7ViR9cI9ESN3tVDoMf4J2PW87cEHUcMdrCkx +vv7NcD57fG9ev1UI6MwN0ThcAPUoLec/iqQqHrKnB7ES79yBrXKe8wEJLYjf4sNB 
+L+tEzuo1UkBszFh2hteDPSHjJEYyBbQf07jtNSgt3O5vWBCFZ7H9Pk6S/vjwH9yi +Wly/BVFrD6j0MYV+w1CR1UaqoWOyL/IMsCWwQ4vAn6VAud2WcpQNFbue9w32m4pF +KISupBLH2kpSTJPHmcp0Wr369LElKy732jSzoQXsJG7eKs5VV3eL4XhTqeky9LY/ +RSsY8KRMHqO8tG11q/aFOhSwEhuCsAVOJeEW7DAQsA5/kZZgqoPZNeIrZRupfsor +ZtG2wMpfOaapvppwWL65I/GSe/WupaGZgzXPA1zS5HBzT0LX3Da58MWNf09POatL +DaXKbaG4Ip1XqFl72eqnicF/DdZNGI/dMUQZE6zgOr9wKlsjwOeX7PwakrMFM0Gr +PMzFejFgiURVjczEvkZsIe5e7WqAcolnW09I2paGSyduzl4uXsJdLURTMuexW2Pt +/Mh4hRKvkNllech+0yrjdjfpW2fEgvurhp3lqX9MerRvgr+A+8LokMhNypzgzhDb +BIn/lK0B8CC22k1K01u6fh/prfXXrOKPzQ8+iZGhrMtF2SNoXfWcoPUcKhMCAwEA +AaOCAVcwggFTMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgSwMCsGCWCGSAGG ++EIBDQQeFhxUaW55Q0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSW +/ufbnmFBpqJmPHw1pLkLKEeJTTCBwwYDVR0jBIG7MIG4gBSUGO6ky74q4yoqQ48z +IFjvzXuvF6GBlKSBkTCBjjELMAkGA1UEBhMCTkwxFjAUBgNVBAgTDU5vb3JkLUhv +bGxhbmQxEDAOBgNVBAcTB0hhYXJsZW0xFDASBgNVBAoTC0FHLVByb2plY3RzMRcw +FQYDVQQDEw5BRy1Qcm9qZWN0cyBDQTEmMCQGCSqGSIb3DQEJARYXc3VwcG9ydEBh +Zy1wcm9qZXRjcy5jb22CCQCnj7ANVIQRVTAJBgNVHRIEAjAAMAkGA1UdEQQCMAAw +CwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBBQUAA4GBAApKLZ0MSgYumbm9LFRYPVR7 +q4v2q5sYvcfq5Vn4tTFqcZ14iDPfxon5ChD+3PNMU8Um0sHjqa1uMkkf5oHW5nD0 +de8+S3qNIupqyhcWr0haJDA6ZJhJIZT+zzZXD6tlOWb1ZhHvKEuexVWPkR5dpks9 +fNnOsHzyln60u0xwHXig +-----END CERTIFICATE-----
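Review bot: The validity fields of the CERTIFICATE block (the UTCTime strings encoded as `MTEwNjE1MDgyMTE1` and `MTIwNjE0MDgyMTE1` at the end of its fourth and start of its fifth base64 line) appear to decode to 2011-06-15 and 2012-06-14, a one-year window, and the subject CN appears to decode to `blink.example.com`; I read these from the base64 by hand, so confirm with `openssl x509 -noout -dates -subject` on the file. After that date every installation still on the default presents an expired certificate, and a CN that matches no real host fails hostname checks by any peer that verifies. A private key committed to the repository also has to be treated as public for good, since it remains in history after removal; generating the default key and certificate at package build or first start would give each installation its own key without a manual step.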