[Asterisk-code-review] Add X.509 subject alternative name support to TLS certificat... (asterisk[master])
Maciej Szmigiero
asteriskteam at digium.com
Fri May 15 08:30:23 CDT 2015
Maciej Szmigiero has posted comments on this change.
Change subject: Add X.509 subject alternative name support to TLS certificate verification.
......................................................................
Patch Set 3:
(1 comment)
> Is there a specific test case that demonstrates the issue?
As far as I can see, there is currently no test for Asterisk's TLS support
certificate verification, as both the sip_tls_call and sip_tls_register tests
have tlsdontverifyserver set to yes, which disables certificate
verification.
> I've set up manager, http and res_pjsip with no issues using SANs.
(Server) certificate verification currently happens only when
Asterisk is a TLS client.
Manager and HTTP are both TLS servers.
There is a bit of TLS client certificate verification code for the case
when Asterisk is a TLS server, but I see that it is not complete and is disabled.
For chan_pjsip / res_pjsip it looks like there is no actual TLS code there -
probably everything related to TLS transport is in the PJSIP library itself
(and so it doesn't use Asterisk TLS support).
> chan_sip only perhaps?
While I've made this primarily for chan_sip,
I can see that in current Git this code is also used
by res_http_websocket and app_externalivr.
https://gerrit.asterisk.org/#/c/416/3/include/asterisk/tcptls.h
File include/asterisk/tcptls.h:
Line 68: #include <openssl/x509v3.h>
> I'm wondering about the compatibility of this header file.
Looking at the OpenSSL repository, this file was already present in the original import of SSLeay in 1998.
--
To view, visit https://gerrit.asterisk.org/416
Gerrit-MessageType: comment
Gerrit-Change-Id: I13302c80490a0b44c43f1b45376c9bd7b15a538f
Gerrit-PatchSet: 3
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Maciej Szmigiero <mail at maciej.szmigiero.name>
Gerrit-Reviewer: George Joseph <george.joseph at fairview5.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Maciej Szmigiero <mail at maciej.szmigiero.name>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>
Gerrit-HasComments: Yes