Hi,
I have tested the free-tls code. It compiles and it works. I've tried
with the minisip user agent connecting over TLS, and no major problems.
Also, the interconnection of SER proxies (t_relay_to_tls between
proxies, to force tls) also works.
It seems to me a rather functional piece of code, much wanted by the
community, though it has not made its way through into the CVS. Why? I
think it is time.
This said, it also has some things that need to be fixed. I recently
sent an email to Peter and ser-dev ... but just got silence back.
Anyway, here's the email, for those who came up with the same problems:
session resuming not supported (but unconfigured) by ser, and no peer
certificate verification.
Cesc
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I found what I think is a bug. I was testing with minisip, which
supports TLS completely on the client side (even client certs,
incoming connections, etc). It would create the initial connection ok
to SER. After 2 minutes, SER shuts down the socket. So far so good.
When minisip tries to register, it tries to create a new SSL
connection, and as it supports session resuming, it would try to
resume the previous session. But SER does not support it ... and
here is the bug.
To fix it ... as simple as calling
SSL_CTX_set_session_cache_mode( ssl_ctx, SSL_SESS_CACHE_OFF );
This turns the cache off ... and when ssl receives a session resume
request, it sends back a message indicating it is not possible, and
the client then starts the handshake from scratch.
Another solution is to implement session caching ... but this may be
too resource consuming in big servers or in embedded systems ... so
maybe better just to not support it by default ... maybe implement an
option to turn it on at will.
Another thing ... the verification of the certificates ... it is
turned off. It should be turned on I think.
/* Set verification procedure.
 * The verification can be made null with SSL_VERIFY_NONE, or at least
 * easier with SSL_VERIFY_CLIENT_ONCE instead of SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
 * For extra control, instead of 0, we can specify a callback function:
 *     int (*verify_callback)(int, X509_STORE_CTX *)
 * Also, depth 2 may be not enough in some scenarios ... though no need
 * to increase it much further */
SSL_CTX_set_verify( _ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
SSL_CTX_set_verify_depth( _ctx, 2);