[asterisk-bugs] [JIRA] (ASTERISK-21894) [patch] Initial support for SIP/TLS tlsverifyclient
Michael L. Young (JIRA)
noreply at issues.asterisk.org
Thu Jun 13 08:21:03 CDT 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-21894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=207218#comment-207218 ]
Michael L. Young commented on ASTERISK-21894:
---------------------------------------------
Nothing major, but here are the items that I saw.
You are using C++-style commenting. Also, I'm not sure that we need this commented-out bit in there.
{noformat}
ast_debug(3, "Remote address is '%s'\n",
ast_sockaddr_stringify_host_remote(&tcptls_session->remote_address));
// (const char *peer, struct ast_sockaddr *addr, char *callbackexten, int realtime, int which_objects, int devstate_only, int transport)
// Does not work: peer = sip_find_peer_full(NULL, &tcptls_session->remote_address, NULL, FALSE, FINDALLDEVICES, FALSE, 0);
ao2_lock(peers);
{noformat}
There should be a space after the "for" and before the "(". "for (k=0..."
{noformat}
ao2_iterator_destroy(it_peers);
for(k = 0; k < total_peers; k++) {
peer = peerarray[k];
{noformat}
In regards to the other files you are bringing in, I think someone else will need to chime in on those and the best way to handle bringing that in. I know that we have to make sure about licensing and stuff.
Thanks for your contributions... I am sure the community will appreciate them.
> [patch] Initial support for SIP/TLS tlsverifyclient
> ---------------------------------------------------
>
> Key: ASTERISK-21894
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-21894
> Project: Asterisk
> Issue Type: Improvement
> Security Level: None
> Components: Channels/chan_sip/TCP-TLS
> Affects Versions: 11.3.0
> Reporter: Serhij Stasyuk
> Attachments: asterisk-trunk-siptls.patch
>
>
> Here is initial support for tlsverifyclient for sip channels.
> Now it "works" only for peers. RFC 5922 http://tools.ietf.org/html/rfc5922 requires the server to compare the domain name with SIP headers. This is not done yet.
> The very first thing that is verified during mutual TLS verification on the server side is the certificate exchange. OpenSSL handles all certificate-related tasks, but it does not verify the CN and subjectAltName against the desired one.
> The desired name (SIP) is not exactly available at the moment of SSL session establishment, so the only name we can use is the peer's host field from the config. This comparison is done by this patch.
> I'm not sure what the reason is for disabling wildcard certificate matching required by Section 7.2 of RFC 5922 <http://tools.ietf.org/html/rfc5922#section-7.2>. A wildcard certificate is a very convenient mechanism for some deployment schemes and is adopted by customers and service providers, and I see no reason to restrict its usage here. If it is required, a configuration option can be introduced, like tlsallowwildcards. The patch can be easily adapted to it instead of a constant.
--
This message is automatically generated by JIRA.
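As an added example (not code from the attached patch or from Asterisk), this is the kind of name check the issue description talks about: the peer's configured host is compared against the names a client certificate carries, with a wildcard honoured only as the whole leftmost label. The function names, the `kCertNames` list and the peer hosts are constructed for this example; it also refuses a wildcard that would cover a whole top-level domain (`*.org`), which is a conservative choice of this example rather than something the patch states.

```c
/* Example only: peer-host vs. certificate-name matching for SIP/TLS client
 * verification. Names are constructed; nothing here is read from OpenSSL. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two DNS names or labels. */
static int label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Returns 1 if 'host' matches certificate name 'pattern'. A '*' counts only
 * as the entire leftmost label and matches exactly one label, so
 * "*.example.org" matches "sip.example.org" but not "example.org",
 * "a.b.example.org", a bare "*", or "*.org" (whole TLD refused here). */
int sip_tls_name_match(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host) return 0;
    if (strncmp(pattern, "*.", 2) != 0)
        return label_eq(pattern, strlen(pattern), host, strlen(host));
    const char *suffix = pattern + 2;
    if (strchr(suffix, '*') || !strchr(suffix, '.')) return 0;
    const char *dot = strchr(host, '.');
    if (!dot || dot == host) return 0;          /* need a non-empty leftmost label */
    return label_eq(suffix, strlen(suffix), dot + 1, strlen(dot + 1));
}

/* Constructed names as if taken from the certificate's CN and SAN dNSNames. */
static const char *const kCertNames[] = { "pbx.example.org", "*.trunk.example.org" };

/* 1 if the peer's configured host matches any name the certificate carries. */
int sip_tls_peer_cert_ok(const char *peer_host)
{
    size_t n = sizeof(kCertNames) / sizeof(kCertNames[0]);
    for (size_t i = 0; i < n; i++)
        if (sip_tls_name_match(kCertNames[i], peer_host)) return 1;
    return 0;
}

int main(void)
{
    const char *peers[] = { "pbx.example.org", "gw1.trunk.example.org",
                            "bad.gw.trunk.example.org", "trunk.example.org" };
    for (size_t i = 0; i < 4; i++)
        printf("%-26s -> %s\n", peers[i], sip_tls_peer_cert_ok(peers[i]) ? "accepted" : "rejected");
    return 0;
}
```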