[asterisk-bugs] [JIRA] (ASTERISK-21894) [patch] Initial support for SIP/TLS tlsverifyclient

Matt Jordan (JIRA) noreply at issues.asterisk.org
Sat Mar 14 10:18:34 CDT 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-21894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=225431#comment-225431 ] 

Matt Jordan commented on ASTERISK-21894:
----------------------------------------

Thanks for the contribution! If you'd like your contribution to be included faster, you should submit your patch for code review by the Asterisk Developer Community. To do so, please follow the Code Review [1] instructions on the wiki. Be sure to:
* Verify that your patch conforms to the Coding Guidelines [2]
* Review the Code Review Checklist [3] for common items reviewers will look for
* If necessary, provide tests for the Asterisk Test Suite that verify the correctness of your patch [4]

When ready, submit your patch and any tests to Review Board [5] for code review.

Thanks!

[1] https://wiki.asterisk.org/wiki/display/AST/Code+Review
[2] https://wiki.asterisk.org/wiki/display/AST/Coding+Guidelines
[3] https://wiki.asterisk.org/wiki/display/AST/Code+Review+Checklist
[4] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Test+Suite+Documentation
[5] https://wiki.asterisk.org/wiki/display/AST/Review+Board+Usage



> [patch] Initial support for SIP/TLS tlsverifyclient
> ---------------------------------------------------
>
>                 Key: ASTERISK-21894
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-21894
>             Project: Asterisk
>          Issue Type: New Feature
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: SVN, 11.4.0
>            Reporter: Serhij Stasyuk
>         Attachments: asterisk-trunk-siptls.patch
>
>
> Here is initial support for tlsverifyclient for sip channels.
> Now it "works" only for peers. RFC 5922 http://tools.ietf.org/html/rfc5922 requires the server to compare the domain name with SIP headers. This is not done yet.
> The very first thing that is verified during mutual TLS verification on the server side is the certificate exchange. OpenSSL handles all certificate-related tasks, but it does not verify the CN and subjectAltName against the desired one.
> The desired name (SIP) is not exactly available at the moment of SSL session establishment, so the only name we can use is the host peer field from the config. This comparison is done by this patch.
> I'm not sure what the reason is for disabling wildcard certificate matching required by Section 7.2 of RFC 5922 <http://tools.ietf.org/html/rfc5922#section-7.2>. A wildcard certificate is a very convenient mechanism for some deployment schemes and is adopted by customers and service providers, and I see no reason to restrict its usage here. If it is required, a configuration option can be introduced, like tlsallowwildcards. The patch can be easily adapted to it instead of a constant.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
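Added example (not the attached asterisk-trunk-siptls.patch and not Asterisk code): a self-contained C sketch of the name-matching step the issue describes, comparing the names found in a peer certificate with the configured host peer field. The `allow_wildcards` flag stands in for the tlsallowwildcards option the reporter suggests and is an assumption; the sample SAN list and CN are constructed test data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Match one certificate name (a subjectAltName dNSName or the subject CN)
 * against the configured peer host. Hostnames compare case-insensitively.
 * A leading "*." label is only honoured when allow_wildcards is set
 * (the hypothetical tlsallowwildcards option), and then it matches exactly
 * one leftmost label: never the bare suffix, never across labels. */
bool sip_tls_name_match(const char *cert_name, const char *peer_host, bool allow_wildcards)
{
    if (!cert_name || !peer_host || !*cert_name || !*peer_host) {
        return false;
    }
    if (strncmp(cert_name, "*.", 2) == 0) {
        if (!allow_wildcards) {
            return false;           /* strict RFC 5922 behaviour: reject wildcards */
        }
        const char *suffix = cert_name + 1;              /* ".example.com" */
        const char *dot = strchr(peer_host, '.');
        if (!dot || dot == peer_host) {
            return false;           /* peer must have a label in front of the suffix */
        }
        return strcasecmp(dot, suffix) == 0;
    }
    return strcasecmp(cert_name, peer_host) == 0;
}

/* RFC 5922 looks at subjectAltName entries first; the CN is consulted only
 * when the certificate carries no subjectAltName at all. */
bool sip_tls_verify_peer(const char *const *san_dns, size_t san_count, const char *cn,
                         const char *peer_host, bool allow_wildcards)
{
    if (san_count > 0) {
        for (size_t i = 0; i < san_count; i++) {
            if (sip_tls_name_match(san_dns[i], peer_host, allow_wildcards)) {
                return true;
            }
        }
        return false;               /* SAN present but nothing matched: CN is ignored */
    }
    return sip_tls_name_match(cn, peer_host, allow_wildcards);
}

/* Constructed sample: names as they might be read out of a peer certificate. */
static const char *const sample_san[] = { "proxy.example.net", "*.example.com" };
static const size_t sample_san_count = 2;
static const char *const sample_cn = "sip.example.com";

int main(void)
{
    printf("strict:   %d\n", sip_tls_verify_peer(sample_san, sample_san_count, sample_cn, "sip.example.com", false));
    printf("wildcard: %d\n", sip_tls_verify_peer(sample_san, sample_san_count, sample_cn, "sip.example.com", true));
    return 0;
}
```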
