[OpenSIPS-Devel] [OpenSIPS/opensips] 550363: Add CRL (Certificate Revocation List) verification...

Răzvan Crainea razvan at opensips.org
Tue Aug 25 11:32:16 CEST 2015


  Branch: refs/heads/master
  Home:   https://github.com/OpenSIPS/opensips
  Commit: 5503634c4e796410464484e5e9fb210e906a204d
      https://github.com/OpenSIPS/opensips/commit/5503634c4e796410464484e5e9fb210e906a204d
  Author: Bogdan Chifor <chiforbogdan86 at gmail.com>
  Date:   2015-08-24 (Mon, 24 Aug 2015)

  Changed paths:
    M modules/proto_tls/proto_tls.c
    M modules/proto_tls/tls_config.c
    M modules/proto_tls/tls_config.h
    M modules/proto_tls/tls_domain.c
    M modules/proto_tls/tls_domain.h
    M modules/proto_tls/tls_params.c
    M modules/proto_tls/tls_params.h

  Log Message:
  -----------
  Add CRL (Certificate Revocation List) verification for TLS

CRL verification was added in the proto tls module. By adding this
feature, revoked client certificates can be detected during the TLS
process, thus permitting a robust security mechanism. The following
parameters were added to the proto tls module in the configuration
script: crl_dir and crl_check_all. The crl_dir parameter specifies the
directory which contains the CRL files (multiple CRL files can be
added).
The crl_check_all parameter must be 0 or 1 and specifies whether all the
certificates from the chain are verified against a CRL or not.
By default, CRL verification is enabled only for client certificates
(or when crl_check_all is 0). If crl_check_all is 1, then the
issuer (chain) certificates are also verified against the given CRL
files.


  Commit: d532f4189db2470f20e1f8263827488b46c39de6
      https://github.com/OpenSIPS/opensips/commit/d532f4189db2470f20e1f8263827488b46c39de6
  Author: Bogdan Chifor <chiforbogdan86 at gmail.com>
  Date:   2015-08-24 (Mon, 24 Aug 2015)

  Changed paths:
    M modules/proto_tls/proto_tls.c
    M modules/proto_tls/tls_select.c
    M modules/proto_tls/tls_select.h

  Log Message:
  -----------
  Extract serial number from certificate subject (TLS module)

The serial number field from the certificate subject was extracted and
exposed in a script variable. Even though this certificate DN field is
quite unusual, it could be used for a granular client authorization after
the TLS process. The following script variables were added:
tls_peer_subject_serial and tls_my_subject_serial. The variable
tls_peer_subject_serial contains the client certificate subject serial
number and tls_my_subject_serial contains the server certificate subject
serial number. The following example presents a certificate CN field
which has a serial number:
CN=opensips_user/serialNumber=129/emailAddress=opensips_user at opensips.com


  Commit: 6b265e86e76a1c50c7eef45fa5e6c0e64d8b9ee6
      https://github.com/OpenSIPS/opensips/commit/6b265e86e76a1c50c7eef45fa5e6c0e64d8b9ee6
  Author: Răzvan Crainea <razvan at opensips.org>
  Date:   2015-08-25 (Tue, 25 Aug 2015)

  Changed paths:
    M modules/proto_tls/proto_tls.c
    M modules/proto_tls/tls_config.c
    M modules/proto_tls/tls_config.h
    M modules/proto_tls/tls_domain.c
    M modules/proto_tls/tls_domain.h
    M modules/proto_tls/tls_params.c
    M modules/proto_tls/tls_params.h
    M modules/proto_tls/tls_select.c
    M modules/proto_tls/tls_select.h

  Log Message:
  -----------
  Merge pull request #613 from chiforbogdan/tls-crl-and-serial

Tls crl and serial


Compare: https://github.com/OpenSIPS/opensips/compare/21a07ba6d77c...6b265e86e76a
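The two commit messages above describe, in words, an OpenSSL-level configuration choice (leaf-only versus whole-chain CRL checking, selected by crl_check_all, with CRLs read from crl_dir) and a subject string format from which the new tls_peer_subject_serial variable is taken. The following block is an added illustration, not code from the commits or from OpenSIPS: it uses Python's ssl module, which exposes the same OpenSSL verify flags (X509_V_FLAG_CRL_CHECK alone, or combined with X509_V_FLAG_CRL_CHECK_ALL), to show what the 0/1 setting changes, and it parses the one-line subject format shown in the second commit to pull out serialNumber. All function names are hypothetical, and the sample subject string is constructed after the commit's example (with the e-mail address de-obfuscated).

```python
"""Added example (not OpenSIPS code): leaf vs. chain CRL checking as selected by
proto_tls's crl_check_all, and extraction of serialNumber from a one-line subject."""
import ssl
from typing import Dict, Optional


def make_crl_checking_context(crl_dir: str, crl_check_all: int) -> ssl.SSLContext:
    """Server-side context that requires a client certificate and checks it
    against the CRLs found in crl_dir (hypothetical helper mirroring the
    proto_tls parameters).

    crl_check_all = 0 -> only the client (leaf) certificate is checked against a CRL
    crl_check_all = 1 -> every certificate in the chain is checked (CRL_CHECK_ALL)
    """
    if crl_check_all not in (0, 1):
        raise ValueError("crl_check_all must be 0 or 1")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED   # the peer must present a certificate
    # OpenSSL looks CRLs up in a directory by hashed file name (<hash>.r0),
    # so the directory has to be prepared with `openssl rehash` / c_rehash.
    ctx.load_verify_locations(capath=crl_dir)
    if crl_check_all:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN   # CRL_CHECK | CRL_CHECK_ALL
    else:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF    # CRL_CHECK only
    return ctx


def crl_mode(ctx: ssl.SSLContext) -> str:
    """Report the CRL checking mode of a context: 'none', 'leaf' or 'chain'."""
    flags = ctx.verify_flags
    if (flags & ssl.VERIFY_CRL_CHECK_CHAIN) == ssl.VERIFY_CRL_CHECK_CHAIN:
        return "chain"
    if flags & ssl.VERIFY_CRL_CHECK_LEAF:
        return "leaf"
    return "none"


def parse_oneline_subject(subject: str) -> Dict[str, str]:
    """Parse an OpenSSL one-line subject such as
    CN=opensips_user/serialNumber=129/emailAddress=opensips_user@opensips.com
    (with or without a leading '/') into an attribute dict.
    Assumes '/' does not occur inside attribute values."""
    attrs: Dict[str, str] = {}
    for part in subject.strip("/").split("/"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed subject attribute: {part!r}")
        attrs[name] = value
    return attrs


def subject_serial(subject: str) -> Optional[str]:
    """The subject's serialNumber attribute, or None when the subject has none
    (the value tls_peer_subject_serial would carry for that certificate)."""
    return parse_oneline_subject(subject).get("serialNumber")


if __name__ == "__main__":
    # Constructed sample after the commit message's example.
    SAMPLE = "CN=opensips_user/serialNumber=129/emailAddress=opensips_user@opensips.com"
    print("subject serial:", subject_serial(SAMPLE))              # 129
    print("crl_check_all=0 ->", crl_mode(make_crl_checking_context(".", 0)))  # leaf
    print("crl_check_all=1 ->", crl_mode(make_crl_checking_context(".", 1)))  # chain
```

Two operational points follow from the flags themselves. With either CRL mode enabled, OpenSSL fails verification when no CRL for the relevant issuer can be found (or the CRL has expired), so an empty or stale crl_dir rejects every client rather than silently skipping the revocation check; refreshing the directory and its hashed names is part of operating this feature. And serialNumber is an attribute of the subject DN chosen by whoever issued the certificate, distinct from the certificate's own serial number, so any authorization built on tls_peer_subject_serial depends on the CA enforcing uniqueness of that attribute.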

