[OpenSIPS-Devel] [opensips] Tls crl and serial (#613)

chiforbogdan notifications at github.com
Mon Aug 24 19:13:49 CEST 2015


CRL (Certificate Revocation List) based verification was added to the proto tls module. The user is able to configure a directory which contains multiple CRL files. The proto tls module parses the directory and adds the given CRL files to the SSL context [the config script option: modparam("proto_tls", "crl_dir", "/home/chifor/work/Opensips/build/etc/opensips/tls/")].
Also, besides the client certificate verification, the user can enable the chain certificate verification (all the certificates given in the "ca_list" script parameter are verified against the given CRL files) [the config script option: modparam("proto_tls", "crl_check_all", "1")]. By default "crl_check_all" is 0 (disabled), meaning that only the client certificate is verified against the CRLs.
Two new script variables were also introduced: tls_peer_subject_serial and tls_my_subject_serial. These script variables extract the serial number field from the certificate CN (CN=opensips_user/serialNumber=129/emailAddress=opensips_user@opensips.com). These variables could be used in a post-TLS authorization scenario. The serial number from the certificate CN is specified by the OpenSSL NID_serialNumber.
You can view, comment on, or merge this pull request online at:

  https://github.com/OpenSIPS/opensips/pull/613

-- Commit Summary --

  * Add CRL (Certificate Revocation List) verification for TLS
  * Extract serial number from certificate subject (TLS module)

-- File Changes --

    M modules/proto_tls/proto_tls.c (100)
    M modules/proto_tls/tls_config.c (2)
    M modules/proto_tls/tls_config.h (1)
    M modules/proto_tls/tls_domain.c (1)
    M modules/proto_tls/tls_domain.h (2)
    M modules/proto_tls/tls_params.c (27)
    M modules/proto_tls/tls_params.h (4)
    M modules/proto_tls/tls_select.c (2)
    M modules/proto_tls/tls_select.h (3)

-- Patch Links --

https://github.com/OpenSIPS/opensips/pull/613.patch
https://github.com/OpenSIPS/opensips/pull/613.diff

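The two mechanisms described in the pull request, a CRL directory loaded into the SSL context with leaf-only or whole-chain revocation checking, and a post-TLS authorization decision based on the subject's serialNumber attribute, as an added example that is not OpenSIPS code and not taken from the patch. It uses only the Python standard library's ssl module, which exposes the same OpenSSL verify flags (X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL) the module would set in C; the function names, the `.pem`/`.crl` file filter and the sample peer-certificate dictionary are this example's own assumptions, and the certificate data is constructed, not a real certificate.

```python
"""Added example (not OpenSIPS code): CRL-checked TLS context and subject
serialNumber extraction, modelled on the crl_dir / crl_check_all parameters
and the tls_peer_subject_serial variable from the pull request."""
import os
import ssl
import tempfile

# File extensions this example treats as CRL files in crl_dir (assumption;
# the OpenSIPS module's own filter is not described in the PR text).
CRL_SUFFIXES = (".pem", ".crl")


def make_tls_context(ca_file, crl_dir, crl_check_all=False):
    """Build a server context that requires a client certificate and rejects
    any certificate listed on a CRL loaded from crl_dir.

    crl_check_all=False -> only the leaf (client) certificate is checked
                           against the CRLs (X509_V_FLAG_CRL_CHECK)
    crl_check_all=True  -> every certificate in the chain is checked
                           (X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)
    Returns (context, number_of_crl_files_loaded).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)

    # Load each CRL file individually. A PEM file passed as cafile is parsed
    # for both certificates and CRLs, so no c_rehash-style hashed directory
    # layout is required (unlike the capath= form).
    loaded = 0
    for name in sorted(os.listdir(crl_dir)):
        if name.lower().endswith(CRL_SUFFIXES):
            ctx.load_verify_locations(cafile=os.path.join(crl_dir, name))
            loaded += 1

    # Without a CRL_CHECK flag the loaded CRLs are ignored at verification
    # time, so the flag is what actually turns revocation checking on.
    if crl_check_all:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    else:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx, loaded


def subject_serial(peercert):
    """Return the serialNumber *subject attribute* (OpenSSL NID_serialNumber,
    OID 2.5.4.5) from a dict shaped like SSLSocket.getpeercert(), or None.

    Note: peercert["serialNumber"] at the top level is the X.509 certificate
    serial chosen by the CA, a different value from the subject attribute.
    """
    for rdn in peercert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "serialNumber":
                return value
    return None


def authorize_peer(peercert, allowed_serials):
    """Post-TLS authorization: allow the peer only if its subject serialNumber
    is on an explicit allow list (a missing attribute is a deny)."""
    serial = subject_serial(peercert)
    return serial is not None and serial in allowed_serials


# Constructed sample in the layout getpeercert() produces for the subject
# CN=opensips_user/serialNumber=129/emailAddress=opensips_user@opensips.com.
SAMPLE_PEERCERT = {
    "subject": (
        (("commonName", "opensips_user"),),
        (("serialNumber", "129"),),
        (("emailAddress", "opensips_user@opensips.com"),),
    ),
    "serialNumber": "0A1B2C",  # constructed certificate serial, not the subject attribute
}


def demo():
    """Run both contexts against an empty temporary crl_dir and return the
    observable results as a dict (used by the usage below)."""
    crl_dir = tempfile.mkdtemp()
    leaf_ctx, leaf_n = make_tls_context(None, crl_dir, crl_check_all=False)
    chain_ctx, chain_n = make_tls_context(None, crl_dir, crl_check_all=True)
    return {
        "leaf_only": (leaf_ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN)
        == ssl.VERIFY_CRL_CHECK_LEAF,
        "whole_chain": (chain_ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN)
        == ssl.VERIFY_CRL_CHECK_CHAIN,
        "crls_loaded": leaf_n + chain_n,
        "peer_serial": subject_serial(SAMPLE_PEERCERT),
        "authorized": authorize_peer(SAMPLE_PEERCERT, {"129", "130"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`VERIFY_CRL_CHECK_CHAIN` is the union of both OpenSSL bits, so checking `flags & VERIFY_CRL_CHECK_CHAIN == VERIFY_CRL_CHECK_LEAF` is how to confirm a context is in leaf-only mode. The deny-by-default in `authorize_peer` matters: a certificate whose subject simply lacks the attribute would otherwise pass an equality test against an empty string.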