On 9 Nov 2011 at 16:01, Klaus Darilion wrote:
> IIRC on outgoing TLS connections the certificate validation only includes verification of the certificate chain against the trusted root CAs. I think there is no check which compares the SIP domain (R-URI, Route URI) against the CN/Subject Alternative of the certificate.
I suspected that being the case. Room for improvement.
> Regarding certificate validation checks, I guess if you grep for "set_verify" you should find the code where the certificate validation checks are enabled. The validation itself is done inside openssl.
Thanks.
It's interesting to consider how we could do this. Either hard-code it in the code or make it possible to verify in the config script. If that's the case, we need a route that is executed BEFORE we send a message on a new connection.

Or we just implement SIP connection reuse properly. We could have a list with servers that we should require mutual auth from or something like that.
/O
> klaus
>
> On 08.11.2011 21:36, Olle E. Johansson wrote:
>> I am trying to get some detailed understanding of the TLS code in Kamailio, but have a problem finding the code used to connect to other servers over TLS. There is some documentation saying that the server part is a bit weird, since we get into the routing script, having accepted a message, before we can evaluate certificates. I agree with that documentation, but it kind of works so far.
>>
>> I can't find a way to verify the certificate of the server I connect to as a client *BEFORE* I send any message. Anyone that can comment or point me to the right file?
>>
>> Thanks,
>> /O
>>
>> _______________________________________________
>> sr-dev mailing list
>> sr-dev(a)lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
---
* Olle E Johansson - oej(a)edvina.net
* Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
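The check Klaus describes as missing (comparing the SIP domain of the next hop, taken from the first Route URI or else the Request-URI, against the peer certificate's CN/subjectAltName once the chain has validated) is shown below as an added example. It is not Kamailio's code and not part of the thread. The certificate is represented in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions could be applied to a live connection; the certificates used here are constructed sample data. The matching rules follow RFC 5922 (domain certificates in SIP): identities come from subjectAltName `sip:` URI and DNS entries, the subject CN is consulted only when the certificate carries no subjectAltName at all, and wildcard names never match.

```python
"""Match a SIP destination domain against the identities in a peer certificate.

Added example, not Kamailio's code. Certificates are dicts in the layout of
ssl.SSLSocket.getpeercert(); the ones below are constructed samples.
"""


def sip_uri_host(uri: str) -> str:
    """Return the host part of a sip:/sips: URI, lower-cased, without the
    user part, port, URI parameters or headers."""
    lowered = uri.lower()
    if lowered.startswith("sips:"):
        rest = uri[5:]
    elif lowered.startswith("sip:"):
        rest = uri[4:]
    else:
        raise ValueError(f"not a SIP URI: {uri!r}")
    # Drop URI parameters (;transport=tls) and headers (?subject=...).
    rest = rest.split(";", 1)[0].split("?", 1)[0]
    # Drop the user part, if any.
    hostport = rest.rsplit("@", 1)[-1]
    if hostport.startswith("["):            # IPv6 literal: [addr]:port
        host = hostport[1:hostport.index("]")]
    else:
        host = hostport.split(":", 1)[0]
    return host.lower().rstrip(".")


def next_hop_domain(request_uri: str, route_headers: list) -> str:
    """The peer we are about to send to is the first Route URI when the
    request carries a Route set, otherwise the Request-URI (RFC 3261)."""
    return sip_uri_host(route_headers[0] if route_headers else request_uri)


def cert_identities(cert: dict) -> list:
    """Identities a SIP domain may be matched against (RFC 5922 section 7.1).

    Only subjectAltName DNS and sip:/sips: URI entries count. If the
    certificate has a subjectAltName at all, the CN is ignored, even when the
    extension holds no usable SIP identity.
    """
    sans = cert.get("subjectAltName", ())
    if sans:
        ids = []
        for kind, value in sans:
            if kind == "DNS":
                ids.append(value.lower())
            elif kind == "URI" and value.lower().startswith(("sip:", "sips:")):
                ids.append(sip_uri_host(value))
        return ids
    return [value.lower() for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def domain_matches_cert(domain: str, cert: dict) -> bool:
    """True if the certificate asserts exactly this SIP domain. Wildcard
    names are not permitted for SIP domain certificates (RFC 5922 7.2)."""
    want = domain.lower().rstrip(".")
    return any(ident == want and "*" not in ident
               for ident in cert_identities(cert))


def check_outgoing(request_uri: str, cert: dict, route_headers=()) -> bool:
    """The missing step from the thread: after the chain has validated,
    compare the domain we are sending to against the peer's certificate."""
    domain = next_hop_domain(request_uri, list(route_headers))
    return domain_matches_cert(domain, cert)


# Constructed sample certificates in getpeercert() layout (not real certs).
SAN_CERT = {
    "subject": ((("commonName", "proxy1.example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("URI", "sip:example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "example.com"),),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}
EMAIL_SAN_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("email", "admin@example.com"),),
}

if __name__ == "__main__":
    for label, cert in [("SAN", SAN_CERT), ("CN only", CN_ONLY_CERT),
                        ("wildcard", WILDCARD_CERT), ("email SAN", EMAIL_SAN_CERT)]:
        ok = check_outgoing("sip:bob@example.com", cert)
        print(f"{label:10s} cert for sip:bob@example.com -> "
              f"{'accept' if ok else 'reject'}")
```

In a proxy this check belongs at the point Olle asks about: after the TLS handshake has verified the chain and before the first request is written to the new connection, with the connection dropped rather than reused when the domain does not match.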