[asterisk-bugs] [JIRA] (ASTERISK-21894) [patch] Initial support for SIP/TLS tlsverifyclient
Serhij Stasyuk (JIRA)
noreply at issues.asterisk.org
Thu Jun 13 07:33:03 CDT 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-21894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=207215#comment-207215 ]
Serhij Stasyuk commented on ASTERISK-21894:
-------------------------------------------
Sorry, I've just re-checked my patch and I do not see format issues there :(
Please ignore the formatting of tcptls-wildcard.h and tcptls-wildcard.c -- I tried to keep them in the closest form to the original source (as is mentioned in their headers) -- OpenSSL 1.0.2 (crypto/x509v3/v3_util.c and crypto/x509v3/x509v3.h). Maybe it is better to name them tcptls-x509v3.[ch].
The large block in tcptls.c with space-only changes can't be avoided from my POV -- I need to split the "else if" line and enclose the "if" in an "else" block.
Also, "2.2. File structure and header inclusion" from the "Coding Guidelines" is not related to the new files in this patch (tcptls-wildcard.[ch]) -- they do not use anything from Asterisk, and I really do not know what to write in their "copyright" section; they are just an extract of the new OpenSSL features needed for normal certificate name verification.
Also, I am not sure what the best place is to put the definition of sip_tcptls_pressl, so I put it right before its first usage (static struct ast_tcptls_session_args sip_tls_desc).
I moved \brief to a new line before the sip_tcptls_pressl implementation, according to the guidelines.
I requested access to Review Board from Matt Jordan, as it is mentioned in "Reviewboard Usage".
I am planning to implement configurable wildcard certificate matching and certificate verification depth by separate patches to minimize their sizes.
Please point me to the issues in my patch so I can fix them.
Sorry for the inconvenience, and thanks a lot for your help.
> [patch] Initial support for SIP/TLS tlsverifyclient
> ---------------------------------------------------
>
> Key: ASTERISK-21894
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-21894
> Project: Asterisk
> Issue Type: Improvement
> Security Level: None
> Components: Channels/chan_sip/TCP-TLS
> Affects Versions: 11.3.0
> Reporter: Serhij Stasyuk
> Attachments: asterisk-trunk-siptls.patch
>
>
> Here is initial support for tlsverifyclient for sip channels.
> Now it "works" only for peers. RFC 5922 http://tools.ietf.org/html/rfc5922 requires the server to compare the domain name with SIP headers. This is not done yet.
> The very first thing that is verified during mutual TLS verification on the server side is the certificate exchange. OpenSSL handles all certificate-related tasks, but it does not verify the CN and subjectAltName against the desired one.
> The desired (SIP) name is not exactly available at the moment of SSL session establishment, so the only name we can use is the peer's host field from the config. This comparison is done by this patch.
> I'm not sure what the reason is for disabling wildcard certificate matching, as required by Section 7.2 of RFC 5922 <http://tools.ietf.org/html/rfc5922#section-7.2>. Wildcard certificates are a very convenient mechanism for some deployment schemes and are adopted by customers and service providers, and I see no reason to restrict their usage here. If it is required, a configuration option can be introduced, like tlsallowwildcards. The patch can be easily adapted to it instead of a constant.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
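The peer host comparison and the wildcard question from the quoted issue description, as an added example in C that is not code from the patch, from Asterisk or from OpenSSL: a pure name-matching routine that compares a certificate's dNSName or CN against the configured peer host, with the strict no-wildcard behaviour the description attributes to RFC 5922 Section 7.2 beside a tlsallowwildcards-style relaxed mode. The function name sip_cert_name_match, the "whole leftmost label only" wildcard rule and the "at least two labels after the wildcard" check are assumptions made for this example.

```c
#include <ctype.h>
#include <string.h>
/* Case-insensitive comparison of two DNS labels given as (pointer, length). */
static int label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return 0;
    while (alen--)
        if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++))
            return 0;
    return 1;
}

/* Length of the label starting at p: up to the next '.' or end of string. */
static size_t label_len(const char *p)
{
    const char *dot = strchr(p, '.');
    return dot ? (size_t)(dot - p) : strlen(p);
}

/* Added example (names and rules assumed, not Asterisk or OpenSSL API). Match a
 * certificate name (subjectAltName dNSName or CN) against the peer's configured
 * host. allow_wildcards == 0: every label must match literally (strict RFC 5922
 * 7.2 mode). Otherwise "*" stands for exactly one label, only as the whole leftmost
 * label with two or more labels after it ("*.example.com" yes; "*.com",
 * "s*.example.com", "a.*.com" no). Empty labels ("a..b") never match. */
int sip_cert_name_match(const char *cert_name, const char *host, int allow_wildcards)
{
    const char *c = cert_name, *h = host;
    if (!c || !h)
        return 0;
    for (int i = 0; ; i++) {
        size_t cl = label_len(c), hl = label_len(h);
        if (cl == 0 || hl == 0)
            return 0;                           /* empty label: malformed name */
        if (cl == 1 && c[0] == '*') {           /* whole-label wildcard */
            if (!allow_wildcards || i != 0 || c[1] != '.' || !strchr(c + 2, '.'))
                return 0;
        } else if (memchr(c, '*', cl) || !label_eq(c, cl, h, hl)) {
            return 0;                           /* partial wildcard or mismatch */
        }
        c += cl, h += hl;                       /* both now at '.' or NUL */
        if (*c != *h)
            return 0;                           /* label counts differ */
        if (*c == '\0')
            return 1;                           /* both names fully consumed */
        c++, h++;                               /* skip the '.' on each side */
    }
}
```

In the strict mode a certificate for "*.example.com" is rejected for peer host "sip.example.com"; it is accepted only when the relaxed flag is set, and even then it never matches more than one label or a partial label.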