[Serusers] TLS comments
Andrei Pelinescu-Onciul
andrei at iptel.org
Fri Feb 3 16:27:32 CET 2006
On Feb 03, 2006 at 16:02, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
> Andrei Pelinescu-Onciul wrote:
> >On Feb 03, 2006 at 15:48, Jan Janak <jan at iptel.org> wrote:
> >
> >>Andrei Pelinescu-Onciul wrote:
>
> >>>> if (@tls.version == "SSLv2") {
> >>>> sl_send_reply("400", "Bad TLS protocol version");
> >>>> break;
> >>>> }
> >>>
> >>>I think we should not handle TLS errors from the script. A TLS client
> >>>will expect the handshake phase to fail if it uses an unsupported SSL
> >>>version or the wrong certificate. Accepting the ssl connection and then
> >>>returning a SIP error or plainly dropping it, it's just wrong IMHO and
> >>>not very TLS frienldy/conformant. That's what the handshake phase for.
> >>
> >> This was just debugging tip for Klaus. I think that the only case when
> >> sending a SIP reply back is when the client presents a valid certificate
> >> but the common name (or any other field used for authentication) is
> >> invalid. That is if the client presented a valid certificate but
> >> incorrect
> >> one then we should reject politely, otherwise tls handshake just fails.
> >>
> >>
> >>>Moreover if you go to the trouble to accept the connection just to
> >>>reject it immediately you will waste more resources.
> >>>If you don't want to accept V2, then just change the method.
> >>>For cetificates: you either verify them (you can have verify off, verify
> >>>but don't check host name/ip, verify all) or not.
> >>
> >> The verification process does not include checking of common name,
> >> subject
> >> alternative name and other certificate fields. This is what you should
> >> do
> >> in the script.
> >
> >
> >No, I think you should have a verify all option.
> >You could use then the script to allow access to certain resources only
> >to certain clients, but the certificate validity checks should be done
> >at the tls level.
>
> I think this is not possible in all cases. There are many SIP scenarios
> where you can not check the domains. For example in-dialog requests with
> forwarding scenarios. Orwhen the TLS connection has to reestablished for
> responses. Then which SIP domain do you use?
That's why you should set tls certificates/cas on an ip base (it would
be easy to choose the correct certificate/ca).
The tls "extended" certificate checks will just make sure that the
certificate was issued for the ip or dns name of the peer.
This should be a configuration option (e.g tl_verify= off|on|extended).
What I'm trying to say is that certificate validity checks don't make
sense in the script, in the "normal scenarios".
You could use them (with tls_verify=on), but not to deny access in
general, just for some limited resources (e.g. allow local calls, but
permit relaying only if <extra certificate checks>).
Andrei
>
> regards
> klaus
More information about the sr-users
mailing list