
[reSIProcate] Fwd: Proposed changes to support optional RFC 5922 TLS Certificate matching rules


Hi Aron,

I think the default needs to be flipped.  I think RFC5922 support should be enabled by default, and you must explicitly turn the option off to get the non-RFC compliant behavior.

I am a little concerned about people relying on wildcards in the CommonName today - but as long as we document the need to use the following setting - I think we are good:
TlsConnection::mRFC5922CertificateRules = false;

Scott

---------- Forwarded message ----------
From: Aron Rosenberg <arosenberg@xxxxxxxxxxxx>
Date: Sun, Mar 13, 2011 at 4:31 PM
Subject: [reSIProcate] Proposed changes to support optional RFC 5922 TLS Certificate matching rules
To: resiprocate-devel <resiprocate-devel@xxxxxxxxxxxxxxx>


All,

Below is a proposed patch to allow RFC 5922 TLS certificate common and subj-alt-name matching rules. RFC 5922 mandates that wildcard matching MUST NOT be used. However, current resip code allows wildcards on the common name field.

By default, this new mode is disabled. As part of this patch, the non-5922 mode is changed to allow wildcard matching in all fields, since this mode is allowed within HTTP over TLS, not prohibited by 3261 (and normal web browsers allow it too).

If there are no complaints, I will commit sometime this week.

-Aron

Index: resip/stack/ssl/TlsConnection.cxx
===================================================================
--- resip/stack/ssl/TlsConnection.cxx (revision 9058)
+++ resip/stack/ssl/TlsConnection.cxx (working copy)
@@ -24,6 +24,8 @@
 
 #define RESIPROCATE_SUBSYSTEM Subsystem::TRANSPORT
 
+bool TlsConnection::mRFC5922CertificateRules = false;
+
 TlsConnection::TlsConnection( Transport* transport, const Tuple& tuple, 
                               Socket fd, Security* security, 
                               bool server, Data domain,  SecurityTypes::SSLType sslType ,
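Review bot: the default chosen on the added `bool TlsConnection::mRFC5922CertificateRules = false;` line makes the wildcard-tolerant, non-compliant matching the out-of-the-box behaviour, so every existing deployment keeps accepting wildcard identities unless someone opts in. Initialising it to `true` and documenting `setRFC5922CertificateRules(false)` as the opt-out for deployments that still rely on wildcard CommonNames would make the strict mode the default, as the reply above asks for.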
@@ -280,25 +282,21 @@
       bool matches = false;
       for(std::list<BaseSecurity::PeerName>::iterator it = mPeerNames.begin(); it != mPeerNames.end(); it++)
       {
-         if(it->mType == BaseSecurity::CommonName)
+         if(mRFC5922CertificateRules)
          {
-            //allow wildcard match for subdomain name (RFC 2459)
-            if(BaseSecurity::matchHostName(it->mName, who().getTargetDomain()))
+            if(isEqualNoCase(it->mName, who().getTargetDomain()))
             {
                matches=true;
                break;
             }
          }
-         else //it->mType == SubjectAltName
-      {
-            //no wildcards for SubjectAltName
-            if(isEqualNoCase(it->mName, who().getTargetDomain()))
+         //.amr. allow wildcard match (RFC 2459), RFC 3261 doesn't prevent wildcards.
+         else if(BaseSecurity::matchHostName(it->mName, who().getTargetDomain()))
          {
              matches=true;
              break;
          }
       }
-      }
       if(!matches)
       {
          mTlsState = Broken;
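Review bot: the rewritten loop no longer consults `it->mType`, so the removed distinction between CommonName and SubjectAltName entries (`//no wildcards for SubjectAltName`) is gone in both modes: in RFC 5922 mode both types get `isEqualNoCase`, and otherwise both get `BaseSecurity::matchHostName`. If the strict mode is meant to track the RFC more closely than the wildcard prohibition alone, keeping the type check (even if both branches currently do the same thing) would make that easier than reintroducing it later. Minor: the braces of the new `else if` block are indented one level shallower than the `if(mRFC5922CertificateRules)` branch above, and the `//.amr.` prefix in the comment reads as a personal marker rather than project style.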
Index: resip/stack/ssl/TlsConnection.hxx
===================================================================
--- resip/stack/ssl/TlsConnection.hxx (revision 9057)
+++ resip/stack/ssl/TlsConnection.hxx (working copy)
@@ -48,6 +48,8 @@
       
       typedef enum TlsState { Initial, Broken, Handshaking, Up } TlsState;
       static const char * fromState(TlsState);
+      static bool RFC5922CertificateRules() { return mRFC5922CertificateRules; }
+      static void setRFC5922CertificateRules(bool bEnable) { mRFC5922CertificateRules = bEnable; }
    
    private:
       /// No default c'tor
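Review bot: the two added accessors are undocumented; a short comment should state the default value, that the flag is a process-wide static shared by every TlsConnection (so it cannot be set per transport or per Security instance), and that changing it affects the peer-name check of every subsequent certificate validation. The getter name `RFC5922CertificateRules()` also mirrors the private member without the usual `is`/`get` prefix, which is worth aligning with the rest of the class.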
@@ -67,6 +69,7 @@
       SSL* mSsl;
       BIO* mBio;
       std::list<BaseSecurity::PeerName> mPeerNames;
+      static bool mRFC5922CertificateRules;
 };
  
 }
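As an added illustration (not part of Aron's patch or of the reSIProcate code base) of the two matching modes the patch switches between: a stand-alone matcher with an assumed wildcard semantics for the non-RFC 5922 mode (a leading `*.` covers exactly one DNS label) beside the exact case-insensitive comparison that RFC 5922 mode uses. The function names and the certificate/target names below are constructed for the example.

```cpp
#include <iostream>
#include <cctype>
#include <string>

// Case-insensitive comparison of two names (DNS names are compared without
// regard to case, which is what isEqualNoCase does in the patch).
static bool equalNoCase(const std::string& a, const std::string& b)
{
   if (a.size() != b.size()) return false;
   for (std::string::size_type i = 0; i < a.size(); ++i)
   {
      if (std::tolower(static_cast<unsigned char>(a[i])) !=
          std::tolower(static_cast<unsigned char>(b[i]))) return false;
   }
   return true;
}

// Assumed wildcard semantics for the non-RFC 5922 mode: a presented name that
// begins with "*." matches a target whose first label is replaced by the
// wildcard, so "*.example.com" matches "sip.example.com" but neither
// "example.com" nor "a.b.example.com". Names without a wildcard must match exactly.
static bool matchWildcard(const std::string& presented, const std::string& target)
{
   if (presented.compare(0, 2, "*.") != 0) return equalNoCase(presented, target);
   std::string::size_type dot = target.find('.');
   if (dot == std::string::npos || dot == 0) return false; // target needs a first label
   // The wildcard covers exactly one label; the remainder must match exactly.
   return equalNoCase(presented.substr(1), target.substr(dot));
}

// Mirrors the per-PeerName decision in the patch: strict exact match when the
// RFC 5922 rules are enabled, wildcard-tolerant matching otherwise.
bool peerNameMatches(const std::string& presented, const std::string& target, bool rfc5922Rules)
{
   if (rfc5922Rules) return equalNoCase(presented, target); // wildcards never accepted
   return matchWildcard(presented, target);
}

int main()
{
   const std::string presented = "*.example.com"; // constructed certificate identity
   const std::string target = "sip.example.com";  // constructed connection target
   std::cout << "wildcard mode accepts: " << peerNameMatches(presented, target, false) << "\n"
             << "RFC 5922 mode accepts: " << peerNameMatches(presented, target, true) << "\n";
   return 0;
}
```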


_______________________________________________
resiprocate-devel mailing list
resiprocate-devel@xxxxxxxxxxxxxxx
https://list.resiprocate.org/mailman/listinfo/resiprocate-devel