[Serdev] Re: [Serusers] Free TLS Implementation

Alex Mack amack at fhm.edu
Fri Apr 29 14:58:06 CEST 2005


Hi Greger!

That was me requesting a download site. Would be great to have the 
package at onsip. Would be greater to have it in CVS ;)

I didn't hear of a patch lately but someone posted a probable bug fix 
with TLS session caching. The post is added below.

Alex Mack

[quote]
Hi,

First, how is free-TLS going? I mean ... is it ever going to make it into CVS? 
I have been testing for some time; it may have some bugs, but just as any piece of code. So far, I think it is good.

I found what I think is a bug. I was testing with minisip, which supports TLS completely on the client side (even client certs, incoming connections, etc). It would create the initial connection OK to SER. After 2 minutes, SER shuts down the socket. So far so good. When minisip tries to register, it tries to create a new SSL connection, and as it supports session resuming, it would try to resume the previous session. But SER does not support it ... and here is the bug. 

To fix it ... as simple as calling 
       SSL_CTX_set_session_cache_mode( ssl_ctx, SSL_SESS_CACHE_OFF );

This turns the cache off ... and when SSL receives a session resume request, it sends back a message indicating it is not possible; the client then starts the handshake from scratch. 
Another solution is to implement session caching ... but this may be too resource consuming in big servers or in embedded systems ... so maybe better just to not support it by default ... maybe implement an option to turn it on at will.

Another thing ... the verification of the certificates ... it is turned off. It should be turned on, I think.
	/* Set verification procedure.
	 * The verification can be made null with SSL_VERIFY_NONE, or
	 * at least easier with SSL_VERIFY_CLIENT_ONCE instead of SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
	 * For extra control, instead of 0, we can specify a callback function:
	 *         int (*verify_callback)(int, X509_STORE_CTX *)
	 * Also, depth 2 may be not enough in some scenarios ... though no need
	 * to increase it much further */
	SSL_CTX_set_verify( _ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
	SSL_CTX_set_verify_depth( _ctx, 2);


This is it for now ... 

Regards,

Cesc



[/quote]


Greger V. Teigre schrieb:

> I saw somebody asking for a place to download the TLS implementation 
> before it is introduced into CVS.  I have the original post from Peter 
> Griffiths. Is that the latest code (I have seen a thread on a patch)?  
> I can post it to http://onsip.org/
>    As you may be aware of, we have already made available the 
> backports of the LCR, xlog, and UAC modules.
> g-)
>
> Peter Griffiths wrote:
>
>>> hello --
>>>
>>> some time ago i extended ser to support tls, basically
>>> i implemented functions needed by the existing tls
>>> api. i polished the code a bit and i am giving it away
>>> freely. there are still some things to fix, but it
>>> mostly works.
>>>
>>> to use the code, copy tls directory into your ser tree
>>> and optionally patch cfg.lex and cfg.y, then recompile
>>> ser with TLS=on.
>>>
>>> if you also patch cfg.lex and cfg.y then you can use
>>> extended cfg syntax and specify different keys and
>>> certificates for different listen sockets. this is
>>> similar to apache virtual servers with ssl. without
>>> the patches you can only use the default configuration
>>> directives.
>>>
>>> to iptel: would be great to have it in cvs, what do
>>> you think ?
>>>
>>> -- peter
>>>
>>> -----------
>>> example ser.cfg:
>>>
>>> listen=tls:127.0.0.1:5061
>>> listen=tls:127.0.0.1:5062
>>>
>>> # defaults for outgoing tls connections
>>> tls_certificate="default.crt"
>>> tls_private_key = "default.key"
>>>
>>> # domain1.com
>>> tls_domain[127.0.0.1:5061] {
>>>    tls_certificate="domain1.crt"
>>>    tls_private_key = "domain1.key"
>>>    tls_method = sslv2
>>> }
>>>
>>> # domain2.com
>>> tls_domain[127.0.0.1:5062] {
>>>    tls_certificate="domain2.crt"
>>>    tls_private_key="domain2.key"
>>> }
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>> _______________________________________________
>>> Serusers mailing list
>>> serusers at lists.iptel.org
>>> http://lists.iptel.org/mailman/listinfo/serusers 
>>
>
> _______________________________________________
> Serdev mailing list
> serdev at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serdev
>
>



