
HTTP SNI check #45

Merged
merged 3 commits into from
Dec 8, 2020

Conversation

@cspiel1 cspiel1 (Collaborator) commented Dec 1, 2020

  • The function tls_set_verify_server() should be extended by SNI (hostname verification).
  • Currently only used for rtmp. But this doesn't hurt because IP-addresses are excepted from this change. And for domains it makes sense to check the hostname.
  • The function tls_set_verify_server() is now also used for HTTP clients.
  • The function tls_set_verify_client() only activates certificate verification that accepts all certificates. It is used only in the baresip module dtls_srtp. We do not touch this here, but want to rename the verify-handler to "verify_trust_all()".

TODO (but in another PR):

  • For SIP/TLS this function should be called for each TLS connection once. Maybe then it should be renamed to tls_set_verify_peer().

@cspiel1 cspiel1 (Collaborator, Author) commented Dec 1, 2020

test_tls and test_dtls are failing.

error_string = self signed certificate

Reason: By default the verify mode is set to SSL_VERIFY_NONE. Now we set it to SSL_VERIFY_PEER.
It seems that a self-signed certificate is not possible. I have to clarify this.

@cspiel1 cspiel1 marked this pull request as draft December 2, 2020 11:20
@cspiel1 cspiel1 force-pushed the http_SNI_check branch 3 times, most recently from 77569cd to f809c5e, December 2, 2020 13:26
@cspiel1 cspiel1 (Collaborator, Author) commented Dec 2, 2020

The tests test_tls and test_dtls are green now

@sreimers Had to fix test_https_loop in retools. How can I trigger Travis for this PR without pushing an update?

@cspiel1 cspiel1 force-pushed the http_SNI_check branch 2 times, most recently from 1f0a37f to 1056d57, December 2, 2020 14:34
@cspiel1 cspiel1 (Collaborator, Author) commented Dec 2, 2020

Ok, I had to push updates already.

Anyway, I think that manual triggers are not possible until we have such "workflow_dispatch" mentioned here: https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/

But maybe manual triggers are not needed very often.

Also adds a verify handler that prints warnings if verification fails.
- Pass TLS hostname set by user to SSL_set_tlsext_host_name().
- Disable SNI check for IP addresses.
@cspiel1 cspiel1 marked this pull request as ready for review December 2, 2020 16:42
}

return 0;
}
Contributor (review comment)

I am not sure if it is a good practice to remove public functions.

it is probably best to keep it...

@cspiel1 cspiel1 (Collaborator, Author) Dec 6, 2020

Yes, maybe we should keep it. But on the other side:

  • tls_peer_set_verify_host()
  • tls_set_servername()
  • tls_set_verify_server()

is very confusing. Our TLS expert told me that SSL_set1_host() and SSL_set_tlsext_host_name() should be used together. Also setting TLS method to SSL_VERIFY_PEER. Here is a good article: https://quuxplusone.github.io/blog/2020/01/27/openssl-part-4/
Having only one function which does this for the TLS client makes the re API simpler.

Should we keep the functions anyway? If yes, I would add more details to the doxygen of these functions.

@alfredh alfredh (Contributor) commented Dec 5, 2020

@robdyck can you please test this patch?

you should verify that SNI is not present in TLS Hello.
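The behaviour under discussion in this PR (send SNI from the user-supplied hostname, verify the certificate against that hostname with peer verification on, and make an exception for IP literals, plus the self-signed failure seen in test_tls/test_dtls) can be observed end to end with a small local experiment. The following is an added example and not code from the re or baresip projects: it uses Go's crypto/tls instead of the OpenSSL calls named above (SSL_set_tlsext_host_name, SSL_set1_host, SSL_VERIFY_PEER), because Go's single ServerName field implements the same policy, including the no-SNI-for-IP-literals rule. The certificate, the names sip.example.test and other.example.test, and the scenario labels are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome of one client handshake: the SNI value the server saw in the ClientHello
// ("" = no SNI extension) and a verdict: ok, hostname-mismatch, untrusted or other: <err>.
type Outcome struct{ SNI, Verdict string }

func must(err error) { // fixture setup failure, not a TLS verdict
	if err != nil {
		panic(err)
	}
}

// selfSignedCert makes a constructed in-memory server certificate with the given
// DNS and IP SANs, plus a trust pool holding only that certificate.
func selfSignedCert(dnsNames []string, ips []net.IP) (tls.Certificate, *x509.CertPool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test server"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true,
		DNSNames: dnsNames, IPAddresses: ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail to parse
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool
}

// dial connects the way the patch configures its TLS clients: verification on (Go's
// default, the counterpart of SSL_VERIFY_PEER) and serverName used for both SNI and the
// hostname check (SSL_set_tlsext_host_name + SSL_set1_host); no SNI for IP literals.
func dial(addr, serverName string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots})
	if err != nil {
		return err
	}
	return conn.Close()
}

// classify maps a handshake error to the verdicts the PR discussion is about.
func classify(err error) string {
	var hostErr x509.HostnameError
	var caErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "hostname-mismatch"
	case errors.As(err, &caErr):
		return "untrusted"
	}
	return "other: " + err.Error()
}

// RunScenarios starts a constructed local TLS server that records the SNI of every
// ClientHello, then runs the client cases from the PR discussion against it.
func RunScenarios() map[string]Outcome {
	cert, pool := selfSignedCert([]string{"sip.example.test"}, []net.IP{net.ParseIP("127.0.0.1")})
	seen := make(chan string, 8)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
		seen <- hi.ServerName // exactly one value per client attempt
		return &cert, nil
	}})
	must(err)
	defer ln.Close()
	go func() { // drive each handshake; failures are expected in the negative cases
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	cases := []struct{ label, serverName string; roots *x509.CertPool }{
		{"dns-trusted", "sip.example.test", pool},                         // SNI sent, name in SAN
		{"dns-mismatch", "other.example.test", pool},                      // SNI sent, name not in SAN
		{"ip-literal", "127.0.0.1", pool},                                 // no SNI, IP SAN matches
		{"self-signed-untrusted", "sip.example.test", x509.NewCertPool()}, // the failing-test situation
	}
	out := make(map[string]Outcome, len(cases))
	for _, c := range cases {
		verdict := classify(dial(ln.Addr().String(), c.serverName, c.roots))
		out[c.label] = Outcome{SNI: <-seen, Verdict: verdict}
	}
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

The ip-literal case is the check alfredh asks for: the server-side GetCertificate callback sees an empty ServerName, i.e. no SNI extension in the ClientHello, while the hostname check still succeeds against the IP SAN. The self-signed-untrusted case reproduces the "self signed certificate" failure from the test run: with peer verification on, a certificate that is not in the trust store is rejected, and the remedy is to trust the test certificate (as the dns-trusted case does) rather than to fall back to SSL_VERIFY_NONE.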

@alfredh alfredh (Contributor) commented Dec 7, 2020

should be ok to merge now

@sreimers sreimers merged commit c6ba3a9 into baresip:master Dec 8, 2020
@cspiel1 cspiel1 deleted the http_SNI_check branch December 16, 2020 06:56
@sreimers sreimers added the enhancement New feature or request label Apr 9, 2021
@sreimers sreimers added this to the v2.0.0 milestone Apr 9, 2021