| Summary: | ASTERISK-20559: SIP TCP/TLS: When checking the CA certificate fails, the call still goes through | ||||
| Reporter: | Kinsey Moore (kmoore) | Labels: | |||
| Date Opened: | 2012-10-12 09:25:49 | Date Closed: | 2012-10-17 15:22:19 | ||
| Priority: | Blocker | Regression? | |||
| Status: | Closed/Complete | Components: | Channels/chan_sip/TCP-TLS | ||
| Versions: | 1.8.17.0 10.9.0 11.0.0-beta2 | Frequency of Occurrence | Constant | ||
| Related Issues: |
| ||||
| Environment: | SIP TCP/TLS connection with differing CA certificates set on either side of the connection. Each side of the call has a valid CA certificate for its respective key, but the CA certificates are not valid for the key on the remote side. | Attachments: | ( 0) tcptls_fix.diff ( 1) tcptls_fix.diff | ||
| Description: | When calling in this situation and tlsdontverifyserver is set to no, Asterisk produces the error message: ERROR[16872]: tcptls.c:199 handle_tcptls_connection: Certificate did not verify: certificate signature failure This should cause the call to fail, but it does not. The call completes successfully. | ||||
| Comments: | By: Kinsey Moore (kmoore) 2012-10-12 10:46:05.414-0500 Attached a possible fix for this situation and an additional fix that would avoid a segfault if no certificate is provided and common name checking is not disabled. By: Kinsey Moore (kmoore) 2012-10-12 11:20:29.286-0500 Updated diff with slightly simplified code. | ||||