[reSIProcate] Proposed changes to support optional RFC 5922 TLS Certificate matching rules
Aron Rosenberg
arosenberg at logitech.com
Sun Mar 13 15:31:56 CDT 2011
All,
Below is a proposed patch to allow RFC 5922 TLS certificate common and
subj-alt-name matching rules. RFC 5922 mandates that wildcard matching MUST
NOT be used. However, current resip code allows wildcards on the common name
field.
By default, this new mode is disabled. As part of this patch, the non 5922
mode is changed to allow wildcard matching in all fields, since this mode is
allowed within HTTP over TLS, not prohibited by 3261 (and normal web browsers
allow it too).
If there are no complaints, I will commit sometime this week.
-Aron
Index: resip/stack/ssl/TlsConnection.cxx
===================================================================
--- resip/stack/ssl/TlsConnection.cxx (revision 9058)
+++ resip/stack/ssl/TlsConnection.cxx (working copy)
@@ -24,6 +24,8 @@
#define RESIPROCATE_SUBSYSTEM Subsystem::TRANSPORT
+bool TlsConnection::mRFC5922CertificateRules = false;
+
TlsConnection::TlsConnection( Transport* transport, const Tuple& tuple,
Socket fd, Security* security,
bool server, Data domain,
SecurityTypes::SSLType sslType ,
@@ -280,25 +282,21 @@
bool matches = false;
for(std::list<BaseSecurity::PeerName>::iterator it =
mPeerNames.begin(); it != mPeerNames.end(); it++)
{
- if(it->mType == BaseSecurity::CommonName)
+ if(mRFC5922CertificateRules)
{
- //allow wildcard match for subdomain name (RFC 2459)
- if(BaseSecurity::matchHostName(it->mName,
who().getTargetDomain()))
+ if(isEqualNoCase(it->mName, who().getTargetDomain()))
{
matches=true;
break;
}
}
- else //it->mType == SubjectAltName
- {
- //no wildcards for SubjectAltName
- if(isEqualNoCase(it->mName, who().getTargetDomain()))
+ //.amr. allow wildcard match (RFC 2459), RFC 3261 doesn't prevent
wildcards.
+ else if(BaseSecurity::matchHostName(it->mName,
who().getTargetDomain()))
{
matches=true;
break;
}
}
- }
if(!matches)
{
mTlsState = Broken;
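Review bot: The strict branch at `if(mRFC5922CertificateRules)` compares every PeerName exactly but still ignores `it->mType`, so a Common Name entry is accepted on the same footing as a subjectAltName; as I read RFC 5922 §7.1 the CN is only a fallback when the certificate carries no suitable subjectAltName, so a certificate whose SAN entries do not match but whose CN does would still pass in the mode that claims 5922 conformance. If that relaxation is intended, a comment on that branch should say so; otherwise a pre-scan for SAN entries that lets the loop skip CommonName entries when one exists is needed, sketched below. The `//.amr.` comment now sits between the closing brace of the if-block and `else if`, where it reads as belonging to the preceding block; moving it inside the else-if body would be clearer. Note also that with the flag at its default of false the SubjectAltName path, which previously required an exact match, now accepts wildcards for every existing caller, so that should be called out in the changelog. The enclosing function starts before and ends after this hunk.
```cpp
bool matches = false;
// Strict (RFC 5922) mode only: once a subjectAltName entry is present the
// Common Name is not consulted, so record whether any SAN entry exists.
bool haveSubjectAltName = false;
for(std::list<BaseSecurity::PeerName>::iterator it = mPeerNames.begin();
    mRFC5922CertificateRules && it != mPeerNames.end(); it++)
{
   if(it->mType != BaseSecurity::CommonName) { haveSubjectAltName = true; break; }
}
for(std::list<BaseSecurity::PeerName>::iterator it = mPeerNames.begin(); it != mPeerNames.end(); it++)
{
   if(mRFC5922CertificateRules)
   {
      if(haveSubjectAltName && it->mType == BaseSecurity::CommonName)
      {
         continue; // CN is a fallback identity only
      }
      // … unchanged: exact isEqualNoCase comparison, matches=true, break …
   }
   // … unchanged: wildcard matchHostName branch …
}
```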
Index: resip/stack/ssl/TlsConnection.hxx
===================================================================
--- resip/stack/ssl/TlsConnection.hxx (revision 9057)
+++ resip/stack/ssl/TlsConnection.hxx (working copy)
@@ -48,6 +48,8 @@
typedef enum TlsState { Initial, Broken, Handshaking, Up } TlsState;
static const char * fromState(TlsState);
+ static bool RFC5922CertificateRules() { return
mRFC5922CertificateRules; }
+ static void setRFC5922CertificateRules(bool bEnable) {
mRFC5922CertificateRules = bEnable; }
private:
/// No default c'tor
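Review bot: The new `RFC5922CertificateRules()`/`setRFC5922CertificateRules()` pair on the two added lines is undocumented although it toggles a process-wide static that the .cxx hunk reads, without synchronisation, during every connection's certificate check; a Doxygen comment such as `/// Process-wide switch: when true peer names must match the target domain exactly (RFC 5922, no wildcards). Set once before any TLS connection is created; it is read unsynchronised by every TlsConnection.` would tell callers the scope and the timing constraint. `bEnable` also carries a Hungarian prefix that the neighbouring declarations (`TlsState`, `fromState`) do not use; `enable` would match the file's style.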
@@ -67,6 +69,7 @@
SSL* mSsl;
BIO* mBio;
std::list<BaseSecurity::PeerName> mPeerNames;
+ static bool mRFC5922CertificateRules;
};
}