kenmirrors/freeswitch
1
0
Fork 0
mirror of https://github.com/signalwire/freeswitch.git synced 2025-04-14 16:15:04 +00:00
Code Issues Projects Releases Wiki Activity

Fix docs on enabling cert CN/SAN validation

Browse Source 
The correct incantations to enable certification common name / subject
alternative name verification, per our code, are `subjects_all`,
`subjects_in`, and `subjects_out` in a Sofia profile's
`tls-verify-policy`.  What we've had in our examples and documentation
for years are `all_subjects`, `in_subjects`, and `out_subjects`.

The result of this is that we've almost certainly confused people into
using the incorrect forms.  Those poor people will believe that they
are verifying the CN/SAN of the received host certificate against the
list in `tls-verify-in-subjects` when in fact they are not.

One clear issue in this case was that the incorrect forms failed to
have any effect without providing any warning or error.  This issue
could not have persisted if we had made more noise about incorrect
input.

Given how long this has been broken, it's tempting to alias the
incorrect forms to the correct ones.  However this would certainly
break many existing installations that have, because of this error,
never actually tested their setup with CN/SAN validation enabled.

In this commit, we fix the examples and documentation, and add an
error-level log output when unknown values are passed to
`tls-verify-policy`.

Thanks-to: Andrew Patrikalakis <anrp+freeswitch@anrp.net>
This commit is contained in:
Travis Cross 2015-05-26 14:01:31 +00:00
parent 0c75eaa809
commit 1d726c1d91
6 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
conf/rayo/sip_profiles/external.xml
View File

@ -84,7 +84,7 @@
<!-- Verify the date on TLS certificates -->
<param name="tls-verify-date" value="true"/>
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'in_subjects', 'out_subjects' and 'all_subjects' for subject validation. Multiple policies can be split with a '|' pipe -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject validation. Multiple policies can be split with a '|' pipe -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>

2
conf/vanilla/sip_profiles/external-ipv6.xml
View File

@ -84,7 +84,7 @@
<!-- Verify the date on TLS certificates -->
<param name="tls-verify-date" value="true"/>
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'in_subjects', 'out_subjects' and 'all_subjects' for subject validation. Multiple policies can be split with a '|' pipe -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject validation. Multiple policies can be split with a '|' pipe -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>

2
conf/vanilla/sip_profiles/external.xml
View File

@ -84,7 +84,7 @@
<!-- Verify the date on TLS certificates -->
<param name="tls-verify-date" value="true"/>
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'in_subjects', 'out_subjects' and 'all_subjects' for subject validation. Multiple policies can be split with a '|' pipe -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject validation. Multiple policies can be split with a '|' pipe -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>

2
conf/vanilla/sip_profiles/internal.xml
View File

@ -204,7 +204,7 @@
<!-- Verify the date on TLS certificates -->
<param name="tls-verify-date" value="true"/>
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'in_subjects', 'out_subjects' and 'all_subjects' for subject validation. Multiple policies can be split with a '|' pipe -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject validation. Multiple policies can be split with a '|' pipe -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>

2
src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
View File

@ -242,7 +242,7 @@
how should we verify their certificate -->
<!-- set to 'in' to only verify incoming connections, 'out' to only
verify outgoing connections, 'all' to verify all connections, also
'in_subjects', 'out_subjects' and 'all_subjects' for subject
'subjects_in', 'subjects_out' and 'subjects_all' for subject
validation. Multiple policies can be split with a '|' pipe -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS

4
src/mod/endpoints/mod_sofia/sofia_glue.c
View File

@ -323,6 +323,10 @@ enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char * str){
ret |= TPTLS_VERIFY_SUBJECTS_OUT;
} else if (!strncasecmp(ptr_cur, "subjects_all",len)) {
ret |= TPTLS_VERIFY_SUBJECTS_ALL;
} else {
char el[32] = {0};
strncpy(el, ptr_cur, len < sizeof(el) ? len : sizeof(el) - 1);
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Invalid tls-verify-policy value: %s\n", el);
}
ptr_cur = ptr_next;
}