[kamailio/kamailio] tls: add sel for tls verified cert chain (requires OpenSSL 1.1+) (#2289)
* New Feature * Changes Tested Locally
This sel variable allows a kam script to get access to not just the peer certificate (at index 0), but when a certificate is successfully verified, the entire chain of certificates that were used to verify the peer certificate (at index 1, 2, 3, etc).
This functionality is provided by OpenSSL's SSL_get0_verified_chain() function, which is only available in OpenSSL 1.1.0+ (which is why there is an #if for this feature)
This is important when a server trusts many CAs - without this addition, I don't think that it is definitively possible to tell which CA signed the verified certificate, leading to security issues if one of the trusted CAs was compromised and was used to sign certificates that look like they were signed by another issuing CA. You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/2289
-- Commit Summary --
* tls: add sel for tls verified cert chain (requires OpenSSL 1.1+)
-- File Changes --
M src/modules/tls/tls_select.c (121)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/2289.patch https://github.com/kamailio/kamailio/pull/2289.diff
Thanks, it will be merged!
Have you seen my comment on your previous PR:
* https://github.com/kamailio/kamailio/pull/2268#issuecomment-609935161
@armenb pushed 1 commit.
abc474d1caedb4661f3b0fc8168ea0cb608b3e83 remove extra tcpconn_put() call
Merged #2289 into master.
-
Armen Babikyan -
Daniel-Constantin Mierla