|Summary:||ASTERISK-20559: SIP TCP/TLS: When checking the CA certificate fails, the call still goes through|
|Reporter:||Kinsey Moore (kmoore)||Labels:|
|Date Opened:||2012-10-12 09:25:49||Date Closed:||2012-10-17 15:22:19|
|Versions:||220.127.116.11 10.9.0 11.0.0-beta2||Frequency of|
|Environment:||SIP TCP/TLS connection with differing CA certificates set on either side of the connection. Each side of the call has a valid CA certificate for its respective key, but the CA certificates are not valid for the key on the remote side.||Attachments:||( 0) tcptls_fix.diff|
( 1) tcptls_fix.diff
|Description:||When calling in this situation and tlsdontverifyserver is set to no, Asterisk produces the error message:|
ERROR: tcptls.c:199 handle_tcptls_connection: Certificate did not verify: certificate signature failure
This should cause the call to fail, but it does not. The call completes successfully.
|Comments:||By: Kinsey Moore (kmoore) 2012-10-12 10:46:05.414-0500|
Attached a possible fix for this situation and an additional fix that would avoid a segfault if no certificate is provided and common name checking is not disabled.
By: Kinsey Moore (kmoore) 2012-10-12 11:20:29.286-0500
Updated diff with slightly simplified code.
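The failure mode from the description (verification error logged, connection kept) and the missing-certificate case from the first comment, modelled side by side as an added example. This is not the attached tcptls_fix.diff and not Asterisk's code; every type, function and sample value below is hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <strings.h>

/* Hypothetical model of post-handshake state; not Asterisk's data structures. */
enum verify_result { VERIFY_OK, VERIFY_SIGNATURE_FAILURE };
struct peer_cert { const char *common_name; };
struct tls_session {
    enum verify_result verify;     /* outcome of CA chain validation */
    const struct peer_cert *cert;  /* NULL when the peer presented no certificate */
    const char *expected_host;
    bool dont_verify_server;       /* models tlsdontverifyserver=yes */
    bool ignore_common_name;       /* models common name checking disabled */
};

/* Fail-open: the failure is logged, but nothing stops the connection. */
static bool accept_fail_open(const struct tls_session *s)
{
    if (!s->dont_verify_server && s->verify != VERIFY_OK)
        fprintf(stderr, "Certificate did not verify\n");
    return true;
}

/* Fail-closed: any verification failure rejects the connection. */
static bool accept_fail_closed(const struct tls_session *s)
{
    if (s->dont_verify_server)
        return true;                /* operator opted out of verification */
    if (s->verify != VERIFY_OK)
        return false;               /* chain did not validate: drop */
    if (s->ignore_common_name)
        return true;
    if (s->cert == NULL || s->cert->common_name == NULL)
        return false;               /* nothing to compare: reject, never dereference */
    /* Simplified exact match; wildcard and subjectAltName handling are omitted. */
    return strcasecmp(s->cert->common_name, s->expected_host) == 0;
}

/* Constructed sample sessions. */
static const struct peer_cert pbx_cert = { "pbx.example.test" };
static const struct tls_session wrong_ca = { VERIFY_SIGNATURE_FAILURE, &pbx_cert, "pbx.example.test", false, false };
static const struct tls_session no_cert = { VERIFY_OK, NULL, "pbx.example.test", false, false };
static const struct tls_session trusted = { VERIFY_OK, &pbx_cert, "pbx.example.test", false, false };

int main(void)
{
    printf("wrong CA: open=%d closed=%d\n", accept_fail_open(&wrong_ca), accept_fail_closed(&wrong_ca));
    printf("no cert: %d  trusted: %d\n", accept_fail_closed(&no_cert), accept_fail_closed(&trusted));
    return 0;
}
```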