Commit 2d8fffb7 authored by Simon Morlat's avatar Simon Morlat

Use TLS certificates from linux's standard path (/etc/ssl/certs), and allow...

Use TLS certificates from Linux's standard path (/etc/ssl/certs), and allow wildcard certificates despite RFC 5922.
parent 2d4be4e9
......@@ -11,7 +11,7 @@ dnl information on the package
dnl ---------------------------
dnl update both the version for AC_INIT and the LIBSOFIA_SIP_UA_MAJOR_MINOR
AC_INIT([sofia-sip], [1.13.25bc])
AC_INIT([sofia-sip], [1.13.26bc])
AC_CONFIG_SRCDIR([libsofia-sip-ua/sip/sofia-sip/sip.h])
AC_CONFIG_MACRO_DIR([m4])
AC_SUBST(VER_LIBSOFIA_SIP_UA_MAJOR_MINOR, [1.13])
......
......@@ -37,6 +37,10 @@
#include "config.h"
#ifndef SOFIA_SIP_ALLOW_WILDCARD_CERTS
#define SOFIA_SIP_ALLOW_WILDCARD_CERTS 1
#endif
#include <sofia-sip/su_string.h>
#include <sofia-sip/su.h>
#include <sofia-sip/su_errno.h>
......@@ -3283,8 +3287,18 @@ tport_subject_search(char const *subject, su_strlst_t const *lst)
/* Match two SIP Server Identities */
if (host_cmp(subjuri ? subjuri : subject, lsturi ? lsturi : lststr) == 0)
return 1;
#if 0
/* XXX - IETF drafts forbid wildcard certs */
#ifdef SOFIA_SIP_ALLOW_WILDCARD_CERTS
/*
* See https://tools.ietf.org/html/rfc5922 .
* Wildcard certificates are explicitely disallowed by this RFC.
* However no rational is given from this prohibition. The advantages of inconvenience of wildcard certificates are known.
* It is a matter of balance between security and convenience of administration.
* I personnally don't understand why an RFC about SIP should take a position on this.
* Furthermore there is no explanation about why they would be bad for SIP but acceptable for https.
* It should be the role of IETF's Network Working Group to make the decision to prohibit wildcard certificates, not
* from the sipcore working group.
* - SM
*/
if (!subjuri && !lsturi && su_strnmatch("*.", lststr, 2)) {
size_t urioffset = su_strncspn(subject, 64, ".");
if (urioffset) {
......
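Review bot: The wildcard branch (`#ifdef SOFIA_SIP_ALLOW_WILDCARD_CERTS` through `if (urioffset) {`) is compiled in for every build, because the earlier hunk's `#ifndef`/`#define SOFIA_SIP_ALLOW_WILDCARD_CERTS 1` makes the macro default to 1 unless a packager overrides it, so the RFC 5922 deviation becomes the default with no run-time way for a deployment that relies on strict identity matching to keep the old behaviour; a tag-level switch, or at least a NEWS entry, would address that. The `*.` prefix test is applied to `lststr`, i.e. the locally configured verify-subject entry rather than the peer certificate's subject, so the wildcard appears to be operator-driven — that is what limits the exposure and is worth saying in the comment. The `su_strncspn(subject, 64, ".")` bound also needs a note: a subject whose first label is longer than 64 bytes yields a capped offset, and whether that fails closed depends on the comparison under `if (urioffset) {`, which continues outside the hunk. I would replace the editorial comment (typos: `explicitely`, `rational`, `personnally`, `advantages of inconvenience`) with a factual one such as `/* Deviation from RFC 5922: a configured verify subject of the form "*.example.com" is matched against the certificate subject starting at its first '.'. Build-time switch: SOFIA_SIP_ALLOW_WILDCARD_CERTS (default 1). */`.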
......@@ -199,6 +199,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
su_strlst_t const *tls_subjects = NULL;
su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
tls_issues_t ti = {0};
const char *ssl_env_dir;
su_home_auto(autohome, sizeof autohome);
......@@ -217,14 +218,22 @@ static int tport_tls_init_master(tport_primary_t *pri,
TPTAG_TLS_VERIFY_SUBJECTS_REF(tls_subjects),
TAG_END());
/*Initialize base things with our TLS usage*/
if (tls_ciphers) ti.ciphers = su_strdup(autohome, tls_ciphers);
ssl_env_dir = getenv("SSL_CERT_DIR");
if (ssl_env_dir){
ti.CApath = su_strdup(autohome, ssl_env_dir);
}else{
ti.CApath = "/etc/ssl/certs";
}
ti.policy = tls_policy | (tls_verify ? TPTLS_VERIFY_ALL : 0);
ti.verify_depth = tls_depth;
ti.verify_date = tls_date;
ti.version = tls_version;
if (path) {
if (su_strmatch(path, ":") || su_strmatch(path, "")) {
path = NULL;
ti.policy = tls_policy | (tls_verify ? TPTLS_VERIFY_ALL : 0);
ti.verify_depth = tls_depth;
ti.verify_date = tls_date;
ti.version = tls_version;
tlspri->tlspri_master = tls_init_master(&ti);
}
} else {
......@@ -242,23 +251,16 @@ static int tport_tls_init_master(tport_primary_t *pri,
}
ti.keystore = NULL;
if(reg != 0) {
printf("it's a file\n");
ti.keystore = path;
ti.keystore = su_strdup(autohome,path);
}
ti.policy = tls_policy | (tls_verify ? TPTLS_VERIFY_ALL : 0);
ti.verify_depth = tls_depth;
ti.verify_date = tls_date;
ti.configured = path != tbf;
ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
ti.key = su_sprintf(autohome, "%s/%s", path, "agent.pem");
ti.passphrase = su_strdup(autohome, passphrase);
ti.cert = ti.key;
ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
if (tls_ciphers) ti.ciphers = su_strdup(autohome, tls_ciphers);
ti.version = tls_version;
ti.CApath = su_strdup(autohome, path);
SU_DEBUG_9(("%s(%p): tls key = %s\n", __func__, (void *)pri, ti.key));
SU_DEBUG_9(("%s(%p): tls key = %s ; CApath = %s\n", __func__, (void *)pri, ti.key, ti.CApath));
if (ti.key && ti.CAfile && ti.randFile) {
if (access(ti.key, R_OK) != 0) ti.key = NULL;
......@@ -267,6 +269,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
tlspri->tlspri_master = tls_init_master(&ti);
}
}
su_home_zap(autohome);
......
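Review bot: `getenv("SSL_CERT_DIR")` in the -217 hunk lets the process environment choose the directory of trust anchors that `tls_init_master(&ti)` will verify peers against; if this library is ever linked into a set-user-ID or otherwise privileged process, an unprivileged caller can redirect verification to a directory of CA certificates they control. On glibc `secure_getenv()` (or an explicit euid/uid check) is the usual guard, and an empty value should be treated like an unset one rather than copied into `ti.CApath`: `if (ssl_env_dir && *ssl_env_dir) ti.CApath = su_strdup(autohome, ssl_env_dir); else ti.CApath = "/etc/ssl/certs";`. The hard-coded `/etc/ssl/certs` is Linux-specific, as the commit message says, and deserves a comment marking it as a fallback only (`/* Linux distribution default; SSL_CERT_DIR overrides it */`), since other platforms keep their bundles elsewhere; the `if (ssl_env_dir){` / `}else{` spacing also differs from the file's `if (path) {` / `} else {` style. The `printf("it's a file\n")` in the -242 hunk is context rather than new code, but it writes to stdout from library code where the surrounding lines use `SU_DEBUG_9`. `tport_tls_init_master` begins and ends outside these hunks.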