[asterisk-dev] [Code Review]: Asterisk does not fail TCP/TLS SIP calls when certificate checking fails

opticron reviewboard at asterisk.org
Tue Oct 16 10:38:12 CDT 2012



> On Oct. 15, 2012, 9:01 a.m., jcolp wrote:
> > trunk/main/tcptls.c, lines 191-196
> > <https://reviewboard.asterisk.org/r/2163/diff/1/?file=31863#file31863line191>
> >
> >     Removal of the call to SSL_get_peer_certificate from here is incorrect. SSL_get_verify_result will return X509_V_OK if no peer certificate was presented, so you need to use both to confirm verification actually occurred.

Fixed


- opticron


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/2163/#review7275
-----------------------------------------------------------


On Oct. 15, 2012, 8:54 a.m., opticron wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/2163/
> -----------------------------------------------------------
> 
> (Updated Oct. 15, 2012, 8:54 a.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Summary
> -------
> 
> When calling using TCP/TLS with an invalid CA certificate for the key in use and tlsdontverifyserver is set to no, Asterisk produces the error message:
> ERROR[16872]: tcptls.c:199 handle_tcptls_connection: Certificate did not verify: certificate signature failure
> 
> This should cause the call to fail, but it does not. The call instead completes successfully. This patch corrects that behavior and also avoids a segfault if the remote end does not provide a certificate at all.
> 
> 
> This addresses bug ASTERISK-20559.
>     https://issues.asterisk.org/jira/browse/ASTERISK-20559
> 
> 
> Diffs
> -----
> 
>   trunk/main/tcptls.c 374904 
> 
> Diff: https://reviewboard.asterisk.org/r/2163/diff
> 
> 
> Testing
> -------
> 
> Ensured that the TCP/TLS call failed when expected and succeeded when expected.
> 
> 
> Thanks,
> 
> opticron
> 
>
