[asterisk-bugs] [JIRA] Updated: (ASTERISK-20559) SIP TCP/TLS: When checking the CA certificate fails, the call still goes through

[Kinsey Moore (JIRA)]

     [ https://issues.asterisk.org/jira/browse/ASTERISK-20559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kinsey Moore updated ASTERISK-20559:
------------------------------------

    Attachment: tcptls_fix.diff

Attached a possible fix for this situation and an additional fix that would avoid a segfault if no certificate is provided and common name checking is not disabled.

> SIP TCP/TLS: When checking the CA certificate fails, the call still goes through
> --------------------------------------------------------------------------------
>
>                 Key: ASTERISK-20559
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20559
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: 11.0.0-beta2
>         Environment: SIP TCP/TLS connection with differing CA certificates set on either side of the connection.  Each side of the call has a valid CA certificate for its respective key, but the CA certificates are not valid for the key on the remote side.
>            Reporter: Kinsey Moore
>            Severity: Blocker
>         Attachments: tcptls_fix.diff
>
>
> When calling in this situation and tlsdontverifyserver is set to no, Asterisk produces the error message:
> ERROR[16872]: tcptls.c:199 handle_tcptls_connection: Certificate did not verify: certificate signature failure
> This should cause the call to fail, but it does not.  The call completes successfully.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira