
[reSIProcate] Proposed changes to support optional RFC 5922 TLS Certificate matching rules


All,

Below is a proposed patch to allow RFC 5922 TLS certificate common and subj-alt-name matching rules. RFC 5922 mandates that wildcard matching MUST NOT be used. However, current resip code allows wildcards on the common name field.

By default, this new mode is disabled. As part of this patch, the non-5922 mode is changed to allow wildcard matching in all fields, since this mode is allowed within HTTP over TLS and not prohibited by 3261 (and normal web browsers allow it too).

If there are no complaints, I will commit sometime this week.

-Aron
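The two matching modes the patch in this message switches between (exact, case-insensitive comparison under RFC 5922, wildcard comparison otherwise) are easy to get subtly wrong, so here is a small self-contained C++ illustration. It is an added example, not reSIProcate code: `isEqualNoCase` and `matchHostName` borrow their names from the patch, but the bodies here are simplified assumptions (a single leading `*.` label that matches exactly one DNS label), and `PeerName`/`peerMatches` only loosely mirror the shape of `BaseSecurity::PeerName` and the patched loop.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Added example (not reSIProcate code). PeerName mirrors only the type+name
// shape of BaseSecurity::PeerName; the enum and field names are assumptions.
enum class IdType { CommonName, SubjectAltName };
struct PeerName { IdType type; std::string name; };

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Exact, case-insensitive comparison: the RFC 5922 mode, where a '*' in the
// certificate identity is just a literal character and never matches.
bool isEqualNoCase(const std::string& a, const std::string& b) {
    return lower(a) == lower(b);
}

// Simplified wildcard matcher (an assumption of this example, not resip's
// BaseSecurity::matchHostName): '*' is honoured only as the entire leftmost
// label and matches exactly one label, so "*.example.com" matches
// "sip.example.com" but not "example.com" or "a.b.example.com".
bool matchHostName(const std::string& pattern, const std::string& host) {
    const std::string p = lower(pattern);
    const std::string h = lower(host);
    if (p.rfind("*.", 0) != 0) {
        // No leading "*." -> any other '*' is rejected, otherwise exact match.
        if (p.find('*') != std::string::npos) return false;
        return p == h;
    }
    const std::string suffix = p.substr(1);            // ".example.com"
    if (h.size() <= suffix.size()) return false;       // nothing left for the label
    if (h.compare(h.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    const std::string first = h.substr(0, h.size() - suffix.size());
    return first.find('.') == std::string::npos;       // exactly one label
}

// Mirrors the patched loop: under RFC 5922 rules every identity (CN or SAN)
// must match exactly; otherwise wildcards are accepted for both types.
bool peerMatches(const std::vector<PeerName>& peerNames,
                 const std::string& targetDomain, bool rfc5922Rules) {
    for (const PeerName& pn : peerNames) {
        if (rfc5922Rules) {
            if (isEqualNoCase(pn.name, targetDomain)) return true;
        } else if (matchHostName(pn.name, targetDomain)) {
            return true;
        }
    }
    return false;
}

int main() {
    // Constructed sample certificate identities; "example.com" is a placeholder.
    const std::vector<PeerName> wildcardCert = {
        {IdType::CommonName, "*.example.com"},
        {IdType::SubjectAltName, "*.example.com"}};
    const std::vector<PeerName> exactCert = {
        {IdType::SubjectAltName, "sip.example.com"}};

    std::cout << "wildcard cert, legacy mode:  " << peerMatches(wildcardCert, "sip.example.com", false) << "\n";
    std::cout << "wildcard cert, RFC 5922 mode: " << peerMatches(wildcardCert, "sip.example.com", true) << "\n";
    std::cout << "exact cert, RFC 5922 mode:    " << peerMatches(exactCert, "SIP.EXAMPLE.COM", true) << "\n";
    return 0;
}
```

The point the example makes concrete is that enabling the RFC 5922 mode is a hard cut-over: a wildcard certificate that verifies today stops verifying the moment the flag is set, so the flag belongs with deployment configuration, not a runtime toggle.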

Index: resip/stack/ssl/TlsConnection.cxx
===================================================================
--- resip/stack/ssl/TlsConnection.cxx (revision 9058)
+++ resip/stack/ssl/TlsConnection.cxx (working copy)
@@ -24,6 +24,8 @@
 
 #define RESIPROCATE_SUBSYSTEM Subsystem::TRANSPORT
 
+bool TlsConnection::mRFC5922CertificateRules = false;
+
 TlsConnection::TlsConnection( Transport* transport, const Tuple& tuple, 
                               Socket fd, Security* security, 
                               bool server, Data domain,  SecurityTypes::SSLType sslType ,
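Review bot: `bool TlsConnection::mRFC5922CertificateRules = false;` makes the matching mode one process-wide switch shared by every TlsConnection, with no synchronisation and no comment; state in the definition (or the header) that it must be configured before TLS transports are created, or consider carrying the flag on Security/Transport so policy can differ per transport.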
@@ -280,25 +282,21 @@
       bool matches = false;
       for(std::list<BaseSecurity::PeerName>::iterator it = mPeerNames.begin(); it != mPeerNames.end(); it++)
       {
-         if(it->mType == BaseSecurity::CommonName)
+         if(mRFC5922CertificateRules)
          {
-            //allow wildcard match for subdomain name (RFC 2459)
-            if(BaseSecurity::matchHostName(it->mName, who().getTargetDomain()))
+            if(isEqualNoCase(it->mName, who().getTargetDomain()))
             {
                matches=true;
                break;
             }
          }
-         else //it->mType == SubjectAltName
-      {
-            //no wildcards for SubjectAltName
-            if(isEqualNoCase(it->mName, who().getTargetDomain()))
+         //.amr. allow wildcard match (RFC 2459), RFC 3261 doesn't prevent wildcards.
+         else if(BaseSecurity::matchHostName(it->mName, who().getTargetDomain()))
          {
              matches=true;
              break;
          }
       }
-      }
       if(!matches)
       {
          mTlsState = Broken;
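Review bot: in the new `if(mRFC5922CertificateRules)` branch the loop no longer consults `it->mType`, so a CommonName entry is accepted on the same footing as a subjectAltName; if the intent is full RFC 5922 behaviour and not only the no-wildcard rule, the type check the old code kept (`if(it->mType == BaseSecurity::CommonName)`) is still needed, since 5922 only falls back to the CN when the certificate carries no subjectAltName. Separately, the `//.amr. allow wildcard match (RFC 2459)...` comment sits between the closing brace and the `else if`; move it inside the branch and say explicitly that wildcard matching is now extended to subjectAltName entries, which is a behaviour change for existing deployments.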
Index: resip/stack/ssl/TlsConnection.hxx
===================================================================
--- resip/stack/ssl/TlsConnection.hxx (revision 9057)
+++ resip/stack/ssl/TlsConnection.hxx (working copy)
@@ -48,6 +48,8 @@
       
       typedef enum TlsState { Initial, Broken, Handshaking, Up } TlsState;
       static const char * fromState(TlsState);
+      static bool RFC5922CertificateRules() { return mRFC5922CertificateRules; }
+      static void setRFC5922CertificateRules(bool bEnable) { mRFC5922CertificateRules = bEnable; }
    
    private:
       /// No default c'tor
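Review bot: `RFC5922CertificateRules()` / `setRFC5922CertificateRules(bool bEnable)` are undocumented; add a doc comment giving the default (false), that the setting is process-wide rather than per connection, and that it is read at verification time, so flipping it after connections are established changes how later handshakes are verified.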
@@ -67,6 +69,7 @@
       SSL* mSsl;
       BIO* mBio;
       std::list<BaseSecurity::PeerName> mPeerNames;
+      static bool mRFC5922CertificateRules;
 };
  
 }
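Review bot: `static bool mRFC5922CertificateRules;` is declared among the per-connection members (`mSsl`, `mBio`, `mPeerNames`) with no comment; a one-line comment marking it as a class-wide policy flag defaulting to false would stop readers mistaking it for per-connection state.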