Ensure Asterisk fails TCP/TLS SIP calls when certificate checking fails

When placing a call to a TCP/TLS SIP endpoint whose certificate is not signed by a configured CA certificate, Asterisk would issue a warning and continue to process the call as if there was not an issue with the certificate. Asterisk now properly fails the call if the certificate fails verification or if the certificate does not exist when certificate checking is enabled (the default behavior). (closes issue ASTERISK-20559) Reported by: kmoore Review: https://reviewboard.asterisk.org/r/2163/ ........ Merged revisions 375146 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 375147 from http://svn.asterisk.org/svn/asterisk/branches/10 ........ Merged revisions 375148 from http://svn.asterisk.org/svn/asterisk/branches/11 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@375149 65c4cc65-6c06-0410-ace0-fbb531ad65f3
author: Kinsey Moore <kmoore@digium.com> 2012-10-17 19:01:27 +0000
committer: Kinsey Moore <kmoore@digium.com> 2012-10-17 19:01:27 +0000
commit: 372e29620c4b0b1db59bc7b96637e54479a76696 (patch)
tree: c4a65b659e4622f8452b402edb4ad57c644ff617 /main/tcptls.c
parent: 6d57ecd48c2efa36973ebcf204ffed0ed8a39580 (diff)
1 files changed, 11 insertions, 7 deletions
diff --git a/main/tcptls.c b/main/tcptls.c
index b52cdc491..dffba1dcd 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -198,11 +198,19 @@ static void *handle_tcptls_connection(void *data)
 				long res;
 				peer = SSL_get_peer_certificate(tcptls_session->ssl);
 				if (!peer) {
-					ast_log(LOG_WARNING, "No peer SSL certificate\n");
+					ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");
+					ast_tcptls_close_session_file(tcptls_session);
+					ao2_ref(tcptls_session, -1);
+					return NULL;
 				}
+
 				res = SSL_get_verify_result(tcptls_session->ssl);
 				if (res != X509_V_OK) {
 					ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
+					X509_free(peer);
+					ast_tcptls_close_session_file(tcptls_session);
+					ao2_ref(tcptls_session, -1);
+					return NULL;
 				}
 				if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
 					ASN1_STRING *str;
@@ -233,17 +241,13 @@ static void *handle_tcptls_connection(void *data)
 					}
 					if (!found) {
 						ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
-						if (peer) {
-							X509_free(peer);
-						}
+						X509_free(peer);
 						ast_tcptls_close_session_file(tcptls_session);
 						ao2_ref(tcptls_session, -1);
 						return NULL;
 					}
 				}
-				if (peer) {
-					X509_free(peer);
-				}
+				X509_free(peer);
 			}
 		}
 		if (!tcptls_session->f) {	/* no success opening descriptor stacking */
author	Kinsey Moore <kmoore@digium.com>	2012-10-17 19:01:27 +0000
committer	Kinsey Moore <kmoore@digium.com>	2012-10-17 19:01:27 +0000
commit	372e29620c4b0b1db59bc7b96637e54479a76696 (patch)
tree	c4a65b659e4622f8452b402edb4ad57c644ff617 /main/tcptls.c
parent	6d57ecd48c2efa36973ebcf204ffed0ed8a39580 (diff)