tls_openssl: only verify client certs if configured to require them #3281
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Formerly client certs would be *verified* if `verify_cert`, but only *required* if `require_client_cert`. So if you enable `verify_cert` but you don't enable `require_client_cert`, the old behaviour was that a client that presented an invalid client certificate would be rejected, even though a client that presented no certificate at all would be accepted. But you need to enable `verify_cert` if you want *server* certificates to be verified, so this commit makes `verify_cert` only apply to server certificates and `require_client_cert` only apply to client certificates.
|
Any updates here? No progress has been made in the last 30 days, marking as stale. |
|
No updates here. |
|
@jes , as I read the current code, you can do a On the other hand, a So going back to your statement : You can achieve this (for a server RLS domain) by simply setting the |
|
Ah! Great idea. That works, thanks very much :). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
If you want opensips to verify server certs you have to enable
verify_cert, but this also implicitly makes it verify client certs, when presented, even if you don't haverequire_client_certenabled.Details
There was previously no way to configure opensips to verify server certs without having it also verify client certs, even if you configured it to make client certs optional!
Solution
This PR makes
verify_certonly apply in the case of opensips connecting out to a server, andrequire_client_certonly apply in the case of a client connecting into opensips.Compatibility
The only scenario I can imagine it breaking is if you have
require_client_certbut notverify_cert, in which case formerly it would allow any client cert (but require some client cert to be presented), but now it would verify the client certificate. I don't expect this to be a problem because what is the point in requiring a client cert if you don't verify it?Closing issues