
Re: [reSIProcate-users] How to set the resip use the TLS anyway even TLS valid failure


I would strongly advise against doing this, as it means you're defenseless against a man-in-the-middle attack. The problem with sip2sip.info is that either the cert being served by sipthor.net isn't authoritative for sip2sip.info (which means that it appears to be a DNS-mediated man-in-the-middle attack), or it is and we aren't handling the cert correctly. If it is the former, any implementation that works has a serious security vulnerability, or some special bit of configuration that tells it to treat these two domains as equivalent. It would be nice to see a dump of the cert being served by sipthor.net to rule out the latter.

Best regards,
Byron Campen

I have changed the source code in security.cxx to SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_NONE, verifyCallback);

Then I got it to work.



On Fri, Nov 29, 2013 at 3:35 AM, Daniel Pocock <daniel@xxxxxxxxxxxxx> wrote:


On 22/11/13 10:11, Karlsson wrote:
> Hi, when I use resip with TLS transport to sip2sip.info:443, it says it failed
> to validate the certificate, but if I use the doubango softphone to this
> server by TLS, it works fine.
>
> How can I set resip to use TLS anyway even if TLS validation fails?

To make repro completely ignore certificate errors (or chain errors)
would require a code change and it is probably not a good idea.

However, you may find that it is possible to obtain a copy of the root
certificate from the CA who signed your peer's certificate. Then you
just add that root certificate into your local configuration.

See these config options:

CertificatePath
CADirectory
CAFile
_______________________________________________
resiprocate-users mailing list
resiprocate-users@xxxxxxxxxxxxxxx
List Archive: http://list.resiprocate.org/archive/resiprocate-users/
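
The question raised in the thread, whether the certificate being served is authoritative for the domain being contacted, comes down to comparing the names in the certificate against that domain. The following is an added example, not part of the thread and not reSIProcate code: simplified DNS-name matching over the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. Both certificates are constructed to stand in for the two cases, since the thread contains no dump of the real one.

```python
# Added example: simplified DNS-name matching (RFC 6125 style) over the dict
# shape returned by ssl.SSLSocket.getpeercert(). Not reSIProcate code.

def _label_match(pattern: str, host: str) -> bool:
    """Match one name presented in a certificate against the contacted domain."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    first, rest = p_labels[0], p_labels[1:]
    if rest != h_labels[1:]:
        return False
    if first == "*":
        # whole-label wildcard only, and never directly under a TLD
        return len(p_labels) >= 3
    return "*" not in first and first == h_labels[0]


def presented_names(cert: dict) -> list:
    """DNS subjectAltNames if present, otherwise the subject commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def authoritative_for(cert: dict, domain: str) -> bool:
    """True if any presented name covers the domain the client asked for."""
    return any(_label_match(name, domain) for name in presented_names(cert))


# Constructed certificate: names only the serving host's own domain.
CERT_OTHER_DOMAIN = {
    "subject": ((("commonName", "sipthor.net"),),),
    "subjectAltName": (("DNS", "sipthor.net"), ("DNS", "*.sipthor.net")),
}
# Constructed certificate: also lists the contacted domain as a SAN.
CERT_COVERS_BOTH = {
    "subject": ((("commonName", "sipthor.net"),),),
    "subjectAltName": (("DNS", "sipthor.net"), ("DNS", "sip2sip.info")),
}

if __name__ == "__main__":
    for label, cert in (("other-domain", CERT_OTHER_DOMAIN), ("covers-both", CERT_COVERS_BOTH)):
        print(label, presented_names(cert), authoritative_for(cert, "sip2sip.info"))
```

A certificate of the first kind fails validation for the contacted domain no matter which root is trusted; only a certificate of the second kind can be made to validate by adding the issuing CA's root to the trust store.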


