< Previous by Date	Date Index	Next by Date >
	Thread Index

[reSIProcate] TlsConnection.cxx: checkState() changes

From: John Gregg <jgregg@xxxxxxxxx>
Date: Tue, 20 May 2014 15:00:09 -0400

We made changes in this code, and since they are in sensitivesecurity-related code, someone smart should look them over. I'm not sureof the circumstances that led us to make these changes, but they mayhave involved use of self-generated, self-signed certificates. Bothchanges are in resip/stack/ssl/TlsConnection.cxx, in the routineTlsConnection::checkState(), just below the comment that says:

//post-connection verification: check that certificate name matchesdomain name

First, a sanity check: if we don't have any peerNames, fail immediately.In the old code, the body of the loop would never be executed, and wewould still fall into an error case, so the only real differencesbetween this code and the old code are the log message and themFailureReason being set more accurately.


Second, as the comment in the modified code says:

// If the calling app never bothered to fill out the domain, don'tdemand that it match the CM from the cert.


The attached diff file is against 1.9.6.

-John Gregg

Index: TlsConnection.cxx
===================================================================
--- TlsConnection.cxx	(revision 27529)
+++ TlsConnection.cxx	(working copy)
@@ -307,6 +307,25 @@
    if (!mServer)
    {
       bool matches = false;
+
+       // AYLUS_CHANGE BEGIN
+
+       // no mPeerNames means we never got a good certificate from the server
+       if (mPeerNames.empty())
+       {
+           mTlsState = Broken;
+           mBio = 0;
+           ErrLog (<< "Certificate validation failed: no common name(s)");
+           mFailureReason = TransportFailure::CertValidationFailure;
+           return mTlsState;
+       }
+
+       // If the calling app never bothered to fill out the domain, don't demand that it match the CM from the cert.
+       if (!who().getTargetDomain().empty())
+       {
+
+       // AYLUS_CHANGE END
+
       for(std::list<BaseSecurity::PeerName>::iterator it = mPeerNames.begin(); it != mPeerNames.end(); it++)
       {
          if(BaseSecurity::matchHostName(it->mName, who().getTargetDomain()))
@@ -328,6 +347,8 @@
       }
    }
 
+   } // AYLUS_CHANGE
+
    InfoLog( << "TLS handshake done for peer " << getPeerNamesData()); 
    mTlsState = Up;
    if (!mOutstandingSends.empty())

Prev by Date: [reSIProcate] rutil Log: give app control over syslog facility; don't hardcode LOCAL6
Next by Date: Re: [reSIProcate] TransactionState::sendCurrentToWire() uses wrong target in server/force target case
Previous by thread: [reSIProcate] rutil Log: give app control over syslog facility; don't hardcode LOCAL6
Next by thread: Re: [reSIProcate] [reSIProcate-users] question about ExtensionHeader and ExtensionParameter
Index(es):
- Date
- Thread