[Serusers] TLS: status, CVS, updates ...

Cesc Santasusana cesc.santasusana at nl.thalesgroup.com
Mon Apr 25 13:17:56 CEST 2005


Hi,

I have tested the free-tls code. It compiles and it works. I've tried
with the minisip user agent connecting over TLS, and no major problems.
Also, the interconnection of SER proxies (t_relay_to_tls between
proxies, to force TLS) works.

It seems to me as a rather functional piece of code, much wanted by the
community, though it has not made its way through into the CVS. Why? I
think it is time.

This said, it also has some things that need to be fixed. I recently
sent an email to Peter and ser-dev ... but just got silence back.
Anyway, here's the email, for those who came up with the same problems:
session resuming not supported (but unconfigured) by SER, and no peer
certificate verification.

Cesc


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>I found what I think is a bug. I was testing with minisip, which
>supports TLS completely on the client side (even client certs,
>incoming connections, etc). It would create the initial connection ok
>to SER. After 2 minutes, SER shuts down the socket. So far
>so good. When minisip tries to register, it tries to create a new SSL
>connection, and as it supports session resuming, it would try
>to resume the previous session. But SER does not support it ... and
>here is the bug.
>
>To fix it ... as simple as calling
>       SSL_CTX_set_session_cache_mode( ssl_ctx, SSL_SESS_CACHE_OFF );
>
>This turns the cache off ... and when ssl receives a session resume
>request, it sends back a message indicating it is not possible,
>the client then starts the handshake from scratch.
>Another solution is to implement session caching ... but this may be
>too resource consuming in big servers or in embedded
>systems ... so maybe better just to not support it by default ...
>maybe implement an option to turn it on at will.
>
>Another thing ... the verification of the certificates ... it is
>turned off. It should be turned on I think.
>	/* Set verification procedure
>	 * The verification can be made null with SSL_VERIFY_NONE, or
>	 * at least easier with SSL_VERIFY_CLIENT_ONCE instead of
>	 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
>	 * For extra control, instead of 0, we can specify a callback function:
>	 *     int (*verify_callback)(int, X509_STORE_CTX *)
>	 * Also, depth 2 may be not enough in some scenarios ... though no need
>	 * to increase it much further */
>	SSL_CTX_set_verify( _ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
>	SSL_CTX_set_verify_depth( _ctx, 2);
>
>


Unclassified
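The two fixes in the quoted mail, reproduced against a live server with the openssl command-line tools. This is an added example and is not code from the original post, from SER or from OpenSSL. It assumes an openssl binary (1.1.1 or newer) on PATH and a free loopback port, builds a constructed throw-away PKI, and maps the C calls in the mail onto s_server options: -no_cache is SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); -Verify 2 is SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...) together with SSL_CTX_set_verify_depth(ctx, 2); -verify_return_error stands in for a verify callback that returns 0 on any error (s_server's built-in callback only logs errors otherwise). The client is pinned to TLS 1.2 and the server runs with -no_ticket so that resumption goes through the server-side session cache, as it did with the OpenSSL of the mail's era.

```shell
#!/bin/sh
# Added example, not code from the original post, SER or OpenSSL.
# Shows (1) that with the session cache off a client holding an old session
# simply gets a full handshake, and (2) what SSL_VERIFY_PEER |
# SSL_VERIFY_FAIL_IF_NO_PEER_CERT does to a client without a certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PORT=$(( 20000 + $$ % 20000 ))      # arbitrary free loopback port (assumption)
CLIENT_CERT="-cert $WORK/client.crt -key $WORK/client.key"

# Constructed throw-away PKI: one CA, one server cert, one client cert.
make_pki() {
    cat >"$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=demo-ca" -days 2 2>/dev/null
    for n in server client; do
        openssl req -new -config "$WORK/openssl.cnf" \
            -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$WORK/$n.key" -out "$WORK/$n.csr" -subj "/CN=$n" 2>/dev/null
        openssl x509 -req -in "$WORK/$n.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -out "$WORK/$n.crt" -days 2 2>/dev/null
    done
}

# s_server stands in for the SER TLS listener. -no_ticket keeps TLS 1.2
# resumption cache-based (tickets are stateless and would bypass the cache).
start_server() {   # $1 = extra s_server options, e.g. "-no_cache" or "-Verify 2"
    openssl s_server -www -accept "$PORT" -CAfile "$WORK/ca.crt" \
        -cert "$WORK/server.crt" -key "$WORK/server.key" -no_ticket ${1:-} \
        >"$WORK/server.log" 2>&1 &
    SERVER_PID=$!
    sleep 1                          # let it bind the port
}

stop_server() {
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
}

# One TLS 1.2 connection. Returns s_client's status (0 = handshake completed)
# and prints its "New, ..." / "Reused, ..." session summary line.
tls_connect() {    # $1 = extra s_client options
    out=$(openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -CAfile "$WORK/ca.crt" \
          ${1:-} </dev/null 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -E '^(New|Reused), ' || true
}

# Connect, save the session, reconnect with it: 0 if the server resumed it.
resumed() {        # $1 = extra s_server options
    start_server "$1"
    tls_connect "$CLIENT_CERT -sess_out $WORK/sess.pem" >/dev/null || true
    line=$(tls_connect "$CLIENT_CERT -sess_in $WORK/sess.pem") || line=failed
    stop_server
    case $line in Reused,*) return 0;; *) return 1;; esac
}

# 0 if a client with the given options completes a handshake with the server.
client_auth() {    # $1 = s_server options, $2 = s_client options
    start_server "$1"
    tls_connect "$2" >/dev/null && rc=0 || rc=1
    stop_server
    return $rc
}

run_demo() {
    make_pki
    resumed ""          && RESUMED_WITH_CACHE=yes || RESUMED_WITH_CACHE=no
    resumed "-no_cache" && RESUMED_NO_CACHE=yes   || RESUMED_NO_CACHE=no
    strict="-Verify 2 -verify_return_error"
    client_auth "$strict" "$CLIENT_CERT" && STRICT_WITH_CERT=yes || STRICT_WITH_CERT=no
    client_auth "$strict" ""             && STRICT_NO_CERT=yes   || STRICT_NO_CERT=no
    client_auth "" ""                    && LAX_NO_CERT=yes      || LAX_NO_CERT=no
    printf 'cache on,  client resumes old session:      %s\n' "$RESUMED_WITH_CACHE"
    printf 'cache off, client resumes old session:      %s\n' "$RESUMED_NO_CACHE"
    printf 'VERIFY_PEER|FAIL_IF_NO_PEER_CERT, with cert: %s\n' "$STRICT_WITH_CERT"
    printf 'VERIFY_PEER|FAIL_IF_NO_PEER_CERT, no cert:   %s\n' "$STRICT_NO_CERT"
    printf 'verification off, no cert:                  %s\n' "$LAX_NO_CERT"
}

run_demo
```

Run it as a script; it prints one line per case. The second line is the fix from the mail: with the cache off the resumption attempt is answered with a fresh session and the client completes a full handshake instead of failing. The last line is the state the mail complains about: with verification off the server accepts an anonymous client, and the two lines above it show that SSL_VERIFY_FAIL_IF_NO_PEER_CERT on a listener also rejects every client that has no certificate of its own. Note for anyone applying this on a current OpenSSL: session tickets (RFC 5077) are stateless and bypass the server cache, so SSL_SESS_CACHE_OFF on its own no longer prevents resumption; the example disables them with -no_ticket (SSL_OP_NO_TICKET) for that reason.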




More information about the sr-users mailing list