Scott, Thanks
for your inputs. SSL is working fine now after generating new certificated
with correct hosname information.
However, There
is one problem I found in resip\stack\ssl\TlsConnection.cxx
TlsConnection::read function.
<snip>
int bytesRead =
SSL_read(mSsl,buf,count);
StackLog(<< "SSL_read returned
" << bytesRead << " bytes [" << Data(Data::Borrow, buf,
bytesRead) << "]");
if (bytesRead > 0
&& SSL_pending(mSsl))
{
int restBytes =
SSL_pending(mSsl);
char* buffer =
getWriteBufferForExtraBytes(restBytes);
StackLog(<< "reading remaining buffered
bytes");
restBytes = SSL_read(mSsl, buffer,
SSL_pending(mSsl));
StackLog(<<
"SSL_read returned " << restBytes << " bytes [" <<
Data(Data::Borrow, buffer, restBytes) << "]");
if
(restBytes>0)
{
bytesRead +=
restBytes;
}
else
{
bytesRead =
restBytes;
}
}
</snip>
My Client application was
returning -1 for SSL_read(mSsl,buf,count) function call with error
code 2.
After that it was crashing at
following line :-
StackLog(<< "SSL_read
returned " << bytesRead << " bytes [" << Data(Data::Borrow,
buf, bytesRead) << "]");
when it was trying to write
<< Data(Data::Borrow, buf, bytesRead) .
The correct location for this log
message should be inside if (bytesRead > 0 &&
SSL_pending(mSsl)) block.
The correct code should be
:
<snip>
int bytesRead =
SSL_read(mSsl,buf,count);
if (bytesRead > 0
&& SSL_pending(mSsl))
{
StackLog(<< "SSL_read returned " << bytesRead << " bytes ["
<< Data(Data::Borrow, buf, bytesRead) <<
"]");
int restBytes =
SSL_pending(mSsl);
char* buffer =
getWriteBufferForExtraBytes(restBytes);
StackLog(<< "reading remaining buffered
bytes");
restBytes = SSL_read(mSsl, buffer,
SSL_pending(mSsl));
StackLog(<<
"SSL_read returned " << restBytes << " bytes [" <<
Data(Data::Borrow, buffer, restBytes) << "]");
if
(restBytes>0)
{
bytesRead +=
restBytes;
}
else
{
bytesRead =
restBytes;
}
}
</snip>
Thanks,
~ Rajeev
Sent: Thursday, April 09, 2009 6:57
PM
The problem is that the post TLS handshake hostname validation
check is failing. When a TLS client connects to a server - it must check
that the certificate presented by the server to the client identifies the
server that it is trying to contact. In SIP this means the hostname in
the request URI of the SIP request you are sending must match either the
certificate subject common name, or one of the SubjectAltNames (DNS or URI
entries). The following line in the logs indicate this error:
<<RESIP:TRANSPORT-ERROR>> Certificate name mismatch: trying
to connect to <148.147.174.64> remote cert domain(s) are <Converged
Communication Server 2.1>
There are two problems in your setup. You are using an IP address
to contact the server. When using TLS you should always use hostnames or
SRV records to connect to the TLS server. Your certificate does not
contain a valid hostname in the Subject CommonName field.
Hope this helps.
Scott
On Thu, Apr 9, 2009 at 6:51 AM, Srivastava, Rajeev
Kumar (Rajeev)
<srivastava@xxxxxxxxx> wrote:
Hello
Scott,
Yes, my
reSIProcate Application is TLS Client.
I am not sure
what changes need to be done while generating Certificate to pass this host
validation check.
Is this (the
problem I am facing) because of wrong certificate or do I need to change my
code to work with new version of reSIProcate?
As I am not
very much knowledgeable in SSL stuff, I am attaching the reSIProcate logs
along with the certificates I am using for further help on
this.
Thanks,
~ Rajeev
Is resiprocate the TLS client or server in these traces?
Are there any relevant errors in the resiprocate log files?
Assuming your resiprocate application is the TLS client, it is tearing
down the TLS connection after the handshake. Usually this is because
the post handshake host validation check failed. The code surrounding
hostname validation has changed since release 1.1. The resip logs
should contain some useful information if this is the case.
Scott
On Tue, Apr 7, 2009 at 5:58 AM, Srivastava, Rajeev
Kumar (Rajeev)
<srivastava@xxxxxxxxx> wrote:
Hi,
I recently upgraded
resiprocate library to 1.4.1 form 1.1 for one of my projects(Windows
only).
After that TLS is not getting
enabled.
<code
snip>
Security* pSecurity = new Security ( "..\etc"
);
SipStack* pSipStack = new SipStack (
pSecurity );
StackThread* pStackThread =
new StackThread ( *pSipStack );
pSipStack->addTransport (
TLS,
nTlsPort,
V4,
StunDisabled,
Data::Empty,
Data::from
( strDomain ) );
pSipStack->addTransport ( TCP, nTcpPort);
pSipStack->addTransport ( TCP, nUdpPort);
pStackThread->run ();
</snip>
This same piece of code is
working fine with the same certificate with reSIProcate
1.1.
But it is not working with
reSIProcate 1.4.1
I am attaching WireShark logs
for reference.
Is there any change in SSL
implementation and do I need to use it in a different manner
now?
Do let me know if you need any
more information for helping out.
Thanks,
~
Rajeev
_______________________________________________
resiprocate-users
mailing list
resiprocate-users@xxxxxxxxxxxxxxx
List Archive: http://list.resiprocate.org/archive/resiprocate-users/