From: Mahesh N. <mah...@mg...> - 2008-06-04 11:47:49
Hello SIPp Developers.

I was trying to make a SIP call over TLS using SIPp. However I see that the TLS mutual authentication does not happen during the TLS handshake. On further investigation over the source code, it seems that the TLS initialization is not done properly. I have quoted the code below (from sipp.cpp) along with my (Mash) comments:

File: sipp.cpp
Function: static ssl_init_status FI_init_ssl_context (void)

    /* Load the trusted CA's */
    SSL_CTX_load_verify_locations(sip_trp_ssl_ctx, tls_cert_name, NULL);
    SSL_CTX_load_verify_locations(sip_trp_ssl_ctx_client, tls_cert_name, NULL);

    /* CRL load from application specified only if specified on the command line */
    if (strlen(tls_crl_name) != 0) {
        if(sip_tls_load_crls(sip_trp_ssl_ctx,tls_crl_name) == -1) {
            ERROR("FI_init_ssl_context: Unable to load CRL file (%s)", tls_crl_name);
            return SSL_INIT_ERROR;
        }
        if(sip_tls_load_crls(sip_trp_ssl_ctx_client,tls_crl_name) == -1) {
            ERROR("FI_init_ssl_context: Unable to load CRL (client) file (%s)", tls_crl_name);
            return SSL_INIT_ERROR;
        }
    // }   <-- Mash: the block should end here

Mash: According to me, the module should have ended here for the condition if (strlen(tls_crl_name) != 0). And the following initialization should have been outside the above condition to have SSL initialization with mutual authentication in place. There is no connection between CRLs and the SSL initialization. This is a bug which should be rectified asap in my opinion for SIPp to be inter-operable with other SSL products. Without the fix, the TLS would be performed only with server authentication and mutual authentication negotiations would fail.

        /* The following call forces to process the certificates with the */
        /* initialised SSL_CTX                                             */
        SSL_CTX_set_verify(sip_trp_ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, sip_tls_verify_callback);
        SSL_CTX_set_verify(sip_trp_ssl_ctx_client, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, sip_tls_verify_callback);
    }   <-- this is where the block actually ends today

    /* Selection Cipher suits - load the application specified ciphers */
    SSL_CTX_set_default_passwd_cb_userdata(sip_trp_ssl_ctx, (void *)CALL_BACK_USER_DATA );
    SSL_CTX_set_default_passwd_cb_userdata(sip_trp_ssl_ctx_client, (void *)CALL_BACK_USER_DATA );
    SSL_CTX_set_default_passwd_cb( sip_trp_ssl_ctx, passwd_call_back_routine );
    SSL_CTX_set_default_passwd_cb( sip_trp_ssl_ctx_client, passwd_call_back_routine );

================================================================================================================

Let me know if my comments above make sense and whether the fix for the bug can be checked in.

In my local checked-out code, I have further modified the code to have an option during runtime for mutual authentication:

1. with-tls-ma = enabled or disabled. Enabled - with mutual authentication. Disabled - with server authentication only.

If you think what I have explained is valid, I can check in the code for the same and you can cross verify it.

Cheers,
Mahesh.
Technical Lead, Mascon Global Limited.
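The defect and the proposed fix, shown with Python's standard ssl module rather than SIPp's OpenSSL C code so it runs without a build; this is an added example, not code from SIPp or from the post. The function names, the mutual_auth flag (standing in for the with-tls-ma option) and the ca_file/crl_path parameters are assumed for illustration, and the contexts are built without real CA or CRL files so the check runs offline.

```python
import ssl
from typing import Optional


def server_context_as_reported(ca_file: Optional[str], crl_path: Optional[str]) -> ssl.SSLContext:
    """Same control flow as the quoted FI_init_ssl_context(): peer
    verification is switched on only inside the 'a CRL was given' branch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)   # verify_mode defaults to CERT_NONE
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # trusted CA(s), cf. tls_cert_name
    if crl_path:                                    # cf. strlen(tls_crl_name) != 0
        ctx.load_verify_locations(capath=crl_path)  # CRL files are read from capath
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
        # BUG: mutual authentication is requested only when a CRL is configured,
        # mirroring SSL_CTX_set_verify() sitting inside the CRL block.
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def server_context_fixed(ca_file: Optional[str], crl_path: Optional[str], mutual_auth: bool) -> ssl.SSLContext:
    """Layout suggested in the post: close the CRL block first, then decide on
    peer verification independently (mutual_auth stands in for with-tls-ma)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if crl_path:
        ctx.load_verify_locations(capath=crl_path)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    # Equivalent of SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
    ctx.verify_mode = ssl.CERT_REQUIRED if mutual_auth else ssl.CERT_NONE
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """Startup check: does this server context actually demand a client
    certificate? A deployment that believes it runs mutual authentication
    but gets False here is silently doing server-only authentication."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    # No CA or CRL files are needed to show the flaw: with no CRL configured,
    # the reported layout never enables peer verification at all.
    print("as reported, no CRL :", requires_client_cert(server_context_as_reported(None, None)))   # False
    print("fixed, MA enabled   :", requires_client_cert(server_context_fixed(None, None, True)))   # True
    print("fixed, MA disabled  :", requires_client_cert(server_context_fixed(None, None, False)))  # False
```

The same check applies to the client-side context, where the reported layout likewise leaves SSL_VERIFY_PEER unset whenever no CRL is given.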