This sel variable allows a kam script to get access to not just the peer certificate (at index 0), but when a certificate is successfully verified, the entire chain of certificates that were used to verify the peer certificate (at index 1, 2, 3, etc.).

This functionality is provided by OpenSSL's SSL_get0_verified_chain() function, which is only available in OpenSSL 1.1.0+ (which is why there is an #if for this feature).

This is important when a server trusts many CAs - without this addition, I don't think that it is definitively possible to tell which CA signed the verified certificate, leading to security issues if one of the trusted CAs was compromised and was used to sign certificates that look like they were signed by another issuing CA.


You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/2289
