[Asterisk-code-review] Add X.509 subject alternative name support to TLS certificat... (asterisk[master])

Maciej Szmigiero asteriskteam at digium.com
Fri May 15 08:30:23 CDT 2015


Maciej Szmigiero has posted comments on this change.

Change subject: Add X.509 subject alternative name support to TLS certificate verification.
......................................................................


Patch Set 3:

(1 comment)

> Is there a specific test case that demonstrates the issue?
 
As far as I can see there is currently no test for Asterisk's TLS support certificate verification as both sip_tls_call and sip_tls_register tests
have tlsdontverifyserver set to yes, which disables certificate
verification.

> I've set up manager, http and res_pjsip with no issues using SANs.

(Server) certificate verification currently happens only when
Asterisk is a TLS client.
Manager and HTTP are both TLS servers.

There is a bit of TLS client certificate verification code for the case
when Asterisk is a TLS server, but I see that it is not complete and disabled.

For chan_pjsip / res_pjsip it looks like there is no actual TLS code there -
probably everything related to TLS transport is in the PJSIP library itself
(and so it doesn't use Asterisk TLS support).

> chan_sip only perhaps?

While I've made this primarily for chan_sip,
I can see that in current Git this code is also used
by res_http_websocket and app_externalivr.

https://gerrit.asterisk.org/#/c/416/3/include/asterisk/tcptls.h
File include/asterisk/tcptls.h:

Line 68: #include <openssl/x509v3.h>
> I'm wondering about the compatibility of this header file.
Looking at OpenSSL repository this file was already present in the original import of SSLeay in 1998.


-- 
To view, visit https://gerrit.asterisk.org/416
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I13302c80490a0b44c43f1b45376c9bd7b15a538f
Gerrit-PatchSet: 3
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Maciej Szmigiero <mail at maciej.szmigiero.name>
Gerrit-Reviewer: George Joseph <george.joseph at fairview5.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Maciej Szmigiero <mail at maciej.szmigiero.name>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>
Gerrit-HasComments: Yes


