[reSIProcate] Fwd: Proposed changes to support optional RFC 5922 TLS Certificate matching rules
Scott Godin
sgodin at sipspectrum.com
Sun Mar 13 15:50:45 CDT 2011
Hi Aron,
I think the default needs to be flipped. I think RFC5922 support should be
enabled by default, and you must explicitly turn the option off to get the
non-RFC compliant behavior.
I am a little concerned about people relying on wildcards in the CommonName
today - but as long as we document the need to use the following setting - I
think we are good:
TlsConnection::mRFC5922CertificateRules = false;
Scott
---------- Forwarded message ----------
From: Aron Rosenberg <arosenberg at logitech.com>
Date: Sun, Mar 13, 2011 at 4:31 PM
Subject: [reSIProcate] Proposed changes to support optional RFC 5922 TLS Certificate matching rules
To: resiprocate-devel <resiprocate-devel at resiprocate.org>
All,
Below is a proposed patch to allow RFC 5922 TLS certificate common and
subj-alt-name matching rules. RFC 5922 mandates that wildcard matching MUST
NOT be used. However, current resip code allows wildcards on the common name
field.
By default, this new mode is disabled. As part of this patch, the non-5922
mode is changed to allow wildcard matching in all fields, since this mode is
allowed within HTTP over TLS, not prohibited by 3261 (and normal web browsers
allow it too).
If there are no complaints, I will commit sometime this week.
-Aron
Index: resip/stack/ssl/TlsConnection.cxx
===================================================================
--- resip/stack/ssl/TlsConnection.cxx (revision 9058)
+++ resip/stack/ssl/TlsConnection.cxx (working copy)
@@ -24,6 +24,8 @@
#define RESIPROCATE_SUBSYSTEM Subsystem::TRANSPORT
+bool TlsConnection::mRFC5922CertificateRules = false;
+
TlsConnection::TlsConnection( Transport* transport, const Tuple& tuple,
Socket fd, Security* security,
bool server, Data domain,
SecurityTypes::SSLType sslType ,
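Review bot: The new static is initialised to `false`, so out of the box a connection keeps the wildcard-tolerant, non-RFC 5922 behaviour and a deployment must opt in to strict matching; consider defaulting to `true` and documenting the opt-out, since the wildcard mode is the less restrictive of the two. A one-line comment above `+bool TlsConnection::mRFC5922CertificateRules = false;` saying what the flag selects would also help anyone reading the .cxx without the header open.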
@@ -280,25 +282,21 @@
bool matches = false;
for(std::list<BaseSecurity::PeerName>::iterator it =
mPeerNames.begin(); it != mPeerNames.end(); it++)
{
- if(it->mType == BaseSecurity::CommonName)
+ if(mRFC5922CertificateRules)
{
- //allow wildcard match for subdomain name (RFC 2459)
- if(BaseSecurity::matchHostName(it->mName,
who().getTargetDomain()))
+ if(isEqualNoCase(it->mName, who().getTargetDomain()))
{
matches=true;
break;
}
}
- else //it->mType == SubjectAltName
- {
- //no wildcards for SubjectAltName
- if(isEqualNoCase(it->mName, who().getTargetDomain()))
+ //.amr. allow wildcard match (RFC 2459), RFC 3261 doesn't prevent
wildcards.
+ else if(BaseSecurity::matchHostName(it->mName,
who().getTargetDomain()))
{
matches=true;
break;
}
}
- }
if(!matches)
{
mTlsState = Broken;
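Review bot: Dropping the `it->mType` test means the non-5922 branch now runs `BaseSecurity::matchHostName` (wildcard-aware) against SubjectAltName entries as well as CommonName, whereas before wildcards were honoured only in the CommonName (`//no wildcards for SubjectAltName` is removed); this is the widening the cover note describes, but it deserves a changelog entry because a wildcard SAN that was previously rejected will now match. In the 5922 branch the entry type is likewise ignored and both kinds are compared with `isEqualNoCase` only; if that mode is meant to track the RFC closely, consider whether the CN/SAN distinction should remain visible here rather than being collapsed. Style: the `//.amr.` author tag is noise in committed code, and the comment sits between the closing brace of the `if` and the `else if`, which is legal but easy to misread; a neutral `// non-RFC 5922 mode: wildcard match (RFC 2459)` placed inside the `else if` block, or above `if(mRFC5922CertificateRules)`, reads better.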
Index: resip/stack/ssl/TlsConnection.hxx
===================================================================
--- resip/stack/ssl/TlsConnection.hxx (revision 9057)
+++ resip/stack/ssl/TlsConnection.hxx (working copy)
@@ -48,6 +48,8 @@
typedef enum TlsState { Initial, Broken, Handshaking, Up } TlsState;
static const char * fromState(TlsState);
+ static bool RFC5922CertificateRules() { return
mRFC5922CertificateRules; }
+ static void setRFC5922CertificateRules(bool bEnable) {
mRFC5922CertificateRules = bEnable; }
private:
/// No default c'tor
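Review bot: The getter/setter pair toggles a process-wide static but carries no documentation of the default or of what the two modes do; add a doc comment in the file's existing `///` style saying the flag defaults to `false`, that `true` selects exact, case-insensitive matching with no wildcards, and that it affects every TlsConnection in the process rather than the instance it is called through. The static is also unsynchronised against connections that are mid-handshake when `setRFC5922CertificateRules` is called; if it is intended to be set once at startup, state that in the comment.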
@@ -67,6 +69,7 @@
SSL* mSsl;
BIO* mBio;
std::list<BaseSecurity::PeerName> mPeerNames;
+ static bool mRFC5922CertificateRules;
};
}
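Review bot: `mRFC5922CertificateRules` is declared alongside the per-connection members (`mSsl`, `mBio`, `mPeerNames`) but is `static` and shared by all connections; a short comment, or grouping it apart from the instance state, would stop the `m` prefix from suggesting per-connection scope. Its definition lives in the TlsConnection.cxx hunk, so the two must be kept in step if the name changes.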
_______________________________________________
resiprocate-devel mailing list
resiprocate-devel at resiprocate.org
https://list.resiprocate.org/mailman/listinfo/resiprocate-devel
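The thread contrasts two identity-matching policies: exact, case-insensitive comparison with no wildcards (the RFC 5922 mode) and left-most-label wildcard matching in the HTTPS/RFC 2459 style (the non-5922 mode, now applied to every peer name). The following is an added, stand-alone example written for this page; it is not reSIProcate code, and `matchesIdentity`, `exactMatch` and `wildcardMatch` are hypothetical stand-ins for the stack's `isEqualNoCase` and `BaseSecurity::matchHostName`, whose exact semantics the patch does not show. The certificate names and target domains are constructed.

```cpp
// Added example (not reSIProcate code): the two matching policies from the
// thread side by side. Function names are hypothetical; inputs are constructed.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Strict rule (RFC 5922 mode): case-insensitive equality, no wildcards at all.
static bool exactMatch(const std::string& certName, const std::string& target)
{
    if (certName.size() != target.size()) return false;
    for (size_t i = 0; i < certName.size(); ++i) {
        if (std::tolower((unsigned char)certName[i]) !=
            std::tolower((unsigned char)target[i]))
            return false;
    }
    return true;
}

// Wildcard rule (non-5922 mode): "*.example.com" matches exactly one label in
// front of ".example.com". A "*" anywhere else, a bare "*", or a wildcard
// spanning several labels is rejected; names without "*." fall back to exact.
static bool wildcardMatch(const std::string& certName, const std::string& target)
{
    if (certName.compare(0, 2, "*.") != 0) return exactMatch(certName, target);
    const std::string suffix = certName.substr(1);            // ".example.com"
    if (suffix.find('*') != std::string::npos) return false;  // one wildcard only
    if (target.size() <= suffix.size()) return false;         // need a label in front
    // The part covered by '*' must be a single, non-empty label.
    const std::string head = target.substr(0, target.size() - suffix.size());
    if (head.empty() || head.find('.') != std::string::npos) return false;
    return exactMatch(suffix, target.substr(head.size()));
}

// Mirrors the loop in the patch: walk every peer name and apply one rule,
// chosen by the flag, regardless of whether the entry came from CN or SAN.
static bool matchesIdentity(const std::vector<std::string>& peerNames,
                            const std::string& target, bool rfc5922Rules)
{
    for (const std::string& name : peerNames) {
        if (rfc5922Rules ? exactMatch(name, target) : wildcardMatch(name, target))
            return true;
    }
    return false;
}

int main()
{
    // Constructed certificate identities and connection targets.
    const std::vector<std::string> peerNames = {"*.example.com", "sip.example.net"};
    const char* targets[] = {"proxy.example.com", "sip.example.net", "a.b.example.com"};
    for (const char* t : targets) {
        std::cout << t << ": rfc5922=" << matchesIdentity(peerNames, t, true)
                  << " wildcard=" << matchesIdentity(peerNames, t, false) << "\n";
    }
    return 0;
}
```

Running it shows the practical effect of the flag: a certificate carrying only `*.example.com` authenticates `proxy.example.com` in wildcard mode and is rejected in RFC 5922 mode, while `sip.example.net` is accepted by both. This is the behaviour change an operator relying on wildcard CommonNames will see when the strict mode is enabled.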