[asterisk-dev] [Code Review] Asterisk does not fail TCP/TLS SIP calls when certificate checking fails
jcolp
reviewboard at asterisk.org
Mon Oct 15 09:01:03 CDT 2012
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/2163/#review7275
-----------------------------------------------------------
trunk/main/tcptls.c
<https://reviewboard.asterisk.org/r/2163/#comment14049>
Removal of the call to SSL_get_peer_certificate from here is incorrect. SSL_get_verify_result will return X509_V_OK if no peer certificate was presented, so you need to use both to confirm verification actually occurred.
- jcolp
On Oct. 15, 2012, 8:54 a.m., opticron wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/2163/
> -----------------------------------------------------------
>
> (Updated Oct. 15, 2012, 8:54 a.m.)
>
>
> Review request for Asterisk Developers.
>
>
> Summary
> -------
>
> When calling using TCP/TLS with an invalid CA certificate for the key in use and tlsdontverifyserver is set to no, Asterisk produces the error message:
> ERROR[16872]: tcptls.c:199 handle_tcptls_connection: Certificate did not verify: certificate signature failure
>
> This should cause the call to fail, but it does not. The call instead completes successfully. This patch corrects that behavior as well as avoids a segfault if the remote end does not provide a certificate at all.
>
>
> This addresses bug ASTERISK-20559.
> https://issues.asterisk.org/jira/browse/ASTERISK-20559
>
>
> Diffs
> -----
>
> trunk/main/tcptls.c 374904
>
> Diff: https://reviewboard.asterisk.org/r/2163/diff
>
>
> Testing
> -------
>
> Ensured that the TCP/TLS call failed when expected and succeeded when expected.
>
>
> Thanks,
>
> opticron
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20121015/1bdae9d6/attachment.htm>
More information about the asterisk-dev
mailing list