Summary: ASTERISK-20559: SIP TCP/TLS: When checking the CA certificate fails, the call still goes through
Reporter: Kinsey Moore (kmoore)
Labels:
Date Opened: 2012-10-12 09:25:49
Date Closed: 2012-10-17 15:22:19
Versions: 10.9.0, 11.0.0-beta2
Must be completed before resolving: ASTERISK-20531 (Asterisk 11.0.0 Blockers)
Environment: SIP TCP/TLS connection with differing CA certificates set on either side of the connection. Each side of the call has a valid CA certificate for its respective key, but the CA certificates are not valid for the key on the remote side.
Attachments:
( 0) tcptls_fix.diff
( 1) tcptls_fix.diff
Description: When calling in this situation and tlsdontverifyserver is set to no, Asterisk produces the error message:

    ERROR[16872]: tcptls.c:199 handle_tcptls_connection: Certificate did not verify: certificate signature failure

This should cause the call to fail, but it does not. The call completes successfully.
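The following sip.conf fragment is an added example (not an attachment to this ticket and not Asterisk's own sample configuration) that sets up the calling side the way the Environment field describes: TLS enabled, verification of the remote certificate turned on with tlsdontverifyserver=no, and a tlscafile that points at a CA bundle. The file paths, the peer name and the remote hostname are assumed placeholders.

```ini
; sip.conf, calling side (added example; paths, peer name and hostname are assumed)
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/local.pem       ; this side's certificate (assumed path)
tlsprivatekey=/etc/asterisk/keys/local.key     ; this side's private key (assumed path)
; tlscafile must contain the CA that signed the REMOTE side's certificate.
; If it only holds the CA for the local key, as in the ticket's Environment,
; verification fails with "Certificate did not verify".
tlscafile=/etc/asterisk/keys/remote-ca.crt     ; assumed path
tlsdontverifyserver=no                          ; verify the remote certificate

[remote-pbx]                                    ; peer name assumed
type=friend
host=remote.example.com                         ; assumed hostname
port=5061
transport=tls
```

With this configuration on the versions listed above, the only sign that verification failed is the ERROR line in the Asterisk log, because the call still proceeds; operators relying on tlsdontverifyserver=no to reject mis-issued or wrong-CA certificates should therefore alert on that log line until the attached fix is applied, after which the verification failure causes the call to fail as the description expects.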
Comments:

By: Kinsey Moore (kmoore) 2012-10-12 10:46:05.414-0500

Attached a possible fix for this situation and an additional fix that would avoid a segfault if no certificate is provided and common name checking is not disabled.

By: Kinsey Moore (kmoore) 2012-10-12 11:20:29.286-0500

Updated diff with slightly simplified code.