<p>Note: See below for more info about motivation of this feature.</p>
<h4>Pre-Submission Checklist</h4>
<ul>
<li>[ * ] Commit message has the format required by CONTRIBUTING guide</li>
<li>[ * ] Commits are split per component (core, individual modules, libs, utils, ...)</li>
<li>[ * ] Each component has a single commit (if not, squash them into one commit)</li>
<li>[ * ] No commits to README files for modules (changes must be done to docbook files<br>
in <code>doc/</code> subfolder, the README file is autogenerated)</li>
</ul>
<h4>Type Of Change</h4>
<ul class="contains-task-list">
<li class="task-list-item"><input type="checkbox" id="" disabled="" class="task-list-item-checkbox"> Small bug fix (non-breaking change which fixes an issue)</li>
<li>[ * ] New feature (non-breaking change which adds new functionality)</li>
<li class="task-list-item"><input type="checkbox" id="" disabled="" class="task-list-item-checkbox"> Breaking change (fix or feature that would change existing functionality)</li>
</ul>
<h4>Checklist:</h4>
<ul class="contains-task-list">
<li class="task-list-item"><input type="checkbox" id="" disabled="" class="task-list-item-checkbox"> PR should be backported to stable branches</li>
<li>[ * ] Tested changes locally</li>
<li class="task-list-item"><input type="checkbox" id="" disabled="" class="task-list-item-checkbox"> Related to issue #XXXX (replace XXXX with an open issue number)</li>
</ul>
<h4>Description</h4>
<p>This feature aims to replace require_certificate and verify_certificate params with a single option, verify_client:</p>
<ul>
<li>Provides flexibility: require_certificate and verify_certificate are both booleans, so there are only 4 max combinations of params, and only 3 of them make sense (require_certificate=1 and verify_certificate=0 does not). In contrast, verify_client is a list of enumerated values, which can be more gracefully expanded by adding additional behaviors to the enum.</li>
<li>Motivation for this feature is to enable optional_no_ca behavior, described in the docbook; without this feature, that behavior cannot be represented by any combination of require_certificate and verify_certificate. I figured if I need to add another variable to support desired behavior, it may as well be one that can hold more than just boolean values.</li>
<li>This feature was inspired by a similar one in Nginx; that software has a similar "ssl_verify_client" option that takes the same "on", "off", "optional", and "optional_no_ca" values, which effectively implement the same feature. Note that there is no shared code between implementations, and that these behaviors are implemented (in both cases) via a very thin layer of glue code on top of the OpenSSL library.</li>
<li>Note that the only function definition in tls_verify.c, verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx), has been compiled into the kamailio binary, but apparently not used. Rather than modify the existing function, I added a simple 1-line function (2 if you count the log message too) to enable this feature.</li>
</ul>
<p>Please let me know if I can answer any questions. Thanks!</p>
<hr>
<h4>You can view, comment on, or merge this pull request online at:</h4>
<p> <a href='https://github.com/kamailio/kamailio/pull/2166'>https://github.com/kamailio/kamailio/pull/2166</a></p>
<h4>Commit Summary</h4>
<ul>
<li>tls: add verify_client support</li>
</ul>
<h4>File Changes</h4>
<ul>
<li>
<strong>M</strong>
<a href="https://github.com/kamailio/kamailio/pull/2166/files#diff-0">src/modules/tls/doc/params.xml</a>
(52)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/kamailio/kamailio/pull/2166/files#diff-1">src/modules/tls/tls_cfg.c</a>
(3)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/kamailio/kamailio/pull/2166/files#diff-2">src/modules/tls/tls_cfg.h</a>
(1)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/kamailio/kamailio/pull/2166/files#diff-3">src/modules/tls/tls_config.c</a>
(31)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/kamailio/kamailio/pull/2166/files#diff-4">src/modules/tls/tls_config.h</a>
(4)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/kamailio/kamailio/pull/2166/files#diff-5">src/modules/tls/tls_domain.c</a>
(20)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/kamailio/kamailio/pull/2166/files#diff-6">src/modules/tls/tls_domain.h</a>
(14)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/kamailio/kamailio/pull/2166/files#diff-7">src/modules/tls/tls_mod.c</a>
(12)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/kamailio/kamailio/pull/2166/files#diff-8">src/modules/tls/tls_rpc.c</a>
(3)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/kamailio/kamailio/pull/2166/files#diff-9">src/modules/tls/tls_verify.c</a>
(6)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/kamailio/kamailio/pull/2166/files#diff-10">src/modules/tls/tls_verify.h</a>
(5)
</li>
</ul>
<h4>Patch Links:</h4>
<ul>
<li><a href='https://github.com/kamailio/kamailio/pull/2166.patch'>https://github.com/kamailio/kamailio/pull/2166.patch</a></li>
<li><a href='https://github.com/kamailio/kamailio/pull/2166.diff'>https://github.com/kamailio/kamailio/pull/2166.diff</a></li>
</ul>
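<p>Added example (not code from this pull request or from Kamailio): a self-contained C model of how the four verify_client values named in the description could map onto OpenSSL verify flags and a permissive verify callback, and what each does with a client certificate whose chain does not verify. The names <code>verify_policy</code>, <code>parse_verify_client</code> and <code>handshake_allowed</code> are hypothetical, and the mapping is an assumption based on the documented behaviour of OpenSSL's SSL_CTX_set_verify().</p>

```c
#include <stdio.h>
#include <string.h>
/* Same numeric values as OpenSSL's SSL_VERIFY_NONE, SSL_VERIFY_PEER and
 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT, redefined so this model builds without libssl. */
enum { VFY_NONE = 0x00, VFY_PEER = 0x01, VFY_FAIL_IF_NO_PEER_CERT = 0x02 };
/* Hypothetical record: verify flags, plus "the verify callback always returns 1". */
struct verify_policy { int flags; int accept_any_chain; };

/* Map a verify_client value to a policy; returns -1 for an unknown value. */
int parse_verify_client(const char *v, struct verify_policy *p)
{
    p->flags = VFY_PEER;            /* "optional" and "optional_no_ca" keep this */
    p->accept_any_chain = 0;
    if (strcmp(v, "off") == 0)
        p->flags = VFY_NONE;
    else if (strcmp(v, "on") == 0)
        p->flags |= VFY_FAIL_IF_NO_PEER_CERT;
    else if (strcmp(v, "optional_no_ca") == 0)
        p->accept_any_chain = 1;
    else if (strcmp(v, "optional") != 0)
        return -1;
    return 0;
}

/* has_cert: client sent a certificate; chain_ok: it verified against the CA store.
 * Returns 1 if the handshake completes; *trusted is 1 only for a verified chain. */
int handshake_allowed(const struct verify_policy *p, int has_cert, int chain_ok, int *trusted)
{
    *trusted = 0;
    if (!(p->flags & VFY_PEER))
        return 1;                   /* no certificate is requested */
    if (!has_cert)
        return !(p->flags & VFY_FAIL_IF_NO_PEER_CERT);
    *trusted = chain_ok;
    return chain_ok || p->accept_any_chain;
}

int main(void)
{
    const char *modes[] = { "off", "on", "optional", "optional_no_ca" };
    struct verify_policy p;
    int trusted;
    for (int i = 0; i < 4; i++) {   /* constructed case: certificate with a bad chain */
        parse_verify_client(modes[i], &p);
        int ok = handshake_allowed(&p, 1, 0, &trusted);
        printf("%-15s handshake=%d trusted=%d\n", modes[i], ok, trusted);
    }
    return 0;
}
```

<p>In this model optional_no_ca is the only mode where a certificate with an unverifiable chain still yields a completed handshake, so whatever consumes the connection has to check the verification result (in OpenSSL, SSL_get_verify_result()) before treating that certificate as an identity.</p>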