Hi Greger!
That was me requesting a download site. Would be great to have the
package at onsip. Would be greater to have it in CVS ;)
I didn't hear of a patch lately but someone posted a probable bug fix
with TLS session caching. The post is added below.
Alex Mack
[quote]
Hi,
First, how is free-TLS going? I mean ... is it ever going to make it into CVS?
I have been testing for some time; it may have some bugs, but just as any piece of code.
So far, I think it is good.
I found what I think is a bug. I was testing with minisip, which supports TLS
completely on the client side (even client certs, incoming connections, etc.). It would
create the initial connection OK to SER. After 2 minutes, SER shuts down the socket. So
far so good. When minisip tries to register, it tries to create a new SSL connection, and
as it supports session resuming, it would try to resume the previous session. But SER does
not support it ... and here is the bug.
To fix it ... as simple as calling
SSL_CTX_set_session_cache_mode( ssl_ctx, SSL_SESS_CACHE_OFF );
This turns the cache off ... and when ssl receives a session resume request, it sends back
a message indicating it is not possible, the client then starts the handshake from
scratch.
Another solution is to implement session caching ... but this may be too resource
consuming in big servers or in embedded systems ... so maybe better just to not support it
by default ... maybe implement an option to turn it on at will.
Another thing ... the verification of the certificates ... it is turned off. It should be
turned on, I think.
/* Set verification procedure
 * The verification can be made null with SSL_VERIFY_NONE, or
 * at least easier with SSL_VERIFY_CLIENT_ONCE instead of
 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
 * For extra control, instead of 0, we can specify a callback function:
 * int (*verify_callback)(int, X509_STORE_CTX *)
 * Also, depth 2 may be not enough in some scenarios ... though no need
 * to increase it much further */
SSL_CTX_set_verify( _ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
SSL_CTX_set_verify_depth( _ctx, 2);
This is it for now ...
Regards,
Cesc
[/quote]
Greger V. Teigre schrieb:
I saw somebody asking for a place to download the TLS implementation
before it is introduced into CVS. I have the original post from Peter
Griffiths. Is that the latest code (I have seen a thread on a patch)?
I can post it to
http://onsip.org/
As you may be aware of, we have already made available the
backports of the LCR, xlog, and UAC modules.
g-)
Peter Griffiths wrote:
hello --
some time ago i extended ser to support tls, basically
i implemented functions needed by the existing tls
api. i polished the code a bit and i am giving it away
freely. there are still some things to fix, but it
mostly works.
to use the code, copy tls directory into your ser tree
and optionally patch cfg.lex and cfg.y, then recompile
ser with TLS=on.
if you also patch cfg.lex and cfg.y then you can use
extended cfg syntax and specify different keys and
certificates for different listen sockets. this is
similar to apache virtual servers with ssl. without
the patches you can only use the default configuration
directives.
to iptel: would be great to have it in cvs, what do
you think ?
-- peter
-----------
example ser.cfg:
listen=tls:127.0.0.1:5061
listen=tls:127.0.0.1:5062
# defaults for outgoing tls connections
tls_certificate="default.crt"
tls_private_key = "default.key"
# domain1.com
tls_domain[127.0.0.1:5061] {
tls_certificate="domain1.crt"
tls_private_key = "domain1.key"
tls_method = sslv2
}
# domain2.com
tls_domain[127.0.0.1:5062] {
tls_certificate="domain2.crt"
tls_private_key="domain2.key"
}
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
_______________________________________________
Serdev mailing list
serdev(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serdev