[reSIProcate] TlsConnection.cxx: checkState() changes
John Gregg
jgregg at aylus.com
Tue May 20 14:00:09 CDT 2014
We made changes in this code, and since they are in sensitive
security-related code, someone smart should look them over. I'm not sure
of the circumstances that led us to make these changes, but they may
have involved use of self-generated, self-signed certificates. Both
changes are in resip/stack/ssl/TlsConnection.cxx, in the routine
TlsConnection::checkState(), just below the comment that says:
//post-connection verification: check that certificate name matches domain name
First, a sanity check: if we don't have any peerNames, fail immediately.
In the old code, the body of the loop would never be executed, and we
would still fall into an error case, so the only real differences
between this code and the old code are the log message and the
mFailureReason being set more accurately.
Second, as the comment in the modified code says:
// If the calling app never bothered to fill out the domain, don't demand that it match the CM from the cert.
The attached diff file is against 1.9.6.
-John Gregg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TlsConnection.cxx.diff
Type: text/x-patch
Size: 1232 bytes
Desc: not available
URL: <http://list.resiprocate.org/pipermail/resiprocate-devel/attachments/20140520/8b132714/attachment.bin>
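The two checks described in this message, modeled as an added C++ example; it is not the reSIProcate code or the attached patch, and every name in it (checkPeerName, NameCheck, accepted, the strict flag) is hypothetical. It assumes exact, case-insensitive name comparison with no wildcard handling, and shows that skipping the comparison on an empty domain accepts a certificate issued for any name.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Illustrative model only: all names here are hypothetical, not reSIProcate's.
enum class NameCheck { NoPeerNames, SkippedEmptyDomain, NoExpectedDomain, Matched, Mismatch };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// peerNames: names taken from the peer certificate.
// expectedDomain: the domain the calling application filled in (may be empty).
// strict: assumption added for contrast; an empty domain fails instead of being skipped.
NameCheck checkPeerName(const std::vector<std::string>& peerNames,
                        const std::string& expectedDomain, bool strict) {
    if (peerNames.empty())
        return NameCheck::NoPeerNames;            // first change: fail immediately
    if (expectedDomain.empty())                   // second change: nothing to compare against
        return strict ? NameCheck::NoExpectedDomain : NameCheck::SkippedEmptyDomain;
    const std::string want = lower(expectedDomain);
    for (const auto& name : peerNames)
        if (lower(name) == want)
            return NameCheck::Matched;
    return NameCheck::Mismatch;
}

// The connection proceeds on a match, and also when the check was skipped.
bool accepted(NameCheck r) {
    return r == NameCheck::Matched || r == NameCheck::SkippedEmptyDomain;
}

int main() {
    // Constructed input: a certificate for other.example, no domain set by the app.
    std::vector<std::string> names{"other.example"};
    std::cout << "lenient, empty domain: " << accepted(checkPeerName(names, "", false)) << "\n";
    std::cout << "strict, empty domain:  " << accepted(checkPeerName(names, "", true)) << "\n";
    std::cout << "domain set, mismatch:  "
              << accepted(checkPeerName(names, "sip.example.com", false)) << "\n";
    return 0;
}
```

With the skip in place, the only identity check left for a caller that never sets the domain is whatever chain validation ran before this point, so a log line or counter on the skipped branch makes that case visible.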