[asterisk-commits] kmoore: branch 10 r375147 - in /branches/10: ./ main/tcptls.c
Author: kmoore
Date: Wed Oct 17 13:58:52 2012
New Revision: 375147
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=375147
Log:
Ensure Asterisk fails TCP/TLS SIP calls when certificate checking fails
When placing a call to a TCP/TLS SIP endpoint whose certificate is not
signed by a configured CA certificate, Asterisk would issue a warning
and continue to process the call as if there was not an issue with the
certificate. Asterisk now properly fails the call if the certificate
fails verification or if the certificate does not exist when
certificate checking is enabled (the default behavior).
(closes issue ASTERISK-20559)
Review: https://reviewboard.asterisk.org/r/2163/
........
Merged revisions 375146 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Modified:
branches/10/ (props changed)
branches/10/main/tcptls.c
Propchange: branches/10/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.
Modified: branches/10/main/tcptls.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/main/tcptls.c?view=diff&rev=375147&r1=375146&r2=375147
==============================================================================
--- branches/10/main/tcptls.c (original)
+++ branches/10/main/tcptls.c Wed Oct 17 13:58:52 2012
@@ -194,11 +194,21 @@
X509 *peer;
long res;
peer = SSL_get_peer_certificate(tcptls_session->ssl);
- if (!peer)
- ast_log(LOG_WARNING, "No peer SSL certificate\n");
+ if (!peer) {
+ ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");
+ ast_tcptls_close_session_file(tcptls_session);
+ ao2_ref(tcptls_session, -1);
+ return NULL;
+ }
+
res = SSL_get_verify_result(tcptls_session->ssl);
- if (res != X509_V_OK)
+ if (res != X509_V_OK) {
ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
+ X509_free(peer);
+ ast_tcptls_close_session_file(tcptls_session);
+ ao2_ref(tcptls_session, -1);
+ return NULL;
+ }
if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
ASN1_STRING *str;
unsigned char *str2;
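Review bot: The two new failure paths log why the handshake was rejected but not which peer was rejected, which makes a refused TCP/TLS call hard to correlate from the log alone; the common-name failure a few lines later already prints `tcptls_session->parent->hostname`, so these should match it: `ast_log(LOG_ERROR, "No peer SSL certificate to verify (%s)\n", tcptls_session->parent->hostname);` and `ast_log(LOG_ERROR, "Certificate did not verify (%s): %s\n", tcptls_session->parent->hostname, X509_verify_cert_error_string(res));`. The cleanup sequence (free the certificate, close the session file, drop the ao2 reference, return NULL) now appears three times across this hunk and the next; a single cleanup label would keep the three paths from drifting, but its placement depends on the rest of the function. The enclosing function starts before this hunk, so whether this block is itself conditional on a configuration flag that disables server verification is not visible here; if it is, that should be stated in the log message or a comment.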
@@ -225,16 +235,13 @@
}
if (!found) {
ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
- if (peer) {
- X509_free(peer);
- }
+ X509_free(peer);
ast_tcptls_close_session_file(tcptls_session);
ao2_ref(tcptls_session, -1);
return NULL;
}
}
- if (peer)
- X509_free(peer);
+ X509_free(peer);
}
}
if (!tcptls_session->f) /* no success opening descriptor stacking */