[sr-dev] [kamailio/kamailio] tls: add sel for tls verified cert chain (requires OpenSSL 1.1+) (#2289)

Armen Babikyan notifications at github.com
Fri Apr 17 08:59:31 CEST 2020


* New Feature
* Changes Tested Locally

This sel variable allows a kam script to get access to not just the peer certificate (at index 0), but when a certificate is successfully verified, the entire chain of certificates that were used to verify the peer certificate (at index 1, 2, 3, etc.).

This functionality is provided by OpenSSL's SSL_get0_verified_chain() function, which is only available in OpenSSL 1.1.0+ (which is why there is an #if for this feature).

This is important when a server trusts many CAs - without this addition, I don't think that it is definitively possible to tell which CA signed the verified certificate, leading to security issues if one of the trusted CAs was compromised and was used to sign certificates that look like they were signed by another issuing CA.
You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/2289

-- Commit Summary --

  * tls: add sel for tls verified cert chain (requires OpenSSL 1.1+)

-- File Changes --

    M src/modules/tls/tls_select.c (121)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/2289.patch
https://github.com/kamailio/kamailio/pull/2289.diff
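The point made in the description above, shown as an added example that is not part of the pull request or of Kamailio: when several CAs are trusted, the peer certificate's Issuer field alone does not say which trust anchor vouched for it, while the last element of the verified chain does. It uses Go's crypto/x509 verifier as a self-contained stand-in for OpenSSL's SSL_get0_verified_chain() (chains[0] here corresponds to that chain, leaf first, anchor last); the CA and host names and the fixture certificates are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed fixture certificate (not a real CA) for cn, signed by parent/pkey, or self-signed when parent is nil.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as a CA should use
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, pkey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifiedAnchor verifies leaf as a TLS peer would (trusted roots plus the intermediates the peer sent) and
// returns the CN of the trust anchor ending the verified chain: the last element of chains[0], the counterpart of the last element of OpenSSL's SSL_get0_verified_chain().
func verifiedAnchor(leaf *x509.Certificate, inters, roots []*x509.Certificate) (string, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots { rootPool.AddCert(r) }
	for _, i := range inters { interPool.AddCert(i) }
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool})
	if err != nil { return "", err }
	return chains[0][len(chains[0])-1].Subject.CommonName, nil
}

// demo trusts two roots; the leaf is issued by an intermediate that chains to root B only.
// Returns (leaf Issuer CN, verified anchor CN, err): the Issuer field alone names just "Issuing CA".
func demo() (string, string, error) {
	rootA, _ := mkCert("Root CA A", true, nil, nil)
	rootB, keyB := mkCert("Root CA B", true, nil, nil)
	inter, keyI := mkCert("Issuing CA", true, rootB, keyB)
	leaf, _ := mkCert("sip.example.test", false, inter, keyI)
	anchor, err := verifiedAnchor(leaf, []*x509.Certificate{inter}, []*x509.Certificate{rootA, rootB})
	return leaf.Issuer.CommonName, anchor, err
}

func main() { fmt.Println(demo()) }
```

A script-level policy that pins the expected trust anchor (compare the anchor CN, or better its fingerprint, against an allow-list) is what the new sel makes possible; checking only index 0 would accept the leaf no matter which trusted CA ended the chain.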
