[sr-dev] setting up TLS connections from Kamailio

Olle E. Johansson oej at edvina.net
Wed Nov 9 16:08:02 CET 2011


9 nov 2011 kl. 16:01 skrev Klaus Darilion:

> IIRC on outgoing TLS connection the certificate validation only includes verification of the certificate chain against the trusted root CAs. I think there is no check which compares the SIP domain (R-URI, Route URI) against the CN/Subject Alternative of the certificate.
I suspected that being the case. Room for improvement.

> 
> Regarding certificate validation checks, I guess if you grep for "set_verify" you should find the code where the certificate validation checks are enabled. The validation itself is done inside openssl.
Thanks.

It's interesting to consider how we could do this. Either hard-code it in the code or make it possible to verify in the config script. If that's the case, we need a route that is executed BEFORE we send a message on a new connection.

Or we just implement SIP connection reuse properly. We could have a list with servers that we should require mutual auth from or something like that.

/O
> 
> klaus
> 
> On 08.11.2011 21:36, Olle E. Johansson wrote:
>> I am trying to get some detailed understanding on the TLS code in Kamailio, but have a problem finding the code used to connect to other servers over TLS. There is some documentation saying that the server part is a bit weird, since we get into the routing script, having accepted a message, before we can evaluate certificates. I agree with that documentation, but it kind of works so far.
>> 
>> I can't find a way to verify the certificate of the server I connect to as a client *BEFORE* I send any message.  Anyone that can comment or point me to the right file?
>> 
>> Thanks,
>> /O
>> 
>> 
>> 
>> _______________________________________________
>> sr-dev mailing list
>> sr-dev at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

---
* Olle E Johansson - oej at edvina.net
* Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
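The missing check discussed above (comparing the SIP domain from the R-URI or Route URI against the certificate's CN / subjectAltName before a message goes out on a new TLS connection) can be written as a small matching routine. The following is an added example, not Kamailio code or anything posted in this thread. It follows a simplified reading of RFC 5922 section 7: identities are taken from subjectAltName entries of type URI (sip:/sips: scheme, no userinfo) and DNS, the subject CN is consulted only when the certificate carries no subjectAltName at all, comparison is case-insensitive and wildcards are rejected. The certificate is passed in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, so the check can sit between the handshake and the first send in a client; the sample certificates at the bottom are constructed for the demonstration.

```python
"""Match a SIP target domain against the identities in a peer's TLS certificate.

Added example, not Kamailio code. Rules are a simplified reading of RFC 5922
section 7 (SIP domain certificates): subjectAltName URI entries with a sip:
or sips: scheme and no userinfo, plus DNS entries, are the identities; the
subject CN counts only when no subjectAltName is present; no wildcards.
"""


def _strip_port(hostport):
    """'example.com:5061' -> 'example.com'; '[2001:db8::1]:5061' -> '2001:db8::1'."""
    if hostport.startswith("["):
        end = hostport.find("]")
        return hostport[1:end] if end != -1 else None
    host, _, _port = hostport.partition(":")
    return host or None


def sip_uri_host(uri):
    """Return the host of a sip:/sips: URI that carries no userinfo, else None.

    Parameters (;transport=tls) and headers (?...) are dropped before the
    port is stripped, so 'sip:example.com:5061;transport=tls' -> 'example.com'.
    """
    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in ("sip", "sips"):
        return None
    if "@" in rest:  # a user@host URI identifies a user, not a domain
        return None
    hostport = rest.split(";", 1)[0].split("?", 1)[0]
    return _strip_port(hostport)


def certificate_identities(cert):
    """Collect the domain identities from a getpeercert()-style dict."""
    sans = cert.get("subjectAltName", ())
    identities = []
    for kind, value in sans:
        if kind == "DNS":
            identities.append(value)
        elif kind == "URI":
            host = sip_uri_host(value)
            if host is not None:
                identities.append(host)
    if sans:
        # A subjectAltName is present: the CN is not consulted, even if none
        # of the SAN entries is usable for SIP (the cert then has no identity).
        return identities
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                identities.append(value)
    return identities


def domain_matches_certificate(domain, cert):
    """True if `domain` (host part of the R-URI or Route URI) is one of the
    certificate's identities: exact, case-insensitive, wildcards rejected."""
    want = domain.rstrip(".").lower()
    for ident in certificate_identities(cert):
        if "*" in ident:
            continue  # wildcard names are not valid SIP domain identities
        if ident.rstrip(".").lower() == want:
            return True
    return False


# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert()
# returns (subject is a tuple of RDNs, each a tuple of (type, value) pairs).
GOOD_CERT = {
    "subject": ((("commonName", "sip.example.com"),),),
    "subjectAltName": (("DNS", "sip.example.com"), ("URI", "sip:example.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "example.net"),),)}
SAN_WITHOUT_SIP_IDENTITY = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("email", "ops@example.org"),),
}


if __name__ == "__main__":
    checks = [
        ("example.com", GOOD_CERT),          # matches the sip: URI SAN
        ("EXAMPLE.COM", GOOD_CERT),          # case-insensitive
        ("other.example.com", GOOD_CERT),    # no such identity
        ("foo.example.com", WILDCARD_CERT),  # wildcard rejected
        ("example.net", CN_ONLY_CERT),       # CN used, no SAN present
        ("example.org", SAN_WITHOUT_SIP_IDENTITY),  # SAN present but unusable
    ]
    for domain, cert in checks:
        verdict = "send" if domain_matches_certificate(domain, cert) else "refuse"
        print(f"{domain:20s} -> {verdict}")
```

Note that getpeercert() only returns the decoded certificate when the SSLContext verified it (verify_mode CERT_REQUIRED); with CERT_NONE it returns an empty dict and this check would refuse every peer, which is the safe failure. Chain validation against the trusted CAs and this identity match are two separate checks, and both have to pass before the first message is written to the connection.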