[sr-dev] [kamailio/kamailio] stirshaken: Properly handle intermediary/chain certificates when caching certificates (PR #3175)

mrtrev notifications at github.com
Sun Jul 3 02:18:59 CEST 2022 

<!-- Kamailio Pull Request Template -->

<!--
IMPORTANT:
  - for detailed contributing guidelines, read:
    https://github.com/kamailio/kamailio/blob/master/.github/CONTRIBUTING.md
  - pull requests must be done to master branch, unless they are backports
    of fixes from master branch to a stable branch
  - backports to stable branches must be done with 'git cherry-pick -x ...'
  - code is contributed under BSD for core and main components (tm, sl, auth, tls)
  - code is contributed GPLv2 or a compatible license for the other components
  - GPL code is contributed with OpenSSL licensing exception
-->

#### Pre-Submission Checklist
<!-- Go over all points below, and after creating the PR, tick all the checkboxes that apply -->
<!-- All points should be verified, otherwise, read the CONTRIBUTING guidelines from above-->
<!-- If you're unsure about any of these, don't hesitate to ask on sr-dev mailing list -->
- [ ] Commit message has the format required by CONTRIBUTING guide
- [ ] Commits are split per component (core, individual modules, libs, utils, ...)
- [ ] Each component has a single commit (if not, squash them into one commit)
- [ ] No commits to README files for modules (changes must be done to docbook files
in `doc/` subfolder, the README file is autogenerated)

#### Type Of Change
- [ ] Small bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds new functionality)
- [ ] Breaking change (fix or feature that would change existing functionality)

#### Checklist:
<!-- Go over all points below, and after creating the PR, tick the checkboxes that apply -->
- [ ] PR should be backported to stable branches
- [ ] Tested changes locally
- [ ] Related to issue #XXXX (replace XXXX with an open issue number)

#### Description
<!-- Describe your changes in detail -->
When the stirshaken module is in use and configured to cache certifications, validation will succeed on the very first attempt but will then fail every time the certificate is loaded from cache.  The reason is because this module only saves the certificate and discards the any supplied chain certificates.  This patch causes the module to save all supplied certificates and properly loads them upon retrieval.

For the loading to work a patch is required in libstirshaken.  A PR has already been submitted and is linked below.  Without that patch the problem will persist but no other harm is done.  This is a safe change to make that does not break existing behaviour.

- save all certificates provided by signor to the disk cache
- properly load all certificates when loading from cache
- requires patch to libstirshaken (PR 123); this patch causes no harm (but no benefit) without it
- resolve unrelated compiler warnings on 32bit systems

https://github.com/signalwire/libstirshaken/pull/123

You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/3175

-- Commit Summary --

  * stirshaken: Properly handle intermediary/chain certificates when caching certificates
  * stirshaken: close file in write failure cases

-- File Changes --

    M src/modules/stirshaken/stirshaken_mod.c (106)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/3175.patch
https://github.com/kamailio/kamailio/pull/3175.diff

-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/3175
You are receiving this because you are subscribed to this thread.

Message ID: <kamailio/kamailio/pull/3175 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-dev/attachments/20220702/0cadd8dd/attachment.htm>

More information about the sr-dev mailing list